Hey guys,
I am playing with exception handling by installing a Vectored Exception handler into my program.
I want to execute a piece of code and let the program break on a hardware breakpoint.
Here is a snippet of the code:
```asm
invoke SuspendThread, [hMainThread]
mov [context.ContextFlags], CONTEXT_DEBUG_REGISTERS
mov eax, [HardwareBreakpointAddress] // Copy address to break on into eax
// Set a "ba e1 <address>" style breakpoint (execute, length 1)
mov D[context.Dr0], eax // Copy breakpoint address into Dr0
mov D[context.Dr6], 0
mov D[context.Dr7], 1 // Enable breakpoint 0 (L0 bit)
mov eax, [StartingAddress]
mov D[context.Eip], eax // Set EIP to run the code
invoke SetThreadContext, [hMainThread], offset context
invoke ResumeThread, [hMainThread]
```
I think I know where the problem occurs and that is how the hardware breakpoint is set.
I want to set a hardware breakpoint on execution.
According to documentation found with Google (mainly C++ code) I found these snippets:
```cpp
CONTEXT ctx = {CONTEXT_DEBUG_REGISTERS};
ctx.Dr6 = 0x00000000;
ctx.Dr0 = dwBreakPoint;   // Set Address of Breakpoint 1
ctx.Dr7 = 0x00000001;     // Activate Breakpoint 1
/*
use these for setting more breakpoints
ctx.Dr1 = address;        // Set Address of Breakpoint 2
ctx.Dr7 |= 0x00000004;    // Activate Breakpoint 2
ctx.Dr2 = address;        // Set Address of Breakpoint 3
ctx.Dr7 |= 0x00000010;    // Activate Breakpoint 3
ctx.Dr3 = address;        // Set Address of Breakpoint 4
ctx.Dr7 |= 0x00000040;    // Activate Breakpoint 4
*/
```
Another snippet:
```cpp
CONTEXT thread_context = {CONTEXT_DEBUG_REGISTERS};
thread_context.Dr0 = func_addr;
thread_context.Dr7 = (1 << 0);
SetThreadContext(hMainThread, &thread_context);
```
It looks so easy, but I fail to get it working. Could someone enlighten me on how to do something like that in ASM?
Thanks in advance.
The Vectored Exception handler should catch a SINGLE_STEP exception, but that exception never reaches my exception handler.
If you have the C++ code, you have the solution in asm.
In "project property", "c++ command line" add /Fa
"Generate", and you get an asm file. It's so simple.
I managed to get the code working:
```asm
mov [context.ContextFlags], CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS //| CONTEXT_CONTROL
invoke SuspendThread, [hMainThread]
invoke GetThreadContext, [hMainThread], offset context
```
The change has to be made on this line:
`mov [context.ContextFlags], CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS`; without these flags the debug registers are not set properly.
The hardware breakpoint is working, but I noticed a slight delay when updating EIP to start at a new place in the code:
it takes 3-5 seconds before EIP actually executes there.
Is there any delay in the SetThreadContext API?
On google I found the following topic:
http://www.experts-exchange.com/Programming/System/Windows__Programming/Q_21270206.html
This is kind of my problem as well. Anyone got any ideas?
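The pattern this thread converges on (read the thread's context first, then set Dr0/Dr7 through SetThreadContext and catch EXCEPTION_SINGLE_STEP in a vectored handler), written out as an added C example; it is not code from any poster here. The DR7/DR6 bit-layout helpers are plain C and run anywhere, while the Windows part (the `veh` handler and `arm_exec_breakpoint`, both names chosen here) only compiles on Windows; the handler disables the slot after the hit because an execute breakpoint traps before the instruction runs and would otherwise re-trap forever.

```c
/* Hardware-breakpoint helpers. DR7/DR6 bit layout is portable C; the
 * Windows-specific VEH + SetThreadContext part is compiled only on Windows. */
#include <stdint.h>
#include <stdio.h>

#define DR7_COND_EXEC 0u   /* R/W field: 00 = break on instruction execution */
#define DR7_LEN_1     0u   /* LEN field: 00 = 1 byte (mandatory for execute) */

/* Return DR7 with breakpoint `slot` (0..3) locally enabled: L-bit at 2*slot,
 * R/W field at 16+4*slot, LEN field at 18+4*slot. Slot 0 execute => DR7 = 1,
 * which is exactly the value the snippets in this thread use. */
uint32_t dr7_enable(uint32_t dr7, unsigned slot, uint32_t cond, uint32_t len)
{
    dr7 |= 1u << (slot * 2);               /* L0..L3 local-enable bit */
    dr7 &= ~(0xFu << (16 + slot * 4));     /* clear old R/W + LEN fields */
    dr7 |= (cond & 3u) << (16 + slot * 4);
    dr7 |= (len  & 3u) << (18 + slot * 4);
    return dr7;
}

/* DR6 bits 0..3 (B0..B3) report which slot fired; the CPU never clears them,
 * so software must zero DR6 after handling. Returns -1 if no slot is flagged. */
int dr6_hit_slot(uint32_t dr6)
{
    for (unsigned s = 0; s < 4; s++)
        if (dr6 & (1u << s)) return (int)s;
    return -1;
}

#ifdef _WIN32
#include <windows.h>
/* Vectored handler: a debug-register hit arrives as EXCEPTION_SINGLE_STEP. */
static LONG CALLBACK veh(PEXCEPTION_POINTERS ep)
{
    if (ep->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP)
        return EXCEPTION_CONTINUE_SEARCH;
    CONTEXT *c = ep->ContextRecord;
    printf("hw breakpoint slot %d hit at %p\n", dr6_hit_slot(c->Dr6),
           ep->ExceptionRecord->ExceptionAddress);
    c->Dr7 &= ~1u;   /* disable slot 0 so the same instruction does not re-trap */
    c->Dr6 = 0;      /* clear the sticky status bits */
    return EXCEPTION_CONTINUE_EXECUTION;
}

/* Arm an execute breakpoint on `addr` in (suspended) thread `h`. Reading the
 * context first keeps the other debug registers intact; Eip redirection would
 * additionally need CONTEXT_CONTROL, which is why CONTEXT_FULL fixed it above. */
BOOL arm_exec_breakpoint(HANDLE h, DWORD_PTR addr)
{
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(h, &ctx)) return FALSE;
    ctx.Dr0 = addr;
    ctx.Dr7 = dr7_enable(ctx.Dr7, 0, DR7_COND_EXEC, DR7_LEN_1);
    ctx.Dr6 = 0;
    return SetThreadContext(h, &ctx);
}
#endif
```

Register the handler with `AddVectoredExceptionHandler(1, veh)` before arming, and arm from a different thread than the one being modified, since SetThreadContext on a running thread is unreliable.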