sullx (Cheater)
Reputation: 0
Joined: 03 Jan 2013, Posts: 37
Posted: Mon Apr 20, 2015 11:38 pm, Post subject: Capturing usermode breakpoints from kernelmode
I have a few qualitative questions about a debugger that lives in ring0, but is used to debug usermode applications. Background: I have developed a driver and a usermode bridge (driver controller) that does basic things such as read, write and allocate memory of a usermode process, from the kernel.
What I would like to understand qualitatively is how one can handle the signals of a specific ring3 process from a ring0 driver, similar to how CE does (dbk64.sys). In usermode, one typically installs a SEH or VEH to handle the exception thrown by an int3 or a hw breakpoint for a particular process or set of processes.
Is there such a concept of installing an exception handler that lives in your driver, but handles exceptions from specific processes? If so, what is this called? If not, then how is it that a kernel driver can detect breakpoints of a specific ring3 process? Any keywords that would help me search for more reading material are appreciated. Thanks.
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003, Posts: 25821, Location: The Netherlands
Posted: Tue Apr 21, 2015 3:02 am
On a 'high level' approach, the debugport and exceptionport of the process structure could be manipulated to point to your own implementation (not something I've looked into much).
On a low level approach, you could hook the interrupt handler (int1) and handle them that way.
But since you mention dbk64 instead of dbk32, I'll assume your focus is on 64. In which case PatchGuard will be an issue (it'll BSOD you if system memory, like the IDT, is tampered with).
So, you need to combine it with a hack that disables PatchGuard, or use something like DBVM (a virtual machine to capture the debug event in ring -1).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
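The kind of integrity check the reply above attributes to PatchGuard, as an added example that is not from this thread or from Cheat Engine: it parses x64 IDT gate descriptors (the Intel SDM 64-bit gate layout) and reports present vectors whose handler address lies outside the kernel image range, which is how a redirected int1 (#DB) entry stands out. The sample table, selector value and address range are constructed.

```c
/* Added example, not from the thread or Cheat Engine: parse x64 IDT gate descriptors
 * (Intel SDM layout) and flag present handlers outside the kernel image range. */
#include <stdint.h>
#include <stddef.h>
struct idt_gate64 {            /* 16-byte 64-bit interrupt gate */
    uint16_t offset_low;       /* handler bits 15:0 */
    uint16_t selector;         /* code segment selector */
    uint8_t  ist;              /* bits 2:0: IST index */
    uint8_t  type_attr;        /* type 3:0, DPL 6:5, P 7 */
    uint16_t offset_mid;       /* handler bits 31:16 */
    uint32_t offset_high;      /* handler bits 63:32 */
    uint32_t reserved;
};
/* Reassemble the handler address from its three split fields. */
uint64_t idt_gate_handler(const struct idt_gate64 *g) {
    return (uint64_t)g->offset_low | ((uint64_t)g->offset_mid << 16) |
           ((uint64_t)g->offset_high << 32);
}
/* Count present gates in idt[0..n) whose handler is outside [lo, hi) and
 * record their vector numbers in out (at most out_cap of them). */
size_t idt_find_foreign_handlers(const struct idt_gate64 *idt, size_t n, uint64_t lo,
                                 uint64_t hi, unsigned *out, size_t out_cap) {
    size_t found = 0;
    for (size_t v = 0; v < n; v++) {
        if (!(idt[v].type_attr & 0x80)) continue;   /* P bit clear: unused vector */
        uint64_t h = idt_gate_handler(&idt[v]);
        if (h < lo || h >= hi) {
            if (found < out_cap) out[found] = (unsigned)v;
            found++;
        }
    }
    return found;
}
/* Constructed present interrupt gate: selector 0x10, P=1, DPL=0, type 0xE. */
struct idt_gate64 make_gate(uint64_t handler) {
    struct idt_gate64 g = { (uint16_t)handler, 0x10, 0, 0x8E,
                            (uint16_t)(handler >> 16), (uint32_t)(handler >> 32), 0 };
    return g;
}
/* Constructed sample: kernel image at [KERN_LO, KERN_LO + 16 MiB); vector 1
 * (#DB, the int1 hook point discussed above) points into a foreign driver. */
#define KERN_LO 0xFFFFF80000000000ULL
size_t demo_check(unsigned *out, size_t cap) {
    struct idt_gate64 idt[4] = {
        make_gate(KERN_LO + 0x1000), make_gate(0xFFFFF88001234560ULL), /* 0: #DE ok, 1: #DB foreign */
        { 0 }, make_gate(KERN_LO + 0x3000) };                          /* 2: absent, 3: #BP ok */
    return idt_find_foreign_handlers(idt, 4, KERN_LO, KERN_LO + (16ULL << 20), out, cap);
}
```

On a live system the table base and limit would come from the SIDT instruction and the kernel range from the loaded module list; here both are replaced by constructed values so the check runs offline.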
sullx (Cheater)
Reputation: 0
Joined: 03 Jan 2013, Posts: 37
Posted: Sat Apr 25, 2015 1:25 pm
Thanks Dark Byte. That post gave me enough to go on for the past week. I decided to go with hooking the IDT. PatchGuard is disabled. So right now my hooking technique is very simple in the x86 case. When my detoured IDT entry is called, it first preserves the context (pushes all flags and registers to the stack), then calls a handling function. After that function returns, I restore the context (by popping the registers and flags off the stack) and then call the original IDT handler. In x86 this is very easy to do with inline ASM. Since x64 doesn't have inline ASM, I'm having a harder time replicating this behavior. Do you have any suggestions?
Thanks.
Dark Byte (Site Admin)
Reputation: 471
Joined: 09 May 2003, Posts: 25821, Location: The Netherlands