NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Sun Aug 07, 2016 2:52 pm Post subject: Trace process flow |
Hi, I am trying to make a .dll that traces the flow of the program and saves the result. I am placing a breakpoint on the start address and I would like to step until it reaches max steps or the address the user assigns. Currently this is my code:
Code: |
#include "Trace.hpp"
#include <windows.h>     // must precede tlhelp32.h
#include <tlhelp32.h>

HANDLE MainThread     = NULL;
HWND   g_Hwnd         = NULL;
DWORD  g_MessageValue = 0;
DWORD  g_StopAddy     = 0;

// Opens the first thread the snapshot lists for this process. Toolhelp gives no
// ordering guarantee, so this is "a thread of ours", not necessarily the one that
// started the process; the thread with the earliest GetThreadTimes() creation
// time is a safer pick.
void GetMainThreadFromProcessId()
{
    DWORD ProcessId = GetCurrentProcessId();
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // pid argument is ignored for thread snapshots
    if (hSnapshot == INVALID_HANDLE_VALUE) // failure value is INVALID_HANDLE_VALUE, not NULL
        return;
    THREADENTRY32 te;
    te.dwSize = sizeof(te);
    if (Thread32First(hSnapshot, &te))
    {
        do
        {
            if (te.th32OwnerProcessID == ProcessId)
            {
                MainThread = OpenThread(THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME,
                                        FALSE, te.th32ThreadID);
                break;
            }
        } while (Thread32Next(hSnapshot, &te));
    }
    CloseHandle(hSnapshot); // on every path, not only when Thread32First succeeded
}

// Arms an execute breakpoint on Addy in debug register slot Index (0..3).
// Get/SetThreadContext are only reliable against a suspended thread, so the
// target is suspended unless this code already runs on that thread.
void SetBp(DWORD Addy, DWORD Index)
{
    if (Index > 3) return;
    CONTEXT c = { 0 };
    c.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    BOOL suspend = (GetThreadId(MainThread) != GetCurrentThreadId());
    if (suspend) SuspendThread(MainThread);
    if (GetThreadContext(MainThread, &c))
    {
        switch (Index)
        {
        case 0: c.Dr0 = Addy; break;
        case 1: c.Dr1 = Addy; break;
        case 2: c.Dr2 = Addy; break;
        case 3: c.Dr3 = Addy; break;
        }
        c.Dr7 |=  (1u << (Index * 2));          // Ln: local enable for this slot (keeps the other slots intact)
        c.Dr7 &= ~(0xFu << (16 + Index * 4));   // R/Wn = 00 (execute), LENn = 00 (mandatory for execute)
        c.Dr6 = 0;
        SetThreadContext(MainThread, &c);
    }
    if (suspend) ResumeThread(MainThread);
}

LONG __stdcall Handler(EXCEPTION_POINTERS* ep)
{
    if (ep->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)
    {
        MessageBox(0, L"step", 0, 0);
        ep->ContextRecord->EFlags |= 0x100;   // TF (bit 8): trap again after the next instruction
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    if (ep->ExceptionRecord->ExceptionCode == STATUS_BREAKPOINT)   // raised by int3, not by the debug registers
    {
        MessageBox(0, L"bp", 0, 0);
        ep->ContextRecord->EFlags |= 0x100;
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;   // anything else (access violations etc.) is not ours to swallow
}

void StartTracing(HWND Hwnd, DWORD MessageValue, DWORD Start, DWORD End)
{
    g_Hwnd = Hwnd;
    g_MessageValue = MessageValue;
    g_StopAddy = End;
    GetMainThreadFromProcessId();
    AddVectoredExceptionHandler(1, Handler);
    SetBp(Start, 0);
}
|
The problem is that it does not step to the next address but keeps spamming the step message box on the same address. Doing EFlags |= 0x10000 removes the bp though, but I can't step. I looked at the CEF source but could not find what I need. I hope someone could give me a hint in the right direction.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25781 Location: The netherlands
Posted: Sun Aug 07, 2016 4:00 pm Post subject: |
Assuming you're not on XP, set the resume flag (bit 16)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Sun Aug 07, 2016 4:16 pm Post subject: |
Dark Byte wrote: | Assuming you're not on XP, set the resume flag (bit 16) |
Code: |
CONTEXT c = { CONTEXT_DEBUG_REGISTERS };   // EFlags is only read/written when ContextFlags also includes CONTEXT_CONTROL
GetThreadContext(MainThread, &c);
c.Dr0 = Addy;
c.Dr7 = (1 << 0); // set 0th bit
c.EFlags |= 0x100;
c.Dr6 = 0;
SetThreadContext(MainThread, &c);
|
Like this?
And in the handler do this?:
Code: |
//LOG
return EXCEPTION_CONTINUE_EXECUTION;
|
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25781 Location: The netherlands
Posted: Sun Aug 07, 2016 4:56 pm Post subject: |
In the handler, when your breakpoint hits, set the resume flag, else it will hit the same breakpoint again.
Try EFlags |= 0x10100 (unless you're on XP, which ignores the resume flag).
EXCEPTION_CONTINUE_EXECUTION is OK.
Also, (ep->ExceptionRecord->ExceptionCode == STATUS_BREAKPOINT) should never happen unless you use int3 bps; hardware breakpoints always cause a single-step exception.
Last edited by Dark Byte on Sun Aug 07, 2016 4:59 pm; edited 1 time in total
NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Sun Aug 07, 2016 4:59 pm Post subject: |
Dark Byte wrote: | In the handler, when your breakpoint hits, set the resume flag, else it will hit the same breakpoint again.
EXCEPTION_CONTINUE_EXECUTION is OK.
Also, (ep->ExceptionRecord->ExceptionCode == STATUS_BREAKPOINT) should never happen unless you use int3 bps; hardware breakpoints always cause a single-step exception. |
Found that out
Code: |
LONG __stdcall Handler(EXCEPTION_POINTERS* ep)
{
    if (ep->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)
    {
        MessageBox(0, std::to_wstring(ep->ContextRecord->Eip).c_str(), 0, 0); // needs <string>; shows EIP in decimal
        ep->ContextRecord->EFlags |= 0x100;
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}
|
I guess I have to remove the old bp and set a new one at EIP+1? That would mean I need to use a disassembler for jmps/rets/calls; is it possible to do that without one?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25781 Location: The netherlands
Posted: Sun Aug 07, 2016 5:00 pm Post subject: |
Try EFlags |= 0x10100 (unless you're on XP, which ignores the resume flag, in which case you have to set a bp on the next one).
NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Sun Aug 07, 2016 5:06 pm Post subject: |
Dark Byte wrote: | Try EFlags |= 0x10100 (unless you're on XP, which ignores the resume flag, in which case you have to set a bp on the next one). |
Omg, thanks a lot. That did it. Could you tell me why?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25781 Location: The netherlands
Posted: Sun Aug 07, 2016 5:13 pm Post subject: |
The resume flag will ignore the current breakpoint for one instruction (and clears the resume flag afterwards),
but it won't clear the single step instruction on the next instruction. (I don't think it ever autoclears, but it might be a Windows thing where it does.)
So when you set the resume flag and the trap flag, it will skip over the current breakpoint and stop at the instruction after it.
NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Sun Aug 07, 2016 6:01 pm Post subject: |
Dark Byte wrote: | The resume flag will ignore the current breakpoint for one instruction (and clears the resume flag afterwards),
but it won't clear the single step instruction on the next instruction. (I don't think it ever autoclears, but it might be a Windows thing where it does.)
So when you set the resume flag and the trap flag, it will skip over the current breakpoint and stop at the instruction after it. |
Though it looks like I can't get rid of it.
Code: |
if (addy == g_StopAddy)
{
    // Clear TF only. A mask like "&= 0x10000" keeps just RF and zeroes every
    // other flag (IF, ZF, CF, ...), which corrupts the resumed thread.
    ep->ContextRecord->EFlags &= ~0x100;
    // Inside the handler, clear the breakpoint through ep->ContextRecord: that
    // record is what the thread resumes with after EXCEPTION_CONTINUE_EXECUTION,
    // so a SetThreadContext() on ourselves from here is overwritten by it.
    ep->ContextRecord->Dr0 = 0;
    ep->ContextRecord->Dr7 &= ~(3u | (0xFu << 16));   // L0/G0 and R/W0/LEN0
    ep->ContextRecord->Dr6 = 0;
    PostMessage(g_Hwnd, g_MessageValue, (WPARAM)&g_addies, 0);
}

// For use outside the exception handler (same suspend rules as SetBp).
void RemoveBp(DWORD Index)
{
    if (Index > 3) return;
    CONTEXT c = { 0 };
    c.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    BOOL suspend = (GetThreadId(MainThread) != GetCurrentThreadId());
    if (suspend) SuspendThread(MainThread);
    if (GetThreadContext(MainThread, &c))
    {
        switch (Index)
        {
        case 0: c.Dr0 = 0; break;
        case 1: c.Dr1 = 0; break;
        case 2: c.Dr2 = 0; break;
        case 3: c.Dr3 = 0; break;
        }
        c.Dr7 &= ~(3u   << (Index * 2));        // clear Ln/Gn ("|= 0" would leave them set)
        c.Dr7 &= ~(0xFu << (16 + Index * 4));   // clear R/Wn and LENn
        c.Dr6 = 0;
        SetThreadContext(MainThread, &c);
    }
    if (suspend) ResumeThread(MainThread);
}
|
What is even weirder is that my listview does not get updated after I call PostMessage. Can it have anything to do with the bp? Though I can move the window and stuff, so that can't be it.
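Added example, not code from this thread or from Cheat Engine: the register-level rules Dark Byte gives above (TF plus RF after a hardware breakpoint hit, TF alone after a single step, TF cleared at the stop address) and the DR7 slot bookkeeping that RemoveBp needs, written as plain C helpers over 32-bit values so they run without Windows. `simulate_trace` is a toy model of the CPU/handler interplay over straight-line code; the addresses 0x401000..0x401010, the fixed 4-byte instruction length and the starting EFLAGS 0x246 are constructed, and it raises no real exceptions. It goes slightly beyond the thread by also handling write/read-write breakpoints in `dr7_arm`. In a real vectored handler the helpers would be applied to `ep->ContextRecord->EFlags`, `Dr6` and `Dr7`; that `Dr6` is populated in the handler's CONTEXT is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* EFLAGS bits that matter for tracing with debug registers. */
#define EFLAGS_TF 0x00000100u  /* trap flag: #DB after the next instruction executes */
#define EFLAGS_RF 0x00010000u  /* resume flag: ignore instruction breakpoints for one instruction */

/* DR6 status bits reported with a #DB. */
#define DR6_B0    0x00000001u  /* B0..B3 = bits 0..3: which slot matched */
#define DR6_BS    0x00004000u  /* bit 14: the #DB was a single step */

/* DR7 breakpoint types (R/Wn field). */
enum { HWBP_EXEC = 0, HWBP_WRITE = 1, HWBP_RW = 3 };

/* Arm slot n: set Ln (bit 2n) and write R/Wn, LENn (bits 16+4n..19+4n).
 * Execute breakpoints require LENn = 00, which is why setting Ln alone
 * works for them. len_code: 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes. */
uint32_t dr7_arm(uint32_t dr7, int slot, int type, int len_code)
{
    uint32_t field = (type == HWBP_EXEC) ? 0u
                   : (((uint32_t)len_code & 3u) << 2) | ((uint32_t)type & 3u);
    dr7 &= ~(0xFu << (16 + slot * 4));
    dr7 |=  field << (16 + slot * 4);
    dr7 |=  1u << (slot * 2);
    return dr7;
}

/* Disarm slot n: clear Ln/Gn and its R/W and LEN fields. */
uint32_t dr7_disarm(uint32_t dr7, int slot)
{
    dr7 &= ~(3u   << (slot * 2));
    dr7 &= ~(0xFu << (16 + slot * 4));
    return dr7;
}

/* Slot that matched, or -1 for a plain single step (BS) / no match. */
int dr6_hit_slot(uint32_t dr6)
{
    for (int i = 0; i < 4; i++)
        if (dr6 & (DR6_B0 << i)) return i;
    return -1;
}

/* Keep tracing: TF for the next step, plus RF if this #DB came from an
 * execute breakpoint; without RF the same breakpoint fires again at EIP. */
uint32_t eflags_continue_trace(uint32_t eflags, uint32_t dr6)
{
    eflags |= EFLAGS_TF;
    if (dr6_hit_slot(dr6) >= 0) eflags |= EFLAGS_RF;
    return eflags;
}

/* Stop tracing: clear TF only, leaving IF/ZF/CF and the rest intact. */
uint32_t eflags_stop_trace(uint32_t eflags)
{
    return eflags & ~EFLAGS_TF;
}

/* Toy model: execute breakpoint in slot 0 at `start`, handler logs EIP and
 * steps until `stop`. use_rf = 0 reproduces a TF-only handler. Returns the
 * number of handler invocations, or -1 if the trace loops on one address. */
int simulate_trace(uint32_t start, uint32_t stop, uint32_t insn_len, int use_rf,
                   uint32_t *log, int log_cap)
{
    uint32_t dr0 = start, dr7 = dr7_arm(0, 0, HWBP_EXEC, 0);
    uint32_t eflags = 0x246u, eip = start;   /* constructed user-mode EFLAGS */
    int hits = 0;
    for (int guard = 0; guard < 64; guard++) {
        uint32_t dr6;
        if ((dr7 & 1u) && eip == dr0 && !(eflags & EFLAGS_RF)) {
            dr6 = DR6_B0;                      /* fault before the instruction at eip */
        } else {
            int tf = eflags & EFLAGS_TF;
            eflags &= ~EFLAGS_RF;              /* CPU drops RF after each instruction */
            eip += insn_len;                   /* the instruction executes */
            if (!tf) return hits;              /* nothing armed any more */
            dr6 = DR6_BS;                      /* trap after the instruction */
        }
        if (hits < log_cap) log[hits] = eip;
        hits++;
        if (eip == stop) {
            eflags = eflags_stop_trace(eflags);
            dr7 = dr7_disarm(dr7, 0);
            return hits;
        }
        eflags = use_rf ? eflags_continue_trace(eflags, dr6) : (eflags | EFLAGS_TF);
    }
    return -1;
}

int main(void)
{
    uint32_t log[16];
    int n = simulate_trace(0x401000u, 0x401010u, 4, 1, log, 16);
    printf("with RF: %d handler calls\n", n);
    for (int i = 0; i < n; i++) printf("  %08x\n", log[i]);
    printf("without RF: %d (looping)\n", simulate_trace(0x401000u, 0x401010u, 4, 0, log, 16));
    return 0;
}
```

With RF the model logs 0x401000, 0x401004, 0x401008, 0x40100c, 0x401010 and stops; with TF only it keeps faulting at 0x401000, which is the behaviour the first post describes.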