Ecoste Newbie cheater
Reputation: 0
Joined: 25 Jun 2012 Posts: 10
Posted: Tue Aug 16, 2016 9:18 pm Post subject: INT3 breakpoints and specify the interrupt handler function?
How do debuggers set INT3 breakpoints and handle them?
Ok, I overwrite an instruction with INT3+NOPs to fill the void, and remember what it was to replace it later. This part is easy.
But, what then? How do I set the interrupt handler function, there must be some kind of system call to do that, no? I can't find any information on doing this in Windows user mode.
Could someone point me to some resources that explain how to do this or provide an example?
Thank you.
ParkourPenguin I post too much
Reputation: 152
Joined: 06 Jul 2014 Posts: 4696
Ecoste Newbie cheater
Reputation: 0
Joined: 25 Jun 2012 Posts: 10
Posted: Tue Aug 16, 2016 9:47 pm
ParkourPenguin wrote: Haven't done this myself but this should get you started.
(I can't post URLs)
Thanks, don't know how I didn't find that.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25785 Location: The netherlands
Posted: Wed Aug 17, 2016 4:23 am
also no need to nop the rest. Just the first byte is enough
on breakpoint restore the byte
do stuff you wanted to do on break
do a single step, and set the 0xcc back
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
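The sequence Dark Byte describes above (restore the byte, do the work, single-step, write 0xCC back), as an added example that is not part of the original thread: a portable C model of the breakpoint bookkeeping over a byte buffer. `Ctx`, `Bp` and the `bp_*` functions are hypothetical names, the code bytes are constructed, and nothing here calls the Windows exception APIs.

```c
#include <stddef.h>
#include <stdint.h>
#define INT3      0xCC
#define TRAP_FLAG 0x100u  /* EFLAGS.TF: one instruction runs, then a single-step exception */

/* Hypothetical model types: a minimal thread context and one breakpoint slot. */
typedef struct { size_t ip; uint32_t eflags; } Ctx;
typedef struct { size_t addr; uint8_t saved; int armed, stepping; } Bp;

/* Arm: remember the original first byte and overwrite only that byte. */
void bp_set(Bp *bp, uint8_t *code, size_t addr) {
    bp->addr = addr;
    bp->saved = code[addr];
    code[addr] = INT3;
    bp->armed = 1; bp->stepping = 0;
}

/* Breakpoint exception; hit_addr is the address of the 0xCC byte.
   Returns 1 if handled, 0 if the exception is not ours and must be passed on. */
int bp_on_break(Bp *bp, uint8_t *code, Ctx *ctx, size_t hit_addr) {
    if (!bp->armed || hit_addr != bp->addr) return 0;
    code[bp->addr] = bp->saved;  /* restore the original byte */
    ctx->ip = bp->addr;          /* resume at the start of the original instruction */
    ctx->eflags |= TRAP_FLAG;    /* ask for exactly one single step */
    bp->armed = 0; bp->stepping = 1;
    return 1;
}

/* Single-step exception: the original instruction has executed, re-arm. */
int bp_on_single_step(Bp *bp, uint8_t *code, Ctx *ctx) {
    if (!bp->stepping) return 0; /* a step we did not request */
    code[bp->addr] = INT3;
    ctx->eflags &= ~TRAP_FLAG;   /* stop stepping */
    bp->armed = 1; bp->stepping = 0;
    return 1;
}

/* Constructed sample: nop; mov eax,1; ret. Returns 0 if one full cycle behaves. */
int demo(void) {
    uint8_t code[] = { 0x90, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };
    Ctx ctx = { 2, 0 };          /* raw x86 leaves ip one past the 0xCC at offset 1 */
    Bp bp;
    bp_set(&bp, code, 1);
    if (code[1] != INT3 || code[2] != 0x01) return 1;  /* only one byte patched */
    if (!bp_on_break(&bp, code, &ctx, 1)) return 2;
    if (code[1] != 0xB8 || ctx.ip != 1 || !(ctx.eflags & TRAP_FLAG)) return 3;
    if (!bp_on_single_step(&bp, code, &ctx)) return 4;
    return (code[1] == INT3 && !(ctx.eflags & TRAP_FLAG)) ? 0 : 5;
}
```

Against a real process the writes to `code` need the page made writable first, since code sections are normally mapped read-execute.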
Ecoste Newbie cheater
Reputation: 0
Joined: 25 Jun 2012 Posts: 10
Posted: Wed Aug 17, 2016 3:57 pm
Thanks for replying guys! Just to add to the answers, I found one more way, you can also roll with SEH or VEH.
VEH: msdn.microsoft()com/en-us/library/windows/desktop/ms679273(v=vs.85).aspx
SEH: microsoft()com/msj/0197/exception/exception.aspx
With SEH, you gotta make sure the EXCEPTION_REGISTRATION is located on the stack because Windows checks if it's within the range of the stack for security purposes.
With VEH, do something like
Code:
LONG CALLBACK VectoredHandler(PEXCEPTION_POINTERS ExceptionInfo) {
    if (ExceptionInfo->ExceptionRecord->ExceptionCode != EXCEPTION_PRIV_INSTRUCTION)
        return EXCEPTION_CONTINUE_SEARCH;
    *(char*)ExceptionInfo->ContextRecord->Eip = 0xFF; //0xFF being whatever byte you replaced.
    return EXCEPTION_CONTINUE_EXECUTION;
}
...
AddVectoredContinueHandler(1, VectoredHandler);
I'm using EXCEPTION_PRIV_INSTRUCTION because I'm using HLT to generate an exception. It's just that when debugging with VS2015 I can't figure out how to not let it handle int3 breakpoints. But when you're not running with the VS2015 debugger then using an int3 is perfectly fine.
hhhuut Grandmaster Cheater
Reputation: 6
Joined: 08 Feb 2015 Posts: 607
Posted: Wed Aug 17, 2016 4:34 pm
Probably your link is just the wrong one, but use the Vectored Exception Handler rather than the Vectored Continue Handler.