Ring3 Hardware Breakpoints

4 Breakpoint Registers DR0~DR3 is used to set the linear address of a breakpoint.

The DR6 is the status register, and the DR7 is the control register.

DR4 and DR5 reserved. When cr4.de==1, Access DR4 and DR5 produce #ud exceptions; if cr4.de==0, Access DR4 and DR5 will be access to DR6 and DR7.

The following table is very clear:
|---------------|----------------|
dr0| Linear address for a general breakpoint
|---------------|----------------|
dr1| Linear address for a general breakpoint
|---------------|----------------|
dr2| Linear address for a general breakpoint
|---------------|----------------|
dr3| Linear address for a general breakpoint
|---------------|----------------|
dr4| Keep
|---------------|----------------|
dr5| Keep
|---------------|----------------|
dr6| | BBB BBB B |
| | TSD 3 2 1 0 |
|---------------|----------------|
dr7|       LEN RWE ...  LEN RWE | G GL GL GL GL GL |
|                    3 3 ...  0 0 | D EE 33 22 11 00 |
|---------------|----------------|
31 15 0 0


L0~L3 Local breakpoint Valid bit corresponds to DR0~DR3 when a task switch occurs, the processor will L0~L3
G0~G3 Global Breakpoint Valid bit corresponds to DR0~DR3SetThreadContext Set These bits is also not effectiveShould be used in real mode.


LEN0: Two bits, starting at bit 17, to control the breakpoint length of the Dr0, possibly value:
00 1 bytes
01 2 bytes
10 reserved
11 4 bytes
RWE0: Starting with the 15th bit, which takes up two bits, the breakpoint that controls Dr0 is read, write, or execute breakpoint or I/O port breakpoint:
00 Execute only
01 Writing a Data breakpoint
I/O port breakpoint (for pentium+ only, need to set CR4 de bit)
11 read or write data breakpoints
Rwe1~3,len1~3 is used to control the dr1~3 of the breakpoint, meaning as above.

This information is basically enough to set a breakpoint.

The hardware breakpoint provided by OD is Dword,word,byte, which is related to memory address. For example:

Addr = = 4n You can set a DWORD breakpoint
addr = = 4n + 2 to set word breakpoints
addr = = 2n+1 only a byte breakpoint.
For example, at 00401000, you can set three breakpoints.
At 00401002, you can only set word and byte breakpoints
At 00401005, you can set a byte breakpoint

If you want to access the DRX register directly with the MOV command, you need to be in real address mode, System Management mode (SMM) or in protected mode (CPL 0).

You can use GetThreadContext or Wow64getthreadcontext (64-bit system) in Windows systems. In kernel mode, you can use Psgetthreadcontext or catch exceptions and then read them.

The thread context set by SetThreadContext is valid for the current thread, so why is the hardware breakpoint on the OD valid for the current process?
because OD is a traverse thread down, the new thread also breaks down .

Precautions for using SetThreadContext:

• The time to get the thread context. When loading the target process occurs the first time except_breakpoint occurs in APC, the thread's true context is temporarily stored on the stack, and when the APC ends the call to ntcontinue back to the kernel, write back, If SetThreadContext is called at this point, the breakpoint is only valid during APC , but we can rewrite the context on the stack, so we can set the breakpoint in advance.

• Enough permission to open the target process.

As long as you can use the Drx breakpoint function can be used with SEH, debugging API for some anti-tracking.

The following is an example of a anti-od:

[CPP]View PlainCopyPrint?

2. //OD Sets the value of the DRX to its own value each time it obtains control of the debugged program   
4. //If the hardware breakpoint is not set, the DRX will be 0 each time .   
8. #include "stdafx.h"   
10. #include <stdio.h>   
12. #include <windows.h>   
16. void Initdetect ()
18. {
20. Context context;
22. HANDLE  hthread = GetCurrentThread ();
24. Context. Contextflags = context_debug_registers;
26. GetThreadContext (Hthread, &context);
28. Context. Dr0 = 0xFF;
30. Context. DR1 = 0xFE;
32. Context. DR2 = 0xFD;
34. Context. DR3 = 0xFC;
38. SetThreadContext (Hthread, &context);
40. }
44. ///Only for OD other debugger does not validate Microsoft debugger is invalid   
46. //Anti OD breakpoint   
48. BOOL isdebuged ()
50. {
52. Context context;
54. HANDLE  hthread = GetCurrentThread ();
56. Context. Contextflags = context_debug_registers;
58. GetThreadContext (Hthread, &context);
62. printf ("dr0:%x\n", context.)  DR0);
64. printf ("dr1:%x\n", context.)  DR1);
66. printf ("dr2:%x\n", context.)  DR2);
68. if (context. Dr0! = 0xFF | | Context. Dr1! = 0xFE | | Context. Dr2! = 0xFD)
70. {
72. return  TRUE;
74. }
76. return  FALSE;
78. }

Each time OD gets the control of the debugged program, the value of the DRX is set to its own setpoint//If the hardware breakpoint is not set, the DRX will always be 0#include "stdafx.h" #include <stdio.h> #include < Windows.h>void Initdetect () {context context; HANDLE hthread = GetCurrentThread (); context. Contextflags = context_debug_registers; GetThreadContext (Hthread, &context); context. Dr0 = 0xff;context. DR1 = 0xfe;context. DR2 = 0xfd;context. DR3 = 0xFC; SetThreadContext (Hthread, &context);} Only for OD other debugger does not verify that Microsoft Debugger is invalid//anti OD breakpoint BOOL isdebuged () {context context; HANDLE hthread = GetCurrentThread (); context. Contextflags = context_debug_registers; GetThreadContext (Hthread, &context);p rintf ("dr0:%x\n", context. DR0);p rintf ("dr1:%x\n", context. DR1);p rintf ("dr2:%x\n", context. DR2); if (context. Dr0! = 0xFF | | Context. Dr1! = 0xFE | | Context. Dr2! = 0xFD) {return TRUE;} return FALSE;}

JPG change rar

Ring3 Hardware Breakpoints