From 3e061ab773fcc484de6ff3110cd6c38033f54a4e Mon Sep 17 00:00:00 2001
From: "Mr. eXoDia"
Date: Fri, 25 Jul 2014 20:40:47 +0200
Subject: [PATCH] fixed some detection problems with PUSHFD/PUSHFQ
---
 TitanEngine/TitanEngine.Debugger.Control.cpp | 37 ++++++++++---------
 .../TitanEngine.Debugger.DebugLoop.cpp | 18 ++++++++-
 2 files changed, 35 insertions(+), 20 deletions(-)
diff --git a/TitanEngine/TitanEngine.Debugger.Control.cpp b/TitanEngine/TitanEngine.Debugger.Control.cpp
index 10b3845..87a34d4 100644
--- a/TitanEngine/TitanEngine.Debugger.Control.cpp
+++ b/TitanEngine/TitanEngine.Debugger.Control.cpp
@@ -49,28 +49,31 @@ __declspec(dllexport) void TITCALL ForceClose()
 __declspec(dllexport) void TITCALL StepInto(LPVOID StepCallBack)
 {
- ULONG_PTR ueContext = NULL;
-
- ueContext = (ULONG_PTR)GetContextData(UE_EFLAGS);
- ueContext |= UE_TRAP_FLAG;
- SetContextData(UE_EFLAGS, ueContext);
- engineStepActive = true;
- engineStepCallBack = StepCallBack;
- engineStepCount = NULL;
+ ULONG_PTR ueCurrentPosition = GetContextData(UE_CIP);
+ unsigned char instr[16];
+ MemoryReadSafe(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
+ char* DisassembledString=(char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr);
+ if(strstr(DisassembledString, "PUSHF"))
+ StepOver(StepCallBack);
+ else
+ {
+ ULONG_PTR ueContext = NULL;
+ ueContext = (ULONG_PTR)GetContextData(UE_EFLAGS);
+ ueContext |= UE_TRAP_FLAG;
+ SetContextData(UE_EFLAGS, ueContext);
+ engineStepActive = true;
+ engineStepCallBack = StepCallBack;
+ engineStepCount = NULL;
+ }
 }
 __declspec(dllexport) void TITCALL StepOver(LPVOID StepCallBack)
 {
- ULONG_PTR ueCurrentPosition = NULL;
-#if !defined(_WIN64)
- ueCurrentPosition = (ULONG_PTR)GetContextData(UE_EIP);
-#else
- ueCurrentPosition = GetContextData(UE_RIP);
-#endif
+ ULONG_PTR ueCurrentPosition = GetContextData(UE_CIP);
 unsigned char instr[16];
- ReadProcessMemory(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
+ MemoryReadSafe(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
 char* DisassembledString=(char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr);
- if(strstr(DisassembledString, "CALL")||strstr(DisassembledString, "REP")||strstr(DisassembledString, "PUSHF"))
+ if(strstr(DisassembledString, "CALL") || strstr(DisassembledString, "REP") || strstr(DisassembledString, "PUSHF"))
 {
 ueCurrentPosition+=StaticLengthDisassemble((void*)instr);
 SetBPX(ueCurrentPosition, UE_BREAKPOINT_TYPE_INT3+UE_SINGLESHOOT, StepCallBack);
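Review bot: The result of `MemoryReadSafe` is discarded in the new StepInto body and in the StepOver line that replaced `ReadProcessMemory`, and `instr` is never initialized, so a failed read (unmapped or guarded page at CIP) hands sixteen bytes of stale stack to `StaticDisassembleEx` and the PUSHF/CALL/REP decision is made on garbage. Assuming MemoryReadSafe reports success through its return value as its name suggests, the read, disassembly and `strstr` should be collected into one file-static helper that treats a failed read as "not PUSHF" and that StepInto, StepOver and the identical sequence added to DebugLoop can all call; a sketch follows. The `strstr(..., "PUSHF")` test is a substring match on the mnemonic text, which is fine for PUSHF/PUSHFD/PUSHFQ but worth a comment saying that is the intent. StepOver's body continues past the end of this hunk.
```cpp
// True when the instruction at `addr` in the debuggee disassembles to
// PUSHF/PUSHFD/PUSHFQ. A failed read is reported as "not PUSHF" rather than
// disassembling an uninitialized buffer.
static bool IsPushfAt(ULONG_PTR addr)
{
    unsigned char instr[16] = {0};
    if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)addr, instr, sizeof(instr), 0))
        return false;
    const char* disasm = (const char*)StaticDisassembleEx(addr, (LPVOID)instr);
    return disasm != NULL && strstr(disasm, "PUSHF") != NULL;
}

__declspec(dllexport) void TITCALL StepInto(LPVOID StepCallBack)
{
    // Stepping a PUSHF with TF set would push TF into the saved flags and a
    // later POPF would re-enable single-stepping, so step over it instead.
    if(IsPushfAt(GetContextData(UE_CIP)))
        StepOver(StepCallBack);
    else
    {
        // … unchanged: trap-flag step setup …
    }
}
```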
@@ -88,7 +91,6 @@ __declspec(dllexport) void TITCALL StepOut(LPVOID StepOut, bool StepFinal) __declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack) { - ULONG_PTR ueContext = NULL; ueContext = (ULONG_PTR)GetContextData(UE_EFLAGS); @@ -102,7 +104,6 @@ __declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBa __declspec(dllexport) void TITCALL SetNextDbgContinueStatus(DWORD SetDbgCode) { - if(SetDbgCode != DBG_CONTINUE) { DBGCode = DBG_EXCEPTION_NOT_HANDLED; diff --git a/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp b/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp index 0358d36..512ee4f 100644 --- a/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp +++ b/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp @@ -18,6 +18,7 @@ __declspec(dllexport) void TITCALL DebugLoop() { bool FirstBPX = true; bool ResetBPX = false; + bool PushfBPX = false; bool BreakDBG = false; bool ResetHwBPX = false; bool ResetMemBPX = false; @@ -543,7 +544,6 @@ __declspec(dllexport) void TITCALL DebugLoop() GetThreadContext(hActiveThread, &myDBGContext); if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT) myDBGContext.EFlags |= UE_TRAP_FLAG; - myDBGContext.EFlags |= UE_RESUME_FLAG; #if defined(_WIN64) myDBGContext.Rip = myDBGContext.Rip - FoundBreakPoint.BreakPointSize; #else 
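Review bot: Dropping `myDBGContext.EFlags |= UE_RESUME_FLAG;` in the @@ -543 hunk (and again in the @@ -1146 hunk of the same file) is a behaviour change that the commit title, which only mentions PUSHFD/PUSHFQ, does not explain. As far as I can tell the resume flag was what let the re-executed original instruction skip a hardware execution breakpoint sitting on the same address, so without it such a breakpoint may fault a second time before the single step completes; if that case is handled elsewhere, a one-line comment at the removal site would save the next reader the same question, e.g. `// RF deliberately not set: <reason>`. The enclosing DebugLoop function starts and ends outside these hunks.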
@@ -552,6 +552,12 @@ __declspec(dllexport) void TITCALL DebugLoop()
 SetThreadContext(hActiveThread, &myDBGContext);
 EngineCloseHandle(hActiveThread);
 VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)FoundBreakPoint.BreakPointAddress, FoundBreakPoint.BreakPointSize, OldProtect, &OldProtect);
+ ULONG_PTR ueCurrentPosition = FoundBreakPoint.BreakPointAddress;
+ unsigned char instr[16];
+ MemoryReadSafe(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
+ char* DisassembledString=(char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr);
+ if(strstr(DisassembledString, "PUSHF"))
+ PushfBPX = true;
 myCustomBreakPoint = (fCustomBreakPoint)((LPVOID)FoundBreakPoint.ExecuteCallBack);
 //execute callback
 __try
@@ -656,6 +662,15 @@ __declspec(dllexport) void TITCALL DebugLoop()
 DBGCode = DBG_CONTINUE;
 if(ResetBPX) //restore 'normal' breakpoint
 {
+ if(PushfBPX) //remove trap flag from stack
+ {
+ PushfBPX = false;
+ void* csp=(void*)GetContextData(UE_CSP);
+ ULONG_PTR data=0;
+ ReadProcessMemory(dbgProcessInformation.hProcess, csp, &data, sizeof(ULONG_PTR), 0);
+ data &= ~UE_TRAP_FLAG;
+ WriteProcessMemory(dbgProcessInformation.hProcess, csp, &data, sizeof(ULONG_PTR), 0);
+ }
 if(ResetBPXAddressTo + ResetBPXSize != (ULONG_PTR)DBGEvent.u.Exception.ExceptionRecord.ExceptionAddress)
 {
 EnableBPX(ResetBPXAddressTo);
@@ -1146,7 +1161,6 @@ __declspec(dllexport) void TITCALL DebugLoop()
 GetThreadContext(hActiveThread, &myDBGContext);
 if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)
 myDBGContext.EFlags |= UE_TRAP_FLAG;
- myDBGContext.EFlags |= UE_RESUME_FLAG;
 SetThreadContext(hActiveThread, &myDBGContext);
 EngineCloseHandle(hActiveThread);
 VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)FoundBreakPoint.BreakPointAddress, FoundBreakPoint.BreakPointSize, OldProtect, &OldProtect);
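Review bot: `PushfBPX = true` is set for every breakpoint hit on a PUSHF, including UE_SINGLESHOOT ones for which the lines just above this hunk do not set UE_TRAP_FLAG, and the flag is only ever cleared inside the `if(ResetBPX)` block added further down; if that block is not reached for the single-shot case (I cannot see where ResetBPX is set from here), the stale flag survives until the next ordinary breakpoint and the saved-flags fix-up is then applied to an unrelated stack word. Tying the flag to the same condition and re-evaluating it on every hit avoids both problems: `PushfBPX = (FoundBreakPoint.BreakPointType != UE_SINGLESHOOT) && strstr(DisassembledString, "PUSHF") != NULL;`. The read into the uninitialized `instr` also ignores MemoryReadSafe's result, the same issue as in StepInto in the first file. DebugLoop starts and ends outside this hunk.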
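Review bot: In the @@ -656 hunk the `ReadProcessMemory` result is ignored, so when the read fails `data` keeps its initial 0 and `WriteProcessMemory` stores a zero word over the saved flags at CSP, corrupting the debuggee's stack rather than leaving it alone. The fix-up should only run when the read succeeded: `if(ReadProcessMemory(dbgProcessInformation.hProcess, csp, &data, sizeof(ULONG_PTR), 0))` `{ data &= ~UE_TRAP_FLAG; WriteProcessMemory(dbgProcessInformation.hProcess, csp, &data, sizeof(ULONG_PTR), 0); }`. The block also relies on the single step having executed exactly the PUSHF so that the pushed flags sit at CSP; a comment stating that assumption, e.g. `// after stepping the PUSHF the pushed EFLAGS is the top stack word`, would make the invariant visible. The rest of the file uses `MemoryReadSafe` for reads in this commit, so using it here too would keep the module consistent.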