mirror of https://github.com/x64dbg/TitanEngine
fixed some detection problems with PUSHFD/PUSHFQ
This commit is contained in:
parent
3c348c7882
commit
3e061ab773
|
|
@ -48,9 +48,16 @@ __declspec(dllexport) void TITCALL ForceClose()
|
||||||
}
|
}
|
||||||
|
|
||||||
__declspec(dllexport) void TITCALL StepInto(LPVOID StepCallBack)
|
__declspec(dllexport) void TITCALL StepInto(LPVOID StepCallBack)
|
||||||
|
{
|
||||||
|
ULONG_PTR ueCurrentPosition = GetContextData(UE_CIP);
|
||||||
|
unsigned char instr[16];
|
||||||
|
MemoryReadSafe(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
|
||||||
|
char* DisassembledString=(char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr);
|
||||||
|
if(strstr(DisassembledString, "PUSHF"))
|
||||||
|
StepOver(StepCallBack);
|
||||||
|
else
|
||||||
{
|
{
|
||||||
ULONG_PTR ueContext = NULL;
|
ULONG_PTR ueContext = NULL;
|
||||||
|
|
||||||
ueContext = (ULONG_PTR)GetContextData(UE_EFLAGS);
|
ueContext = (ULONG_PTR)GetContextData(UE_EFLAGS);
|
||||||
ueContext |= UE_TRAP_FLAG;
|
ueContext |= UE_TRAP_FLAG;
|
||||||
SetContextData(UE_EFLAGS, ueContext);
|
SetContextData(UE_EFLAGS, ueContext);
|
||||||
|
|
@ -58,17 +65,13 @@ __declspec(dllexport) void TITCALL StepInto(LPVOID StepCallBack)
|
||||||
engineStepCallBack = StepCallBack;
|
engineStepCallBack = StepCallBack;
|
||||||
engineStepCount = NULL;
|
engineStepCount = NULL;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
__declspec(dllexport) void TITCALL StepOver(LPVOID StepCallBack)
|
__declspec(dllexport) void TITCALL StepOver(LPVOID StepCallBack)
|
||||||
{
|
{
|
||||||
ULONG_PTR ueCurrentPosition = NULL;
|
ULONG_PTR ueCurrentPosition = GetContextData(UE_CIP);
|
||||||
#if !defined(_WIN64)
|
|
||||||
ueCurrentPosition = (ULONG_PTR)GetContextData(UE_EIP);
|
|
||||||
#else
|
|
||||||
ueCurrentPosition = GetContextData(UE_RIP);
|
|
||||||
#endif
|
|
||||||
unsigned char instr[16];
|
unsigned char instr[16];
|
||||||
ReadProcessMemory(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
|
MemoryReadSafe(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
|
||||||
char* DisassembledString=(char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr);
|
char* DisassembledString=(char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr);
|
||||||
if(strstr(DisassembledString, "CALL") || strstr(DisassembledString, "REP") || strstr(DisassembledString, "PUSHF"))
|
if(strstr(DisassembledString, "CALL") || strstr(DisassembledString, "REP") || strstr(DisassembledString, "PUSHF"))
|
||||||
{
|
{
|
||||||
|
|
@ -88,7 +91,6 @@ __declspec(dllexport) void TITCALL StepOut(LPVOID StepOut, bool StepFinal)
|
||||||
|
|
||||||
__declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack)
|
__declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack)
|
||||||
{
|
{
|
||||||
|
|
||||||
ULONG_PTR ueContext = NULL;
|
ULONG_PTR ueContext = NULL;
|
||||||
|
|
||||||
ueContext = (ULONG_PTR)GetContextData(UE_EFLAGS);
|
ueContext = (ULONG_PTR)GetContextData(UE_EFLAGS);
|
||||||
|
|
@ -102,7 +104,6 @@ __declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBa
|
||||||
|
|
||||||
__declspec(dllexport) void TITCALL SetNextDbgContinueStatus(DWORD SetDbgCode)
|
__declspec(dllexport) void TITCALL SetNextDbgContinueStatus(DWORD SetDbgCode)
|
||||||
{
|
{
|
||||||
|
|
||||||
if(SetDbgCode != DBG_CONTINUE)
|
if(SetDbgCode != DBG_CONTINUE)
|
||||||
{
|
{
|
||||||
DBGCode = DBG_EXCEPTION_NOT_HANDLED;
|
DBGCode = DBG_EXCEPTION_NOT_HANDLED;
|
||||||
|
|
|
||||||
|
|
@ -18,6 +18,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
|
||||||
{
|
{
|
||||||
bool FirstBPX = true;
|
bool FirstBPX = true;
|
||||||
bool ResetBPX = false;
|
bool ResetBPX = false;
|
||||||
|
bool PushfBPX = false;
|
||||||
bool BreakDBG = false;
|
bool BreakDBG = false;
|
||||||
bool ResetHwBPX = false;
|
bool ResetHwBPX = false;
|
||||||
bool ResetMemBPX = false;
|
bool ResetMemBPX = false;
|
||||||
|
|
@ -543,7 +544,6 @@ __declspec(dllexport) void TITCALL DebugLoop()
|
||||||
GetThreadContext(hActiveThread, &myDBGContext);
|
GetThreadContext(hActiveThread, &myDBGContext);
|
||||||
if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)
|
if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)
|
||||||
myDBGContext.EFlags |= UE_TRAP_FLAG;
|
myDBGContext.EFlags |= UE_TRAP_FLAG;
|
||||||
myDBGContext.EFlags |= UE_RESUME_FLAG;
|
|
||||||
#if defined(_WIN64)
|
#if defined(_WIN64)
|
||||||
myDBGContext.Rip = myDBGContext.Rip - FoundBreakPoint.BreakPointSize;
|
myDBGContext.Rip = myDBGContext.Rip - FoundBreakPoint.BreakPointSize;
|
||||||
#else
|
#else
|
||||||
|
|
@ -552,6 +552,12 @@ __declspec(dllexport) void TITCALL DebugLoop()
|
||||||
SetThreadContext(hActiveThread, &myDBGContext);
|
SetThreadContext(hActiveThread, &myDBGContext);
|
||||||
EngineCloseHandle(hActiveThread);
|
EngineCloseHandle(hActiveThread);
|
||||||
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)FoundBreakPoint.BreakPointAddress, FoundBreakPoint.BreakPointSize, OldProtect, &OldProtect);
|
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)FoundBreakPoint.BreakPointAddress, FoundBreakPoint.BreakPointSize, OldProtect, &OldProtect);
|
||||||
|
ULONG_PTR ueCurrentPosition = FoundBreakPoint.BreakPointAddress;
|
||||||
|
unsigned char instr[16];
|
||||||
|
MemoryReadSafe(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
|
||||||
|
char* DisassembledString=(char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr);
|
||||||
|
if(strstr(DisassembledString, "PUSHF"))
|
||||||
|
PushfBPX = true;
|
||||||
myCustomBreakPoint = (fCustomBreakPoint)((LPVOID)FoundBreakPoint.ExecuteCallBack);
|
myCustomBreakPoint = (fCustomBreakPoint)((LPVOID)FoundBreakPoint.ExecuteCallBack);
|
||||||
//execute callback
|
//execute callback
|
||||||
__try
|
__try
|
||||||
|
|
@ -656,6 +662,15 @@ __declspec(dllexport) void TITCALL DebugLoop()
|
||||||
DBGCode = DBG_CONTINUE;
|
DBGCode = DBG_CONTINUE;
|
||||||
if(ResetBPX) //restore 'normal' breakpoint
|
if(ResetBPX) //restore 'normal' breakpoint
|
||||||
{
|
{
|
||||||
|
if(PushfBPX) //remove trap flag from stack
|
||||||
|
{
|
||||||
|
PushfBPX = false;
|
||||||
|
void* csp=(void*)GetContextData(UE_CSP);
|
||||||
|
ULONG_PTR data=0;
|
||||||
|
ReadProcessMemory(dbgProcessInformation.hProcess, csp, &data, sizeof(ULONG_PTR), 0);
|
||||||
|
data &= ~UE_TRAP_FLAG;
|
||||||
|
WriteProcessMemory(dbgProcessInformation.hProcess, csp, &data, sizeof(ULONG_PTR), 0);
|
||||||
|
}
|
||||||
if(ResetBPXAddressTo + ResetBPXSize != (ULONG_PTR)DBGEvent.u.Exception.ExceptionRecord.ExceptionAddress)
|
if(ResetBPXAddressTo + ResetBPXSize != (ULONG_PTR)DBGEvent.u.Exception.ExceptionRecord.ExceptionAddress)
|
||||||
{
|
{
|
||||||
EnableBPX(ResetBPXAddressTo);
|
EnableBPX(ResetBPXAddressTo);
|
||||||
|
|
@ -1146,7 +1161,6 @@ __declspec(dllexport) void TITCALL DebugLoop()
|
||||||
GetThreadContext(hActiveThread, &myDBGContext);
|
GetThreadContext(hActiveThread, &myDBGContext);
|
||||||
if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)
|
if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)
|
||||||
myDBGContext.EFlags |= UE_TRAP_FLAG;
|
myDBGContext.EFlags |= UE_TRAP_FLAG;
|
||||||
myDBGContext.EFlags |= UE_RESUME_FLAG;
|
|
||||||
SetThreadContext(hActiveThread, &myDBGContext);
|
SetThreadContext(hActiveThread, &myDBGContext);
|
||||||
EngineCloseHandle(hActiveThread);
|
EngineCloseHandle(hActiveThread);
|
||||||
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)FoundBreakPoint.BreakPointAddress, FoundBreakPoint.BreakPointSize, OldProtect, &OldProtect);
|
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)FoundBreakPoint.BreakPointAddress, FoundBreakPoint.BreakPointSize, OldProtect, &OldProtect);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue