lborup
January 12th, 2009, 07:25
Hi
I'm debugging my way through the (in my view) fairly complex unpacking of a Windows malware binary. After some interesting use of SEH, creation of new segments and a jump into such a new section, I come across the following statements:
int 3
push ebp
hlt
No exception handler is registered except the standard one in kernel32.dll, and in my view the program should be allowed to continue while passing exceptions to the application instead of the debugger. And hlt should throw an exception since the CPU is not in protected mode, but be allowed to continue afterwards.
But when I set a hardware breakpoint on the following statement, and allow the process to run, it shuts down.
Could anyone please tell me whether I am wrong in my assumptions on this particular part, or if it looks like I have made some error earlier in the unpacking?
Best regards,
Lasse