[NtSC]
April 11th, 2010, 13:36
Hi there..
I discussed the problem already with kayaker and he suggested it's probably a topic for the forum.
I want to track access to a memory location (over 4 addresses, so no HWBP; also no direct code-patch). That's why I use a VEH and set PAGE_GUARD on the page my address sits in. On access I check if it's my address / set SINGLESTEP, and on trigger I re-apply PAGE_GUARD. Some location seems to trouble that, since I end up in an endless loop. Problem is that I end up in NTDLL/KiUserExceptionDispatcher at some point. Weird thing is I handle PAGE_GUARD / SINGLESTEP in my VEH; all other exceptions are forwarded (EXCEPTION_CONTINUE_SEARCH).
Here are some details:
from Debugview:
[2484] Single_Step at: 0x10d195cc
[2484] Page_Guard at: 0x10d1bff0
[2484] Single_Step at: 0x10d1bff3
[2484] Page_Guard at: 0x10d1bff3
[2484] Single_Step at: 0x10d1bff6
[2484] Page_Guard at: 0x10d1bff6
[2484] Single_Step at: 0x10d1bff7
[2484] Page_Guard at: 0x10d1bff7
[2484] Single_Step at: 0x10d1bffb
[2484] Page_Guard at: 0x10d1bffb
[2484] Single_Step at: 0x7c91e480
[2484] Page_Guard at: 0x10d1bffb
[2484] Single_Step at: 0x7c91e480
[2484] Page_Guard at: 0x10d1bffb
[2484] Single_Step at: 0x7c91e480
[2484] Page_Guard at: 0x10d1bffb
and from IDA:
.text:10D1BFF0 var_8 = dword ptr -8
.text:10D1BFF0 var_4 = dword ptr -4
.text:10D1BFF0 arg_0 = dword ptr 4
.text:10D1BFF0 arg_4 = dword ptr 8
.text:10D1BFF0 arg_8 = dword ptr 0Ch
.text:10D1BFF0
.text:10D1BFF0 83 EC 08 sub esp, 8
.text:10D1BFF3 0F 57 C0 xorps xmm0, xmm0
.text:10D1BFF6 56 push esi
.text:10D1BFF7 8B 74 24 10 mov esi, [esp+0Ch+arg_0]
.text:10D1BFFB C7 05 9C EA 83 11 00 00+ mov dword_1183EA9C, 0
.text:10D1C005 8B 46 0C mov eax, [esi+0Ch]
.text:10D1C008 F3 0F 11 44 24 04 movss [esp+0Ch+var_8], xmm0
.text:10D1C00E 0F B6 10 movzx edx, byte ptr [eax]
Anyone have a guess what goes wrong?
Thanks in advance
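Two things in the post can be checked mechanically from the pasted data alone: whether the DebugView trace has settled into a repeating Page_Guard/Single_Step pair (and whether the single-step EIP of that pair lies inside the guarded page at all), and whether any instruction in the IDA listing straddles a 4 KiB page boundary. The script below is an added example, not the poster's VEH code; it embeds the log and listing from the post as constructed sample input, assumes the DebugView line format exactly as pasted, assumes the listing is contiguous (each instruction's length is taken from the next listed address, falling back to the byte count shown when a line is last), and assumes 4 KiB pages.

```python
import re

PAGE_SIZE = 0x1000

# Constructed sample input: the DebugView output quoted in the post.
DEBUGVIEW_LOG = """\
[2484] Single_Step at: 0x10d195cc
[2484] Page_Guard at: 0x10d1bff0
[2484] Single_Step at: 0x10d1bff3
[2484] Page_Guard at: 0x10d1bff3
[2484] Single_Step at: 0x10d1bff6
[2484] Page_Guard at: 0x10d1bff6
[2484] Single_Step at: 0x10d1bff7
[2484] Page_Guard at: 0x10d1bff7
[2484] Single_Step at: 0x10d1bffb
[2484] Page_Guard at: 0x10d1bffb
[2484] Single_Step at: 0x7c91e480
[2484] Page_Guard at: 0x10d1bffb
[2484] Single_Step at: 0x7c91e480
[2484] Page_Guard at: 0x10d1bffb
[2484] Single_Step at: 0x7c91e480
[2484] Page_Guard at: 0x10d1bffb
"""

# Constructed sample input: the IDA listing quoted in the post.
IDA_LISTING = """\
.text:10D1BFF0 var_8 = dword ptr -8
.text:10D1BFF0 var_4 = dword ptr -4
.text:10D1BFF0 arg_0 = dword ptr 4
.text:10D1BFF0 arg_4 = dword ptr 8
.text:10D1BFF0 arg_8 = dword ptr 0Ch
.text:10D1BFF0
.text:10D1BFF0 83 EC 08 sub esp, 8
.text:10D1BFF3 0F 57 C0 xorps xmm0, xmm0
.text:10D1BFF6 56 push esi
.text:10D1BFF7 8B 74 24 10 mov esi, [esp+0Ch+arg_0]
.text:10D1BFFB C7 05 9C EA 83 11 00 00+ mov dword_1183EA9C, 0
.text:10D1C005 8B 46 0C mov eax, [esi+0Ch]
.text:10D1C008 F3 0F 11 44 24 04 movss [esp+0Ch+var_8], xmm0
.text:10D1C00E 0F B6 10 movzx edx, byte ptr [eax]
"""

LOG_RE = re.compile(r"^\[(\d+)\]\s+(Page_Guard|Single_Step) at: 0x([0-9a-fA-F]+)\s*$")
LISTING_RE = re.compile(r"^\.text:([0-9A-Fa-f]+)\s*(.*)$")
BYTE_RE = re.compile(r"[0-9A-Fa-f]{2}\+?")  # IDA marks truncated byte runs with a trailing '+'


def parse_log(text):
    """Return (pid, kind, eip) tuples for every DebugView line in the assumed format."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3), 16)))
    return events


def pair_events(events):
    """Pair each Page_Guard hit with the Single_Step that follows it; unpaired steps are dropped."""
    pairs, pending = [], None
    for _pid, kind, eip in events:
        if kind == "Page_Guard":
            pending = eip
        elif pending is not None:  # Single_Step closing a guard hit
            pairs.append((pending, eip))
            pending = None
    return pairs


def find_livelock(events, min_repeats=2):
    """Longest run of identical consecutive (guard_eip, step_eip) pairs, or None if none repeats."""
    pairs, best, run = pair_events(events), None, 0
    for i, pair in enumerate(pairs):
        run = run + 1 if i and pairs[i - 1] == pair else 1
        if run >= min_repeats and (best is None or run > best["repeats"]):
            guard, step = pair
            best = {"guard_eip": guard, "step_eip": step, "repeats": run,
                    "step_in_guard_page": step // PAGE_SIZE == guard // PAGE_SIZE}
    return best


def parse_listing(text):
    """Return (addr, byte_count, truncated, mnemonic) for listing lines that carry opcode bytes."""
    insns = []
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if not m:
            continue
        addr, tokens = int(m.group(1), 16), m.group(2).split()
        n = 0
        while n < len(tokens) and BYTE_RE.fullmatch(tokens[n]):
            n += 1
        if n == 0:  # var_/arg_ declarations or a bare address line
            continue
        truncated = tokens[n - 1].endswith("+")
        insns.append((addr, n, truncated, " ".join(tokens[n:])))
    return insns


def page_crossing_instructions(insns):
    """Instructions whose bytes span a PAGE_SIZE boundary, as (addr, end, mnemonic)."""
    out = []
    for i, (addr, nbytes, truncated, mnem) in enumerate(insns):
        if i + 1 < len(insns):
            end = insns[i + 1][0]  # contiguous listing assumed: next address bounds this insn
        elif truncated:
            continue  # last line with a '+' run: length unknown, cannot judge
        else:
            end = addr + nbytes
        if addr // PAGE_SIZE != (end - 1) // PAGE_SIZE:
            out.append((addr, end, mnem))
    return out


if __name__ == "__main__":
    lock = find_livelock(parse_log(DEBUGVIEW_LOG))
    if lock:
        print("repeating pair: guard at %#x, step at %#x, x%d, step in guard page: %s"
              % (lock["guard_eip"], lock["step_eip"], lock["repeats"], lock["step_in_guard_page"]))
    for addr, end, mnem in page_crossing_instructions(parse_listing(IDA_LISTING)):
        print("instruction at %#x (%s) ends at %#x and crosses a page boundary" % (addr, mnem, end))
```

On the pasted data it reports the pair (guard at 0x10d1bffb, step at 0x7c91e480) repeating three times with the single-step EIP outside the guarded page, and that the 10-byte `mov dword_1183EA9C, 0` at 0x10D1BFFB ends at 0x10D1C005, so it straddles the 0x10D1C000 boundary. The script only surfaces those two facts; it does not establish which of them causes the loop.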