Question regarding VEH/PAGE_GUARD/SINGLESTEP


[NtSC]
April 11th, 2010, 13:36
Hi there..
I discussed the problem already with kayaker and he suggested it's probably a topic for the forum..

I want to track access to a memory location (over 4 addresses so no HWBP, also no direct code-patch), that's why I use a VEH and set PAGE_GUARD on the page my address sits in.. On access I check if it's my address / set SINGLESTEP and on trigger I re-apply PAGE_GUARD. Some location seems to trouble that since I end up in an endless loop. Problem is that I end up in NTDLL/KiUserExceptionDispatcher at some point.. Weird thing is I handle PAGE_GUARD / SINGLESTEP in my VEH, all other exceptions are forwarded (EXCEPTION_CONTINUE_SEARCH).

Here are some details:

from Debugview:
[2484] Single_Step at: 0x10d195cc
[2484] Page_Guard at: 0x10d1bff0
[2484] Single_Step at: 0x10d1bff3
[2484] Page_Guard at: 0x10d1bff3
[2484] Single_Step at: 0x10d1bff6
[2484] Page_Guard at: 0x10d1bff6
[2484] Single_Step at: 0x10d1bff7
[2484] Page_Guard at: 0x10d1bff7
[2484] Single_Step at: 0x10d1bffb
[2484] Page_Guard at: 0x10d1bffb
[2484] Single_Step at: 0x7c91e480
[2484] Page_Guard at: 0x10d1bffb
[2484] Single_Step at: 0x7c91e480
[2484] Page_Guard at: 0x10d1bffb
[2484] Single_Step at: 0x7c91e480
[2484] Page_Guard at: 0x10d1bffb

and from IDA:
.text:10D1BFF0 var_8 = dword ptr -8
.text:10D1BFF0 var_4 = dword ptr -4
.text:10D1BFF0 arg_0 = dword ptr 4
.text:10D1BFF0 arg_4 = dword ptr 8
.text:10D1BFF0 arg_8 = dword ptr 0Ch
.text:10D1BFF0
.text:10D1BFF0 83 EC 08 sub esp, 8
.text:10D1BFF3 0F 57 C0 xorps xmm0, xmm0
.text:10D1BFF6 56 push esi
.text:10D1BFF7 8B 74 24 10 mov esi, [esp+0Ch+arg_0]
.text:10D1BFFB C7 05 9C EA 83 11 00 00+ mov dword_1183EA9C, 0
.text:10D1C005 8B 46 0C mov eax, [esi+0Ch]
.text:10D1C008 F3 0F 11 44 24 04 movss [esp+0Ch+var_8], xmm0
.text:10D1C00E 0F B6 10 movzx edx, byte ptr [eax]

Anyone a guess what goes wrong?

Thanks in advance
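The scheme described in the post above (guard the page, note whether the faulting access landed on the watched bytes, single-step one instruction, put the guard back), written out as an added example; it is not code from this thread. The handler policy is a plain C function so it can be checked without Windows; the wrapper under `#ifdef _WIN32` (the names `wp_veh`, `wp_arm`, the 4 KiB page and the VirtualAlloc'd target are assumptions) registers with AddVectoredExceptionHandler(1, ...) so it sits first in the VEH chain, hands every other exception code on with EXCEPTION_CONTINUE_SEARCH, and clears TF before re-arming. It keeps one global state, which only holds single-threaded (TF and the pending re-arm are per-thread state), and it does nothing special when another exception arrives while TF is already set, which is the situation the replies below warn about.

```c
#include <stddef.h>
#include <stdint.h>

#define WP_STATUS_GUARD_PAGE_VIOLATION 0x80000001u  /* EXCEPTION_GUARD_PAGE */
#define WP_STATUS_SINGLE_STEP          0x80000004u  /* EXCEPTION_SINGLE_STEP */
#define WP_EFLAGS_TF                   0x100u       /* trap flag */

enum wp_action { WP_CONTINUE_SEARCH, WP_CONTINUE_EXECUTION };

struct watch {
    uintptr_t lo, hi;   /* watched bytes [lo, hi), e.g. one dword */
    uintptr_t page;     /* page carrying the guard (assumed: range lies in one page) */
    int rearm_pending;  /* the fault stripped PAGE_GUARD; re-apply after one step */
    unsigned hits;      /* accesses that landed inside [lo, hi) */
};

void wp_init(struct watch *w, uintptr_t addr, size_t len, size_t page_size)
{
    w->lo = addr;
    w->hi = addr + len;
    w->page = addr & ~((uintptr_t)page_size - 1);
    w->rearm_pending = 0;
    w->hits = 0;
}

/* Handler policy, free of Windows types so it can be unit-tested anywhere.
 * code:   ExceptionCode; access: ExceptionInformation[1] for a guard fault, else 0
 * eflags: the thread's EFlags from the CONTEXT, updated in place
 * reapply_guard: set when the caller must VirtualProtect(PAGE_GUARD) again */
enum wp_action wp_decide(struct watch *w, uint32_t code, uintptr_t access,
                         uint32_t *eflags, int *reapply_guard)
{
    *reapply_guard = 0;
    if (code == WP_STATUS_GUARD_PAGE_VIOLATION) {
        /* Windows already removed PAGE_GUARD and will re-run the faulting
         * instruction; count a hit if it touched the watched bytes, then
         * trap again after exactly one instruction so the guard can go back. */
        if (access >= w->lo && access < w->hi)
            w->hits++;
        w->rearm_pending = 1;
        *eflags |= WP_EFLAGS_TF;
        return WP_CONTINUE_EXECUTION;
    }
    if (code == WP_STATUS_SINGLE_STEP) {
        if (!w->rearm_pending)
            return WP_CONTINUE_SEARCH;   /* someone else's trap (debugger, other tracer) */
        w->rearm_pending = 0;
        *eflags &= ~WP_EFLAGS_TF;        /* resume with TF clear, guard goes back on */
        *reapply_guard = 1;
        return WP_CONTINUE_EXECUTION;
    }
    return WP_CONTINUE_SEARCH;           /* anything else: next handler / SEH */
}

#ifdef _WIN32
#include <windows.h>
#include <stdio.h>

#define WP_PAGE 4096
static struct watch g_w;  /* global state: valid for this single-threaded demo only */

static void wp_arm(void)
{
    DWORD old;
    /* assumed: page was allocated PAGE_READWRITE; OR the guard bit onto it */
    VirtualProtect((LPVOID)g_w.page, WP_PAGE, PAGE_READWRITE | PAGE_GUARD, &old);
}

static LONG CALLBACK wp_veh(EXCEPTION_POINTERS *ep)
{
    EXCEPTION_RECORD *er = ep->ExceptionRecord;
    CONTEXT *ctx = ep->ContextRecord;
    uintptr_t access = er->NumberParameters >= 2 ? (uintptr_t)er->ExceptionInformation[1] : 0;
    uint32_t eflags = (uint32_t)ctx->EFlags;
    int reapply = 0;
    enum wp_action a = wp_decide(&g_w, (uint32_t)er->ExceptionCode, access, &eflags, &reapply);
    ctx->EFlags = eflags;
    if (reapply)
        wp_arm();
    return a == WP_CONTINUE_EXECUTION ? EXCEPTION_CONTINUE_EXECUTION : EXCEPTION_CONTINUE_SEARCH;
}

int main(void)
{
    volatile unsigned char *page = VirtualAlloc(NULL, WP_PAGE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    volatile uint32_t *target = (volatile uint32_t *)(page + 0x10);   /* the "4 addresses" */
    wp_init(&g_w, (uintptr_t)target, sizeof *target, WP_PAGE);
    AddVectoredExceptionHandler(1, wp_veh);  /* 1 = head of the VEH chain */
    wp_arm();
    page[0x800] = 1;        /* same page, not the watched dword: traps, re-arms, not counted */
    *target = 0x41414141;   /* watched write: counted */
    (void)*target;          /* watched read: counted */
    printf("hits: %u (expect 2)\n", g_w.hits);
    return 0;
}
#endif
```

The guard fault reports the address the CPU actually touched in ExceptionInformation[1], so the policy compares that, not EIP, against the watched range; if the watched bytes sit in a code page, an instruction fetch faults too and the reported address is the fetch address. Per-thread state (TLS or a map keyed on thread id) is what a multithreaded target needs, since the trap flag belongs to the thread that faulted.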

Indy
April 12th, 2010, 07:42
1. Using watch pages for multithreaded applications is impossible.
2. Any exception other than STATUS_SINGLE_STEP generated with TF = 1 will deadlock.

disavowed
April 12th, 2010, 23:28
1. Have you tried using PAGE_NO_ACCESS instead of PAGE_GUARD?
2. Are you sure you're the top-most VEH in the VEH chain?

[NtSC]
April 13th, 2010, 02:28
1. No, not by now. Will try it out later
2. How can I verify that (from an injected dll)?

Thanks

Indy
April 13th, 2010, 02:54
[NtSC]
Quote:
KiUserExceptionDispatcher

http://files.virustech.org/indy/Teory/Exceptions/vt_except_model.pdf (in Russian)
Quote:
2. Are you sure you're the top-most VEH in the VEH chain?

Quote:
2. How can I verify that (from an injected dll)?

RtlAddVectoredExceptionHandler: PLIST_ENTRY
> http://indy-vx.narod.ru/Bin/Barrier.zip
On the side (inject dll and dispatch in VEH):
> http://indy-vx.narod.ru/Bin/Ldr.zip
> http://indy-vx.narod.ru/Bin/Ij.zip
Quote:
1. Have you tried using PAGE_NO_ACCESS instead of PAGE_GUARD?

http://virustech.org/f/viewtopic.php?id=88 (in Russian)
> http://indy-vx.narod.ru/Bin/IDP.zip

[NtSC]
April 13th, 2010, 06:43
Thank you very much

disavowed
April 13th, 2010, 10:35
Quote:
Originally Posted by [NtSC]: 2. How can I verify that (from an injected dll)?

You could hook RtlAddVectoredExceptionHandler.