NeonFlash
March 6th, 2012, 10:50
Hi,
I have a sample which makes use of some antidebugging tricks. A brief overview is that it jumps to a subroutine which installs an exception handler and then triggers a memory access violation. When you pass the exception to the installed exception handler, it brings you back to the instruction which triggered the exception, and this cycle continues until the value of one register becomes 0.
In short,
call <subroutine1>                  ; the return address pushed here is what gets installed as the handler
Exception Handler Code comes here
....
....
....
<subroutine1>
xor eax, eax                        ; eax = 0
push dword ptr fs:[eax]             ; save the current SEH chain head (fs:[0]) as the Next pointer
mov dword ptr fs:[eax], esp         ; fs:[0] = esp, i.e. the new {Next, Handler} record
add eax, 40                         ; eax = 40
sub dword ptr ds:[004xxxxx], eax    ; write into a read-only code page -> access violation
Now, the memory address 004xxxxx lies inside the code section, which is not writable, and hence a memory access violation is triggered. I pass the exception to the program, which brings it to the Exception Handler code. However, this cycle repeats. It checks the value of a particular register, edx, which was set to a large value like 15000 at the start of the program.
dec edx                             ; loop counter, started at about 15000
jnz <section>                       ; taken until edx reaches 0
Now, I want it to skip that jump to <section>, which will happen only when edx = 0. If I do it manually, I need to pass the exception of memory access violation to the program every time. That is not possible.
How do I achieve something like this?
What I did to resolve it:
Instead of stepping through the code and passing the exception to the program, I set a breakpoint on the KiUserExceptionDispatcher routine. Now, I run the program and any time an exception is triggered, I hit my breakpoint. I can see the value of the edx register decrementing every time I do this, so I thought of running a trace.
TOC edx == 0
and then started the trace, but it runs only once. I need to press enter every time in the Command Bar to make it run once each time, which does not serve the purpose.
I hope my question is clear.
Thanks.
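One way to automate what the trace was meant to do, as an added example that is not part of the original post: an ODbgScript-style script for OllyDbg that catches every exception the sample raises, passes it back to the program, and only stops on the final pass. Assumptions: the ODbgScript plugin's commands as I understand them (var, mov, eoe, run, esto, cmp, jbe, log, msg, ret, inc), and that the dec edx / jnz pair sits inside the handler, so the last exception is raised with edx == 1 and a check for edx == 0 at the dispatcher would never fire; verify both against the plugin's help and the sample before relying on it.

```ollyscript
// Added example (ODbgScript syntax assumed): ride the SEH loop until the edx counter is exhausted.
// The script leaves the debuggee paused at the last access violation so it can be stepped by hand.

var hits                // number of exceptions seen so far (constructed counter, for the log)
mov hits, 0

eoe onexcept            // when the debuggee raises an exception, continue the script at onexcept
run                     // run the debuggee; it stops at the first access violation
jmp stopped             // got here without an exception: a breakpoint or program exit

onexcept:
inc hits
cmp edx, 1              // handler does dec edx / jnz, so the pass entered with edx == 1 is the last one
jbe lastpass
eoe onexcept            // re-arm the handler in case the plugin treats it as one-shot (assumption)
esto                    // pass the exception to the program (Shift+F9) and keep running
jmp stopped             // stopped for another reason (breakpoint, termination)

lastpass:
log hits
log edx
msg "Final pass: edx == 1 at exception time. Step the handler to watch dec edx / jnz fall through."
ret

stopped:
log hits
msg "Debuggee stopped without raising an exception."
ret
```

If the sample's counter decrements before the faulting instruction rather than in the handler, change the comparison to the value edx holds on the last pass you observe at the KiUserExceptionDispatcher breakpoint.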