SuperBPM on Win2K???


foxthree
April 15th, 2002, 13:25
Hi there:

I was much impressed with SuperBPM under Win9x with the way it prevents most anti-DRx tricks. It would help immensely if such a tool were to be available for Win2K and WinXP. To that end, I'm trying to understand how SuperBPM works. My understanding is that most packers generate an exception and reset the DRx registers in the exception handler code? Is this correct? Also, how can I "port" SuperBPM's functionality to Win2K? I'm willing to put my "full" efforts on this problem (even if it requires writing a KMD) as it would immensely help a lot of us who are reversing under Win2K. Of course, another way would be to go to ring0 and reset the DRx registers. However, I presume this would be platform dependent (the ring0 transition I mean).

Mostly, I find SoftICE does not break on BPMs at all. So, I am willing to code up a SuperBPM variant, provided I have enough understanding. Any pointers/tips in the right direction are highly appreciated.

Thanks,

Signed,
-- FoxThree

Ni2
April 15th, 2002, 20:08
foxthree,

I haven't studied SuperBPM, only 80386 protected mode books.

There is a bit in the DR7 register (GD (general detect enable) flag (bit 13)) that protects the debug registers (even from Ring0 apps).

Now, you have the idea

Cheers,
Ni2

foxthree
April 15th, 2002, 20:34
Hi Ni2:

Thanks for your post. I too know about it. However, my understanding is that if GD in DR7 is enabled, any r/w access to DRx is prevented and an INT 1 is generated. Right? But if I enable GD I'll no longer be able to set any breakpoints in the DRx registers, right?

Thanks for clarifying,

Signed,
-- FoxThree

Ni2
April 15th, 2002, 21:13
Hi Foxthree,

When you protect the debug registers, any read/write to them will enter your debug exception handler, as you already know. The processor clears the GD flag inside your debug exception handler, so you can play again with the debug registers and set the GD flag back again if you want before leaving your exception handler.

Let me know if this answers your question.

Cheers,
Ni2

foxthree
April 16th, 2002, 06:35
Hi Ni2:

Thanks for your post. Yes, now I understand ... at least theoretically. Time to code some stuff and test the theory.

Signed,
-- FoxThree

Ni2
April 16th, 2002, 09:57
Hi foxthree,

Good luck coding your new little devil. I can't wait to see it in action. Keep us in touch with your progress.

cheers,
Ni2

crUsAdEr
April 17th, 2002, 01:33
Hey fox3,

Are u done with the super BPM on win2k yet? .. LOL...

Anyway, stumbled upon this while searching for info on writing a loader in the board... the board is a maze... but the search feature is REAL good... You might have seen this, you might not have, so ah well...
http://www.woodmann.net/forum/showthread.php?s=&threadid=1112&highlight=loader

It has some info by R!sc on how old AsProtect clears DRx, not sure if it is still relevant but it might help...

cheers,

foxthree
April 17th, 2002, 07:29
binh:

Howz it going? No, I'm not done yet... I'm afraid I might crash my HD by writing a KMD. However, I'm learning KMD basics. Have a hello world driver running.

Thanks for your link man, I think it would take 2 days for me to understand what is written in that post LOL .... Okay, back to my books. Ugh.

Thanks once again....

Signed,
-- FoxThree

Solomon
April 26th, 2002, 10:15
I also want to know how to write a SuperBPM for win2k.

Currently I have such an idea:
1. write a KMD
2. The KMD hooks INT 1, INT 3 and sets GD bit in DR7.
3. When INT1 occurs, its INT1 handler checks the BD bit of DR6.
If BD is set, it checks the current thread ID or current process name to ensure that this INT1 is triggered by the desired ring-3 apps (if we don't do this, we may not be able to set any BPM breakpoint in SoftICE).

If so, it saves all the debug registers and inserts an INT3 instruction right after the instruction which accesses the debug register. When INT3 is triggered, it restores the patched bytes of the ring 3 apps and restores all the debug registers, then sets GD bit of DR7.

Instead of inserting INT 3, we may also use single-step flag to let the ring 3 apps access the debug registers, then we restore them.

I don't know whether the above is correct or not. Gurus, please share your comments.
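
Added here as an illustration, not code from the thread, from SuperBPM or from any real driver: a host-side C model of the DR7.GD / DR6.BD mechanism Ni2 describes and of the save, let-execute, restore sequence outlined in the steps above. The `pid` tag, `target_pid` and the register values are constructed for the simulation; nothing touches real debug registers. One architectural fact it relies on (Intel SDM): the general-detect #DB is a fault, so the MOV that triggered it has not executed when the handler runs.

```c
#include <stdint.h>
#include <string.h>

#define DR7_GD (1u << 13)   /* DR7 bit 13: general detect enable */
#define DR6_BD (1u << 15)   /* DR6 bit 15: debug register access detected */

/* dr[0..3] hold breakpoint addresses, dr[6] is status, dr[7] is control.
   pid is a hypothetical "current process" tag used only by the simulation. */
typedef struct { uint32_t dr[8]; uint32_t pid; } cpu_t;

typedef enum { DB_PASS, DB_ALLOW, DB_UNDO } db_action;

static cpu_t saved;                          /* DRx snapshot taken at the fault */
static const uint32_t target_pid = 0x1234;   /* constructed: the packed debuggee */

/* What the CPU does on a MOV to/from DRn while GD is set (Intel SDM): #DB is
   a fault, the MOV is not executed, BD is set in DR6 and GD is cleared in DR7. */
static void raise_general_detect(cpu_t *c) {
    c->dr[6] |= DR6_BD;
    c->dr[7] &= ~DR7_GD;
}

/* INT 1 handler following the outline above: claim only GD faults, and undo
   the write only for the target process; a debugger's own DRx write is kept. */
static db_action int1_handler(cpu_t *c) {
    if (!(c->dr[6] & DR6_BD)) return DB_PASS; /* hw breakpoint or single-step */
    c->dr[6] &= ~DR6_BD;                       /* DR6 bits are sticky: clear them */
    saved = *c;                                /* DR0-3/DR7 as they were */
    return (c->pid == target_pid) ? DB_UNDO : DB_ALLOW;
}

/* Trap taken right after the MOV completed (single-step or INT3 variant):
   restore the saved registers if the debuggee wrote them, then re-arm GD. */
static void after_mov_trap(cpu_t *c, db_action a) {
    if (a == DB_UNDO) memcpy(c->dr, saved.dr, sizeof c->dr);
    if (a != DB_PASS) c->dr[7] |= DR7_GD;
}

/* Simulate "mov drN, value" issued by whatever process is tagged in c->pid. */
static void exec_mov_dr(cpu_t *c, int n, uint32_t value) {
    db_action a = DB_PASS;
    if (c->dr[7] & DR7_GD) {        /* first attempt faults; GD is then clear */
        raise_general_detect(c);
        a = int1_handler(c);
    }
    c->dr[n] = value;               /* the MOV itself now executes */
    after_mov_trap(c, a);
}
```

Run a debuggee write to DR0 or DR7 through `exec_mov_dr` and the breakpoint survives with GD re-armed; run the same write tagged with another pid and it is kept, which is the SoftICE case the outline worries about.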

IcyDee
April 26th, 2002, 12:21
I don't know if I follow all of your reasoning but have you considered the following points?

... inserts an INT3 instruction right after the instruction which accesses the debug register...

This presumably requires you to know the length of every instruction, so you will need to include some disassembler code. I think tsehp, or was it ArthaXerXes, or both, used code like this in their programs.

Also, what do you do in the event of conditional jumps where the next instruction to execute could be one of two locations? What do you do with calls or returns? Sounds to me that you need to use the Int 1 not the Int 3.

foxthree
April 26th, 2002, 20:33
Hi Solomon:

Welcome aboard! Thanks for sharing my idea. I haven't made *ANY* progress on this (stuck in LOTZZZZZ of questions about SEH and things like that). I have a few questions for you:

90% of our ideas are ideally the same. I sent a PM to Ni2 almost along the same lines as what you've written but I think the latest MB fiasco wiped out his PMs and he did not respond (yet).

My questions are:

(1) How will you check the current thread ID and process ID from your driver to compare with the target PID/thread ID?
(2) Why the INT3 tricks? When the INT 1 interrupt is triggered and after you've verified it is for you (remember at this point GD is cleared), why not simply reset the GD and continue? Any problems with this approach? If so, can you please outline them.

Also, I came to know from some friends that INT1 will not only be generated for this and it will be generated for a *VARIETY* of reasons. How do we handle this?

Gurus, please help us by posting your thoughts / comments on this problem. Solomon, I'd be glad to be of any help in this work.

Thanks again for your interest. [IMHO, such a tool is *STRONGLY* needed for Win2K. It is such a pain to notice your BPM's wiped out by the packer code. Grrrrr....]

Signed,
-- FoxThree

PS: Solomon, I've the source code for Elicz's SuperBPM for Win9x. I went through it and understood 90% of it but there are still a lot of questions unanswered. If you're interested, we can take a look at it together. It looks to me that he is playing around with SetThreadContext in R0. Maybe we can get by with just doing this...