View Full Version : WIN32 Debug API


yousky
June 29th, 2004, 14:42
Hi all,

First of all, thanks to Iczelion for his tutorial on Win32 Debug API.

I've read different examples of the use of WaitForDebugEvent. I've implemented that in a little program to handle the exception from the $CC (Int 3). All works fine except when I've rewritten the original memory code with the $CC.

Explanation:

- CreateProcess of the target
- WriteProcessMemory to put the $CC code at the right memory address for the breakpoint
- WaitForDebugEvent
- Handle the EXCEPTION_BREAKPOINT
- GetThreadContext
- WriteProcessMemory with the original 1 byte memory code at EIP - 1 to continue the execution of the target program
- SetThreadContext with the EFlags using $100
- ContinueDebugEvent
- Handle EXCEPTION_SINGLE_STEP
- WriteProcessMemory to put the $CC code at the right memory address for the breakpoint
- ContinueDebugEvent

=> The code of the target program is executed after the breakpoint.

My problem is that after that, WaitForDebugEvent gives me EXCEPTION_ACCESS_VIOLATION, so the target program freezes and loops.

Do you have an idea for that problem?

Thanks for your help.
Yousky

synku
July 30th, 2004, 04:29
Yes, the INT 3 is executed, so EIP is after it. So when you replace it with the original byte, you have to set EIP=EIP-1.
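The breakpoint sequence from this thread, replayed in a small portable model (an added example, not code from either poster and not Win32 code). The target bytes, the `Target` struct, `run` and `debug` are all constructed for illustration; the model shows that without the EIP rewind the CPU resumes in the middle of the restored instruction and faults, while with it the target runs to completion.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model, not Win32 code: the target is a byte array and the "CPU"
   decodes only the few x86 encodings this demo needs. */
enum { EV_EXIT, EV_BREAKPOINT, EV_SINGLE_STEP, EV_ACCESS_VIOLATION };
#define TRAP_FLAG 0x100u                 /* the $100 EFlags bit from the post */
#define BP_ADDR   0u                     /* breakpoint on the first instruction */
typedef struct { uint32_t eip, eflags, eax; uint8_t mem[16]; } Target;
/* mov eax,1 ; inc eax ; ret */
static const uint8_t CODE[] = { 0xB8, 0x01, 0, 0, 0, 0x40, 0xC3 };

/* Run the target until the next debug event (what WaitForDebugEvent reports). */
static int run(Target *t) {
    for (;;) {
        const uint8_t *p = &t->mem[t->eip];
        if (p[0] == 0xCC) { t->eip += 1; return EV_BREAKPOINT; } /* EIP now past INT 3 */
        else if (p[0] == 0xB8) { t->eax = p[1] | p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24; t->eip += 5; }
        else if (p[0] == 0x40) { t->eax += 1; t->eip += 1; }
        else if (p[0] == 0xC3) return EV_EXIT;
        else return EV_ACCESS_VIOLATION; /* only 01 00 gets here: add [eax],eax, eax == 0 */
        if (t->eflags & TRAP_FLAG) { t->eflags &= ~TRAP_FLAG; return EV_SINGLE_STEP; }
    }
}

/* Debugger side: the steps from the post; `rewind` toggles the EIP-1 fix from the reply. */
static int debug(int rewind, uint32_t *eax_out) {
    Target t = {0};
    memcpy(t.mem, CODE, sizeof CODE);
    uint8_t orig = t.mem[BP_ADDR];
    t.mem[BP_ADDR] = 0xCC;                 /* WriteProcessMemory: plant $CC */
    for (;;) {
        int ev = run(&t);                  /* WaitForDebugEvent */
        if (ev == EV_BREAKPOINT) {
            t.mem[t.eip - 1] = orig;       /* original byte back at EIP - 1 */
            if (rewind) t.eip -= 1;        /* EIP = EIP - 1: rerun the whole instruction */
            t.eflags |= TRAP_FLAG;         /* SetThreadContext with $100 */
        } else if (ev == EV_SINGLE_STEP) {
            t.mem[BP_ADDR] = 0xCC;         /* re-arm the breakpoint */
        } else { *eax_out = t.eax; return ev; }
    }
}

int main(void) {
    uint32_t eax; int ev = debug(1, &eax);
    printf("rewind:    event=%d eax=%u\n", ev, (unsigned)eax);
    ev = debug(0, &eax);
    printf("no rewind: event=%d eax=%u\n", ev, (unsigned)eax);
    return 0;
}
```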