View Full Version : NTDLL patch to disallow DR0-DR7 writes from ring3


0xebfe
August 31st, 2005, 13:51
Hi, from SOTM33, Nicolas Brulez mentioned there's a way to patch ntdll.dll to disallow writing into the debug registers from user space. I guess that sort of functionality is invaluable to me and I guess to lots of other reversers out there. However, there's no public info on this available. Anyone know how to do this? Or better yet, have a patch for WinXP's ntdll.dll? I am just tired of working around polymorphic code that erases DRxs, which makes both software and hardware breaks really hard to set.

Any info would be nice!

Ricardo Narvaja
September 3rd, 2005, 07:23
I use superBPM for NT and the debug registers cannot be changed, but there are programs that change the debug registers and check the change and don't run, others detect super bpm running, etc. But if you need the hardware bpx in Olly not to be erased by the running program, use super bpm and you have the solution.

Ricardo Narvaja

blabberer
September 3rd, 2005, 11:49
hi Ricardo
are you talking about the superBPM.sys by ddc?? it never seemed to work, always crashed with an illegal operation

or are you talking about the superbpm by ElicZ?? (iirc it's a 9x-only vxd and elicz didn't release an nt version i think, and it's mostly for softice) dunno, never had the necessity to look deep into them

Ricardo Narvaja
September 3rd, 2005, 12:58
superbpm.sys is what I use in WinXP plus SP1 in various tuts, and in CrackLatinos I'm not the only one who uses it in tuts. In SP1 it works perfectly for me; I haven't tried it in SP2.

Ricardo Narvaja

0xebfe
September 7th, 2005, 13:20
Thanks guys.. I could only find superbpm by ElicZ, which indeed is a 9x VXD. Ricardo, any links for the .sys for NT? If you have used it, I guess it must be working fine. Would love to get my hands on it, and also learn how it does that..

blabberer
September 8th, 2005, 05:09
search some chinese forums, it was written by ddcrack at yeah.net
i only have the .sys and its tester with me, don't know where i downloaded it, but a smart google with the translate-the-page option should be able to fetch it for you. but as i said the testbpm.exe always crashed the few times i tested it, and the .nfo file is in chinese so i understand nothing
and i didn't have the time to look into the .sys disassembly
i think it uses the cr0.wp bit to remove the page protection and write back

Ricardo Narvaja
September 9th, 2005, 17:34
http://www.ricnar456.dyndns.org/HERRAMIENTAS/Q-R-S-T-U/superbpmfornt.zip

you can download it from here. It works for me, I have used it several times.

Ricardo Narvaja