Dailydave mailing list archives
Re: Tool announce: user mode single stepping
From: <Rafal_Wojtczuk () McAfee com>
Date: Thu, 30 Nov 2006 10:27:58 -0000
Hi,

Yes, I have seen tcodetrace before (and it was very inspiring); in the
article, when speaking of the in-process EXCEPTION_SINGLE_STEP trapping
technique, there is a link to http://www.cybertech.net/~sh0ksh0k/projects/ ;
it used to be a link to
http://www.cybertech.net/~sh0ksh0k/projects/tcodetrace/Self%20Single-Stepping.txt
But the latter is taken offline (this URL is still included in the umss-0.2
package documentation). Is it going to be available somewhere besides the
Google cache?

And naturally umss does a different thing than
TRAP_STATIC_CODE_START/TRAP_STATIC_CODE_END.

RW

-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Matt Conover
Sent: Wednesday, November 29, 2006 5:15 PM
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Tool announce: user mode single stepping

I guess you never heard of tcodetrace...

http://72.14.203.104/search?q=cache:gDeAFf4bIJ4J:www.cybertech.net/~sh0ksh0k/projects/tcodetrace

There has been a document included with the code since March 2006 named
"Self Single-Stepping.txt" which, as the title implies, utilizes this exact
technique. The source code has also been posted there for a long time..
These are the contents of "Self Single-Stepping.txt":

For static code, every instruction between
TRAP_STATIC_CODE_START/TRAP_STATIC_CODE_END is trapped.
For dynamic code, you specify the code address and code size all within
TRAP_DYNAMIC_CODE.

You specify a callback that will be called for each instruction about to be
executed. The callback can analyze the instruction and choose one of these
options:

1. Execute the instruction (return TRAP_EXECUTE)
2. Stop trapping (return TRAP_STOP) and continue after the trapping code
   (e.g., first instruction after TRAP_STATIC_CODE_END/TRAP_DYNAMIC_CODE)
3. Kick in a debugger (return TRAP_DEBUG) by leaving the single-step
   exception unhandled
4. Skip the instruction (return TRAP_SKIP).
5. Disable trapping and execute until a breakpoint is reached (TRAP_GO)
6. Step over the current instruction (TRAP_STEP_OVER). If the next
   instruction is a call, for example, it will execute the function and
   then break after the call completes.
7. Step out of the current function (TRAP_STEP_OUT).

Non-single-step exceptions are left unhandled so that the program will
function as it normally would have.

The benefit of doing it this way as opposed to using the native Win32
debugging technique is that:
1. You can load whatever code you want to execute within the current process
2. You don't leave signs the code is being debugged like debugging does

Currently it will skip int1/int3/into/popf automatically, but anything more
advanced should be done by the user-defined handler.

[cut]
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
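The in-process trapping scheme quoted above (set the trap flag, catch the resulting single-step exception in the same process, let a per-instruction callback decide EXECUTE / SKIP / STOP over a dynamic code region) is described for Win32 and EXCEPTION_SINGLE_STEP. The following is an added example, not code from umss or tcodetrace, that carries the same idea to Linux/x86-64: TF in EFLAGS is armed from a SIGTRAP handler via the ucontext, every subsequent trap lands in the same handler with RIP pointing at the instruction about to execute, and the handler applies the callback's decision. The traced region is a constructed 16-byte code buffer (mov/add/add/ret), the callback names, TRAP_* subset and `run_dynamic` modes are assumptions of this example, and TRAP_SKIP requires the callback to supply the instruction length because no decoder is included. TRAP_DEBUG, TRAP_GO, TRAP_STEP_OVER and TRAP_STEP_OUT from the text are not implemented here.

```c
/* Self single-stepping of a dynamic code region on Linux/x86-64.
 * Added example, not umss or tcodetrace code. Assumes glibc and the standard
 * kernel behaviour of delivering a user-set TF trap as SIGTRAP. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>

#if !defined(__x86_64__) || !defined(__linux__)
#error "this example targets x86-64 Linux"
#endif
#ifndef REG_RIP        /* glibc names these only under _GNU_SOURCE; the gregs indices are fixed */
#define REG_RIP 16
#define REG_EFL 17
#endif
#define X86_EFLAGS_TF 0x100   /* trap flag: the CPU raises #DB after every instruction */

enum trap_action { TRAP_EXECUTE, TRAP_SKIP, TRAP_STOP };   /* subset of the actions in the text */
/* Called before each instruction in the region with its offset. A callback
 * returning TRAP_SKIP must also report the instruction length (no decoder here). */
typedef enum trap_action (*trap_cb)(uintptr_t off, size_t *insn_len);

#define MAX_STEPS 64
static struct {
    uintptr_t start; size_t size; trap_cb cb;
    volatile sig_atomic_t armed, entered, disarm;
    size_t nsteps; uintptr_t steps[MAX_STEPS];   /* offsets of every trapped instruction */
} g;

static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    greg_t *rip = &uc->uc_mcontext.gregs[REG_RIP];   /* next instruction to execute */
    greg_t *efl = &uc->uc_mcontext.gregs[REG_EFL];
    (void)sig; (void)si;                              /* si->si_code is TRAP_TRACE for TF traps */

    if (g.disarm) { *efl &= ~(greg_t)X86_EFLAGS_TF; return; }
    if (!g.armed) {      /* first SIGTRAP is our own raise(): set TF in the interrupted frame */
        g.armed = 1; *efl |= X86_EFLAGS_TF; return;
    }
    for (;;) {
        uintptr_t pc = (uintptr_t)*rip;
        if (pc < g.start || pc >= g.start + g.size) {
            if (g.entered) *efl &= ~(greg_t)X86_EFLAGS_TF;  /* left the region: continue untraced */
            return;
        }
        g.entered = 1;
        if (g.nsteps < MAX_STEPS) g.steps[g.nsteps] = pc - g.start;
        g.nsteps++;
        size_t len = 0;
        switch (g.cb(pc - g.start, &len)) {
        case TRAP_SKIP: *rip += (greg_t)len; continue;   /* advance RIP and re-evaluate the new pc */
        case TRAP_STOP: *efl &= ~(greg_t)X86_EFLAGS_TF; return;
        default:        return;                          /* TRAP_EXECUTE: TF stays set */
        }
    }
}

/* Run fn() with cb invoked for every instruction executed inside [code, code+size). */
static int trace_dynamic_code(int (*fn)(void), const void *code, size_t size, trap_cb cb)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap; sa.sa_flags = SA_SIGINFO; sigemptyset(&sa.sa_mask);
    sigaction(SIGTRAP, &sa, &old);
    memset(&g, 0, sizeof g);
    g.start = (uintptr_t)code; g.size = size; g.cb = cb;
    raise(SIGTRAP);                 /* arms TF; single-stepping starts when the handler returns */
    int ret = fn();
    g.disarm = 1; raise(SIGTRAP);   /* guarantee TF is clear even if the region was never entered */
    sigaction(SIGTRAP, &old, NULL);
    return ret;
}

/* Constructed region (not from the page): mov eax,1 ; add eax,0x10 ; add eax,0x100 ; ret */
static const unsigned char DYN_CODE[] = {
    0xb8, 0x01, 0x00, 0x00, 0x00,   /* +0  */
    0x05, 0x10, 0x00, 0x00, 0x00,   /* +5  */
    0x05, 0x00, 0x01, 0x00, 0x00,   /* +10 */
    0xc3                            /* +15 */
};
static enum trap_action cb_execute_all(uintptr_t off, size_t *len) { (void)off; (void)len; return TRAP_EXECUTE; }
static enum trap_action cb_skip_second_add(uintptr_t off, size_t *len) {
    if (off == 10) { *len = 5; return TRAP_SKIP; }   /* length known because we assembled it */
    return TRAP_EXECUTE;
}
static enum trap_action cb_stop_at_first_add(uintptr_t off, size_t *len) { (void)len; return off == 5 ? TRAP_STOP : TRAP_EXECUTE; }

/* mode 0: execute everything; 1: skip the add at +10; 2: stop tracing at +5. */
static int run_dynamic(int mode, size_t *nsteps, uintptr_t *steps)
{
    void *mem = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, DYN_CODE, sizeof DYN_CODE);
    if (mprotect(mem, 4096, PROT_READ | PROT_EXEC) != 0) return -1;   /* write first, then execute */
    int (*fn)(void); memcpy(&fn, &mem, sizeof fn);
    trap_cb cb = mode == 1 ? cb_skip_second_add : mode == 2 ? cb_stop_at_first_add : cb_execute_all;
    int ret = trace_dynamic_code(fn, mem, sizeof DYN_CODE, cb);
    *nsteps = g.nsteps < MAX_STEPS ? g.nsteps : MAX_STEPS;
    memcpy(steps, g.steps, *nsteps * sizeof *steps);
    munmap(mem, 4096);
    return ret;
}
/* Scalar views of one traced run. */
static int traced_result(int mode) { size_t n; uintptr_t s[MAX_STEPS]; return run_dynamic(mode, &n, s); }
static size_t traced_count(int mode) { size_t n; uintptr_t s[MAX_STEPS]; run_dynamic(mode, &n, s); return n; }
static uintptr_t traced_step(int mode, size_t i) {
    size_t n; uintptr_t s[MAX_STEPS]; run_dynamic(mode, &n, s); return i < n ? s[i] : (uintptr_t)-1;
}

int main(void)
{
    size_t n; uintptr_t s[MAX_STEPS];
    int r = run_dynamic(0, &n, s);
    printf("result=%#x, %zu instructions trapped at offsets", r, n);
    for (size_t i = 0; i < n; i++) printf(" +%lu", (unsigned long)s[i]);
    printf("\n");
    return 0;
}
```

Mode 0 traps +0, +5, +10 and +15 and returns 0x111; mode 1 still reports all four offsets but returns 0x11, because the handler rewrites RIP past the skipped add and re-evaluates the new pc in the same trap rather than letting it run; mode 2 clears TF at +5 and the rest of the region runs untraced, so the result is 0x111 with only two trapped offsets. Two practical caveats the text hints at: a pushf executed inside the region will observe TF set (the text's "no signs of debugging" claim is relative to a debugger attach, not to the flag itself), and a popf in the region could clear TF and silently end tracing, which is why the text says tcodetrace skips popf (and int1/int3/into) itself; a tracer for arbitrary code needs that handling or an instruction decoder.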
Current thread:
- Tool announce: user mode single stepping Rafal_Wojtczuk (Nov 29)
- Re: Tool announce: user mode single stepping Jared DeMott (Nov 29)
- Re: Tool announce: user mode single stepping Dave Korn (Nov 29)
- Re: Tool announce: user mode single stepping Thomas Ptacek (Nov 29)
- Re: Tool announce: user mode single stepping Matt Conover (Nov 29)
- Re: Tool announce: user mode single stepping Thomas Ptacek (Nov 29)
- <Possible follow-ups>
- Re: Tool announce: user mode single stepping Rafal_Wojtczuk (Nov 30)
- Re: Tool announce: user mode single stepping Matt Conover (Nov 30)