Directory
common breakpoints
1.INT 3 breakpoint
detection
bypass
2. Hardware breakpoint
principle
We give the example of hardware interrupt
remove hardware breakpoint
3. Memory breakpoint
principle
example
delete
the difference
Summarize
4. Memory access one-time breakpoint
5. Message breakpoint
example
delete
6. Conditional breakpoints
(1) Interrupt by register condition
(2) Interrupt by memory condition
7. Conditional record breakpoint
We debugged a program in (1) and then we started to continue learning
Common breakpoints
here has
INT 3 breakpoint hardware breakpoint memory breakpoint Message breakpoint, etc.
1.INT 3 breakpoint
We can use the command bp or F12 to breakpoint in OllyDbg
INT3 breakpoint is to replace the code at this position in the program
Replace with INT3
INT3 is a soft interrupt instruction Trigger in x86 frame for debugging INT3 is the most commonly used breakpoint Among them, the soft interrupt is triggered by the code rather than the interrupt triggered by the hardware problem
In ollydbg, in fact, when we press F2, the program will set INT3 here, but ollydbg hides it
What is displayed is the instruction before the interrupt
INT3 machine code is 0xCC also called CC instruction When the program executes to the exception caused by the INT3 instruction The debugger will catch the exception thus stopping at the breakpoint Then restore the code at the breakpoint to the previous code The advantage of INT3 is that you can set an infinite number of breakpoints The disadvantage is that changing the code is easy to be detected by software
Detect
If the software prevents the API from being broken Some software detects whether the first address of the API is 0xCC Here is the detection method Detection in C language This method is to get the address of the detection function then read the first byte Judging whether it is CC
Here is the detection code for MessageBoxA FARPROC Uaddr; BYTE Mark = 0; (FARPROC & amp;) Uaddr = GetProcAddress (LoadLibrary("user32.dll"),"MessageBoxA"); Load the MessageBoxA function in the user32.dll library Mark = *((BYTE*))Uaddr; Set Mark as a pointer to Uaddr if(Mark == 0xCC) to determine whether the first byte is 0xCC or INT3 return TRUE
After the program is executed, set a breakpoint on MessageBoxA and the program will find
Bypass
If we want to avoid detection, set the breakpoint at the end or inside of the function For example, set the breakpoint on the next line of the function entry so that we can bypass the detection
2. Hardware breakpoint
Hardware breakpoints are related to the BRx debug register
x in the RBx debug register can be a number from 0 to 3 The RBx debug register is used to set a hardware breakpoint when the CPU executes to the set address It will trigger an interrupt and then hand it over to the debugger for debugging
DRx debug register has 8 registers (DR0~DR7) some of which have their own characteristics DR0~DR3: Debug address registers are used to save addresses that need to be monitored, such as setting hardware breakpoints DR4~DR5: reserved, undisclosed role DR6: Debug Register Set Status Register DR7: Debug register group control register
Principle
The principle of hardware breakpoint is Use DR0 DR1 DR2 DR3 to set the address (set up to 4 breakpoints) Then use DR7 to set the status The function of the hardware execution breakpoint is the same as that of the CC instruction execution breakpoint However, the hardware does not modify the first byte of the address to CC, so it is more difficult to detect When the debugger detects the address in DR0~DR3, it will trigger an interrupt and hand it over to the debugger Instead of modifying the code to break
Hardware interrupts can also be set in ollydbg
We give examples of hardware interrupts
Or the previous TraceMe.exe
In the register window of the CPU window, right-click -> view debug registers
Then we set the hardware interrupt at 004013AA
Then F9 executes the program
We found that DR0 becomes the interrupt address
After we set the breakpoint In fact, OllyDbg is set as an interrupt address in DR0~DR3 Then set the corresponding control bit in DR7 When the program debugs to the middle segment address, the CPU will send an exception message to OllyDbg Then you can interrupt
Delete hardware breakpoint
Debug -> Hardware Breakpoints
Of course there are shortcut keys
Press F4 at the address to perform a hardware interrupt and automatically delete the breakpoint after the interrupt
Compared with INT3 interrupt, hardware interrupt is not easy to be detected by the program and runs faster The disadvantage is that only 4 breakpoints can be set
3. Memory breakpoint
OllyDbg can set memory access breakpoints or memory write breakpoints
Principle
Give non-accessible and non-writable attributes to the set address In this way, when accessing and writing, an exception will occur OllyDbg catch exception Compare whether the exception is that we set the breakpoint address If it is, interrupt and the user will operate
Because the comparison is performed every time to determine whether to interrupt, the execution speed will be slow Therefore, OllyDbg may only set a breakpoint for memory interruption due to execution considerations
There are 3 states of program running, which are read, write and execute
mov dword ptr [405528], edx writes to memory mov dword ptr edx,[405528] read memory data
Example
Debugging TraceMe.exe with OllyDbg
We can see that this is an assembly instruction written into memory
We use this memory breakpoint
We need to go to the data panel
First follow this address in the data panel
Then F9 to run
Found him interrupted at this address
Delete
If we want to delete the interrupt, right click -> delete memory breakpoint
In this scenario, hardware breakpoints can also achieve the same effect as memory breakpoints A single hardware write/access breakpoint can be set to 1 byte, 2 bytes, 4 bytes And no matter how large the selected data range is, only the first 4 bytes will work
Still in the memory address, select the hardware to write to the address and then select the word, which is 4 bytes
will still interrupt the next instruction at this address
Difference
The hardware write/access breakpoint is interrupted at the next line of execution A memory breakpoint is to interrupt at the instruction of the trigger point
You can also set memory access breakpoints for code
Right click on the code, memory access and then run the program, it will break at this place
Summary
Where memory is executed, it can also be interrupted by memory access The memory access breakpoint will not modify the code, and will not modify the code like INT3 and be verified by the program So if you encounter program verification and hardware breakpoints fail, you can use memory breakpoints
4. Memory access one-time breakpoint
Windows uses segment paging management for memory
in OllyDbg
Press ALT + M to view memory
There are many segments here and each segment has inaccessible read write execute attributes
Right click on the corresponding segment
This can be used to set this type of breakpoint for the entire memory
This breakpoint is a one-time breakpoint. The segment where it is located will be interrupted when it is read or executed.
After the break, the breakpoint will be deleted
If you want to capture calls or return a module This type of breakpoint is particularly useful
There are also breakpoints Set a breakpoint on memory access This breakpoint is roughly the same as the set breakpoint on access command The difference is that this memory access breakpoint is not a one-time And this breakpoint is to be used under the NT framework and only used in this framework
5. Message breakpoint
Windows itself is message-driven If there is no suitable breakpoint when debugging
You can try to use message breakpoint
When a specific window receives a specific message A message breakpoint interrupts the program The difference between a message breakpoint and an INT3 breakpoint is: INT3 breakpoints can be set before the program starts The message breakpoint can only be set after the window is created and intercept the message
When the user clicks a button, moves the cursor, or enters text into a text box A message is sent to the current form All sent messages have 4 parameters 1 hwnd (window handle) 1 msg (message number) 2 longs (32-bit long parameters) Windows uses the handle to identify the handle it represents e.g. clicking a button Windows recognizes which button was pressed by the handle Then send a relative message to notify the program
We pass the example
Example
Trace Me
We run the program directly with F9
We enter the user name and serial number, enter casually and then do not click check
Let’s enter the message window first
This is the window we have now, and it is also where we break the message window
We find the check line
Mark a message breakpoint
In the message column, select the function of 202
Our check type is a button button, so if we click this button The WM_LBUTTONUP message will be sent, so we need to interrupt at this message
Then we go back to the program and click check
He will interrupt in the Windows system code to pass the message
At this time, we are in the airspace of the system and in the bottom code of the system It does not belong to the TraceMe program code, so we cannot return to the program airspace through the shortcut key ALT + F9 or CTRL + F9
We use shortcut keys ALT + M
Follow this TraceMe program and then its code segment because we want to go back to the code segment and find this key function
So we put a breakpoint here When the program finishes executing the underlying code, it will return to the program code
means that after clicking check, he will send a message to windows Then the message is delivered, return to the program, and we are back in the airspace of the program.
We put a breakpoint on F2
F9 to execute
The code here is the message loop of the program
This code is a message loop Constantly processing TraceMe messages At this time, the button event will not be directly processed If we do a F7 single-step trace will re-enter the system code
Here we re-enter the system code
then we repeat
Set a breakpoint in the program code area and execute
Indicates whether to pass the button message
let’s go on
Successfully reached the place in the program where the button passes the message
Delete
ALT + B to delete
6. Conditional breakpoint
during debugging We often expect to be able to meet what condition guess will break These are called conditional breakpoints. Moreover, in OllyDbg, you can set and break according to conditions such as registers, memory, and messages.
A conditional breakpoint is a normal INT3 breakpoint with a conditional expression When the debugger encounters such a breakpoint, the breakpoint evaluates the expression If the result is non-zero or the expression is valid Then the breakpoint will take effect
(1) interrupt by register condition
Open Conditional_bp.exe
Find 00401476
Then set the condition here
or in the command line plugin
bp 401476 eax==0400000
Then the program executes here. If eax=0400000, an interruption will occur
(2) Interrupt by memory condition
We continue to use this program to
Let’s assume that this program needs to open a file
Then use the CreatFileA function This function is used to open a file
The structure of the function is given here HANDLE CreateFile{ LPCTSTR lpFileName, pointer to file name DWORD dwDesireAccess, access mode DWORD dwShareMode, share mode LPSECURITY_ATTRIBUTES, pointer to security attributes DWORD dwCreationDistribution, how to create the file DWORD dwFlagsAndAttribute, file attribute HANDLE hTemplateFile Handle to copy file };
After we understand, run the program to see if there is a button to open the folder
here we are
Found that CreateFileA was called four times
So there must be this function, so we breakpoint this function
Then re-execute the program
breakpoint at this
Then we go to the stack
It is found that the parameters of the function have been pushed into the stack, so here we can make a breakpoint
But we need to know where this is on the stack
so we
Suppose we need to get filename, then it is stored at the address of esp + 4
[esp + 4] This is to get the first parameter, which is the memory address of filename [[esp + 4]] This is to get the first parameter, which is the string stored in the memory address of filename
Suppose we need to get the string
[STRING[esp + 4]]=="c:\1212.txt"
This is what will be returned When the CreateFileA function opens c:\1212.txt, what is stored in the filename of this function
Using the command line is the following
bp CreateFileA,[STRING[esp + 4]]=="c:\1212.txt"
rerun the program
Here is where the breakpoint is when the program opens 1212.txt
7. Conditional record breakpoint
Conditional record breakpoint In addition to the role of conditional breakpoints, it can also record function expressions or parameter values of functions at breakpoints You can also set the number of breakpoints, each time the pause condition is met, the counter -1
Or take the CreateFileA function as an example
In the first instruction of this program
or SHIFT + F4
Enter conditional record breakpoint
pay attention to this
If it is [esp + 4] in the expression, then it is the address We'll just set the pointer to the ASCII string This works just like [STRING] does
Then we make sure to start executing
A breakpoint occurs
Then the shortcut key ALT + L to open the log data window
Our data emerges
This is where the usual interruption ends