
Created: Thursday, August 23 2007 11:07.59 CDT Modified: Thursday, August 23 2007 11:11.05 CDT
Reliability of Pseudo Registers in Bug Tracking
Author: adityaks

Kicking with Pseudo Registers
I have always been fascinated by the anatomy of pseudo registers. They are not hardware registers, but the debugger displays them as though they were. From the application's point of view they are a fairly reliable way to check for errors: you supply the error value you expect and let the debugger compare against it. The practical layout is best seen by looking at the functionality of the @ERR pseudo register.

Analytical View: @ERR Register

In the Visual Studio debugger the @ERR pseudo register holds the last-error value of the current thread, i.e. the number that the Windows API GetLastError() would return at that point. This makes it reliable for debugging functions that signal failure through their return value and leave the reason in the last-error code.

-=[Code Snippet 1]=-

[Direct Modular Calling]


#include <windows.h>
#include <stdio.h>

int main(void)
{
    OFSTRUCT ofs;
    HFILE hwnd_file;
    hwnd_file = OpenFile("", &ofs, OF_READ);        /* no file name is given */
    if (hwnd_file == HFILE_ERROR)                   /* [brk **] condition: @ERR == 2 */
        printf("OpenFile failed, last error %lu\n", GetLastError());
    return 0;
}


A code snippet is provided above. Set a breakpoint with the condition @ERR == 2 and run the code: the debugger evaluates the pseudo register each time the breakpoint is reached and stops only when the last-error value matches. Because no file name is specified, OpenFile fails and the thread's last error is 2 (ERROR_FILE_NOT_FOUND), so the breakpoint fires. Note that a breakpoint on the call itself is hit before the call has executed, so place the conditional breakpoint on the line after the call (or step over it first) so that @ERR reflects this call's result. This turns out to be useful for checking a single function call directly.

[Conditional Checks]

Pseudo registers are equally reliable in conditional breakpoints that check a module's behaviour. Generically, they are effective for scrutinizing the outcome of a call whose return value alone does not tell you why it failed.

-=[ Code Snippet 2 ]=-


#include <windows.h>
#include <psapi.h>      /* link with psapi.lib */
#include <stdio.h>

void PrintProcessNameAndID(DWORD processID)
{
    char szProcessName[MAX_PATH] = "unknown";
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID);
    if (NULL != hProcess)           /* [brk ***] condition: @ERR == <expected error> */
    {
        HMODULE hMod;
        DWORD cbNeeded;

        if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded))
        {
            GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName));
        }
        /* on failure szProcessName stays "unknown"; fall through so the handle is closed */
    }
    else return;                    /* OpenProcess failed: @ERR holds its error code */
    printf("%s (Process ID: %u)\n", szProcessName, processID);

    CloseHandle(hProcess);
}



Now set a breakpoint and give it the condition @ERR == 2, or any other GetLastError() value you are interested in. When the breakpoint is reached, the debugger checks the condition against the current value of the @ERR pseudo register. If that specific error has occurred, the debugger breaks the execution flow there and shows the register state; if the @ERR value does not match, it does not break, even if some other error has occurred. For the snippet above, the natural value to watch at [brk ***] is the one OpenProcess sets when it fails, for example 5 (ERROR_ACCESS_DENIED) when the target process cannot be opened; a failing EnumProcessModules or GetModuleBaseName needs a breakpoint after that call, with its own error code.
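As an added example (not code from the original post), the following portable C models what the conditional breakpoint @ERR == 2 does in both snippets above, with errno standing in for GetLastError() and ENOENT for ERROR_FILE_NOT_FOUND (2): the filter fires only when the call failed with exactly the expected code, and stays silent on any other failure. The helper names break_on_last_error, try_open and break_hits are hypothetical; on Windows the same shape applies with GetLastError().

```c
/* Added example, not from the original post. errno stands in for
 * GetLastError() so the code runs anywhere; on Windows use GetLastError()
 * and ERROR_FILE_NOT_FOUND (2) instead of errno and ENOENT. The helper
 * names below are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* How many times the filter decided to "break"; a real build would call
 * DebugBreak() / raise(SIGTRAP) here to hand control to the attached debugger. */
static int g_break_hits = 0;

/* Equivalent of a conditional breakpoint with the condition "@ERR == expected":
 * returns 1 (a break) only if the call failed AND the last error matches.
 * The error is snapshotted first, because any later call may overwrite it,
 * which is exactly why @ERR must be read on the line right after the call. */
static int break_on_last_error(int call_failed, int expected_err)
{
    int last_err = errno;
    if (!call_failed || last_err != expected_err)
        return 0;                      /* no error, or a different error: no break */
    g_break_hits++;
    fprintf(stderr, "break: last error %d (%s)\n", last_err, strerror(last_err));
    return 1;
}

/* Mirrors Code Snippet 1: attempt to open a file, then evaluate the
 * breakpoint condition on the line after the call. */
static int try_open(const char *path, int expected_err)
{
    errno = 0;
    FILE *f = fopen(path, "rb");       /* fopen("") fails with ENOENT */
    int hit = break_on_last_error(f == NULL, expected_err);
    if (f != NULL)
        fclose(f);
    return hit;
}

/* Number of breaks taken so far. */
static int break_hits(void)
{
    return g_break_hits;
}
```

try_open("", ENOENT) reports a break, while try_open("/no/such/dir/x", EACCES) does not: the call fails with ENOENT, which is not the value being filtered on, matching the post's point that a non-matching @ERR leaves the debugger silent even though an error occurred.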


Multithreaded debugging is possible with the @TIB pseudo register, which holds the address of the current thread's Thread Information Block. Setting a breakpoint condition on it during active debugging (for example @TIB == <address of the thread you care about>) acts as a filter: the debugger breaks only when the breakpoint is hit by the thread whose TIB address matches.

This circumvents the usual problem of multithreaded debugging in a module: if no such filter is set, the debugger breaks every time any thread executes the module. So the breakpoint can be confined to a single thread by way of its Thread Information Block, through the @TIB pseudo register.

View Specific

Any specific tricks that can be pulled off with pseudo registers are welcome. A more technical viewpoint is required, and in-depth technical input is welcomed.

----
aks



