📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.









 Forums >>  Brainstorms - General  >>  Pydbg: Too Many Breakpoints?

Topic created on: June 18, 2007 22:26 CDT by jms .

Has anyone here run into a problem where, if you set too many breakpoints (think CC with func heads as the bp's), it throws an access violation? I am having a problem setting ~4500 bp's on function heads; for some reason it gets accessv'd every time, and I tried it on multiple executables. I also looked into process_stalker.py and I am not doing anything different, that I can tell.... Any love out there?

  gera     June 19, 2007 07:32.23 CDT
A guy at the office ran into a similar problem. It was not related to the number of breakpoints AFAIK, but to a multithreading issue. He submitted a patch to Pedram, but I think that it was not released yet (although it's quite likely in the svn tree).

uhm... I found the changes, but they are in diff format. I'll paste them here; I hope you can decode them and make them real (and that they fix the problem). The guy doing the changes (oren) said that this fixes an unhandled exception generated in pydbg.py, and that a simple change in hooking.py makes it remove some bps when they are not needed anymore:

hooking.py:

278a279,280
>         if self.exit_bps[pydbg.context.Eip]==0:
>             pydbg.breakpoints[pydbg.context.Eip].restore=False
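Review bot: `self.exit_bps[pydbg.context.Eip]` indexes the dict directly, so if this handler runs for an EIP that is not (or is no longer) an exit breakpoint it raises KeyError inside the callback; use `self.exit_bps.get(pydbg.context.Eip) == 0` or check membership first. Setting `restore=False` is what stops the exit breakpoint from being re-armed once its count reaches zero, so the intent is right and only the lookup needs guarding.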


pydbg.py:

43a44,71
> class restore_bp(object):
>     def __init__(self):
>         self.bp_dict=dict()
>         self.prioritized_bp=None
>     def add(self,addr, bp):
>         if self.bp_dict.has_key(addr):
>             self.bp_dict[addr][0]=self.bp_dict[addr][0]+1
>         else:
>             self.bp_dict[addr]=[1, bp]
>     def pop_bp(self,addr):
>         for bp_addr in self.bp_dict:
>             if addr>bp_addr and addr -bp_addr<8:
>                 self.bp_dict[bp_addr][0]-=1
>                 bp=self.bp_dict[bp_addr][1]
>                 if self.bp_dict[bp_addr][0]==0:
>                     del self.bp_dict[bp_addr]
>                 return bp
>         return None
>     def get_prioritized(self):
>         if self.prioritized_bp:
>             return self.prioritized_bp
>     def set_prioritized(self, bp):
>         self.prioritized_bp=bp
>     def has_bps(self):
>         return len(self.bp_dict)
>
>
>
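Review bot: `pop_bp` picks the breakpoint to re-arm by scanning for any entry with `addr > bp_addr and addr - bp_addr < 8`, i.e. it assumes the single-stepped instruction fell through to within 8 bytes. For a breakpoint on a `jmp`, `call` or `ret` the post-step EIP is elsewhere, the scan returns None, the breakpoint is never re-armed and its entry stays in `bp_dict` for good; with two breakpoints less than 8 bytes apart, dict iteration order decides which count is decremented. Recording the hit address per thread (keyed by the thread id of the debug event) and popping that exact key would remove the guesswork. Also, `del self.bp_dict[bp_addr]` inside `for bp_addr in self.bp_dict` only avoids a runtime error because the method returns immediately after; that deserves a comment. Minor: `get_prioritized` can simply `return self.prioritized_bp`, and `has_bps` returns a length where a boolean is implied.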
67c95,96
<     _restore_breakpoint      = None      # breakpoint to restore
---
>     _restore_breakpoint      = restore_bp()      # breakpoint to res=
tore
>     _step_suspended_threads  = set()   # threads suspended for singl=
e  =

> stepping
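Review bot: `_restore_breakpoint = restore_bp()` and `_step_suspended_threads = set()` are evaluated once at class-definition time, so these mutable objects are shared by every pydbg instance. `__init__` reassigns `_restore_breakpoint` (hunk at 103), but nothing in this diff reassigns `_step_suspended_threads`, and no other hunk references it at all; either initialise it per instance in `__init__` and include the hunks that use it, or drop it. Keep the class-level defaults as `None`.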
103c132
<         self._restore_breakpoint      = None      # breakpoint to re=
store
---
>         self._restore_breakpoint      = restore_bp()      # breakpoi=
nt  =

> to restore
163a193
>             self.pydbg_log("restoring original byte %02x at %08x" %  =

> (ord(self.breakpoints[address].original_byte),address))
168c198
<             del self.breakpoints[address]
---
>             self.breakpoints[address].zomby=True
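Review bot: replacing `del self.breakpoints[address]` with `.zomby=True` means the `breakpoints` dict never shrinks, and every other consumer of it now has to filter on the flag: the loop at 648 does, the dump added at 1058 does not. Nothing in this diff purges zombie entries either, so with thousands of breakpoints set and cleared repeatedly the dict only grows. Consider deleting the entry once its pending-restore count in `restore_bp` drops to zero, and spell the attribute `zombie`.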
432c462
<         if not self.breakpoints.has_key(address):
---
>         if not self.breakpoints.has_key(address) or  =

> self.breakpoints[address].zomby:
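Review bot: this condition reads `.zomby` on every existing breakpoint object, but no hunk here adds a default for that attribute to the breakpoint constructor, so the first `bp_set` on an address that already holds a live breakpoint raises AttributeError. Initialise `self.zomby = False` in the constructor, or use `getattr(self.breakpoints[address], 'zomby', False)` here until that is done.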
435a466
>                 self.pydbg_log("saving original byte %02x at %08x" %  =

> (ord(original_byte),address))
648c679
<         for address in self.breakpoints:
---
>         for address in [x for x in self.breakpoints if not  =

> self.breakpoints[x].zomby]:
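Review bot: the comprehension filters zombies here, but the same filter is needed wherever `self.breakpoints` is iterated to touch live breakpoints; a small helper that yields only non-zombie entries would keep the condition in one place instead of copying it per loop.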
897c928,931
<             context_list["esp+%02x"%(offset*4)]["desc"]  =

self.smart_dereference(esp, print_dots)
---
>             try:
>                 context_list["esp+%02x"%(offset*4)]["desc"]  =

> self.smart_dereference(esp, print_dots)
>             except:
>                 pass
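Review bot: the bare `except: pass` around `smart_dereference` silences every exception, including KeyboardInterrupt and genuine bugs in the dereference path, and leaves `["desc"]` unset for that stack slot. Catch the specific exception a failed memory read raises and assign a placeholder description (for example `"<unreadable>"`) so the context dump stays well-formed.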
1046a1081
>                 print ("first windows driven system breakpoint at %08x=
"  =

> % self.exception_address)
1058a1094,1097
>                 print("unhandled system breakpoint at %08x" %  =

> self.exception_address)
>                 for b in self.breakpoints:
>                     print b, self.breakpoints[b].__dict__
>                 continue_status =

> self.callbacks[EXCEPTION_BREAKPOINT](self)
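Review bot: `self.callbacks[EXCEPTION_BREAKPOINT](self)` is called unconditionally and raises KeyError when no user callback is registered for that exception; check `self.callbacks.has_key(EXCEPTION_BREAKPOINT)` first. The loop above it also prints every entry of `self.breakpoints` with its `__dict__`, zombies included, which with the ~4500 breakpoints from the original question is thousands of lines on stdout; route it through `pydbg_log` like the other messages and apply the zombie filter.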
1062c1101
<             self.pydbg_log("restoring original byte at %08x" %  =

self.exception_address)
---
>             self.pydbg_log("restoring original byte %02x at %08x" %  =

> (ord(self.breakpoints[self.exception_address].original_byte)
,self.exception_address))
1088c1127,1128
<                     self._restore_breakpoint =

self.breakpoints[self.exception_address]
---
>                     self.pydbg_log("_restore_breakpoint.add(0x%08x)" %=
  =

> self.exception_address)
>                     self._restore_breakpoint.add(self.exception_addres=
s,self.breakpoints[self.exception_address])
1142c1182,1183
<             self._restore_breakpoint = memory_breakpoint(None, None,=
  =

mbi, None)
---
>             self.pydbg_log("_restore_breakpoint.set_prioritized(None, =
=

> None, %r, None)" % mbi)
>             self._restore_breakpoint.set_prioritized(memory_breakpoint=
(None,  =

> None, mbi, None))
1159c1200,1206
<
---
>         bp=self._restore_breakpoint.get_prioritized()
>         if bp:
>             self.pydbg_log("_restore_breakpoint.set_prioritized(None)"=
)
>             self._restore_breakpoint.set_prioritized(None)
>         else:
>             self.pydbg_log("_restore_breakpoint.pop_bp(0x%08x)" %  =

> self.exception_address)
>             bp=self._restore_breakpoint.pop_bp(self.exception_addres=
s)
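Review bot: when a prioritized (memory) breakpoint is pending this branch clears it but does not touch `bp_dict`, so software breakpoint hits that arrived in the meantime stay queued until some later single step happens to land within 8 bytes of them; if that never occurs they are not re-armed. The handler also cannot tell which thread the single step belongs to, so with several threads stepping at once the address heuristic in `pop_bp` is the only thing keeping restores from crossing threads. Keying the pending restore on the thread id of the debug event and popping that exact entry here would make the path deterministic.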
1161,1163c1208

<         if self._restore_breakpoint:
<             bp = self._restore_breakpoint
<
---
>         if bp:
1203c1248
<         elif self._restore_breakpoint:
---
>         elif bp:
1207a1253
>             print("unhandled single step at %08x" %  =

> self.exception_address)
1221d1266
<                         self._restore_breakpoint = prev
1228d1272
<         self._restore_breakpoint     = None


I could send you the modified files by private if you prefer, but then again, I think the svn version has the fixes included. http://paimei.openrce.org/
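As an added illustration, not code from this thread or from PaiMei's pydbg, the following Python model compares the single pending-restore slot the original pydbg used with the per-address counted table the patch's `restore_bp` introduces, driven by a constructed trace of breakpoint hits and single steps; the addresses are placeholders and the 8-byte match is the patch's own heuristic.

```python
# Added model, not pydbg's code: how a hit int3 breakpoint gets queued for re-arming.
class PendingSingleSlot:
    # Original pydbg: one _restore_breakpoint slot for the whole debugger.
    def __init__(self):
        self.pending = None
    def on_breakpoint(self, addr):
        self.pending = addr            # a second hit silently overwrites the first
    def on_single_step(self, eip):
        bp, self.pending = self.pending, None
        return bp                      # re-armed no matter where EIP stopped

class PendingCounted:
    # Patched pydbg (restore_bp): hit count per address, matched on the post-step EIP
    # with the patch's "within 8 bytes" rule; sorted() makes dict order deterministic.
    def __init__(self):
        self.table = {}                # addr -> hits still waiting to be re-armed
    def on_breakpoint(self, addr):
        self.table[addr] = self.table.get(addr, 0) + 1
    def on_single_step(self, eip):
        for addr in sorted(self.table):
            if addr < eip < addr + 8:
                self.table[addr] -= 1
                if self.table[addr] == 0:
                    del self.table[addr]
                return addr
        return None                    # no candidate: nothing is re-armed

def replay(tracker, events):
    # Feed constructed ("hit", addr) / ("step", eip) events; return re-armed addresses.
    rearmed = []
    for kind, value in events:
        if kind == "hit":
            tracker.on_breakpoint(value)
        elif (bp := tracker.on_single_step(value)) is not None:
            rearmed.append(bp)
    return rearmed

# Constructed trace: two threads hit breakpoints before either single-step is delivered.
INTERLEAVED = [("hit", 0x401000), ("hit", 0x402000),
               ("step", 0x401001), ("step", 0x402001)]
def single_slot_result():
    return replay(PendingSingleSlot(), INTERLEAVED)   # [0x402000]; 0x401000 stays disarmed
def counted_result():
    return replay(PendingCounted(), INTERLEAVED)      # [0x401000, 0x402000]
def far_jump_leak():
    # Breakpoint on a jmp: EIP lands at the target, the 8-byte rule never matches.
    t = PendingCounted()
    replay(t, [("hit", 0x403000), ("step", 0x410000)])
    return t.table                                    # {0x403000: 1}
```

The last function shows the case the patch's heuristic misses: a breakpoint on a control-transfer instruction whose single step lands far away is never re-armed and never leaves the table.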

  jms     June 19, 2007 11:11.15 CDT
Thanks I appreciate it, I will update to svn and see what happens.
