
OpenRCE Anti Reverse Engineering Technique >> Hardware Breakpoint Detection

Technique Name Category Analysis By Download Added On Last Updated
Hardware Breakpoint Detection Debugging ap0x March 17 2006 March 18 2006
Description:
    .386
      .model flat, stdcall
      option casemap :none   ; case sensitive

      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc

      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib

    .data
       ; Caption/body strings for the two MessageBox outcomes shown by the
       ; exception handler. Both captions carry the same text.
       DbgNotFoundTitle db "Debugger status:",0h
       DbgFoundTitle db "Debugger status:",0h
       DbgNotFoundText db "Debugger hardware bpx not found!",0h
       DbgFoundText db "Debugger hardware bpx found!",0h
    .data?
; State captured at start and written back into the thread CONTEXT by the
; handler so execution resumes at @Exit with a sane stack.
; NOTE(review): OrgEbp and SaveEip hold the opposite of what their names
; suggest. start stores offset @Exit in OrgEbp and EBP in SaveEip; the handler
; then writes OrgEbp to CONTEXT+0B8h (Eip) and SaveEip to CONTEXT+0B4h (Ebp),
; so the program is correct but the names are swapped.
OrgEbp   dd ?   ; actually the resume address (offset @Exit)
OrgEsp   dd ?   ; ESP right after the SEH record was pushed
SaveEip  dd ?   ; actually EBP as it was at program entry
    .code

start:
;-----------------------------------------------------------------------
; Program entry (32-bit Windows, MASM, flat model).
; Installs a stack-based SEH frame whose handler is @DetectHardwareBPX,
; then raises a fault on purpose so the OS hands that handler the thread
; CONTEXT. The handler redirects execution to @Exit, which unlinks the
; frame and terminates the process.
;-----------------------------------------------------------------------
        assume  fs:nothing                      ; let MASM accept FS-relative operands

        ; Snapshot the values the handler writes back into the CONTEXT.
        ; The variable names are misleading: SaveEip receives EBP and
        ; OrgEbp receives the resume address.
        mov     dword ptr [SaveEip], ebp
        mov     eax, offset @Exit
        mov     dword ptr [OrgEbp], eax

        ; Build the registration record {previous frame, handler} on the
        ; stack and make it the head of the chain at FS:[0].
        push    offset @DetectHardwareBPX
        push    dword ptr fs:[0]
        mov     dword ptr [OrgEsp], esp         ; ESP now points at the record
        mov     fs:[0], esp

        ; Deliberate access violation: read/write through a null pointer.
        xor     eax, eax
        xchg    dword ptr ds:[eax], eax

@Exit:
        ; Reached only via the handler (CONTEXT.Eip was set to this label).
        ; ESP equals OrgEsp here, so the record is on top of the stack.
        pop     dword ptr fs:[0]                ; restore the previous frame
        add     esp, 4                          ; discard the handler pointer

        invoke  ExitProcess, 0

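@DetectHardwareBPX:
;-----------------------------------------------------------------------
; SEH handler for the frame installed at start (32-bit Windows).
; In:    [ebp+10h] = third handler argument, pointer to the thread CONTEXT
; Out:   eax = 0 (ExceptionContinueExecution): resume with the edited CONTEXT
; Clobb: eax, ecx, edx, flags. Only volatile registers are used; the
;        original listing used EBX as scratch without saving it, which
;        corrupts a callee-saved register of the OS dispatcher that calls
;        this handler.
; Notes: - x86 CONTEXT offsets used: Dr0..Dr3 = 04h..10h, Ebp = 0B4h,
;          Eip = 0B8h, Esp = 0C4h.
;        - ExceptionCode is never inspected, so every exception that
;          reaches this frame is treated as the deliberate fault.
;        - Only Dr0..Dr3 are compared with zero; Dr6/Dr7 (14h/18h) are
;          not read.
;        - For analysts: an SEH frame, a forced fault and reads of
;          CONTEXT+04h..+10h inside the handler are the recognisable
;          shape of this check.
;-----------------------------------------------------------------------
        push    ebp
        mov     ebp, esp
        mov     eax, dword ptr ss:[ebp+10h]     ; eax = ContextRecord

        ; Redirect the faulting thread: resume at @Exit with the stack and
        ; frame pointer captured at start. OrgEbp/SaveEip are misnamed;
        ; OrgEbp holds the resume address and SaveEip holds EBP.
        mov     ecx, dword ptr [OrgEbp]
        mov     dword ptr ds:[eax+0B8h], ecx    ; CONTEXT.Eip = offset @Exit
        mov     ecx, dword ptr [OrgEsp]
        mov     dword ptr ds:[eax+0C4h], ecx    ; CONTEXT.Esp = ESP at SEH install
        mov     ecx, dword ptr [SaveEip]
        mov     dword ptr ds:[eax+0B4h], ecx    ; CONTEXT.Ebp = EBP at entry

        ; Any non-zero debug address register counts as a hardware breakpoint.
        cmp     dword ptr ds:[eax+4h], 0        ; Dr0
        jne     @hardware_bpx_found
        cmp     dword ptr ds:[eax+8h], 0        ; Dr1
        jne     @hardware_bpx_found
        cmp     dword ptr ds:[eax+0Ch], 0       ; Dr2
        jne     @hardware_bpx_found
        cmp     dword ptr ds:[eax+10h], 0       ; Dr3
        jne     @hardware_bpx_found

        ; 40h = MB_ICONINFORMATION
        invoke  MessageBox, 0, offset DbgNotFoundText, offset DbgNotFoundTitle, 40h

@hbpx_exit:
        xor     eax, eax                        ; ExceptionContinueExecution
        leave
        ret

@hardware_bpx_found:
        ; 30h = MB_ICONEXCLAMATION
        invoke  MessageBox, 0, offset DbgFoundText, offset DbgFoundTitle, 30h
        jmp     @hbpx_exit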

end start
