Created: Thursday, August 23 2007 11:07.59 CDT Modified: Thursday, August 23 2007 11:11.05 CDT
Reliability of Pseudo Registers in Bug Tracking
Author: adityaks

Kicking with Pseudo Registers
I have always been fascinated by the anatomy of pseudo registers. They are not hardware registers, but the debugger displays them as though they were. From the application's point of view, pseudo registers are a fairly reliable way to check for errors against simulated error values. The practical layout can be seen by looking at the functionality of the @ERR pseudo register.

Analytical View: @ERR Register

The @ERR pseudo register returns the error number; in Windows API terms it holds the same value that GetLastError() returns. This makes it reliable for debugging functions whose return value must be checked.

-=[Code Snippet 1]=-

[Direct Modular Calling]


HFILE    hFile;
OFSTRUCT ofs;                              /* receives information about the opened file */

/* The file name is deliberately left unspecified, so the open fails. */
hFile = OpenFile("", &ofs, OF_READ);

/* [brk **] set the conditional breakpoint here, after the call, so that
 * @ERR already holds the result of OpenFile; condition: @ERR==2 */
if (hFile == HFILE_ERROR)
{
    /* error 2 (ERROR_FILE_NOT_FOUND) is what @ERR shows at this point */
}


A code snippet is provided above. If a breakpoint with a condition on the pseudo register is set at the line marked [brk **] and the code is executed, the debugger evaluates that condition each time the breakpoint is reached. If the specified @ERR value matches the actual error at that point in the execution flow, the breakpoint fires. Set up properly, this gives an error number 2 response: the file handle could not be obtained because no file name was specified. This turns out to be useful for direct modular checks of the functions being used.

[Conditional Checks]

The pseudo registers are reliable for conditional debugging according to a module's specification. In general, they are effective for scrutinizing the return values of conditional modules.

-=[ Code Snippet 2 ]=-


#include <windows.h>
#include <psapi.h>      /* EnumProcessModules, GetModuleBaseName; link with psapi.lib */
#include <stdio.h>

/* Prints the base name of the first module of a process (its executable). */
void PrintProcessNameAndID(DWORD processID)
{
    char   szProcessName[MAX_PATH] = "unknown";
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID);

    /* [brk ***] conditional breakpoint here: @ERR==2, or any other GetLastError() value of interest */
    if (NULL != hProcess)
    {
        HMODULE hMod;
        DWORD   cbNeeded;

        if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded))
        {
            GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName));
        }
        else
        {
            CloseHandle(hProcess);   /* release the handle before bailing out */
            return;
        }
    }
    else return;

    printf("%s (Process ID: %u)\n", szProcessName, processID);

    CloseHandle(hProcess);
}



Now select a breakpoint and give it the condition @ERR==2, or any other GetLastError() value. When the breakpoint is reached, the debugger checks the current @ERR value against the given condition. If the specified error has occurred, the debugger breaks the execution flow there and displays the various register values. If the @ERR value does not match, the debugger does not break the application, even if some other error has occurred.
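The filtering described above, as an added example that is not part of the original post: a small hook stands in for the debugger and evaluates the condition "@ERR == 2" at two breakpoint locations, each reached after a failing file open. Only the open that fails with error 2 (ERROR_FILE_NOT_FOUND on Windows, ENOENT on POSIX) would make the debugger stop; the other failure is ignored exactly as the text describes. The names err_breakpoint, err_break_eval, try_open and run_err_breakpoint_demo are this example's own, and the two file paths are constructed for it; on non-Windows systems errno is used as a stand-in for what @ERR would show.

```c
/* Portable analogue of a Visual Studio breakpoint conditioned on @ERR.
 * The debugger evaluates "@ERR == <n>" each time the breakpoint is reached
 * and stops only when the last error equals n; here a hook does the same
 * so the filtering logic can be run without a debugger. */
#include <stdio.h>
#include <errno.h>

#ifdef _WIN32
#include <windows.h>
static unsigned long last_error(void) { return GetLastError(); }      /* what @ERR shows */
#define MISSING_FILE ".\\missing_4f2a.txt"            /* constructed: ERROR_FILE_NOT_FOUND (2) */
#define WRONG_KIND   ".\\missing_dir_4f2a\\x.txt"     /* constructed: ERROR_PATH_NOT_FOUND (3), assumed */
#else
static unsigned long last_error(void) { return (unsigned long)errno; } /* POSIX stand-in for @ERR */
#define MISSING_FILE "./missing_4f2a.txt"   /* constructed: ENOENT (2) */
#define WRONG_KIND   "/dev/null/x"          /* constructed: ENOTDIR (20), a file where a directory is needed */
#endif

/* State of one conditional breakpoint and how often it "fired". */
typedef struct {
    unsigned long condition;   /* value the breakpoint compares @ERR against */
    int hits;                  /* times execution would have stopped */
    int evaluations;           /* times the breakpoint was reached */
    unsigned long last_seen;   /* error value at the most recent evaluation */
} err_breakpoint;

/* Mirrors the debugger's check: stop only when the last error matches the condition. */
static int err_break_eval(err_breakpoint *bp)
{
    unsigned long err = last_error();
    bp->evaluations++;
    bp->last_seen = err;
    if (err == bp->condition) { bp->hits++; return 1; }
    return 0;
}

/* Try to open a file for reading; returns 1 on success, 0 on failure.
 * On failure the OS error code is left in place for the breakpoint hook to read. */
static int try_open(const char *path)
{
#ifdef _WIN32
    HANDLE h = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
#else
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    fclose(f);
    return 1;
#endif
}

/* The scenario from the post: condition @ERR == 2, evaluated after two
 * different failing opens. Returns how many times the debugger would stop. */
int run_err_breakpoint_demo(err_breakpoint *bp)
{
    bp->condition = 2;   /* ERROR_FILE_NOT_FOUND on Windows, ENOENT on POSIX */
    bp->hits = 0; bp->evaluations = 0; bp->last_seen = 0;

    try_open(MISSING_FILE);   /* fails with error 2 */
    err_break_eval(bp);       /* [brk] "@ERR == 2" matches: the debugger would stop here */

    try_open(WRONG_KIND);     /* fails with a different error */
    err_break_eval(bp);       /* [brk] same condition, different error: execution continues */
    return bp->hits;
}

int main(void)
{
    err_breakpoint bp;
    int hits = run_err_breakpoint_demo(&bp);
    printf("breakpoint reached %d times, would have stopped %d time(s); last @ERR seen = %lu\n",
           bp.evaluations, hits, bp.last_seen);
    return 0;
}
```

The point of the second open is the negative case: the breakpoint is reached, the hook records the error value, but because it is not the one the condition names, the "debugger" keeps running. That is the same behaviour a real @ERR condition gives when some other error occurs at the breakpoint.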


Multithreaded debugging is possible with the @TIB pseudo register. Its value can be set as a condition during active debugging, and it acts as a filter for the debugger: the debugger breaks only for the thread whose Thread Information Block address matches the one given for @TIB.

This circumvents a common problem in multithreaded debugging of a module: if the filter is not set properly for the various threads, the debugger breaks every time the module is executed by any thread. Managing the Thread Information Block through the @TIB pseudo register avoids this.

View Specific

Any specific tricks that can be done with pseudo registers are welcome. A more technical viewpoint is required, and in-depth technical material is welcomed.

----
aks
