public void Int3Check() { var addresses = new ulong[] { 0x7FF9C61653E0 }; foreach (var address in addresses) { var b = DebugProcessUtils.ReadByte(CurrentProcess, address); var overwritten = false; if (b == AssemblyUtil.Int3) { DebugProcessUtils.WriteByte(CurrentProcess, address, AssemblyUtil.Nop); overwritten = true; } LoggerInstance.WriteLine($"checking int3 at: 0x{address:X}, overwritten: {overwritten}"); } }
public bool ResumeBreak(bool trace = true) { //Console.WriteLine("ResumeBreak"); //for (var i = 0; i < 10000; i++) { var done = false; var goNextBreakPoint = false; var continueCode = Win32Imports.DbgContinue; while (!done) { Win32Imports.DebugEvent evt; if (!Win32Imports.WaitForDebugEvent(out evt, 0)) { //if (!handleDebugEvent(out evt, out continueCode)) { //Console.WriteLine("WaitForDebugEvent failed"); //throw new Win32Exception(); done = true; } else { CurrentInfo.EventCount++; // Multiple if's for easier debugging at this moment switch (evt.dwDebugEventCode) { case Win32Imports.DebugEventType.LoadDllDebugEvent: //Console.WriteLine($"resumed load dll event: {evt.dwThreadId}"); break; case Win32Imports.DebugEventType.UnloadDllDebugEvent: //Console.WriteLine($"resumed unload dll event: {evt.dwThreadId}"); break; case Win32Imports.DebugEventType.ExceptionDebugEvent: var exceptionAddress = (ulong) evt.Exception.ExceptionRecord.ExceptionAddress.ToInt64(); //Console.WriteLine($"first addr: {breakAddress:X} vs {address:X}"); var context = new Win32Imports.ContextX64(); var breakAddress = getRip((uint) evt.dwThreadId, ref context, GetRipAction.ActionGetContext); var code = evt.Exception.ExceptionRecord.ExceptionCode; //Console.WriteLine($"code: {code}, events: {eventCount}, thread: {evt.dwThreadId}, addr: {breakAddress2:X} vs {address:X}"); if (BreakPoints.ContainsKey(breakAddress) && BreakPoints[breakAddress].IsActive) { LoggerInstance.WriteLine($"match at {breakAddress:X}, trace: {trace}"); setTrace((uint)evt.dwThreadId); UninstallBreakPoint(breakAddress); _lastBreakAddress = breakAddress; CurrentInfo.LastContext = context; CurrentInfo.LastContextReady = true; // trace //setTrace((uint) evt.dwThreadId, false); if (BreakPoints[breakAddress].Description.Equals(CloseHandleDescription)) { LoggerInstance.WriteLine("CloseHandle hit"); LoggerInstance.WriteLine("Registers:" + AssemblyUtil.FormatContext(context)); } else { } done = BreakPointCallBack(this, evt.dwThreadId, context, trace).StepOver; goNextBreakPoint = done; //} else if (!CheckBreakPointActive()) { } else { // if we have seen it before var shouldTrace = !BreakPoints.ContainsKey(breakAddress) || !(BreakPoints.ContainsKey(breakAddress) && !BreakPoints[breakAddress].ShouldEnable) || !(BreakPoints.ContainsKey(breakAddress) && !BreakPoints[breakAddress].IsActive); // no breakpoint active, so we are tracing if (trace && shouldTrace) { LoggerInstance.WriteLine($"tracing thread {evt.dwThreadId} at 0x{breakAddress:X}"); var ret = BreakPointCallBack(this, evt.dwThreadId, context, true); done = ret.StepOver; goNextBreakPoint = done; if (ret.Ignore) { LoggerInstance.WriteLine("continuing with exception handlers"); continueCode = Win32Imports.DbgExceptionNotHandled; } } else { LoggerInstance.WriteLine("continuing with exception handlers"); continueCode = Win32Imports.DbgExceptionNotHandled; } } Instruction instr = null; string asm = "N/A"; string asm2 = "N/A"; try { instr = AssemblyUtil.Disassemble(CurrentProcess, exceptionAddress); asm = AssemblyUtil.FormatInstruction(AssemblyUtil.Disassemble(CurrentProcess, breakAddress)); asm2 = AssemblyUtil.FormatInstruction(AssemblyUtil.Disassemble(CurrentProcess, exceptionAddress)); } catch (Exception) { // ignored } string msg; switch (code) { case Win32Imports.ExceptionCodeStatus.ExceptionSingleStep: asm = AssemblyUtil.FormatInstruction(AssemblyUtil.Disassemble(CurrentProcess, breakAddress)); LoggerInstance.WriteLine($"single step at {breakAddress:X}, evtCount: {CurrentInfo.EventCount}, asm: {asm}"); continueCode = HasBreakPoint(breakAddress) ? Win32Imports.DbgContinue : Win32Imports.DbgExceptionNotHandled; break; case Win32Imports.ExceptionCodeStatus.ExceptionBreakpoint: asm = AssemblyUtil.FormatInstruction(instr); //if (instr.Mnemonic.Equals("INT") && instr.Operands.Equals("3")) { if (instr != null && instr.Mnemonic == ud_mnemonic_code.UD_Iint3) { LoggerInstance.WriteLine($"int3 breakpoint at: {exceptionAddress:X}, evtCount: {CurrentInfo.EventCount}, asm: {asm}"); LoggerInstance.WriteLine("overwriting with NOP"); DebugProcessUtils.WriteByte(CurrentProcess, exceptionAddress, AssemblyUtil.Nop); continueCode = Win32Imports.DbgContinue; } else { msg = $"breakpoint, chance: { evt.Exception.dwFirstChance}"; msg += $", at: 0x{breakAddress:X}, exc at: 0x{exceptionAddress:X}, asm: {asm}, exc asm: {asm2}"; LoggerInstance.WriteLine(msg); } break; case Win32Imports.ExceptionCodeStatus.ExceptionInvalidHandle: msg = $"invalid handle, chance: { evt.Exception.dwFirstChance}"; msg += $", at: 0x{breakAddress:X}, exc at: 0x{exceptionAddress:X}, asm: {asm}, exc asm: {asm2}"; LoggerInstance.WriteLine(msg); LoggerInstance.WriteLine(msg); AssemblyUtil.LogStackTrace(_importResolver, LoggerInstance, CurrentProcess, context.Rsp); continueCode = Win32Imports.DbgExceptionNotHandled; break; case Win32Imports.ExceptionCodeStatus.ExceptionInvalidOperation: msg = $"invalid operation, chance: { evt.Exception.dwFirstChance}"; msg += $", at: 0x{breakAddress:X}, exc at: 0x{exceptionAddress:X}, asm: {asm}, exc asm: {asm2}"; // anti-anti-debug measure if (instr != null && instr.Mnemonic == ud_mnemonic_code.UD_Iud2) { LoggerInstance.WriteLine("overwriting UD2 with NOP"); DebugProcessUtils.WriteBytes(CurrentProcess, exceptionAddress, new[] { AssemblyUtil.Nop, AssemblyUtil.Nop }); } // anti-anti-debug measure var instr2 = AssemblyUtil.Disassemble(CurrentProcess, exceptionAddress - 1); if (instr2.Mnemonic == ud_mnemonic_code.UD_Iint && instr2.Operands[0].Value == 0x2D) { ulong rip = context.Rip - 1; setRip((uint) evt.dwThreadId, false, rip); LoggerInstance.WriteLine("INT2D encountered, subtracting 1 from Rip"); continueCode = Win32Imports.DbgContinue; } else { continueCode = Win32Imports.DbgExceptionNotHandled; } LoggerInstance.WriteLine(msg); break; case Win32Imports.ExceptionCodeStatus.ExceptionAccessViolation: msg = $"access violation: {code:X}, chance: { evt.Exception.dwFirstChance}"; msg += $", at: 0x{breakAddress:X}, exc at: 0x{exceptionAddress:X}, asm: {asm}, exc asm: {asm2}"; LoggerInstance.WriteLine(msg); break; case 0: LoggerInstance.WriteLine($"event 0 at: {breakAddress:X}"); break; default: msg = $"unknown code: {code:X}, chance: { evt.Exception.dwFirstChance}"; msg += $", at: 0x{breakAddress:X}, exc at: 0x{exceptionAddress:X}, asm: {asm}, exc asm: {asm2}"; LoggerInstance.WriteLine(msg); break; } break; case Win32Imports.DebugEventType.CreateProcessDebugEvent: //Console.WriteLine($"resumed create process event for thread {evt.dwThreadId}"); break; case Win32Imports.DebugEventType.CreateThreadDebugEvent: //Console.WriteLine($"resumed create thread event for thread {evt.dwThreadId}"); break; case Win32Imports.DebugEventType.ExitThreadDebugEvent: //Console.WriteLine($"resumed exit thread event for thread {evt.dwThreadId}"); break; case Win32Imports.DebugEventType.ExitProcessDebugEvent: Console.WriteLine($"resumed exit process event for thread {evt.dwThreadId}"); break; default: Console.WriteLine($"resumed debug event for thread: {evt.dwThreadId} {evt.dwDebugEventCode}"); break; } //LoggerInstance.WriteLine($"debug event of type {evt.dwDebugEventCode}"); if (!Win32Imports.ContinueDebugEvent(evt.dwProcessId, evt.dwThreadId, continueCode)) { throw new Win32Exception(); } //ContinueDebugEvent(evt.dwProcessId, evt.dwThreadId, DBG_EXCEPTION_NOT_HANDLED); //setBreakPoint((uint) evt.dwThreadId, address, false); } } //Console.WriteLine("End ResumeBreak"); //return events; return goNextBreakPoint; }