Exetools


deXep 10-15-2005 00:38

how does ollydbg memory breakpoint works
 
memory breakpoints are a nice function in unpacking

it doesn't use debug registers...

I think maybe it locks the page with PAGE_GUARD?

but I found little information about the usage of this flag

plz gimme an example thx

JuneMouse 10-15-2005 01:18

try to find john robbins book he has some nice details about debugging applications in his book

or find his bugslayer column in msdn and read through those articles
many of them come with precompiled binary as well as source code

or if you really would prefer to read all the murky details untar the gdb
source codes and look through the code (massive 17 mb dense c code)
but worth having a peek

a memory breakpoint works by way of setting permissions on a virtual page
if you look at the VirtualAlloc() VirtualQuery() VirtualProtect() apis you can see
you can set various permissions like read, write, execute, read write,
read execute, write execute etc etc

now if you set a permission like read execute then whenever a write access
occurs the processor or os triggers an exception
and ollydbg which is waiting for the debug event catches it
checks if the access violation is because of a breakpoint set
and if yes it breaks

hope it was an understandable explanation

The Day Walker! 10-15-2005 03:52

dunno where 2 ask, but as the topic was goin on, i thought i could ask here...
when i set bp in olly, using the commandline plugin,
1 way is by, bpx command, but it only breaks on calls,

wot r other commands the works??
bpm doesnt work,,,,

help needed.

thanx

TDW {RES}

deXep 10-15-2005 12:04

Thank you JuneMouse.

I knew this.
OllyDbg seems to protect pages with PAGE_GUARD
then wait for debug event and catch 80000001h event
and compare if it is read/write/execute
I don't know how to get RWE state :((

heXer 10-15-2005 17:16

VirtualQueryEx can get the state

JuneMouse 10-15-2005 21:48

all breakpoints that are available via gui are available via commandline plugin too, bpx, bp etc including conditional breakpoint
open the help file for details about various formats
or type help in commandline plugin itself

@dexep
use VirtualQuery() for calling process related page information
or VirtualQueryEx for remote process related page info
it returns a MEMORY_BASIC_INFORMATION struct filled with all those details

Code:

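typedef struct _MEMORY_BASIC_INFORMATION {
    PVOID  BaseAddress;        /* base address of the region of pages */
    PVOID  AllocationBase;     /* base address of the original allocation */
    DWORD  AllocationProtect;  /* protection given when the region was first allocated */
    SIZE_T RegionSize;         /* size of the region, in bytes */
    DWORD  State;              /* MEM_COMMIT, MEM_RESERVE or MEM_FREE */
    DWORD  Protect;            /* access protection of the pages in the region */
    DWORD  Type;               /* MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE */
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;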

the allocationprotect has the constant that defines the pages protection status

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/memory_protection_constants.asp

