Exetools  

#1
07-06-2014, 02:51
ahmadmansoor (Coder)
Question: When does a Hardware BP fail?

Hi guys:
Through my work on DLL injection I found something strange.
When I use a hardware BP on my PC (all OSes from XP to Win 8.1), it works fine without any problem.
When I send this file to other PCs (a friend's PC in another country), which may differ in:
- OS language (non-English, or multi-language OS (Arabic + English)).
- Hardware: the CPU is different (maybe AMD), or Intel with a different speed or core count, or less memory.
the hardware BP is not reached (or does not happen).
So does anyone have any ideas about what could be happening here?
Thanks
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
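Added example (not code from the thread or from ahmadmansoor's injector): how an x86 hardware breakpoint is actually programmed. The DR0-DR3/DR6/DR7 layout is architectural and identical on Intel and AMD, so a CPU vendor difference alone does not change it, but two facts about debug registers do make the same injected DLL behave differently between machines and runs: there are only four slots, and on Windows they are per thread, so a breakpoint set on one thread never fires for code the target executes on another thread, and threads created after the injection start with clear registers. The addresses, slot numbers and the `hwbp_*` function names are assumptions made for the demo; the Windows part is compiled only under `_WIN32`.

```c
/* Added example (not code from the thread): encoding an x86 hardware
 * breakpoint into DR7 and applying it to one thread on Windows.
 * The DR0-DR7 layout is architectural and identical on Intel and AMD. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* R/W field values for a DR7 slot (value 2 = I/O breakpoints, not usable from user mode). */
enum hwbp_kind { HWBP_EXEC = 0, HWBP_WRITE = 1, HWBP_RW = 3 };

/* LEN field: 00 = 1 byte, 01 = 2 bytes, 11 = 4 bytes, 10 = 8 bytes (64-bit mode only). */
static int hwbp_len_bits(size_t len)
{
    switch (len) {
    case 1: return 0;
    case 2: return 1;
    case 4: return 3;
    case 8: return 2;
    default: return -1;
    }
}

/* Return `dr7` with slot 0..3 programmed and locally enabled, or 0 on bad input
 * (0 is never a valid result because a valid result always has an Ln bit set).
 * Two rules the CPU applies silently and that bite in practice:
 *  - execute breakpoints must use LEN = 1 byte;
 *  - data breakpoints must be naturally aligned (a 4-byte watch at 0x1002 never fires). */
uint64_t hwbp_dr7_set(uint64_t dr7, int slot, uintptr_t addr, enum hwbp_kind kind, size_t len)
{
    if (slot < 0 || slot > 3) return 0;
    if (kind == HWBP_EXEC) len = 1;
    int lb = hwbp_len_bits(len);
    if (lb < 0 || (len == 8 && sizeof(void *) != 8)) return 0;
    if (addr & (len - 1)) return 0;                      /* alignment check */
    dr7 &= ~((uint64_t)0xF << (16 + slot * 4));         /* clear R/W and LEN of this slot */
    dr7 |= (uint64_t)kind << (16 + slot * 4);           /* R/Wn */
    dr7 |= (uint64_t)lb << (18 + slot * 4);             /* LENn */
    dr7 |= (uint64_t)1 << (slot * 2);                   /* Ln: local enable */
    return dr7;
}

/* In the EXCEPTION_SINGLE_STEP handler, DR6 bits 0..3 say which slot fired. */
int hwbp_which_fired(uint64_t dr6)
{
    for (int i = 0; i < 4; i++)
        if (dr6 & ((uint64_t)1 << i)) return i;
    return -1;
}

#ifdef _WIN32
/* Program the breakpoint into ONE thread. Debug registers are per thread:
 * a breakpoint set on the injector's thread never fires for code that the
 * target runs on another thread, and threads created afterwards start with
 * clear DRs. `thread` must be a different thread opened with THREAD_GET_CONTEXT |
 * THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME; it is suspended while the context
 * is changed. When an execute breakpoint hits, the handler must set RF
 * (EFlags bit 16) before continuing or the same instruction faults again. */
bool hwbp_apply_to_thread(HANDLE thread, int slot, uintptr_t addr, enum hwbp_kind kind, size_t len)
{
    CONTEXT ctx;
    bool ok = false;
    if (SuspendThread(thread) == (DWORD)-1) return false;
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (GetThreadContext(thread, &ctx)) {
        uint64_t dr7 = hwbp_dr7_set(ctx.Dr7, slot, addr, kind, len);
        if (dr7) {
            switch (slot) {
            case 0: ctx.Dr0 = addr; break;
            case 1: ctx.Dr1 = addr; break;
            case 2: ctx.Dr2 = addr; break;
            default: ctx.Dr3 = addr; break;
            }
            ctx.Dr7 = (DWORD_PTR)dr7;
            ok = SetThreadContext(thread, &ctx) != 0;
        }
    }
    ResumeThread(thread);
    return ok;
}
#endif

int main(void)
{
    /* Constructed addresses for the demo; in a real injector they come from the hook table. */
    uint64_t dr7 = hwbp_dr7_set(0, 0, 0x00401000, HWBP_EXEC, 1);
    dr7 = hwbp_dr7_set(dr7, 1, 0x00403000, HWBP_WRITE, 4);
    printf("DR7 = 0x%llx\n", (unsigned long long)dr7);
    printf("unaligned 4-byte watch -> 0x%llx (rejected)\n",
           (unsigned long long)hwbp_dr7_set(0, 2, 0x00403002, HWBP_WRITE, 4));
    return 0;
}
```

A quick check that the slot really fired is to read DR6 in the exception handler rather than trusting the address alone; and if the hook has to catch code on every thread, the registers must be written into every existing thread and into each new one, which is where "works on my PC" injectors usually diverge from machine to machine.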
#2
07-06-2014, 03:02
DMichael (Family)
I don't know if it helps, but as I found out, not all processors support hardware breakpoints (according to the OllyDbg manual).
#3
07-06-2014, 03:12
ahmadmansoor (Coder)
Yes.. yes, I noticed this.
So what could be the alternative to a HW-BP on this processor, except "CC"?
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
#4
07-06-2014, 05:31
DMichael (Family)
You can try a memory breakpoint or a debugger breakpoint. Maybe there are more, but better listen to someone who knows more about this topic.
#5
07-06-2014, 06:01
Mahmoudnia (Family)
ahmadmansoor,
I doubt that I understand what you mean, but when I have a strong target that detects any type of breakpoint (software, hardware, memory, etc.), I use the "EB FE" trick. Maybe you can use "EB FE" in your target.
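The "EB FE" trick Mahmoudnia refers to, as an added example (not code from the thread or from anyone posting in it): `EB FE` is `jmp short -2`, a two-byte jump to itself, so whichever thread reaches the patched address spins there without any INT3, debug register or guard page being involved. The controlling side then looks for a thread whose instruction pointer equals the patch address, writes the original two bytes back and resumes or single-steps it. The buffer contents, the `spin_*` and `jmp_short_word` names are assumptions for the demo; the encoder is written for the general short-jump case of which `EB FE` is the self-targeting instance, and the Windows page-protection wrapper is compiled only under `_WIN32`.

```c
/* Added example (not code from the thread): the "EB FE" parking trick as an
 * alternative to INT3 (CC) and hardware breakpoints. EB FE is `jmp short -2`,
 * a jump to itself: any thread that reaches the patched address spins there
 * until the two original bytes are written back. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define SPIN_LEN 2   /* size of a short jmp */

/* Encode `jmp short target` to be placed at `at`. Returns false if the
 * displacement does not fit in rel8. at == target produces EB FE. */
bool encode_jmp_short(uint8_t out[SPIN_LEN], uintptr_t at, uintptr_t target)
{
    intptr_t disp = (intptr_t)target - (intptr_t)(at + SPIN_LEN);  /* relative to next instruction */
    if (disp < -128 || disp > 127) return false;
    out[0] = 0xEB;
    out[1] = (uint8_t)(int8_t)disp;
    return true;
}

/* Packed form of encode_jmp_short for inspection: 0xEBxx, or 0 if out of range. */
unsigned jmp_short_word(uintptr_t at, uintptr_t target)
{
    uint8_t b[SPIN_LEN];
    return encode_jmp_short(b, at, target) ? ((unsigned)b[0] << 8 | b[1]) : 0;
}

/* Overwrite code[0..1] with a self-jump, saving the original bytes.
 * `va` is the address the CPU sees for code[0] ((uintptr_t)code when patching
 * in-process). The caller guarantees the page is writable and that no thread
 * is executing inside those two bytes right now: a thread that already ran
 * byte 0 (e.g. a one-byte `push ebp`) would resume on the 0xFE and crash. */
bool spin_install(uint8_t *code, uintptr_t va, uint8_t saved[SPIN_LEN])
{
    uint8_t jmp[SPIN_LEN];
    if (!encode_jmp_short(jmp, va, va)) return false;
    memcpy(saved, code, SPIN_LEN);
    memcpy(code, jmp, SPIN_LEN);
    return true;
}

/* Restore the original bytes; a parked thread continues normally once resumed. */
void spin_remove(uint8_t *code, const uint8_t saved[SPIN_LEN])
{
    memcpy(code, saved, SPIN_LEN);
}

/* A thread is parked exactly when its EIP/RIP equals the patch address: this is
 * what the thread list shows after pausing in a debugger, or what GetThreadContext
 * reports from an injector. */
bool spin_thread_parked(uintptr_t ip, uintptr_t patch_va)
{
    return ip == patch_va;
}

#ifdef _WIN32
/* Live variant: make the code page writable, patch, and flush the instruction
 * cache so every core sees the new bytes. */
bool spin_install_live(void *target, uint8_t saved[SPIN_LEN])
{
    DWORD old;
    if (!VirtualProtect(target, SPIN_LEN, PAGE_EXECUTE_READWRITE, &old)) return false;
    bool ok = spin_install((uint8_t *)target, (uintptr_t)target, saved);
    FlushInstructionCache(GetCurrentProcess(), target, SPIN_LEN);
    VirtualProtect(target, SPIN_LEN, old, &old);
    return ok;
}
#endif

/* Round trip on a constructed buffer holding a typical prologue
 * (push ebp; mov ebp, esp; sub esp, 10h). Returns 1 if every step behaved. */
int spin_selftest(void)
{
    uint8_t code[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
    uint8_t orig[sizeof code];
    uint8_t saved[SPIN_LEN];
    memcpy(orig, code, sizeof code);
    if (!spin_install(code, (uintptr_t)code, saved)) return 0;
    if (code[0] != 0xEB || code[1] != 0xFE) return 0;        /* jmp $ in place */
    if (memcmp(code + SPIN_LEN, orig + SPIN_LEN, sizeof code - SPIN_LEN) != 0) return 0;
    if (!spin_thread_parked((uintptr_t)code, (uintptr_t)code)) return 0;
    spin_remove(code, saved);
    return memcmp(code, orig, sizeof code) == 0;
}

int main(void)
{
    printf("EB FE round trip: %s\n", spin_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The trick costs a busy-waiting thread and a controller that polls thread contexts, which is why it suits one-off breaks in a hostile target better than a large hook table.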
#6
07-06-2014, 18:22
Kerlingen (VIP)
My guess would be you've disabled UAC or are logged in as admin, while your friend is using a normal user account to run your software. The debug privilege is by default only enabled for the admin user group.

The next possibility would be that one of you is running the software inside a virtual machine and the software takes a different execution path depending on the environment either for compatibility or protection reasons.

It also could be that some IPS is running on your friend's system blocking this kind of action. Or it's some poorly configured anti-virus solution. If it really is the former, he shouldn't be running some software from some friend anyways.
#7
07-06-2014, 20:25
ahmadmansoor (Coder)
@Mahmoudnia: yes, I know this EB FE loop trick, but it is not professional work, and on the other hand, for hooking a lot of places it is not effective and will slow down programs (which are already heavy to load, like graphics programs).

@Kerlingen:
Quote:
My guess would be you've disabled UAC or are logged in as admin
But sometimes it happens on XP. I tried it on my XP, then sent it to another friend with a different OS language (Spanish) (OS = XP), and it did not work (he has another CPU, AMD), and he uses a user with admin rights.
Quote:
The next possibility would be that one of you is running the software inside a virtual machine and the software takes a different execution path depending on the environment either for compatibility or protection reasons.
This is right, but how could this affect the behavior of the injected DLL and prevent the hardware BP?
Quote:
It also could be that some IPS is running on your friend's system blocking this kind of action
How could that be... any example!!
Quote:
Or it's some poorly configured anti-virus solution. If it really is the former,
No, he is not using any anti-virus.
Quote:
he shouldn't be running some software from some friend anyways.
Lol, I am a trusted guy.
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
#8
07-07-2014, 09:52
ZeNiX (Administrator)
It depends on what type/method of dll injection you use.
#9
07-07-2014, 11:53
qkumba (Friend)
I agree with Kerlingen's suggestion that a different code path is taken. In that case, it's not that the hardware breakpoints are not working, but that the addresses are never reached. You can test this by breaking at OEP+next instead, you will probably find that it works on both machines. If so, then it confirms that the environment is different between the two machines. It might be the presence or absence of other software, for example missing DLLs or similar.
So, try the OEP break and tell us what happens.
All times are GMT +8.

