  #6  
05-08-2005, 20:50
Lunar_Dust
 
Well, inside the first int3 handler you can put a 0xCC (int3) on your OEP, but usually, since it's packed, of course it won't work right. In that case you can either single step (might take a while) or you can use BPMs to break on access. Like I said, for either of these you will need to do a GetThreadContext/SetThreadContext pair, and for apps that might be multithreaded, you have to make sure you keep track of thread creation so you set the context of the correct thread. (See above post near bottom.)

It does add complexity unfortunately, but it's the only way to make the debugger more robust and reliable on real applications.

Examples:

setting the single step flag in a thread
Code:
	
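	// setting the single step flag (trap flag, bit 8 of EFlags)
	CurrentContext.ContextFlags = CONTEXT_CONTROL;	// EFlags is part of the control registers
	GetThreadContext(hCurrentThread,&CurrentContext);
	CurrentContext.EFlags = CurrentContext.EFlags | 0x0100;
	SetThreadContext(hCurrentThread,&CurrentContext);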
making a place to store thread handles as they are created
Code:
#include <windows.h>
#include <map>
// global Threadmap list.
std::map<DWORD,HANDLE> ThreadMap;

storing thread handles when they are created
We do this since a debug event only gives us ThreadIDs. It's a pain to get hThread from ThreadID, but we can track it ourselves with an "array" (map).
Code:
	case CREATE_THREAD_DEBUG_EVENT:
				
				//printf("Creating a new thread..\n");
				ThreadMap[DebugEv.dwThreadId] = DebugEv.u.CreateThread.hThread;
				dwContinueStatus = DBG_CONTINUE;
				break;
remember to remove a thread when it's done
Code:
	case EXIT_THREAD_DEBUG_EVENT:
				//printf("Exiting a thread..\n");
				// erase by key: safe even if this thread ID was never stored
				ThreadMap.erase(DebugEv.dwThreadId);
				dwContinueStatus = DBG_CONTINUE;
				break;

getting the current thread when a debug exception occurs
Code:
	WaitForDebugEvent(&DebugEv, INFINITE); 
 
	// Process the debugging event code. 
		
		dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;

		ZeroMemory(&CurrentContext,sizeof(CurrentContext));

		// note: operator[] inserts a NULL entry if this thread ID was never stored
		hCurrentThread = ThreadMap[DebugEv.dwThreadId];

		switch (DebugEv.dwDebugEventCode) 
		{ 
			case EXCEPTION_DEBUG_EVENT: 
			// Process the exception code. When handling 
			// exceptions, remember to set the c




-Lunar

Last edited by Lunar_Dust; 05-08-2005 at 20:58.
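
An added sketch of the thread-handle tracking described in the post above (not Lunar_Dust's code). It goes one step further by also recording the initial thread, which is reported through CREATE_PROCESS_DEBUG_EVENT and never gets a CREATE_THREAD_DEBUG_EVENT. ThreadTracker, onEvent, handleFor and withSingleStep are hypothetical names, and the non-Windows typedefs are stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>

#ifdef _WIN32
#include <windows.h>
#else  // stand-ins (assumed) so the sketch also builds off Windows
typedef uint32_t DWORD;
typedef void*    HANDLE;
enum { CREATE_THREAD_DEBUG_EVENT = 2, CREATE_PROCESS_DEBUG_EVENT = 3,
       EXIT_THREAD_DEBUG_EVENT = 4 };
#endif

const DWORD TRAP_FLAG = 0x0100;  // EFlags bit 8, the single step flag

// Hypothetical helper: thread ID -> handle, fed from the debug loop.
class ThreadTracker {
    std::map<DWORD, HANDLE> threads_;
public:
    // hThread is u.CreateProcessInfo.hThread or u.CreateThread.hThread,
    // depending on the event; it is ignored for other event codes.
    void onEvent(DWORD code, DWORD tid, HANDLE hThread) {
        switch (code) {
        case CREATE_PROCESS_DEBUG_EVENT:  // initial thread is reported here,
        case CREATE_THREAD_DEBUG_EVENT:   // later threads here
            threads_[tid] = hThread;
            break;
        case EXIT_THREAD_DEBUG_EVENT:
            threads_.erase(tid);          // by key: no-op for an unknown ID
            break;
        }
    }
    // find() instead of operator[], which would insert a NULL entry.
    HANDLE handleFor(DWORD tid) const {
        std::map<DWORD, HANDLE>::const_iterator it = threads_.find(tid);
        return it == threads_.end() ? nullptr : it->second;
    }
    std::size_t count() const { return threads_.size(); }
};

// Set or clear the single step flag in an EFlags value read with
// GetThreadContext; write the result back with SetThreadContext.
DWORD withSingleStep(DWORD eflags, bool on) {
    return on ? (eflags | TRAP_FLAG) : (eflags & ~TRAP_FLAG);
}
```

In a real debug loop, call onEvent for every event before the switch on dwDebugEventCode, then use handleFor(DebugEv.dwThreadId) and treat a null result as "thread not tracked" rather than passing it to GetThreadContext.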