Exetools  

  #1  
09-10-2014, 11:26
bridgeic
Can IDA set a memory breakpoint when using the Remote Linux debugger?

I want to observe and catch which instruction modifies the content of some memory block.

  #2  
09-10-2014, 13:45
Storm Shadow
Yes, it's possible; there are some ways.
If the address is known you can set them when debugging and restart.
Or if it's a condition, make a new breakpoint and under condition file set future condition, and breakpoint type.
I like the script way, but that's just me.

simple BP script
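Code:
from idc import *  # IDAPython IDC-compatibility API
ea = GetEntryPoint(1)  # entry point or address
ea2 = MaxEA()  # highest address in the database
LoadDebugger("gdb", 1)  # debugger type; 1 = remote
# address, length in bytes, breakpoint type. BPT_BRK is a breakpoint flag,
# not a type; BPT_WRITE (same numeric value) is the hardware write type.
AddBptEx(0x020000, 0x1, BPT_WRITE)
SetDebuggerOptions(DOPT_BPT_MSGS)  # debugger attributes: log breakpoints
path = GetInputFilePath()
args = ''
sdir = ''
StartDebugger(path, args, sdir)

https://www.hex-rays.com/products/ida/support/idadoc/1076.shtml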

It might be useful if you want to see how it modifies, and use trace replayer.
__________________
The devil whispered in my ear, "you're not strong enough to withstand the storm."

Today I whispered in the devils ear, "I am the storm."

  #3  
09-10-2014, 14:10
sendersu
> I want to observe and catch which instruction modifies the content of some memory block.
Does the HW breakpoint work in your case?

  #4  
09-10-2014, 14:23
Storm Shadow
You can observe what instructions are being modified with trace replayer.
Haven't used it much, but the modifications show there. Trace replayer can trace functions / instructions and basic blocks.

  #5  
09-10-2014, 17:11
bridgeic
Quote:
Originally Posted by sendersu
> I want to observe and catch which instruction modifies the content of some memory block.
Does the HW breakpoint work in your case?

Dear sendersu,

How to set a HW breakpoint in IDA? Would you give more details?

I'll search Google at the same time, thank you.

  #6  
09-10-2014, 17:13
bridgeic
Quote:
Originally Posted by Storm Shadow
Yes, it's possible; there are some ways.
If the address is known you can set them when debugging and restart.
Or if it's a condition, make a new breakpoint and under condition file set future condition, and breakpoint type.
I like the script way, but that's just me.

simple BP script
......

https://www.hex-rays.com/products/ida/support/idadoc/1076.shtml

It might be useful if you want to see how it modifies, and use trace replayer.

Dear Storm,

I'll study it, seems it's more complex than that in OD.

  #7  
09-10-2014, 17:58
sendersu
Set a regular BP (F2).
Edit that BP (right click on the red dot and go to the Edit breakpoint menu item),
then you'll see this: http://prntscr.com/4lfwfa
Check the HW checkbox and the rest of the options!
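
Added example, not part of any post in this thread: on x86/x86-64 (an assumption, the thread does not name the target CPU) a hardware breakpoint watches only 1, 2, 4 or 8 naturally aligned bytes and the CPU has four slots, so a "memory block" has to be split into pieces before it can be watched. The Python below plans that split and computes the DR7 control value a debugger would program for it; `plan_watchpoints` and `dr7_value` are hypothetical names, and the 12-byte buffer address is constructed.

```python
# Added example: x86/x86-64 debug-register limits (assumed target architecture).
MAX_SLOTS = 4                                        # DR0..DR3
LEN_BITS = {1: 0b00, 2: 0b01, 4: 0b11, 8: 0b10}      # DR7 LENn (8 bytes: 64-bit mode)
RW_BITS = {"exec": 0b00, "write": 0b01, "rw": 0b11}  # DR7 R/Wn access type


def plan_watchpoints(start, length):
    """Split [start, start+length) into naturally aligned 1/2/4/8-byte pieces."""
    if length <= 0:
        raise ValueError("length must be positive")
    pieces, ea, left = [], start, length
    while left:
        # Largest width that is aligned at ea and does not overshoot the block.
        size = next(s for s in (8, 4, 2, 1) if ea % s == 0 and s <= left)
        pieces.append((ea, size))
        ea += size
        left -= size
    if len(pieces) > MAX_SLOTS:
        raise ValueError("block needs %d hardware breakpoints, only %d exist"
                         % (len(pieces), MAX_SLOTS))
    return pieces


def dr7_value(pieces, access="write"):
    """Build the DR7 control value that arms one slot per piece."""
    if access == "exec" and any(size != 1 for _, size in pieces):
        raise ValueError("execute breakpoints must have length 1")
    dr7 = 0
    for slot, (_, size) in enumerate(pieces):
        dr7 |= 1 << (2 * slot)                       # Ln: local enable
        dr7 |= RW_BITS[access] << (16 + 4 * slot)    # R/Wn: access type
        dr7 |= LEN_BITS[size] << (18 + 4 * slot)     # LENn: watched width
    return dr7


if __name__ == "__main__":
    # Constructed sample: a 12-byte buffer at a 4-byte-aligned address.
    pieces = plan_watchpoints(0x601044, 12)
    for ea, size in pieces:
        print("hw write bpt at %#x, size %d" % (ea, size))
    print("DR7 = %#x" % dr7_value(pieces))
```

Each `(address, size)` pair corresponds to one hardware write breakpoint; a block that does not fit in four pieces needs a different approach, such as the tracing mentioned earlier in the thread.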
  #8  
09-10-2014, 18:07
Storm Shadow
Quote:
Originally Posted by bridgeic
Dear Storm,

I'll study it, seems it's more complex than that in OD.

Well, it sounds more complex than it is.