Exetools  

  #1  
Old 10-15-2005, 00:38
deXep
How do OllyDbg memory breakpoints work

Memory breakpoints are a nice function in unpacking

it doesn't use debug registers...

I think maybe it locks the page with PAGE_GUARD?

but I found little information about the usage of this flag

plz gimme an example thx
  #2  
Old 10-15-2005, 01:18
JuneMouse
 
try to find John Robbins' book, he has some nice details about debugging applications in his book

or find his Bugslayer column in MSDN and read through those articles
many of them come with precompiled binaries as well as source code

or if you really would prefer to read all the murky details, untar the gdb
source code and look through the code (massive 17 MB of dense C code)
but worth having a peek

a memory breakpoint works by way of setting permissions on a virtual page
if you look at the VirtualAlloc(), VirtualQuery(), VirtualProtect() APIs you can see
you can set various permissions like read, write, execute, read write,
read execute, write execute etc. etc.

now if you set a permission like read execute then whenever a write access
occurs the processor or OS triggers an exception
and OllyDbg, which is waiting for the debug event, catches it,
checks if the access violation is because of a breakpoint set
and if yes it breaks

hope it was an understandable explanation
  #3  
Old 10-15-2005, 03:52
The Day Walker!
 
dunno where 2 ask, but as the topic was goin on, i thought i could ask here...
when i set bp in olly, using the commandline plugin,
1 way is by, bpx command, but it only breaks on calls,

wot r other commands that work??
bpm doesn't work,,,,

help needed.

thanx

TDW {RES}
  #4  
Old 10-15-2005, 12:04
deXep
Thank you JuneMouse.

I knew this.
OllyDbg seems to protect pages with PAGE_GUARD
then wait for the debug event and catch the 80000001h event
and compare if it is read/write/execute
I don't know how to get the RWE state :(
  #5  
Old 10-15-2005, 17:16
heXer
VirtualQueryEx can get the state
  #6  
Old 10-15-2005, 21:48
JuneMouse
 
all breakpoints that are available via the GUI are available via the commandline plugin too: bpx, bp etc., including conditional breakpoints
open the help file for details about the various formats
or type help in the commandline plugin itself

@dexep
use VirtualQuery() for page information about the calling process
or VirtualQueryEx() for page info about a remote process
it returns a MEMORY_BASIC_INFORMATION struct filled with all those details

Code:
typedef struct _MEMORY_BASIC_INFORMATION {
    PVOID  BaseAddress;
    PVOID  AllocationBase;
    DWORD  AllocationProtect;
    SIZE_T RegionSize;
    DWORD  State;
    DWORD  Protect;
    DWORD  Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;

AllocationProtect has the constant that defines the page's protection status

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/memory_protection_constants.asp
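Added example (not code from the thread and not OllyDbg's own): a sketch of the debugger-side check the replies describe, deciding whether a page-protection fault is a hit on a memory breakpoint and whether it was a read, write or execute. The names `mem_bp`, `exc_event` and `classify_fault` are hypothetical; the access-type values are the ones Windows documents for access violations, and applying them to the 80000001h guard-page event is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Win32 values, redefined here so the logic compiles on any platform. */
#define EXC_ACCESS_VIOLATION 0xC0000005u  /* EXCEPTION_ACCESS_VIOLATION */
#define EXC_GUARD_PAGE       0x80000001u  /* STATUS_GUARD_PAGE_VIOLATION */
#define PAGE_SZ              0x1000u      /* assumption: 4 KiB pages */

enum { ACC_READ = 1, ACC_WRITE = 2, ACC_EXEC = 4 };   /* breakpoint mask */
enum { BP_PASS, BP_STEP_AND_REARM, BP_BREAK };        /* debugger action */

/* Hypothetical breakpoint record; size must be at least 1. */
typedef struct { uint64_t addr, size; unsigned mask; } mem_bp;

/* Subset of EXCEPTION_RECORD. For an access violation,
   ExceptionInformation[0] is 0 = read, 1 = write, 8 = execute (DEP)
   and ExceptionInformation[1] is the address that was touched. */
typedef struct { uint32_t code; uint64_t info0, info1; } exc_event;

static unsigned access_kind(uint64_t info0)
{
    return info0 == 0 ? ACC_READ : info0 == 1 ? ACC_WRITE :
           info0 == 8 ? ACC_EXEC : 0;
}

int classify_fault(const mem_bp *bp, const exc_event *ev)
{
    /* Protection is per page, so the fault can come from any byte of
       the pages that the breakpoint range overlaps. */
    uint64_t first = bp->addr & ~(uint64_t)(PAGE_SZ - 1);
    uint64_t last  = (bp->addr + bp->size - 1) | (PAGE_SZ - 1);

    if (ev->code != EXC_ACCESS_VIOLATION && ev->code != EXC_GUARD_PAGE)
        return BP_PASS;               /* some other exception */
    if (ev->info1 < first || ev->info1 > last)
        return BP_PASS;               /* genuine fault in the debuggee */
    if (ev->info1 >= bp->addr && ev->info1 < bp->addr + bp->size &&
        (access_kind(ev->info0) & bp->mask))
        return BP_BREAK;              /* watched bytes, watched access */
    /* Our page, but not a hit: restore the original protection,
       single-step the instruction, then protect the page again. */
    return BP_STEP_AND_REARM;
}

int main(void)
{
    mem_bp bp = { 0x401010, 4, ACC_WRITE };                /* constructed */
    exc_event ev = { EXC_ACCESS_VIOLATION, 1, 0x401800 };  /* constructed */
    printf("action=%d\n", classify_fault(&bp, &ev));
    return 0;
}
```

In a real debugger the two values come from the EXCEPTION_DEBUG_EVENT returned by WaitForDebugEvent(), and the page's original protection is the one saved when VirtualProtectEx() armed the breakpoint.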
All times are GMT +8.