Re: GetThreadContext and debug register problem


A decent app should not care about a debugger. It's a shame there are apps and
drivers that will barf in the presence of kernel debugging enabled.

"Johnny" <Johnny@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:16E6172A-768F-4E90-BF3E-1738EF3C6707@xxxxxxxxxxxxxxxx
Dear Anton,

Again, thanks for the response. My goal is to detect a possible running
debugger while my app is executing. And like you've mentioned, one method a
debugger could go into debug mode is setting debug registers and generating
an INT1 debug exception. My test to use SetThreadContext was simply to check
if GetThreadContext actually works for me or not, because it seems it didn't.
I originally used the kernel debugger to trigger the debug registers as I
mentioned in the previous post...

Or are there better ways to confirm the GetThreadContext API is doing what I
needed?

Thanks again,
Johnny

"anton bassov" wrote:

Johnny,

Let's start with a theory. If you want to set a breakpoint in a debug
register, you have to specify it in one of DR0-DR3 registers, plus
modify DR7 accordingly (please consult Intel manuals for more info) in
CONTEXT structure, and then pass it to SetThreadContext. Just don't
forget that you cannot set IO breakpoints this way, and execution and
memory breakpoints have to be numerically below 0x80000000 - otherwise,
you would have to do it from a driver.

The above is theory, so let's proceed to practice. Let's say you have
set a breakpoint. What are you going to do when it gets reached???? The
target thread will raise an exception, and it is your responsibility to
handle it - otherwise, the thread would crash. This is how debuggers
work - they have to handle an exception. BTW, when it comes to
execution breakpoints, debuggers just insert 0xCC opcode, i.e. do
everything via INT 3, rather than INT1.


Shortly speaking, what are you trying to do???

Anton Bassov





Johnny wrote:
Dear Anton,

Thanks for the reply. In order to examine the function, I tried setting the
debug registers in two ways. The first was to do it directly using a kernel
debugger, namely SoftICE; the result did not change (context returned all 0s).
The second was doing it using the SetThreadContext API function. In this case,
the context returned was abnormal. Say, I first set only DR0 = 0x00F23212
using SetThreadContext; calling GetThreadContext returns DR0 as 0x00F23212,
DR1 = 0, however DR2 and DR3 do not change to zero but keep their
initialized values, which are non-zero. With CONTEXT_DEBUG_REGISTERS set,
why were DR2 and DR3 not turning to zeros?

That is why I thought of posting here to get help. SetThreadContext and
GetThreadContext just didn't work consistently for me here.

Any ideas?
Thanks again,
Johnny

"anton bassov" wrote:

Hi mate

Just ask yourself a question - why should debug registers be non-zero????
Did you take any step to modify them?????

Anton Bassov

Johnny wrote:
Hi guys,
I am writing a standard user-mode Windows app that tries to retrieve debug
register values from the system. I used the GetThreadContext API function
call with context flags set like this:

    CONTEXT context;
    context.ContextFlags |= CONTEXT_DEBUG_REGISTERS;

and I created a dummy thread function in SUSPEND mode and used its handle to
get thread context information:

    HANDLE hThread = CreateThread(0, 0, &DummyThread, 0,
                                  CREATE_SUSPENDED, &nID);
    if (hThread != NULL)
    {
        GetThreadContext(hThread, &context);
    }

As I tried to read the DR values from the context, they always return 0
(including DR6 and DR7), even though I have already set them manually using a
kernel debugger. To me, the returned information seems somehow invalid. I also
noticed the call doesn't just return the specified context set with the context
flag. When I traced in VS2005, I could see in the debug window that other
context such as SegFs and SegFs were also updated. I am confused.

Any ideas on where I might have gone wrong? Any help would be really
appreciated.

Thanks in advance,
Johnny
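
Added example (not code from any poster in this thread): the DR7 encoding behind Anton's "modify DR7 accordingly", plus a Windows-only helper that reads the debug registers of a suspended thread with ContextFlags assigned on a zeroed CONTEXT instead of OR-ed into an uninitialised one. The names dr7_enable, dr7_active_slots and read_debug_regs are hypothetical; the bit layout follows the Intel SDM.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* DR7 layout (Intel SDM): bit 2n = local enable Ln, bit 2n+1 = global enable Gn,
   bits 16+4n..17+4n = R/Wn, bits 18+4n..19+4n = LENn, for slot n = 0..3. */
enum { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_READWRITE = 3 };  /* R/W field */
enum { BP_LEN1 = 0, BP_LEN2 = 1, BP_LEN8 = 2, BP_LEN4 = 3 };      /* LEN field */

/* Return dr7 with slot n locally enabled for the given access type and length. */
uint32_t dr7_enable(uint32_t dr7, int n, int rw, int len)
{
    dr7 &= ~((0x3u << (2 * n)) | (0xFu << (16 + 4 * n)));  /* clear slot n */
    dr7 |= 1u << (2 * n);                                   /* set Ln */
    dr7 |= (uint32_t)((len << 2) | rw) << (16 + 4 * n);     /* LENn:R/Wn */
    return dr7;
}

/* Bitmask of slots (bit n = DRn) whose L or G enable bit is set in dr7. */
unsigned dr7_active_slots(uint32_t dr7)
{
    unsigned mask = 0;
    for (int n = 0; n < 4; n++)
        if (dr7 & (0x3u << (2 * n)))
            mask |= 1u << n;
    return mask;
}

#ifdef _WIN32
/* Read Dr0-Dr3, Dr6, Dr7 of a suspended thread. Returns 0 on failure. */
int read_debug_regs(HANDLE hThread, CONTEXT *ctx)
{
    ZeroMemory(ctx, sizeof *ctx);                  /* no stale flag bits */
    ctx->ContextFlags = CONTEXT_DEBUG_REGISTERS;   /* assign, do not |= */
    return GetThreadContext(hThread, ctx) != 0;    /* check the result */
}
#endif

int main(void)
{
    /* Constructed sample: a 4-byte write watchpoint in slot 0. */
    uint32_t dr7 = dr7_enable(0, 0, BP_WRITE, BP_LEN4);
    printf("DR7 = 0x%08X, active slots = 0x%X\n",
           (unsigned)dr7, dr7_active_slots(dr7));
    return 0;
}
```

A DR7 of zero with a debugger attached is consistent with Anton's point that debuggers normally use INT 3 (0xCC) for execution breakpoints rather than the debug registers.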
