Re: GetThreadContext and debug register problem



Johny,



Let's start with a theory. If you want to set a breakpoint in a debug
register, you have to specify it in one of the DR0-DR3 registers, plus
modify DR7 accordingly (please consult the Intel manuals for more info) in
the CONTEXT structure, and then pass it to SetThreadContext. Just don't
forget that you cannot set IO breakpoints this way, and execution and
memory breakpoints have to be numerically below 0x80000000 - otherwise,
you would have to do it from a driver.

The above is theory, so let's proceed to practice. Let's say you have
set a breakpoint. What are you going to do when it gets reached???? The
target thread will raise an exception, and it is your responsibility to
handle it - otherwise, the thread would crash. This is how debuggers
work - they have to handle an exception. BTW, when it comes to
execution breakpoints, debuggers just insert the 0xCC opcode, i.e. do
everything via INT 3, rather than INT 1.


Shortly speaking, what are you trying to do???

Anton Bassov
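As an added illustration of the procedure Anton describes (this is not code from the thread or from either poster): a debugger that wants a hardware breakpoint has to build the DR7 control word before it can hand the CONTEXT to SetThreadContext, and it has to know afterwards, in its exception handler, which slot fired (DR6). The bit positions below follow the Intel SDM; the 0x80000000 ceiling and the rejection of IO breakpoints are the user-mode limits from Anton's reply, applied for 32-bit Windows. The names hwbp_dr7, hwbp_enabled, hwbp_fired_slot and the Windows-only hwbp_apply are my own, and hwbp_apply is a hypothetical helper that only compiles on Windows.

```c
/* Added example, not code from this thread: encode a hardware breakpoint
 * into DR7 the way a user-mode debugger must before SetThreadContext, with
 * the user-mode limits from Anton's reply checked up front (no IO
 * breakpoints, address below 0x80000000 on 32-bit Windows). DR7/DR6 bit
 * positions follow the Intel SDM. hwbp_apply() is a hypothetical helper. */
#include <stdint.h>

/* R/W field values in DR7 (bits 16-31, two bits per slot). */
enum bp_kind { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 };

#define USER_LIMIT_32 0x80000000u   /* Anton: user-mode breakpoints sit below this */

/* LEN field: 00 = 1 byte, 01 = 2 bytes, 11 = 4 bytes, 10 = 8 bytes (64-bit only). */
static uint32_t len_field(unsigned len_bytes)
{
    switch (len_bytes) {
    case 1: return 0; case 2: return 1; case 4: return 3; case 8: return 2;
    default: return UINT32_MAX;   /* invalid length */
    }
}

/* Return DR7 with slot `slot` (0-3) programmed as a local breakpoint, keeping
 * the other slots as they were in `dr7_old`. Returns 0 when the request cannot
 * be honoured from user mode; a valid result is never 0 because L<slot> is set.
 * DR7 layout: L<n> = bit 2n, G<n> = bit 2n+1, R/W<n> = bits 16+4n..17+4n,
 * LEN<n> = bits 18+4n..19+4n. */
uint32_t hwbp_dr7(uint32_t dr7_old, unsigned slot, enum bp_kind kind,
                  unsigned len_bytes, uintptr_t addr)
{
    uint32_t lenf = len_field(len_bytes);
    if (slot > 3) return 0;
    if (kind == BP_IO) return 0;                 /* IO breakpoints need a driver */
    if (addr >= USER_LIMIT_32) return 0;         /* kernel address: driver only */
    if (lenf == UINT32_MAX) return 0;
    if (kind == BP_EXEC && len_bytes != 1) return 0;          /* exec: LEN must be 00 */
    if (kind != BP_EXEC && (addr % len_bytes) != 0) return 0; /* data bp: length-aligned */

    uint32_t dr7 = dr7_old;
    dr7 &= ~(0x3u << (2 * slot));                /* clear this slot's L/G bits */
    dr7 &= ~(0xFu << (16 + 4 * slot));           /* clear old R/W and LEN */
    dr7 |= 1u << (2 * slot);                     /* local enable */
    dr7 |= (uint32_t)kind << (16 + 4 * slot);
    dr7 |= lenf << (18 + 4 * slot);
    return dr7;
}

/* 1 if the slot is enabled (locally or globally) in dr7, else 0. */
int hwbp_enabled(uint32_t dr7, unsigned slot)
{
    return (slot <= 3 && ((dr7 >> (2 * slot)) & 0x3u)) ? 1 : 0;
}

/* Which slot fired? DR6 bits B0-B3 record it; the exception handler Anton
 * mentions reads this from the faulting thread's Dr6. Returns -1 when none
 * of B0-B3 is set (e.g. a plain trap-flag single step). */
int hwbp_fired_slot(uint32_t dr6)
{
    for (unsigned i = 0; i < 4; i++)
        if (dr6 & (1u << i)) return (int)i;
    return -1;
}

#ifdef _WIN32
#include <windows.h>
/* Hypothetical helper: program DR<slot> and DR7 of a thread created with
 * CREATE_SUSPENDED. ContextFlags is assigned, not OR-ed into an uninitialised
 * struct, so only the debug-register part of the context is read and written. */
BOOL hwbp_apply(HANDLE hThread, unsigned slot, enum bp_kind kind,
                unsigned len_bytes, uintptr_t addr)
{
    CONTEXT ctx;
    uint32_t dr7;
    ZeroMemory(&ctx, sizeof ctx);
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(hThread, &ctx)) return FALSE;
    dr7 = hwbp_dr7((uint32_t)ctx.Dr7, slot, kind, len_bytes, addr);
    if (dr7 == 0) return FALSE;
    switch (slot) {
    case 0: ctx.Dr0 = addr; break;
    case 1: ctx.Dr1 = addr; break;
    case 2: ctx.Dr2 = addr; break;
    default: ctx.Dr3 = addr; break;
    }
    ctx.Dr7 = dr7;
    return SetThreadContext(hThread, &ctx);
}
#endif
```

The portable part is what a debugger computes; on Windows, hwbp_apply feeds it into the Dr0-Dr7 fields of a CONTEXT that was fetched with ContextFlags set to exactly CONTEXT_DEBUG_REGISTERS, which is the piece the original snippet in this thread got wrong by OR-ing into an uninitialised struct. A breakpoint built this way fires as a debug exception in the target thread, so the caller still has to catch it (in a debugger loop or a vectored handler) and inspect Dr6 with hwbp_fired_slot, as Anton says.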





Johnny wrote:
Dear Anton,

Thanks for the reply. In order to examine the function, I tried setting the
debug registers in two ways. The first was to do it directly using a kernel
debugger, namely SoftICE; the result did not change (the context returned all 0s).
The second was doing it using the SetThreadContext API function. In this case,
the context returned was abnormal. Say, I first set only DR0 = 0x00F23212
using SetThreadContext; calling GetThreadContext returns DR0 as 0x00F23212,
DR1 = 0, however DR2 and DR3 did not change to zero but remained at their
initialized values, which are non-zero. With CONTEXT_DEBUG_REGISTERS
set, why were DR2 and DR3 not turning to zero?

That is why I thought of posting here to get help. SetThreadContext and
GetThreadContext just didn't work consistently for me here.

Any ideas?
Thanks again,
Johnny

"anton bassov" wrote:

Hi mate

Just ask yourself a question - why should debug registers be
non-zero???? Did you take any step to modify them?????

Anton Bassov

Johnny wrote:
Hi guys,
I am writing a standard user-mode Windows app that tries to retrieve debug
register values from the system. I used the GetThreadContext API function
call with context flags set like this:

CONTEXT context;
ZeroMemory(&context, sizeof(context));          /* clear the struct first */
context.ContextFlags = CONTEXT_DEBUG_REGISTERS; /* assign; OR-ing into an uninitialised field leaves garbage flags set */

and I created a dummy thread function in suspended mode and used its handle to
get thread context information:

DWORD WINAPI DummyThread(LPVOID param);         /* thread entry point */
DWORD nID;
/* the creation flag is CREATE_SUSPENDED; the thread never runs before the context is read */
HANDLE hThread = CreateThread(0, 0, DummyThread, 0, CREATE_SUSPENDED, &nID);
if (hThread != NULL)
{
    GetThreadContext(hThread, &context);        /* check the return value: 0 means failure */
}

When I tried to read the DR values from the context, they always returned 0
(including DR6 and DR7), even though I had already set them manually using a kernel
debugger. To me, the returned information seems somehow invalid. I also
noticed the call doesn't just return the context specified by the context
flag. When I traced in VS2005, I could see in the debug window that other
context fields such as SegFs were also updated. I am confused.

Any ideas on where I might have done wrong? Any help would be really
appreciated.

Thanks in advance,
Johnny
