Re: GetThreadContext and debug register problem

Dear Anton,

Again, thanks for the response. My goal is to detect a possible running
debugger while my app is executing. And like you've mentioned, one method a
debugger could go into debug mode is setting debug registers and generating
INT1 debug exception. My test to use SetThreadContext was simply to check if
GetThreadContext actually works for me or not, because seems it didn't. I
originally used the kernel debug to trigger the debug registers as I
mentioned in the previous post...

Or there are better ways to confirm the GetThreadContext API is doing what I
needed?

Thanks again,
Johnny

"anton bassov" wrote:

Johny,



Let's start with a theory. If you want to set a breakpoint in a debug
register, you have to specify it in one of DR0-DR3 registers, plus
modify DR7 accordingly (please consult Intel manuals for more info) in
CONTEXT structure, and then pass it to SetThreadContext. Just don't
forget that you cannot set IO breakpoints this way, and execution and
memory breakpoints have to be numerically below 0x80000000 - otherwise,
you would have to do it from a driver

The above is theory, so let's proceed to practice. Let's say you have
set a breakpoint. What are you going to do when it gets reached???? The
target thread will raise an exception, and it is your responsibility to
handle it - otherwise, the thread would crash. This is how debuggers
work - they have to handle an exception. BTW, when it comes to
execution breakpoints, debuggers just insert 0xCC opcode, i.e. do
everything via INT 3, rather than INT1


Shortly speaking, what are you trying to do???

Anton Bassov





Johnny wrote:
Dear Anton,

Thanks for the reply. In order to examine the function, I tried setting the
debug registers via two ways. First was to do it directly using a kernel
debugger, namely SoftICE, the result did not change (context return all 0s).
The second was doing it using SetThreadContext API function. In this case,
the context return was abnormal. Say, I first set only DR0 = 0x00F23212
using SetThreadContext, calling GetThreadContext returns DR0 as 0x00F23212,
DR1 = 0, however DR2 and DR3 not changing to zero but remain their
initialized values, which are non-zeros. With CONTEXT_DEBUG REGISTERS was
set, why were DR2 and DR3 not turning to zeros?

That is why I'd think of posting here to get help. The SetThreadContext and
GetThreadContext just didn't work consistently for me here.

Any ideas?
Thanks again,
Johnny

"anton bassov" wrote:

Hi mate

Just ask yourself a question - why should debug registers be
non-zero???? Did you take
any step to modify them?????

Anton Bassov

Johnny wrote:
Hi guys,
I am writing a standard user-mode Windows app that tries to retrieve debug
register values from the system. I used the GetThreadContext API function
call with context flags set like this:

CONTEXT context;
context.ContextFlags |= CONTEXT_DEBUG_REGISTERS;

and I created a dummy thread function in SUSPEND mode and uses its handle to
get thread context information:

HANDLE hThread = CreateThread(0, 0, &DummyThread, 0, CREATE_SUSPEND, &nID);
if (hThread != NULL)
{
GetThreadContext(hThread, &context);
}

As I tried to read the DR values from the context, they always return 0
(including DR6 and DR7). Even I have already set manually using a kernel
debugger. To me, the return information seems somehow invalid. I also
noticed the call don't just return the specified context set with the context
flag. When I traced in VS2005, I could see in debug window that other
context such as SegFs and SegFs were also updated. I am confused.

Any ideas on where I might have done wrong? Any help would be really
appreciated.

Thanks in advance,
Johnny




.

Relevant Pages

  • Re: GetThreadContext and debug register problem
    ... A decent app should not care about debugger. ... debugger could go into debug mode is setting debug registers and ... originally used the kernel debug to trigger the debug registers as I ... CONTEXT structure, and then pass it to SetThreadContext. ...
    (microsoft.public.win32.programmer.kernel)
  • Re: ContextSwitchDeadlock error, index out of range and < size collect
    ... As I debug the C# code with a break point and by pressing F11 I ... COM context 0x17abd8 for 60 seconds. ... If I take out the break point and I dont press F11 to debug and just select ... The act of doing so necessarily causes other threads (which are also suspended when you're just sitting there interrupted in the debugger) to not be able to work. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: GetThreadContext and debug register problem
    ... Just ask yourself a question - why should debug registers be ... I am writing a standard user-mode Windows app that tries to retrieve debug ... call with context flags set like this: ... context such as SegFs and SegFs were also updated. ...
    (microsoft.public.win32.programmer.kernel)
  • Re: How to connect to children process
    ... Main problem is amount of manual operations required per debug cycle. ... connection to DLL with debugger takes sensible amount of time and manual ... Is the main problem that the debugger keeps symbols file loaded ... AFAIK that's how VS2003 debugger works, but WinDbg should usually ...
    (microsoft.public.vsnet.debugging)
  • Re: Need Help Debugging
    ... you should use straight and plain ADPlus.VBS from the debugger package. ... debug info loaded, etc... ... does that avoid using the stack ?!? ... which is our custom CRITICAL_SECTION class. ...
    (microsoft.public.win32.programmer.kernel)