Sunday, February 23, 2014

Break Points

Software breakpoints are implemented by overwriting the first byte of the instruction at the break location with 0xCC, the one-byte INT 3 instruction.  When execution reaches that byte the CPU raises a breakpoint exception and control passes to the debugger, which restores the original byte and rewinds the instruction pointer by one before the target is allowed to continue.  The debugger's disassembly still shows the original instruction because it hides its own patches, but the byte in the process's memory really is 0xCC, so anything that reads that memory directly, including the program itself (a checksum routine, for instance), sees the change.

Software breakpoints may not work when the code is self-modifying (an unpacker or decryptor in malware, for example).  If the target writes over the patched location, the 0xCC is lost and the breakpoint silently stops firing; worse, when the debugger later removes the breakpoint it may write its stale saved byte back over the new code.

Hardware breakpoints are assisted by the processor.  For every instruction fetch and data access the CPU compares the address against the debug address registers and raises a debug exception (#DB) on a match, so nothing in the code is patched.  The major drawback is that x86 has only four of them: DR0 to DR3 hold the breakpoint addresses.  DR7 is the control register; it says which of DR0-DR3 is enabled, whether each one fires on execute, write or read/write (x86 has no read-only data breakpoint), and, for data breakpoints, the length of the watched range (1, 2, 4 or 8 bytes).  DR6 is the status register that records which breakpoint fired.  A read/write breakpoint stops the program when the address is accessed as data, which is how you find the code that touches a given variable.

To protect the debug registers from being modified by the code under debug, set the General Detect flag (GD, bit 13) in DR7.  The CPU then raises a debug exception before any MOV to or from DR0-DR7 executes, and clears GD when it does so that the debugger's own handler can access the registers.  Note that MOV DRn is a privileged instruction, so this guards kernel-mode code; user-mode malware cannot execute it and instead clears the debug registers through SetThreadContext or by editing the CONTEXT passed to an exception handler, which GD does not see.
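The DR7 layout described above, as an added example that is not part of the original post: a small encoder that programs the four slots DR0-DR3 with the execute/write/read-write condition and length, sets the General Detect bit, rejects combinations the CPU does not support, and decodes DR6 after a trap.  The addresses are constructed sample values; applying the result to a real thread (via CONTEXT.Dr0-Dr7 and SetThreadContext on Windows, or ptrace PTRACE_POKEUSER on u_debugreg on Linux) is outside this snippet.

```c
#include <stdint.h>
#include <stddef.h>

/* Breakpoint condition, i.e. the R/Wn field of DR7. Encoding 0b10 is I/O
 * (needs CR4.DE), not "read", which is why there is no read-only type. */
enum hw_bp_type { HW_BP_EXEC = 0, HW_BP_WRITE = 1, HW_BP_RW = 3 };

#define DR7_GD (1u << 13)   /* General Detect: #DB before any MOV to/from DRx */

struct hw_bp {
    uint64_t addr;
    enum hw_bp_type type;
    unsigned len;           /* 1, 2, 4 or 8 bytes; must be 1 for exec */
    int enabled;
};

/* LENn encoding: 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 (8 only in 64-bit mode). */
static int len_bits(unsigned len) {
    switch (len) {
        case 1: return 0; case 2: return 1; case 4: return 3; case 8: return 2;
        default: return -1;
    }
}

/* Returns 0 if the CPU can honour this breakpoint, negative otherwise. */
int hw_bp_validate(const struct hw_bp *bp) {
    if (len_bits(bp->len) < 0) return -1;
    if (bp->type == HW_BP_EXEC && bp->len != 1) return -2;   /* exec needs LEN=00 */
    if (bp->type != HW_BP_EXEC && bp->type != HW_BP_WRITE && bp->type != HW_BP_RW)
        return -3;
    if (bp->addr & (bp->len - 1)) return -4;   /* data bp is aligned to its length */
    return 0;
}

/* Build DR7 and DR0..DR3 from up to four slots. Enabled slot n sets the
 * local-enable bit Ln (bit 2n), R/Wn at bits 16+4n and LENn at bits 18+4n.
 * Returns 0 and fills dr[0..3] and *dr7 on success, negative on error. */
int hw_bp_encode(const struct hw_bp bps[4], int general_detect,
                 uint64_t dr[4], uint64_t *dr7) {
    uint64_t v = 0;
    for (int n = 0; n < 4; n++) {
        dr[n] = 0;
        if (!bps[n].enabled) continue;
        int rc = hw_bp_validate(&bps[n]);
        if (rc) return rc;
        dr[n] = bps[n].addr;
        v |= 1ull << (2 * n);                                   /* Ln   */
        v |= (uint64_t)bps[n].type << (16 + 4 * n);             /* R/Wn */
        v |= (uint64_t)len_bits(bps[n].len) << (18 + 4 * n);    /* LENn */
    }
    if (general_detect) v |= DR7_GD;
    *dr7 = v;
    return 0;
}

/* After a #DB, DR6 bits B0..B3 say which slot matched and bit 13 (BD) is
 * set when the trap came from General Detect, i.e. something touched a DRx.
 * Returns slot 0..3, 4 for BD, -1 for neither. The processor does not clear
 * DR6 itself; the debugger must zero it before resuming. */
int hw_bp_which(uint64_t dr6) {
    if (dr6 & (1u << 13)) return 4;
    for (int n = 0; n < 4; n++)
        if (dr6 & (1u << n)) return n;
    return -1;
}
```

Only the local-enable bits are used here; the global-enable bits (odd bits 1, 3, 5, 7) exist for the same slots but are of no use to a user-mode debugger, since the debug registers are part of the per-thread context and have to be set on every thread you want to watch.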

A conditional breakpoint breaks only when a predefined condition holds, for example when the second parameter of a function has a particular value.  It lets you stop at a frequently executed location only in the cases of interest.  Conditional breakpoints are implemented as ordinary software breakpoints: the debugger is entered on every hit, evaluates the condition, and silently resumes the target when it is false, so a conditional breakpoint in a hot loop is still slow.
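The software-breakpoint mechanics from the earlier paragraphs (patching 0xCC over a saved byte, the debugger hiding its own patch while the target sees it, the patch being lost to self-modifying code) and the conditional breakpoint just described, as one added example that is not part of the original post.  It models a debugger's breakpoint table over a constructed byte array of x86-64 code at a pretend base address rather than a live process, so it runs on any host; the register snapshot and the sample condition on the second argument are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed target memory: a few bytes of x86-64 machine code placed at a
 * pretend base address.
 *   401000: 55             push rbp
 *   401001: 48 89 e5       mov  rbp, rsp
 *   401004: 31 c0          xor  eax, eax
 *   401006: 5d             pop  rbp
 *   401007: c3             ret                                          */
#define CODE_BASE 0x401000u
static uint8_t code[] = {0x55, 0x48, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3};

#define INT3   0xCC
#define MAX_BP 8

/* Register snapshot handed to a condition; rsi is the second SysV argument. */
struct regs { uint64_t rdi, rsi; };

struct sw_breakpoint {
    uint32_t addr;                        /* address of the patched byte  */
    uint8_t  saved;                       /* original byte under the 0xCC */
    int      active;
    int    (*cond)(const struct regs *);  /* NULL = unconditional         */
};

static struct sw_breakpoint bps[MAX_BP];
static unsigned trap_count;               /* every INT 3 enters the debugger */

static uint8_t *mem_at(uint32_t addr) {
    if (addr < CODE_BASE || addr >= CODE_BASE + sizeof code) return NULL;
    return &code[addr - CODE_BASE];
}

/* "bp <addr> [if cond]": save the byte, write INT 3. Returns the slot id. */
int bp_set(uint32_t addr, int (*cond)(const struct regs *)) {
    uint8_t *p = mem_at(addr);
    if (!p) return -1;
    for (int i = 0; i < MAX_BP; i++) {
        if (bps[i].active) continue;
        bps[i].addr = addr; bps[i].saved = *p; bps[i].cond = cond; bps[i].active = 1;
        *p = INT3;
        return i;
    }
    return -1;
}

/* Remove a breakpoint. Returns 1 if the 0xCC had already been overwritten
 * (self-modifying code); the stale saved byte is then NOT written back. */
int bp_clear(int id) {
    if (id < 0 || id >= MAX_BP || !bps[id].active) return -1;
    bps[id].active = 0;
    uint8_t *p = mem_at(bps[id].addr);
    if (*p != INT3) return 1;
    *p = bps[id].saved;
    return 0;
}

/* Debugger's view of memory: it hides its own patches, so the disassembly
 * shows the original instruction. */
uint8_t debugger_read(uint32_t addr) {
    for (int i = 0; i < MAX_BP; i++)
        if (bps[i].active && bps[i].addr == addr) return bps[i].saved;
    return *mem_at(addr);
}

/* Target's view: what the program sees when it reads its own code. */
uint8_t target_read(uint32_t addr) { return *mem_at(addr); }

/* Target overwriting its own code (unpacker, decryptor): any 0xCC in the
 * range is silently lost and the breakpoint table is now stale. */
void target_write(uint32_t addr, const uint8_t *bytes, size_t n) {
    memcpy(mem_at(addr), bytes, n);
}

enum bp_result { BP_NONE = 0, BP_STOP, BP_RESUME };

/* Called on every INT 3 trap. rip points one byte past the 0xCC, so the
 * debugger rewinds it by one before resuming (restore byte, single-step,
 * re-patch). For a conditional breakpoint the condition is evaluated here
 * and the target is resumed silently when it is false. */
enum bp_result bp_hit(uint32_t rip, const struct regs *r, int *id, uint32_t *resume_rip) {
    uint32_t addr = rip - 1;
    for (int i = 0; i < MAX_BP; i++) {
        if (!bps[i].active || bps[i].addr != addr) continue;
        trap_count++;
        *id = i;
        *resume_rip = addr;
        return (bps[i].cond && !bps[i].cond(r)) ? BP_RESUME : BP_STOP;
    }
    return BP_NONE;
}

unsigned bp_trap_count(void) { return trap_count; }

/* Sample condition (assumed): "break when the second parameter is zero". */
int cond_rsi_is_zero(const struct regs *r) { return r->rsi == 0; }
```

The trap counter is the cost of a conditional breakpoint made visible: a hit whose condition is false still takes the full round trip into the debugger before the target resumes.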
