Thread: Question regarding VEH/PAGE_GUARD/SINGLESTEP

  1. #1
    Registered User (Join Date: Jan 2002, Location: Ger***y, Posts: 39)

    Question regarding VEH/PAGE_GUARD/SINGLESTEP

    Hi there.
    I discussed the problem already with kayaker and he suggested it's probably a topic for the forum.

    I want to track access to a memory location (over 4 addresses, so no HWBP, and also no direct code patch). That's why I use a VEH and set PAGE_GUARD on the page my address sits in. On access I check if it's my address, set SINGLESTEP, and on trigger I re-apply PAGE_GUARD. Some location seems to trouble that, since I end up in an endless loop. The problem is that I end up in NTDLL/KiUserExceptionDispatcher at some point. The weird thing is that I handle PAGE_GUARD / SINGLESTEP in my VEH; all other exceptions are forwarded (EXCEPTION_CONTINUE_SEARCH).

    Here are some details:

    from Debugview:
    [2484] Single_Step at: 0x10d195cc
    [2484] Page_Guard at: 0x10d1bff0
    [2484] Single_Step at: 0x10d1bff3
    [2484] Page_Guard at: 0x10d1bff3
    [2484] Single_Step at: 0x10d1bff6
    [2484] Page_Guard at: 0x10d1bff6
    [2484] Single_Step at: 0x10d1bff7
    [2484] Page_Guard at: 0x10d1bff7
    [2484] Single_Step at: 0x10d1bffb
    [2484] Page_Guard at: 0x10d1bffb
    [2484] Single_Step at: 0x7c91e480
    [2484] Page_Guard at: 0x10d1bffb
    [2484] Single_Step at: 0x7c91e480
    [2484] Page_Guard at: 0x10d1bffb
    [2484] Single_Step at: 0x7c91e480
    [2484] Page_Guard at: 0x10d1bffb

    and from IDA:
    .text:10D1BFF0 var_8 = dword ptr -8
    .text:10D1BFF0 var_4 = dword ptr -4
    .text:10D1BFF0 arg_0 = dword ptr 4
    .text:10D1BFF0 arg_4 = dword ptr 8
    .text:10D1BFF0 arg_8 = dword ptr 0Ch
    .text:10D1BFF0
    .text:10D1BFF0 83 EC 08 sub esp, 8
    .text:10D1BFF3 0F 57 C0 xorps xmm0, xmm0
    .text:10D1BFF6 56 push esi
    .text:10D1BFF7 8B 74 24 10 mov esi, [esp+0Ch+arg_0]
    .text:10D1BFFB C7 05 9C EA 83 11 00 00+ mov dword_1183EA9C, 0
    .text:10D1C005 8B 46 0C mov eax, [esi+0Ch]
    .text:10D1C008 F3 0F 11 44 24 04 movss [esp+0Ch+var_8], xmm0
    .text:10D1C00E 0F B6 10 movzx edx, byte ptr [eax]

    Anyone a guess what goes wrong?

    Thanks in advance

  2. #2
    1. Watching pages this way is impossible for multithreaded applications.
    2. Any exception other than STATUS_SINGLE_STEP generated at TF = 1 will deadlock.

  3. #3
    disavowed (Join Date: Apr 2002, Posts: 1,281)
    1. Have you tried using PAGE_NOACCESS instead of PAGE_GUARD?
    2. Are you sure you're the top-most VEH in the VEH chain?

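Added example (not code from this thread): the VEH + PAGE_GUARD + single-step watchpoint described in the first post, written so that the fallback reply #2 warns about (a foreign exception arriving while TF = 1) is handled instead of left to loop, and installed with First = 1 so the handler sits at the head of the VEH list, which is the question reply #3 raises. The handler's decision logic is a plain function over a small view of the exception record, so it can be read and exercised off Windows; the Win32 glue (AddVectoredExceptionHandler, VirtualQuery, VirtualProtect) is compiled only under _WIN32. Everything here is this example's own: the struct and function names, the constructed addresses in the test, and the assumption that ExceptionInformation[1] carries the touched address for a guard-page fault the same way it does for an access violation.

```c
/*
 * Added example, not the poster's code: the VEH + PAGE_GUARD + single-step
 * watchpoint from post #1, with the handler's decision logic kept in a
 * portable function so it can be read and tested off Windows. The Windows
 * glue (AddVectoredExceptionHandler, VirtualProtect) is compiled under _WIN32.
 * Assumed: x86/x64, one watched range that lies inside a single 4 KiB page.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EXC_GUARD_PAGE   0x80000001u   /* STATUS_GUARD_PAGE_VIOLATION */
#define EXC_SINGLE_STEP  0x80000004u   /* STATUS_SINGLE_STEP */
#define EFLAGS_TF        0x00000100u   /* x86 trap flag */
#define PAGE_SZ          0x1000u
#define PAGE_OF(a)       ((a) & ~(uintptr_t)(PAGE_SZ - 1))

/* Portable view of the EXCEPTION_RECORD / CONTEXT fields the handler needs. */
typedef struct {
    uint32_t  code;        /* ExceptionRecord->ExceptionCode */
    uintptr_t pc;          /* ExceptionRecord->ExceptionAddress */
    uintptr_t fault_addr;  /* ExceptionInformation[1]; assumed to hold the
                              touched address for guard faults, as for AVs */
    uint32_t *eflags;      /* &ContextRecord->EFlags */
} exc_view;

typedef struct {
    uintptr_t lo, hi;      /* watched range [lo, hi) */
    uintptr_t page;        /* page containing it */
    uint32_t  prot;        /* original page protection (Windows only) */
    int armed;             /* PAGE_GUARD currently applied */
    int stepping;          /* TF set, waiting for our STATUS_SINGLE_STEP */
    unsigned hits, rearms;
    uintptr_t last_hit_pc;
} watch;

static void arm_guard(watch *w);   /* platform hook, defined below */

static void watch_init(watch *w, uintptr_t lo, size_t len) {
    memset(w, 0, sizeof *w);
    w->lo = lo; w->hi = lo + len; w->page = PAGE_OF(lo);
}

/* Returns -1 (EXCEPTION_CONTINUE_EXECUTION) or 0 (EXCEPTION_CONTINUE_SEARCH). */
static long watch_dispatch(watch *w, const exc_view *e) {
    if (e->code == EXC_GUARD_PAGE) {
        if (PAGE_OF(e->fault_addr) != w->page)
            return 0;                     /* someone else's guard page */
        w->armed = 0;                     /* kernel strips PAGE_GUARD on first touch */
        if (e->fault_addr >= w->lo && e->fault_addr < w->hi) {
            w->hits++;
            w->last_hit_pc = e->pc;
        }
        *e->eflags |= EFLAGS_TF;          /* run this one instruction, then trap */
        w->stepping = 1;
        return -1;
    }
    if (e->code == EXC_SINGLE_STEP) {
        if (!w->stepping)
            return 0;                     /* a debugger's step, not ours */
        w->stepping = 0;
        arm_guard(w);
        return -1;
    }
    /* Any other exception while TF is set is the case reply #2 warns about:
     * re-arm here and clear TF so nothing inherits the half-finished step,
     * then let the real handler see the exception. */
    if (w->stepping) {
        w->stepping = 0;
        *e->eflags &= ~EFLAGS_TF;
        arm_guard(w);
    }
    return 0;
}

#ifdef _WIN32
#include <windows.h>
static watch g_watch;
static void arm_guard(watch *w) {
    DWORD old;
    if (VirtualProtect((LPVOID)w->page, PAGE_SZ, w->prot | PAGE_GUARD, &old)) {
        w->armed = 1; w->rearms++;
    }
}
static LONG CALLBACK veh(EXCEPTION_POINTERS *ep) {
    exc_view e = { (uint32_t)ep->ExceptionRecord->ExceptionCode,
                   (uintptr_t)ep->ExceptionRecord->ExceptionAddress,
                   (uintptr_t)ep->ExceptionRecord->ExceptionInformation[1],
                   (uint32_t *)&ep->ContextRecord->EFlags };
    return watch_dispatch(&g_watch, &e);
}
/* First = 1 puts this handler at the head of the VEH list (reply #3). */
int watch_install(void *addr, size_t len) {
    MEMORY_BASIC_INFORMATION mbi;
    watch_init(&g_watch, (uintptr_t)addr, len);
    if (!VirtualQuery(addr, &mbi, sizeof mbi)) return 0;
    g_watch.prot = mbi.Protect & ~PAGE_GUARD;
    if (!AddVectoredExceptionHandler(1, veh)) return 0;
    arm_guard(&g_watch);
    return g_watch.armed;
}
#else
static void arm_guard(watch *w) { w->armed = 1; w->rearms++; } /* bookkeeping only */
#endif
```

The first two branches reproduce the sequence visible in the Debugview log: guard fault, one stepped instruction, guard re-applied. The third branch is the difference from the original design: when something other than the expected STATUS_SINGLE_STEP arrives while the guard is off and TF is on, the guard goes back on and TF comes off before the exception is passed down the chain, so the handler never sits in the disarmed, half-stepped state that reply #2 describes. Two caveats remain regardless of this change: PAGE_GUARD is per page and process-wide, so while the page is disarmed for the stepped instruction any other thread's access to it is missed (reply #2's first point), and the watched range is checked with a page-sized guard, so every unrelated access to that page also costs an exception.
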
  4. #4
    Registered User (Join Date: Jan 2002, Location: Ger***y, Posts: 39)
    1. No, not by now. Will try it out later.
    2. How can I verify that (from an injected DLL)?

    Thanks

  5. #5
    [NtSC]
    KiUserExceptionDispatcher:
    http://files.virustech.org/indy/Teory/Exceptions/vt_except_model.pdf (ru)

    Quote:
    2. Are you sure you're the top-most VEH in the VEH chain?
    2. How can I verify that (from an injected DLL)?
    RtlAddVectoredExceptionHandler: PLIST_ENTRY
    http://indy-vx.narod.ru/Bin/Barrier.zip
    On the side (inject a DLL and dispatch in the VEH):
    http://indy-vx.narod.ru/Bin/Ldr.zip
    http://indy-vx.narod.ru/Bin/Ij.zip

    Quote:
    1. Have you tried using PAGE_NOACCESS instead of PAGE_GUARD?
    http://virustech.org/f/viewtopic.php?id=88 (ru)
    http://indy-vx.narod.ru/Bin/IDP.zip

  6. #6
    Registered User (Join Date: Jan 2002, Location: Ger***y, Posts: 39)
    Thank you very much.

  7. #7
    disavowed (Join Date: Apr 2002, Posts: 1,281)
    Quote Originally Posted by [NtSC]
    2. How can I verify that (from an injected DLL)?
    You could hook RtlAddVectoredExceptionHandler.
