
Lab 6

When launched, the debugger uses the CREATE_PROCESS_DEBUG_EVENT to set a breakpoint on the entry point of the target. EXCEPTION_BREAKPOINT events are then captured and reported when the breakpoint is hit.

Note that the EXCEPTION_BREAKPOINT handler also captures the “system breakpoint”.
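The bookkeeping behind those two events, as an added example that is not code from the lab or from OALABS: an INT3 is planted at the entry point during CREATE_PROCESS_DEBUG_EVENT, and the EXCEPTION_BREAKPOINT handler has to tell the system breakpoint apart from the debugger's own (restoring the original byte and rewinding EIP only for the latter). Debuggee memory goes through a read/write callback so the logic can be exercised outside Windows; the `#ifdef _WIN32` wrapper shows how that callback maps onto ReadProcessMemory/WriteProcessMemory in a real session. The constructed image, `fake_rw`, `demo_breakpoint_sequence` and every address value below are assumptions made up for the self-test.

```c
/* Breakpoint bookkeeping for a Win32 debug loop, written portably so the logic
 * runs outside Windows too. Memory access goes through a read/write callback:
 * on Windows it wraps ReadProcessMemory/WriteProcessMemory on the debuggee; the
 * self-test at the bottom uses a constructed in-memory image instead. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define INT3   0xCC
#define MAX_BP 16

/* write==0 reads len bytes at addr into buf, write==1 writes them; 0 on success. */
typedef int (*mem_rw_t)(void *ctx, uint32_t addr, void *buf, size_t len, int write);

typedef struct { uint32_t addr; uint8_t saved; int active; } breakpoint_t;
typedef struct { breakpoint_t bp[MAX_BP]; int seen_system_bp; } bp_table_t;
typedef enum { BP_SYSTEM, BP_USER, BP_UNKNOWN } bp_kind_t;

/* Plant an INT3 at addr, remembering the byte it overwrites so it can be put back. */
int bp_set(bp_table_t *t, mem_rw_t rw, void *ctx, uint32_t addr) {
    for (int i = 0; i < MAX_BP; i++) {
        uint8_t cc = INT3;
        if (t->bp[i].active) continue;
        if (rw(ctx, addr, &t->bp[i].saved, 1, 0) != 0) return -1;
        if (rw(ctx, addr, &cc, 1, 1) != 0) return -1;
        t->bp[i].addr = addr;
        t->bp[i].active = 1;
        return 0;
    }
    return -1; /* table full */
}

/* Classify an EXCEPTION_BREAKPOINT. exc_addr is ExceptionRecord.ExceptionAddress
 * (the 0xCC byte); *eip is Eip from GetThreadContext, already one past it. For a
 * breakpoint we planted the original byte is restored and EIP rewound, so after
 * SetThreadContext and ContinueDebugEvent(DBG_CONTINUE) the real instruction
 * executes. The first hit that is not ours is the "system breakpoint" ntdll
 * raises during process start-up; any later unknown INT3 belongs to the target. */
bp_kind_t bp_on_exception(bp_table_t *t, mem_rw_t rw, void *ctx, uint32_t exc_addr, uint32_t *eip) {
    for (int i = 0; i < MAX_BP; i++) {
        if (!t->bp[i].active || t->bp[i].addr != exc_addr) continue;
        if (rw(ctx, exc_addr, &t->bp[i].saved, 1, 1) != 0) return BP_UNKNOWN;
        t->bp[i].active = 0;
        *eip = exc_addr;
        return BP_USER;
    }
    if (!t->seen_system_bp) { t->seen_system_bp = 1; return BP_SYSTEM; }
    return BP_UNKNOWN;
}

#ifdef _WIN32 /* real debuggee access; ctx is the process HANDLE from the debug event */
#include <windows.h>
static int win32_rw(void *ctx, uint32_t addr, void *buf, size_t len, int write) {
    HANDLE h = (HANDLE)ctx; SIZE_T n = 0; LPVOID p = (LPVOID)(uintptr_t)addr;
    BOOL ok = write ? WriteProcessMemory(h, p, buf, len, &n) : ReadProcessMemory(h, p, buf, len, &n);
    if (ok && write) FlushInstructionCache(h, p, len); /* the CPU may have prefetched the old byte */
    return (ok && n == len) ? 0 : -1;
}
#endif

/* ---- constructed 32-byte image standing in for the debuggee (self-test only) ---- */
typedef struct { uint32_t base; uint8_t bytes[0x20]; } fake_image_t;

static int fake_rw(void *ctx, uint32_t addr, void *buf, size_t len, int write) {
    fake_image_t *img = ctx;
    if (addr < img->base || addr + len > img->base + sizeof img->bytes) return -1;
    if (write) memcpy(img->bytes + (addr - img->base), buf, len);
    else       memcpy(buf, img->bytes + (addr - img->base), len);
    return 0;
}

/* Replay the order a real session produces: plant at the entry point, see the
 * system breakpoint, then our own, then a stray INT3. Returns 0 if all behave. */
int demo_breakpoint_sequence(void) {
    fake_image_t img = { 0x00401000u, {0} };
    bp_table_t t = {0};
    uint32_t eip;
    img.bytes[0] = 0xB8;                     /* mov eax, imm32: the entry point's first byte */
    if (bp_set(&t, fake_rw, &img, 0x00401000u) != 0 || img.bytes[0] != INT3) return 1;
    eip = 0x77001235u;                       /* constructed ntdll address: not in our table */
    if (bp_on_exception(&t, fake_rw, &img, 0x77001234u, &eip) != BP_SYSTEM) return 2;
    eip = 0x00401001u;                       /* EIP is past the 0xCC when the exception arrives */
    if (bp_on_exception(&t, fake_rw, &img, 0x00401000u, &eip) != BP_USER) return 3;
    if (img.bytes[0] != 0xB8 || eip != 0x00401000u) return 4;
    if (bp_on_exception(&t, fake_rw, &img, 0x00402000u, &eip) != BP_UNKNOWN) return 5;
    return 0;
}

int main(void) {
    int rc = demo_breakpoint_sequence();
    printf("breakpoint sequence: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

In a real session the CREATE_PROCESS_DEBUG_EVENT handler calls `bp_set` with the process handle and `lpStartAddress` from CREATE_PROCESS_DEBUG_INFO, and the EXCEPTION_DEBUG_EVENT handler passes `ExceptionRecord.ExceptionAddress` and the `Eip` obtained with GetThreadContext; on BP_USER it writes the rewound EIP back with SetThreadContext before ContinueDebugEvent with DBG_CONTINUE. Breakpoints here are one-shot: re-planting after a single-step is left out.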

Lab 6 - Exercise A

Use what you have learned in the previous labs to set a breakpoint on the NTDLL NtWriteFile function instead of the entry point. When the breakpoint is triggered, read the arguments from the stack and print the buffer to the console.

  • Use the code from Lab 4 to set a breakpoint on NtWriteFile in the LOAD_DLL_DEBUG_EVENT handler
  • When the breakpoint is triggered, retrieve the CONTEXT for the thread and get the stack pointer from ESP
  • Use the NtWriteFile function prototype documented on MSDN to calculate the offsets to the Buffer and Length arguments (remember to account for the caller's return address on the stack at ESP, above the arguments)
  • Use the code from Lab 5 to read the Buffer and print it to the console
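The stack-argument step worked through in code, added here as an example and not part of the lab's or OALABS' own code. It assumes the documented NtWriteFile prototype (Buffer is the 6th argument, Length the 7th), x86 stdcall, and a breakpoint on the very first byte of the function, so no prologue has run and argument N sits at ESP + 4*N with the return address at [ESP]. Memory is read through a callback (ReadProcessMemory on Windows); the constructed stack and data pages, `fake_read`, `demo_ntwritefile_capture` and all addresses below are assumptions made up for the self-test.

```c
/* Recover NtWriteFile's Buffer and Length from the debuggee's stack at the
 * moment the INT3 on its first byte fires, then dump the buffer. ESP comes from
 * the CONTEXT returned by GetThreadContext; reads go through a callback that on
 * Windows wraps ReadProcessMemory and in the self-test reads a constructed image. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>

typedef int (*mem_read_t)(void *ctx, uint32_t addr, void *out, size_t len);

/* NtWriteFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
 *             Buffer, Length, ByteOffset, Key) per the documented prototype.
 * x86 stdcall with the breakpoint on the first instruction: [ESP] is the
 * caller's return address and argument N (1-based) lives at ESP + 4*N. */
enum { ARG_BUFFER = 6, ARG_LENGTH = 7 };

uint32_t x86_arg_offset(unsigned n) { return 4u * n; }   /* the +4 skips the return address */

typedef struct { uint32_t buffer_va; uint32_t length; } ntwritefile_args_t;

static int read_u32(mem_read_t rd, void *ctx, uint32_t addr, uint32_t *out) {
    uint8_t b[4];
    if (rd(ctx, addr, b, 4) != 0) return -1;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

int read_ntwritefile_args(mem_read_t rd, void *ctx, uint32_t esp, ntwritefile_args_t *a) {
    if (read_u32(rd, ctx, esp + x86_arg_offset(ARG_BUFFER), &a->buffer_va) != 0) return -1;
    return read_u32(rd, ctx, esp + x86_arg_offset(ARG_LENGTH), &a->length);
}

/* Copy the write buffer out of the debuggee, capped at cap so an absurd Length
 * from the target cannot drive an unbounded read. Returns bytes copied or -1. */
long read_write_buffer(mem_read_t rd, void *ctx, const ntwritefile_args_t *a, uint8_t *dst, size_t cap) {
    size_t n = a->length < cap ? a->length : cap;
    if (rd(ctx, a->buffer_va, dst, n) != 0) return -1;
    return (long)n;
}

/* Hex + ASCII dump, 16 bytes per row: the "print the buffer to the console" part. */
void dump_buffer(const uint8_t *p, size_t n) {
    for (size_t off = 0; off < n; off += 16) {
        printf("%08zx  ", off);
        for (size_t i = 0; i < 16; i++)
            if (off + i < n) printf("%02x ", p[off + i]); else printf("   ");
        printf(" |");
        for (size_t i = 0; i < 16 && off + i < n; i++)
            putchar(isprint(p[off + i]) ? p[off + i] : '.');
        puts("|");
    }
}

/* ---- constructed debuggee snapshot for the self-test: a stack page and a data page ---- */
#define FAKE_STACK 0x0019FF00u
#define FAKE_DATA  0x00401000u
typedef struct { uint8_t stack[0x40]; uint8_t data[0x40]; } fake_mem_t;

static int fake_read(void *ctx, uint32_t addr, void *out, size_t len) {
    fake_mem_t *m = ctx;
    if (addr >= FAKE_STACK && addr + len <= FAKE_STACK + sizeof m->stack) { memcpy(out, m->stack + (addr - FAKE_STACK), len); return 0; }
    if (addr >= FAKE_DATA  && addr + len <= FAKE_DATA  + sizeof m->data)  { memcpy(out, m->data  + (addr - FAKE_DATA),  len); return 0; }
    return -1;
}

static void put_u32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Lay out the frame that NtWriteFile(h, NULL, NULL, NULL, &iosb, buf, 20, NULL, NULL)
 * leaves with ESP == FAKE_STACK, then recover the buffer. Returns bytes recovered or <0. */
long demo_ntwritefile_capture(uint8_t *out, size_t cap) {
    static const char msg[] = "Hello from debuggee\n";   /* 20 bytes, constructed */
    fake_mem_t m = {{0}, {0}};
    memcpy(m.data, msg, sizeof msg - 1);
    uint32_t frame[] = { 0x00401234u, 0x2Cu, 0, 0, 0, 0x0019FF80u, FAKE_DATA, sizeof msg - 1, 0, 0 };
    for (size_t i = 0; i < 10; i++) put_u32(m.stack + 4 * i, frame[i]);   /* ret addr, then args 1..9 */
    ntwritefile_args_t a;
    if (read_ntwritefile_args(fake_read, &m, FAKE_STACK, &a) != 0) return -1;
    if (a.buffer_va != FAKE_DATA || a.length != sizeof msg - 1) return -2;
    return read_write_buffer(fake_read, &m, &a, out, cap);
}

int main(void) {
    uint8_t buf[64];
    long n = demo_ntwritefile_capture(buf, sizeof buf);
    if (n < 0) return 1;
    dump_buffer(buf, (size_t)n);
    return 0;
}
```

With a 32-bit debugger and a 32-bit target, the NtWriteFile address to plant the breakpoint on can be resolved in the debugger's own process with GetProcAddress on ntdll, because ntdll is mapped at the same base in every process until the next reboot; the offsets above only hold for x86, since on x64 the first four arguments travel in registers and Buffer and Length would be read from the shadow-space layout instead.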

Lab 6 - Exercise B

Try your new debugger with the target_antidebug.exe file. What are the results?

Files

Debugging Fundamentals Module 6

This is "Debugging Fundamentals Module 6" by OALABS on Vimeo, the home for high quality videos and the people who love them.
