Properly setting a hardware breakpoint via dll injection

[noctural]

Hi guys, I'm having a little trouble with debug registers. I'm trying to set a breakpoint on execution of an address in WoWs main thread...but I must be doing something wrong because the breakpoint I set is never hit.

I'm positive my dll injects and the exception handler works (verified by popping up test messages).

Assume I found the address 0xDEADBEEF in a debugger of the WoW image. Can I use that address in dr0 or do I need to calculate the offset and add that to some other value? If so, what do I add that offset to to get the "real" address? Thanks again for your help, I think I'm extremely close.. I can feel it.

Code:

CONTEXT Context;
DWORD myAddress = 0xDEADBEEF;
BOOL APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved )
{
   switch (ul_reason_for_call)
   {
      case DLL_PROCESS_ATTACH:
         {
            AddExceptionHandler();
            //set the debug register to the memory address we want a single step exception to be thrown.
	    Context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
	    GetThreadContext(GetCurrentThread(), &Context); 
            Context.Dr0=myAddress;  // set breakpoint 
	    Context.Dr7 =1;        // set the dr0 register active
	    SetThreadContext(GetCurrentThread(), &Context);                     
            break;
         }
      case DLL_PROCESS_DETACH:
      case DLL_THREAD_ATTACH:
      case DLL_THREAD_DETACH:
         break;
   }
   return TRUE;
}

[Kryso]

IIRC there should be the "real" address.

a) How are you injecting your dll? Your code can work only if you inject via redirecting wows main thread. If you use CreateRemoteThread, then GetCurrentThread will return the loader thread, and setting debug registers there is useless.

b) Check if SetThreadContext isn't failing, things you can do in dllmain are limited

[Cypher]

Debug registers are THREAD local, not process local.

You need to modify the context of WoW's primary thread. In your code you're only modifying the thread that loads your DLL (with will usually be a new thread spawned by your injector).

Unless of course you're using IAT-based injection (where you create the proc as suspended, modify the IAT to force in a new module, then resume the proc). In which case that should probably work (I say probably because I forget exactly how that process works. Take a look at ntdll!LdrInitializeThunk if you want to check)

[noctural]

Thanks Kryso and Cypher. I'm actually using Cypher's LoaderGUI to inject, which I believe creates a thread that calls loadlibrary. So I think you guys are right that I'm modifying the context of the wrong thread. I need to find the wow process in the dllmain, suspend the thread, get that threads context, set my bp, set the thread context, then resume wow's thread.

When GetProcessID returns a handle, can that same handle be used to call SuspendThread/ResumeThread?

[Kryso]

No you can't use process id to suspend thread. Check

GetWindowThreadProcessId Function (Windows)

or

CreateToolhelp32Snapshot Function (Windows)
Thread32First Function (Windows)
Thread32Next Function (Windows)

[noctural]

Thanks Kryso, I think that'll work.. I"ll give it a shot when I get home from work

[zys924]

Recently, iv encountered simlar problems as this when I tried my first DRX hook to a game CFunction using C#.

Ive already got the correct THREAD_ALL_ACCESS handle to the wow main thread which can be used to suspend & resume it. Besides, this handle can be used to retrieve the CONTEXT info(Iv tried to set CONTEXT.ContextFlags=CONTEXT_SEGMENTS and got some EDS,ECS value etc..)

However, when i tried to set CONTEXT.ContextFlags=CONTEXT_DEBUG_REGISTERS and DR0=breakpointaddress, DR6=0, DR7=1, and add an SEH or VEH function, the breakpoint seemed never working.

The C# codes are below

Code:

//My endscene hook
private static uint MyEndScene(IntPtr D3D9Device)
{
	Win32.WriteUInt32(VTableAddr + memEndSceneOffset2, (uint)EndSceneOriginalPtr);
	//Add a VEH
	FilterExceptionHandlerOriginial = Win32.SetUnhandledExceptionFilter(GetGUIDByKeywordHandler);
	Win32.MainThreadID = Win32.GetCurrentThreadId();
	Win32.MainThreadHandle = Win32.OpenThread(Win32.THREAD_ACCESS.THREAD_ALL_ACCESS, false, Win32.MainThreadID);
	return OriginalEndScene(D3D9Device);
}
//Install a DR hook to "GetGUIDByKeyword"
private static void InstallDRHook()
{
	Win32.SuspendThread(Win32.MainThreadHandle);
	Win32.CONTEXT ctx = new Win32.CONTEXT();
	ctx.ContextFlags = Win32.CONTEXT_FLAGS.CONTEXT_DEBUG_REGISTERS;
	Win32.GetThreadContext(Win32.MainThreadHandle, ref ctx);
	ctx.Dr0 = memGetGUIDByKeyword;  //This is the address from INFO DUMP
	ctx.Dr6 = 0;
	ctx.Dr7 = 1;
	Win32.SetThreadContext(Win32.MainThreadHandle, ref ctx);
	Win32.ResumeThread(Win32.MainThreadHandle);
}
//SEH
private static Win32.FilterExceptionHandlerDelegate GetGUIDByKeywordHandler = GetGUIDByKeywordException;
private static uint GetGUIDByKeywordException([In] ref Win32.EXCEPTIONS breakException)
{
	Log("NOW BREAKPOINT:{0},{1}", breakException.ExceptionRecord.ExceptionCode, breakException.ExceptionRecord.ExceptionAddress);
	return 0xffffffff;
}

Could anybody plz show me a way out? AM I missing sth?

[SimonaLan]

Good day! Thanks for the useful information.