Properly setting a hardware breakpoint via dll injection menu

  1. #1 noctural, Active Member, joined Apr 2009

    Properly setting a hardware breakpoint via dll injection

    Hi guys, I'm having a little trouble with debug registers. I'm trying to set a breakpoint on execution of an address in WoW's main thread... but I must be doing something wrong because the breakpoint I set is never hit.

    I'm positive my dll injects and the exception handler works (verified by popping up test messages).

    Assume I found the address 0xDEADBEEF in a debugger of the WoW image. Can I use that address in dr0 or do I need to calculate the offset and add that to some other value? If so, what do I add that offset to to get the "real" address? Thanks again for your help, I think I'm extremely close.. I can feel it.

    Code:
    #include <windows.h>

    void AddExceptionHandler(void);   // registers the exception handler (defined elsewhere in the DLL)

    CONTEXT Context;
    DWORD myAddress = 0xDEADBEEF;

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:
        {
            AddExceptionHandler();
            // Set the debug register to the memory address we want a single step exception to be thrown at.
            // Note: GetCurrentThread() refers to the thread that is executing DllMain right now.
            Context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
            GetThreadContext(GetCurrentThread(), &Context);
            Context.Dr0 = myAddress;   // set breakpoint address
            Context.Dr7 = 1;           // set the dr0 register active (L0 enable bit)
            SetThreadContext(GetCurrentThread(), &Context);
            break;
        }
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            break;
        }
        return TRUE;
    }
    Last edited by noctural; 04-07-2010 at 12:28 AM. Reason: typo


  2. #2 Kryso, Active Member, joined Jul 2009
    IIRC there should be the "real" address.

    a) How are you injecting your DLL? Your code can work only if you inject via redirecting WoW's main thread. If you use CreateRemoteThread, then GetCurrentThread will return the loader thread, and setting debug registers there is useless.

    b) Check whether SetThreadContext is failing; the things you can do in DllMain are limited.

  3. #3 Cypher, joined Apr 2006
    Debug registers are THREAD local, not process local.

    You need to modify the context of WoW's primary thread. In your code you're only modifying the thread that loads your DLL (which will usually be a new thread spawned by your injector).

    Unless of course you're using IAT-based injection (where you create the proc as suspended, modify the IAT to force in a new module, then resume the proc). In which case that should probably work (I say probably because I forget exactly how that process works. Take a look at ntdll!LdrInitializeThunk if you want to check).

  4. #4 noctural, Active Member, joined Apr 2009
    Thanks Kryso and Cypher. I'm actually using Cypher's LoaderGUI to inject, which I believe creates a thread that calls LoadLibrary. So I think you guys are right that I'm modifying the context of the wrong thread. I need to find the WoW process in the DllMain, suspend the thread, get that thread's context, set my bp, set the thread context, then resume WoW's thread.

    When GetProcessID returns a handle, can that same handle be used to call SuspendThread/ResumeThread?

  5. #5 Kryso, Active Member, joined Jul 2009

  6. #6 noctural, Active Member, joined Apr 2009
    Thanks Kryso, I think that'll work.. I'll give it a shot when I get home from work.

  7. #7 zys924, Active Member, joined Nov 2009
    Recently, I've encountered similar problems to this when I tried my first DRx hook to a game C function using C#.

    I've already got the correct THREAD_ALL_ACCESS handle to the WoW main thread, which can be used to suspend & resume it. Besides, this handle can be used to retrieve the CONTEXT info (I've tried to set CONTEXT.ContextFlags=CONTEXT_SEGMENTS and got some EDS, ECS values etc..).

    However, when I tried to set CONTEXT.ContextFlags=CONTEXT_DEBUG_REGISTERS and DR0=breakpointaddress, DR6=0, DR7=1, and add an SEH or VEH function, the breakpoint never seemed to work.

    The C# code is below:
    Code:
    // My EndScene hook: runs on WoW's main thread, so GetCurrentThreadId() returns that thread's id
    private static uint MyEndScene(IntPtr D3D9Device)
    {
        Win32.WriteUInt32(VTableAddr + memEndSceneOffset2, (uint)EndSceneOriginalPtr);
        // Register a top-level SEH filter (SetUnhandledExceptionFilter); this is not a vectored handler (VEH)
        FilterExceptionHandlerOriginial = Win32.SetUnhandledExceptionFilter(GetGUIDByKeywordHandler);
        Win32.MainThreadID = Win32.GetCurrentThreadId();
        Win32.MainThreadHandle = Win32.OpenThread(Win32.THREAD_ACCESS.THREAD_ALL_ACCESS, false, Win32.MainThreadID);
        return OriginalEndScene(D3D9Device);
    }
    // Install a DR hook to "GetGUIDByKeyword" on the (suspended) main thread
    private static void InstallDRHook()
    {
        Win32.SuspendThread(Win32.MainThreadHandle);
        Win32.CONTEXT ctx = new Win32.CONTEXT();
        ctx.ContextFlags = Win32.CONTEXT_FLAGS.CONTEXT_DEBUG_REGISTERS;
        Win32.GetThreadContext(Win32.MainThreadHandle, ref ctx);
        ctx.Dr0 = memGetGUIDByKeyword;  // This is the address from INFO DUMP
        ctx.Dr6 = 0;                    // clear status bits
        ctx.Dr7 = 1;                    // L0 enable: slot 0, execute, length 1
        Win32.SetThreadContext(Win32.MainThreadHandle, ref ctx);
        Win32.ResumeThread(Win32.MainThreadHandle);
    }
    // SEH top-level filter
    private static Win32.FilterExceptionHandlerDelegate GetGUIDByKeywordHandler = GetGUIDByKeywordException;
    private static uint GetGUIDByKeywordException([In] ref Win32.EXCEPTIONS breakException)
    {
        Log("NOW BREAKPOINT:{0},{1}", breakException.ExceptionRecord.ExceptionCode, breakException.ExceptionRecord.ExceptionAddress);
        return 0xffffffff;  // EXCEPTION_CONTINUE_EXECUTION (-1)
    }
    Could anybody please show me a way out? Am I missing something?
    Last edited by zys924; 04-16-2010 at 02:18 AM.
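    Both posters write `Dr7 = 1` without saying what that value means, and the replies stress that debug registers belong to one thread. The following is an added example, not code from the thread: a plain C encoder/decoder for the x86 DR7/DR6 bit layout that shows why `1` enables slot 0 as a 1-byte execute breakpoint, builds the value for other slots and conditions (an execute breakpoint must use length 1), and gives the checks a defender would run over a thread's CONTEXT.Dr7/Dr6 to count installed hardware breakpoints and tell which slot raised an EXCEPTION_SINGLE_STEP. Nothing here touches a real thread; it only computes register values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* R/Wn condition encodings from the x86 DR7 layout. */
enum dr_cond { DR_EXEC = 0, DR_WRITE = 1, DR_IO = 2, DR_READWRITE = 3 };
/* LENn field: 00 = 1 byte, 01 = 2 bytes, 10 = 8 bytes (64-bit mode only), 11 = 4 bytes. */
static int dr7_len_bits(int len) {
    switch (len) { case 1: return 0; case 2: return 1; case 8: return 2; case 4: return 3; }
    return -1;
}

/* Return DR7 with local breakpoint `slot` (0..3) enabled for `cond`/`len` on top of the
   existing value; an execute breakpoint must use len 1. Sets *ok = false on bad input. */
uint32_t dr7_enable(uint32_t dr7, int slot, enum dr_cond cond, int len, bool *ok) {
    int lb = dr7_len_bits(len);
    *ok = !(slot < 0 || slot > 3 || lb < 0 || (cond == DR_EXEC && len != 1));
    if (!*ok) return dr7;
    dr7 |= 1u << (slot * 2);                               /* Ln: local enable bit */
    dr7 &= ~(0xFu << (16 + slot * 4));                      /* clear old R/Wn and LENn */
    dr7 |= ((uint32_t)cond | ((uint32_t)lb << 2)) << (16 + slot * 4);
    return dr7;
}

/* Condition field of `slot` as currently encoded in DR7. */
enum dr_cond dr7_slot_cond(uint32_t dr7, int slot) {
    return (enum dr_cond)((dr7 >> (16 + slot * 4)) & 3u);
}

/* Slots with the local (Ln) or global (Gn) enable bit set: what a defender would count
   when inspecting a thread's CONTEXT.Dr7 for installed hardware breakpoints. */
int dr7_active_slots(uint32_t dr7) {
    int n = 0;
    for (int s = 0; s < 4; s++) if (dr7 & (3u << (s * 2))) n++;
    return n;
}

/* On EXCEPTION_SINGLE_STEP, DR6 bits B0..B3 say which slot fired; -1 if none did. */
int dr6_fired_slot(uint32_t dr6) {
    for (int s = 0; s < 4; s++) if (dr6 & (1u << s)) return s;
    return -1;
}

int main(void) {
    bool ok;
    uint32_t dr7 = dr7_enable(0, 0, DR_EXEC, 1, &ok);   /* the thread's "Context.Dr7 = 1" */
    printf("dr7=0x%x active=%d slot0_cond=%d\n", dr7, dr7_active_slots(dr7), dr7_slot_cond(dr7, 0));
    return ok ? 0 : 1;
}
```

    Remember that, as the replies say, the value must be written into the context of the thread that executes the target address, so a non-zero `dr7_active_slots` on one thread says nothing about the others.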

  8. #8 SimonaLan, Member, joined Aug 2022
    Good day! Thanks for the useful information.
