Speicherzugriff ueberwachen
-
hallo, ich wollte mal gern wissen, wie man speicherzugriff ueberwacht.
z.B hab ich eine addresse einer variable von einem fremden programm nehme ich mal an, es waere 0xAB45CD, wie bekomme ich heraus, durch welche code dieser speicherstelle veraendert wird.
-
Hallo JnZn558, probier mal mein altes Projekt:
#include <windows.h> #ifdef __GNUC__ #include <excpt.h> #endif static TCHAR g_MutexName[] = TEXT("SetHardwareBreakpoint"); static DWORD g_index=0, g_address=0, g_flags=0; static DWORD masks[] = { // LL LL LL LL 00 001 // EERREERR EERREERR G GL // NNWWNNWW NNWWNNWW D EE GLGLGLGL // 33332222 11110000 33221100 0x000F0003,// 00000000 00001111 00000000 00000011 0x00F0000C,// 00000000 11110000 00000000 00001100 0x0F000030,// 00001111 00000000 00000000 00110000 0xF00000C0 // 11110000 00000000 00000000 11000000 }; enum { // local/global: 3 HWBP_LOCAL = 0x00000001, // shifted to bit 0,2,4,8 HWBP_GLOBAL = 0x00000002, // shifted to bit 1,3,5,7 // type: 3 shifted to bit 16-17, 20-21, 24-25, 28-29 HWBP_EXECUTION = 0x00000000, // 0000 do not specify HWBP_*BYTES HWBP_WRITE = 0x00010000, // 0001 HWBP_INOUT = 0x00020000, // 0010 HWBP_READ = 0x00030000, // 0011 // size: C shifted to bit 18-19, 22-23, 26-27, 30-31 HWBP_1BYTES = 0x00000000, // 0000 HWBP_2BYTES = 0x00040000, // 0100 invalid:1000 HWBP_4BYTES = 0x000C0000 // 1100 }; static LONG __cdecl handler(EXCEPTION_RECORD *rec, void *reg, CONTEXT *ctx, void *DispatcherContext) { DWORD mask = masks[g_index]; DWORD flags = g_flags & mask; DWORD *paddr = &ctx->Dr0; ctx->Dr7 = (ctx->Dr7 & ~mask) | ((g_flags & 0x00000003)<<(g_index<<1)) | ((g_flags & 0x000F0000)<<(g_index<<2)) | 0x400; *(paddr+g_index) = g_address; ctx->Eip++; return ExceptionContinueExecution; } BOOL __stdcall SetHardwareBreakpoint(DWORD index, DWORD address, DWORD flags) { HANDLE hMutex; if (index > 3) return FALSE; hMutex = CreateMutex(0, TRUE, g_MutexName); g_index = index; g_address = address; g_flags = flags; // install SEH #ifdef __GNUC__ asm(".intel_syntax noprefix"); asm("push offset _handler"); asm("push dword ptr fs:[0]"); asm("mov fs:[0],esp"); asm("int3"); asm("pop dword ptr fs:[0]"); asm("pop eax"); asm(".att_syntax prefix"); #else __asm push handler __asm push dword ptr fs:[0] __asm mov fs:[0],esp // generate exception __asm _emit 0xCC // uninstall SEH __asm pop dword ptr fs:[0] __asm pop eax #endif ReleaseMutex(hMutex); return CloseHandle(hMutex); } int main() { DWORD var0, var1; // execution breakpoint is signalled before executing instruction SetHardwareBreakpoint(0, (DWORD)&Sleep, HWBP_LOCAL|HWBP_EXECUTION); // read/write breakpoint is signalled after read/write instruction SetHardwareBreakpoint(1, (DWORD)&var0, HWBP_LOCAL|HWBP_READ|HWBP_4BYTES); SetHardwareBreakpoint(2, (DWORD)&var1, HWBP_LOCAL|HWBP_WRITE|HWBP_4BYTES); //SetHardwareBreakpoint(3, (DWORD)&ExitThread, HWBP_LOCAL|HWBP_EXECUTION); // to disable a breakpoint, call HardwareBreakpoint(index, 0); var1 = var0; return 0; }
-
sapero schrieb:
Hallo JnZn558, probier mal mein altes Projekt:
#include <windows.h> #ifdef __GNUC__ #include <excpt.h> #endif static TCHAR g_MutexName[] = TEXT("SetHardwareBreakpoint"); static DWORD g_index=0, g_address=0, g_flags=0; static DWORD masks[] = { // LL LL LL LL 00 001 // EERREERR EERREERR G GL // NNWWNNWW NNWWNNWW D EE GLGLGLGL // 33332222 11110000 33221100 0x000F0003,// 00000000 00001111 00000000 00000011 0x00F0000C,// 00000000 11110000 00000000 00001100 0x0F000030,// 00001111 00000000 00000000 00110000 0xF00000C0 // 11110000 00000000 00000000 11000000 }; enum { // local/global: 3 HWBP_LOCAL = 0x00000001, // shifted to bit 0,2,4,8 HWBP_GLOBAL = 0x00000002, // shifted to bit 1,3,5,7 // type: 3 shifted to bit 16-17, 20-21, 24-25, 28-29 HWBP_EXECUTION = 0x00000000, // 0000 do not specify HWBP_*BYTES HWBP_WRITE = 0x00010000, // 0001 HWBP_INOUT = 0x00020000, // 0010 HWBP_READ = 0x00030000, // 0011 // size: C shifted to bit 18-19, 22-23, 26-27, 30-31 HWBP_1BYTES = 0x00000000, // 0000 HWBP_2BYTES = 0x00040000, // 0100 invalid:1000 HWBP_4BYTES = 0x000C0000 // 1100 }; static LONG __cdecl handler(EXCEPTION_RECORD *rec, void *reg, CONTEXT *ctx, void *DispatcherContext) { DWORD mask = masks[g_index]; DWORD flags = g_flags & mask; DWORD *paddr = &ctx->Dr0; ctx->Dr7 = (ctx->Dr7 & ~mask) | ((g_flags & 0x00000003)<<(g_index<<1)) | ((g_flags & 0x000F0000)<<(g_index<<2)) | 0x40; *(paddr+g_index) = g_address; ctx->Eip++; return ExceptionContinueExecution; } BOOL __stdcall SetHardwareBreakpoint(DWORD index, DWORD address, DWORD flags) { HANDLE hMutex; if (index > 3) return FALSE; hMutex = CreateMutex(0, TRUE, g_MutexName); g_index = index; g_address = address; g_flags = flags; // install SEH #ifdef __GNUC__ asm(".intel_syntax noprefix"); asm("push offset _handler"); asm("push dword ptr fs:[0]"); asm("mov fs:[0],esp"); asm("int3"); asm("pop dword ptr fs:[0]"); asm("pop eax"); asm(".att_syntax prefix"); #else __asm push handler __asm push dword ptr fs:[0] __asm mov fs:[0],esp // generate exception __asm _emit 0xCC // uninstall SEH __asm pop dword ptr fs:[0] __asm pop eax #endif ReleaseMutex(hMutex); CloseHandle(hMutex); } int main() { DWORD var0, var1; // execution breakpoint is signalled before executing instruction SetHardwareBreakpoint(0, (DWORD)&Sleep, HWBP_LOCAL|HWBP_EXECUTION); // read/write breakpoint is signalled after read/write instruction SetHardwareBreakpoint(1, (DWORD)&var0, HWBP_LOCAL|HWBP_READ|HWBP_4BYTES); SetHardwareBreakpoint(2, (DWORD)&var1, HWBP_LOCAL|HWBP_WRITE|HWBP_4BYTES); //SetHardwareBreakpoint(3, (DWORD)&ExitThread, HWBP_LOCAL|HWBP_EXECUTION); // to disable a breakpoint, call HardwareBreakpoint(index, 0); var1 = var0; return 0; }kannst bitte erklaeren, wie ich mein vorhaben mit hardware breakpoint loesen koennte??
-
Naja, sorry. Ich habe neue example gebastelt:
// 4 monitored 32-bit variables void *g_pVariable[4]; LONG CALLBACK VectoredHandler(EXCEPTION_POINTERS* ExceptionInfo) { if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) { BOOL handled = FALSE; if (ExceptionInfo->ContextRecord->Dr6 & 1) // breakpoint 0 { handled = printf("First monitored variable changed to %d (code at 0x%.8X)\n", *(int*)g_pVariable[0], ExceptionInfo->ExceptionRecord->ExceptionAddress); } if (ExceptionInfo->ContextRecord->Dr6 & 2) // breakpoint 1 { handled = printf("Second monitored variable changed to %d (code at 0x%.8X)\n", *(int*)g_pVariable[1], ExceptionInfo->ExceptionRecord->ExceptionAddress); } if (ExceptionInfo->ContextRecord->Dr6 & 4) // breakpoint 2 { handled = printf("Third monitored variable changed to %d (code at 0x%.8X)\n", *(int*)g_pVariable[2], ExceptionInfo->ExceptionRecord->ExceptionAddress); } if (ExceptionInfo->ContextRecord->Dr6 & 8) // breakpoint 3 { handled = printf("Fourth monitored variable changed to %d (code at 0x%.8X)\n", *(int*)g_pVariable[3], ExceptionInfo->ExceptionRecord->ExceptionAddress); } if (handled) return EXCEPTION_CONTINUE_EXECUTION; } return EXCEPTION_CONTINUE_SEARCH; } int main() { int variable_a, variable_b, variable_c, variable_d; int a; // install part AddVectoredExceptionHandler(TRUE, VectoredHandler); g_pVariable[0] = &variable_a; g_pVariable[1] = &variable_b; g_pVariable[2] = &variable_c; g_pVariable[3] = &variable_d; for (a=0; a<4; a++) SetHardwareBreakpoint(a, (DWORD)g_pVariable[a], HWBP_LOCAL|HWBP_WRITE|HWBP_4BYTES); // test/demo part variable_a = 30; variable_b = 41; variable_c = 52; variable_d = 63; // uninstall part for (a=0; a<4; a++) SetHardwareBreakpoint(a, (DWORD)g_pVariable[a], 0); RemoveVectoredExceptionHandler(VectoredHandler); return 0; }
-
sapero schrieb:
Naja, sorry. Ich habe neue example gebastelt:
// 4 monitored 32-bit variables void *g_pVariable[4]; LONG CALLBACK VectoredHandler(EXCEPTION_POINTERS* ExceptionInfo) { if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) { BOOL handled = FALSE; if (ExceptionInfo->ContextRecord->Dr6 & 1) // breakpoint 0 { handled = printf("First monitored variable changed to %d (code at 0x%.8X)\n", *(int*)g_pVariable[0], ExceptionInfo->ExceptionRecord->ExceptionAddress); } if (ExceptionInfo->ContextRecord->Dr6 & 2) // breakpoint 1 { handled = printf("Second monitored variable changed to %d (code at 0x%.8X)\n", *(int*)g_pVariable[1], ExceptionInfo->ExceptionRecord->ExceptionAddress); } if (ExceptionInfo->ContextRecord->Dr6 & 4) // breakpoint 2 { handled = printf("Third monitored variable changed to %d (code at 0x%.8X)\n", *(int*)g_pVariable[2], ExceptionInfo->ExceptionRecord->ExceptionAddress); } if (ExceptionInfo->ContextRecord->Dr6 & 8) // breakpoint 3 { handled = printf("Fourth monitored variable changed to %d (code at 0x%.8X)\n", *(int*)g_pVariable[3], ExceptionInfo->ExceptionRecord->ExceptionAddress); } if (handled) return EXCEPTION_CONTINUE_EXECUTION; } return EXCEPTION_CONTINUE_SEARCH; } int main() { int variable_a, variable_b, variable_c, variable_d; int a; // install part AddVectoredExceptionHandler(TRUE, VectoredHandler); g_pVariable[0] = &variable_a; g_pVariable[1] = &variable_b; g_pVariable[2] = &variable_c; g_pVariable[3] = &variable_d; for (a=0; a<4; a++) SetHardwareBreakpoint(a, (DWORD)g_pVariable[a], HWBP_LOCAL|HWBP_WRITE|HWBP_4BYTES); // test/demo part variable_a = 30; variable_b = 41; variable_c = 52; variable_d = 63; // uninstall part for (a=0; a<4; a++) SetHardwareBreakpoint(a, (DWORD)g_pVariable[a], 0); RemoveVectoredExceptionHandler(VectoredHandler); return 0; }vielen dank fuer deine muehe, kannst du auch ein paar worte zu deiner code kommentieren, das waere viel nett.
-
Jo Sapero,
Sieht net schlecht aus,
ich checke jetze gerade zwo dinge nicht:a) fs:[0] ?
b) wo hinterlegst du die unterschiedlichen var addys,..n paar worte wären nicht schlecht,..
greetz
-
zeusosc schrieb:
b) wo hinterlegst du die unterschiedlichen var addys,..
Guckst du Code an, wohl in g_pVariable. Musst dich dann halt in den Prozess einhooken und die/den Zeiger entsprechend setzen. Ist cooler Code, gib dir selbst auch mal n bissi Mühe.