vitdor Newbie cheater Reputation: 0
Joined: 08 Feb 2018 Posts: 18
Posted: Thu Jan 17, 2019 12:22 pm Post subject: How to hide debug register dr7 |
Simple code SetThreadContext->GetThreadContext detects the debugger in global mode.
The driver gives fake registers dr0-dr3 but dr7 is always real. How to hide it?
OldCheatEngineUser Whateven rank Reputation: 20
Joined: 01 Feb 2016 Posts: 1587
Posted: Thu Jan 17, 2019 12:39 pm Post subject: |
Because global bits don't reset in global (unlike local), you should refer to Intel's SDM.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: | i am a sweetheart. |
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Thu Jan 17, 2019 2:35 pm Post subject: |
Is the option to override existing breakpoints set?
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
vitdor Newbie cheater Reputation: 0
Joined: 08 Feb 2018 Posts: 18
Posted: Thu Jan 17, 2019 4:10 pm Post subject: |
Dark Byte wrote: | is the option to override existing breakpoints set ? |
No, this is without an override.
If override is set, all registers will have 0x0 for the GetThreadContext function and debugging will also be detected.
If I comment out these 2 lines in interrupt1_handler(...):
//gpvalue=0xf0401;
//debugger_dr7_setValueDword(gpvalue);
DebuggerState.FakedDebugRegisterState[cpunr()].DR7=debugger_dr7_getValueDword();
dr7 can be hidden, but the target program writes 0xF0455 to dr7 and I remain without debug registers.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Thu Jan 17, 2019 5:24 pm Post subject: |
Is this for single-stepping or for finding code that accesses something? If just finding out, try the DBVM version of find what accesses.
vitdor Newbie cheater Reputation: 0
Joined: 08 Feb 2018 Posts: 18
Posted: Fri Jan 18, 2019 2:41 am Post subject: |
Dark Byte wrote: | Is this for single-stepping or for finding code that accesses something? If just finding out, try the DBVM version of find what accesses. |
This was done very simply but effectively: when launched, the program writes fake addresses to the debug registers once (sets dr7 to 0xF0455), and then simply controls the changes through any exception and the _CONTEXT structure. Differences = debugger.
UPD
I found a way around this problem, but the method is not very elegant and situational. In the driver (IOCTL_CE_DEBUGPROCESS), the DR7 already appears with the value 0x400, the remaining registers retain their original state.
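
Added example, not part of the thread and not Cheat Engine or driver code: a small decoder for the three DR7 values quoted above (0xF0455, 0xF0401, 0x400), using the DR7 bit layout from the Intel SDM, to show which fields differ when a program compares the Dr7 it wrote against the one it reads back. The names `dr7_slot`, `dr7_decode_slot` and `dr7_enabled_mask` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* One decoded breakpoint slot of DR7 (bit layout per the Intel SDM, vol. 3). */
struct dr7_slot {
    int local;   /* Ln bit: enabled for the current task only */
    int global;  /* Gn bit: enabled for all tasks */
    int rw;      /* R/Wn field: 0=execute, 1=write, 2=I/O, 3=read/write */
    int len;     /* bytes covered by the breakpoint, from the LENn field */
};

static struct dr7_slot dr7_decode_slot(uint32_t dr7, int n)
{
    static const int len_bytes[4] = { 1, 2, 8, 4 };  /* LENn encoding */
    struct dr7_slot s;
    s.local  = (dr7 >> (2 * n)) & 1;
    s.global = (dr7 >> (2 * n + 1)) & 1;
    s.rw     = (dr7 >> (16 + 4 * n)) & 3;
    s.len    = len_bytes[(dr7 >> (18 + 4 * n)) & 3];
    return s;
}

/* Bitmask of slots (bit n = DRn) that have Ln or Gn set. */
static unsigned dr7_enabled_mask(uint32_t dr7)
{
    unsigned mask = 0;
    for (int n = 0; n < 4; n++) {
        struct dr7_slot s = dr7_decode_slot(dr7, n);
        if (s.local || s.global)
            mask |= 1u << n;
    }
    return mask;
}

int main(void)
{
    static const char *rw_name[4] = { "execute", "write", "I/O", "read/write" };
    const uint32_t samples[] = { 0xF0455, 0xF0401, 0x400 };  /* values from the thread */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("DR7=0x%05X enabled mask=0x%X\n",
               (unsigned)samples[i], dr7_enabled_mask(samples[i]));
        for (int n = 0; n < 4; n++) {
            struct dr7_slot s = dr7_decode_slot(samples[i], n);
            if (s.local || s.global)
                printf("  DR%d L=%d G=%d %s, %d byte(s)\n",
                       n, s.local, s.global, rw_name[s.rw], s.len);
        }
    }
    return 0;
}
```

Decoded this way, 0xF0455 has all four local enable bits set, 0xF0401 only L0, and 0x400 none (bit 10 is the reserved always-one bit), so any of the substituted values is distinguishable from what the program wrote.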