Posted: Thu Aug 31, 2017 4:25 pm Post subject: Find out what addresses this instruction accesses
Hi.
I've an instruction like this:
ASM
Code:
145623710 mov rax, [rcx+8]
How does 'Find out what addresses this instruction accesses' differ in terms of setting a breakpoint?
I've just got a working debugger implemented in .NET that currently works with "Find out what accesses this address" && "Find out what writes to this address"
I figured it all out. One could expect to receive at least a basic hint but nothing. Well this topic is one of the most advanced features in CE.
Regardless here is the solution:
1) Set your debugger to track instruction execution on the instruction you need: flags in hex 0x403 -> dr7.Value = 0x403
2)
My VEH debugger is fully coded in .NET so I do it this way:
if (evt.DebugInfo.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_SINGLE_STEP) ...
Then set the RF after getting a context from the thread that caused the exception (debug loop is posted here for those who work with C++, use Google like I did)
ctx.EFlags |= RESUME_FLAG;
3)
RemoveBreakPoint(evt.ThreadId); for the thread that caused it
4)
Then handle the exception and set the breakpoint immediately back to track any new instruction execution
This allows me to track the exact time for how long a function executed. Really cool feature
That's all I am going to share on this topic, figure the rest out on your own like I did.
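As an added example (not the poster's code, and with hypothetical helper names), the C sketch below encodes and decodes DR7 per the x86 debug-register layout. It shows why 0x403 from step 1 arms slot DR0 as an execute breakpoint, and how that differs from the write and read/write watchpoints behind the two "this address" features.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper names; bit layout per the x86 debug-register definition. */
enum bp_type { BP_EXECUTE = 0, BP_WRITE = 1, BP_IO = 2, BP_ACCESS = 3 };
#define DR7_RESERVED_1 0x400u   /* bit 10 always reads as 1 */
#define EFLAGS_RF      0x10000u /* resume flag (bit 16), set in step 2 of the post */

struct bp_slot { int enabled_local, enabled_global; enum bp_type type; int len_bytes; };

/* Build a DR7 value arming one slot (0-3). Returns 0 on invalid input. */
uint32_t dr7_encode(int slot, enum bp_type type, int len_bytes, int global)
{
    static const int len_code[9] = { -1, 0, 1, -1, 3, -1, -1, -1, 2 };
    if (slot < 0 || slot > 3 || len_bytes < 1 || len_bytes > 8) return 0;
    if (len_code[len_bytes] < 0) return 0;
    /* Execute breakpoints must use LEN=00; other lengths are undefined. */
    if (type == BP_EXECUTE && len_bytes != 1) return 0;
    uint32_t v = DR7_RESERVED_1 | (1u << (slot * 2));      /* Ln bit */
    if (global) v |= 2u << (slot * 2);                     /* Gn bit */
    v |= (uint32_t)type << (16 + slot * 4);                /* RWn field */
    v |= (uint32_t)len_code[len_bytes] << (18 + slot * 4); /* LENn field */
    return v;
}

/* Decode one slot (0-3) of a DR7 value. */
struct bp_slot dr7_decode(uint32_t dr7, int slot)
{
    static const int len_bytes[4] = { 1, 2, 8, 4 };
    struct bp_slot s;
    s.enabled_local  = (dr7 >> (slot * 2)) & 1;
    s.enabled_global = (dr7 >> (slot * 2 + 1)) & 1;
    s.type      = (enum bp_type)((dr7 >> (16 + slot * 4)) & 3);
    s.len_bytes = len_bytes[(dr7 >> (18 + slot * 4)) & 3];
    return s;
}

int main(void)
{
    static const char *names[] = { "execute", "write", "io", "read/write" };
    uint32_t samples[] = { 0x403u, dr7_encode(0, BP_WRITE, 8, 1), dr7_encode(0, BP_ACCESS, 8, 1) };
    for (int i = 0; i < 3; i++) {
        struct bp_slot s = dr7_decode(samples[i], 0);
        printf("DR7=0x%08x slot0: %s, %d byte(s), L=%d G=%d\n", (unsigned)samples[i],
               names[s.type], s.len_bytes, s.enabled_local, s.enabled_global);
    }
    return 0;
}
```

An execute breakpoint is reported before the instruction runs, which is why the resume flag has to be set before continuing; data watchpoints are reported after the access and do not need it.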