(Debugging engine is now more stable, especilally if one steps into the exception handlers. There is a new debugging option, "Set permanent breakpoints on system calls". When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue() and NTDLL.NtQueryInformationProcess(). For example, if CPU is in the exception handler and you set hardware breakpoint, it won't hit! NTDLL.ZwContinue() restores original contents of registers and modifications get lost. Therefore OllyDbg sets temporary INT3 break on ZwContinue() and applies changes to the copy of the context in memory. But sometimes it simply doesn't know that temporary breakpoint is necessary. If process is being debugged, Windows don't call the unhandled exception filter. Instead, it notifies debugger. To pass exception to the filter, OllyDbg intercepts NtQueryInformationProcess(). If handler asks OS whether process is debugged, OllyDbg reports "no". And so on. Well, if this new option is so advantageous, why not to make it default? Because some viruses check for INT3 breakpoints on these APIs.)
收藏
