找回密码
 立即注册
OllyDbg断点ZwContinueNTDLL | 程序非源代码 2021-06-28 517 0star收藏 版权: . 保留作者信息 . 禁止商业使用 . 禁止修改作品

调试引擎现在更加稳定,尤其是在进入异常处理程序时。有一个新的调试选项,“在系统调用上设置永久断点”。当激活时,它请求 OllyDbg 在 KERNEL32.UnhandledExceptionFilter()、NTDLL.KiUserExceptionDispatcher()、NTDLL.ZwContinue() 和 NTDLL.NtQueryInformationProcess() 上设置断点。例如,如果 CPU 在异常处理程序中并且您设置了硬件断点,它就不会命中! NTDLL.ZwContinue() 恢复寄存器的原始内容,修改丢失。因此 OllyDbg 在 ZwContinue() 上设置临时 INT3 中断并将更改应用于内存中的上下文副本。但有时它根本不知道临时断点是必要的。如果正在调试进程,Windows 不会调用未处理的异常过滤器。相反,它会通知调试器。为了向过滤器传递异常,OllyDbg 拦截了 NtQueryInformationProcess()。如果处理程序询问操作系统是否调试了进程,OllyDbg 会报告“否”。等等。好吧,如果这个新选项如此有利,为什么不将其设为默认值呢?因为有些病毒会在这些 API 上检查 INT3 断点。

(Debugging engine is now more stable, especilally if one steps into the exception handlers. There is a new debugging option, "Set permanent breakpoints on system calls". When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue() and NTDLL.NtQueryInformationProcess(). For example, if CPU is in the exception handler and you set hardware breakpoint, it won't hit! NTDLL.ZwContinue() restores original contents of registers and modifications get lost. Therefore OllyDbg sets temporary INT3 break on ZwContinue() and applies changes to the copy of the context in memory. But sometimes it simply doesn't know that temporary breakpoint is necessary. If process is being debugged, Windows don't call the unhandled exception filter. Instead, it notifies debugger. To pass exception to the filter, OllyDbg intercepts NtQueryInformationProcess(). If handler asks OS whether process is debugged, OllyDbg reports "no". And so on. Well, if this new option is so advantageous, why not to make it default? Because some viruses check for INT3 breakpoints on these APIs.)

1624868987649.rar


上一篇:Crack MD5 Tool
下一篇:Xpatcher v1.0 最新补丁制作工具