
Re: [exelist] Q: What mechanism SoftICE BPR uses?



Hi

[..]
>I'm interested in programming protectors.
>
>If someone knows the SoftICE BPR mechanism, or how to prevent BPR from breaking,
>please tell me.
>
>I thought BPR changes the PTE (Page Table Entry),
>and that if a page access fault is raised, SoftICE compares the address with the BPR range.
>
>I can't find a way to get PTE information in user-level programs.
>When checking it with SoftICE, the BPR command doesn't change the PTE.
>
>Is there another way to check page usage?
>Is there any protector that prevents BPR?

I don't know why it works this way, but I have found and published the
solution to this problem. I doubt that you would understand it because I've
written it in Polish only, so I will try to explain here some basics of how
to disable BPR from your program in normal mode.
As you know, BPR/BPMs change the protection of the desired memory address to
PAGE_NOACCESS, so our task is to make the region of memory accessible again.
You can do it by calling VirtualProtect and setting the original attributes,
e.g. PAGE_READWRITE for a data region. This function also fills the specified
variable with the previous attribute, so you can check whether a BPR has been
set (you can simply compare this variable to PAGE_NOACCESS). You can call this
function continuously by putting it into a thread which loops infinitely.
Below I attach a TASM source which belonged to the original Polish article;
it differs a bit from the above description, but it is fully functional. You
can check it by setting a BPR on the 'serial' variable.

---cut here------ bpx.asm

; BPR/M tester: a watcher thread polls the protection of the page that
; holds 'serial' and complains when that page has become PAGE_NOACCESS.
.386
locals
jumps
.model flat,STDCALL
include include\win32.inc
extrn VirtualQuery:Proc
extrn DialogBoxParamA:Proc
extrn EndDialog:Proc
extrn GetModuleHandleA:Proc
extrn GetDlgItemTextA:Proc
extrn ExitProcess:Proc
extrn MessageBoxA:Proc
extrn CreateThread:Proc
.data?
thWatek dd ?                            ; thread id written by CreateThread
uchwyt dd ?                             ; module handle
serial db 32 dup (?)                    ; the variable to set the BPR on
membs MEMORY_BASIC_INFORMATION <?>      ; filled by VirtualQuery

.data
isprot db 'Breakpoint on memory detected', 0
msgtitle db 'Warning', 0                ; 'title' is an assembler directive, so the label is renamed

.code
start:
call GetModuleHandleA, 0
mov uchwyt, eax
call DialogBoxParamA, eax, 1, 0, offset ProceduraGlowna, 0     ; dialog resource id 1
call ExitProcess, 0

; dialog procedure
ProceduraGlowna PROC uses esi edi ebx, hwnd:DWORD, wmsg:DWORD, wparam:DWORD, lparam:DWORD
mov edx, wparam
.IF wmsg==WM_CLOSE
        call EndDialog, hwnd, 0
.ELSEIF wmsg==WM_COMMAND
        .IF DX==105                     ; OK button (IDC_PUSHBUTTON1)
                call GetDlgItemTextA, hwnd, 101, offset serial, 32     ; read the edit box into 'serial'
                nop                     ; the serial check would go here; a BPR on
                nop                     ; 'serial' fires on the GetDlgItemTextA write
                nop
        .ENDIF
.ELSEIF wmsg==WM_INITDIALOG
        call CreateThread, 0, 0, offset BreakCheck, hwnd, 0, offset thWatek   ; start the watcher
.ENDIF
xor eax, eax                            ; return FALSE so the dialog manager does its default processing
ret
ProceduraGlowna ENDP

; watcher thread: busy-loops forever querying the page that holds 'serial'
BreakCheck Proc uses ebx, hwnd:DWORD
petla:
call VirtualQuery, offset serial, offset membs, SIZE MEMORY_BASIC_INFORMATION
mov ebx, membs.Protect
.IF ebx == PAGE_NOACCESS
        call MessageBoxA, hwnd, offset isprot, offset msgtitle, MB_OK
.ENDIF
jmp petla
ret
BreakCheck ENDP
end start

-----cut here------bpx.rc

#define DIALOG_1	1
#define IDC_EDIT1	101
#define IDC_PUSHBUTTON1	105


DIALOG_1 DIALOG 6, 15, 161, 146
STYLE WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME |
WS_MINIMIZEBOX | WS_MAXIMIZEBOX
CAPTION "BPR/M tester by Ptasiek/CrackPL"
FONT 8, "MS Sans Serif"
{
 EDITTEXT IDC_EDIT1, 33, 14, 102, 12, ES_UPPERCASE | WS_BORDER | WS_TABSTOP
 DEFPUSHBUTTON "OK", IDC_PUSHBUTTON1, 55, 109, 50, 14
}

-------cut here

Regards
Ptasiek <ptasiek@...>
[member of CrackPL]
http://www.ptasiek.px.pl
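The check described in the reply above, written out in C as an added example (it is not Ptasiek's code and not part of the original post): a watchdog function queries the protection of the page holding a secret, and when it finds the page marked no-access it puts the expected protection back and reports the hit, which is the VirtualProtect variant the text describes rather than the VirtualQuery-only TASM listing. The "debugger" side is simulated by the program itself changing the page protection; whether a particular debugger really implements memory breakpoints through protection visible to VirtualQuery is not something this example can show. On Windows it uses the real VirtualAlloc/VirtualQuery/VirtualProtect calls; on other systems (assumption: a Linux-like /proc/self/maps) the same logic is driven by mmap/mprotect so the block can be compiled and run anywhere. All helper names (query_protection, set_protection, check_and_restore, demo_bpr_detection) are mine.

```c
#define _DEFAULT_SOURCE 1          /* MAP_ANONYMOUS and sysconf on glibc */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
typedef DWORD prot_t;
#define PROT_NONE_VALUE PAGE_NOACCESS
#define PROT_RW_VALUE   PAGE_READWRITE
static size_t page_size(void) { SYSTEM_INFO si; GetSystemInfo(&si); return si.dwPageSize; }
#else
#include <sys/mman.h>
#include <unistd.h>
typedef int prot_t;
#define PROT_NONE_VALUE PROT_NONE
#define PROT_RW_VALUE   (PROT_READ | PROT_WRITE)
static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }
#endif

/* Start address of the page that contains p. */
static void *page_of(const void *p) {
    return (void *)((uintptr_t)p & ~(uintptr_t)(page_size() - 1));
}

#ifdef _WIN32
/* Current protection of the page holding p, as VirtualQuery reports it. */
static int query_protection(const void *p, prot_t *out) {
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(p, &mbi, sizeof mbi) == 0) return 0;
    *out = mbi.Protect;
    return 1;
}
static int set_protection(const void *p, prot_t prot) {
    DWORD old;
    return VirtualProtect(page_of(p), page_size(), prot, &old) != 0;
}
static void *alloc_page(void) {
    return VirtualAlloc(NULL, page_size(), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
}
static void free_page(void *p) { VirtualFree(p, 0, MEM_RELEASE); }
#else
/* Non-Windows stand-in (assumption: /proc/self/maps exists): find the
   mapping containing p and translate its "rwxp" flags into PROT_* bits. */
static int query_protection(const void *p, prot_t *out) {
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512], perms[8];
    unsigned long lo, hi;
    int found = 0;
    if (!maps) return 0;
    while (!found && fgets(line, sizeof line, maps)) {
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3) continue;
        if ((uintptr_t)p < lo || (uintptr_t)p >= hi) continue;
        *out = (perms[0] == 'r' ? PROT_READ : 0) | (perms[1] == 'w' ? PROT_WRITE : 0) |
               (perms[2] == 'x' ? PROT_EXEC : 0);
        found = 1;
    }
    fclose(maps);
    return found;
}
static int set_protection(const void *p, prot_t prot) {
    return mprotect(page_of(p), page_size(), prot) == 0;
}
static void *alloc_page(void) {
    void *p = mmap(NULL, page_size(), PROT_RW_VALUE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}
static void free_page(void *p) { munmap(p, page_size()); }
#endif

/* One iteration of the watchdog loop from the post: if the page holding
   `var` is no longer accessible, restore `expected` and report it.
   Returns 1 = breakpoint found and cleared, 0 = page untouched, -1 = query failed. */
static int check_and_restore(const void *var, prot_t expected) {
    prot_t cur;
    if (!query_protection(var, &cur)) return -1;
    if (cur != PROT_NONE_VALUE) return 0;
    set_protection(var, expected);
    return 1;
}

/* Simulated session: the secret lives on its own page, the "debugger"
   marks that page no-access the way the post says a BPR does, and the
   watchdog must detect it and make the page writable again.
   Returns 1 on success, 0 on any failure. */
static int demo_bpr_detection(void) {
    char *serial = alloc_page();          /* dedicated page: no neighbours get hit */
    prot_t before, after;
    int detected, restored;
    if (!serial) return 0;
    strcpy(serial, "ABCD-1234");          /* constructed sample secret */
    if (!query_protection(serial, &before) || before != PROT_RW_VALUE) { free_page(serial); return 0; }
    if (check_and_restore(serial, PROT_RW_VALUE) != 0) { free_page(serial); return 0; } /* quiet when no BPR */
    set_protection(serial, PROT_NONE_VALUE);   /* the "BPR serial L 32 RW" */
    detected = check_and_restore(serial, PROT_RW_VALUE);
    restored = query_protection(serial, &after) && after == PROT_RW_VALUE;
    if (restored) serial[0] = 'X';        /* would fault if the page were still no-access */
    free_page(serial);
    return detected == 1 && restored;
}

int main(void) {
    printf("BPR detection demo: %s\n", demo_bpr_detection() ? "detected and restored" : "failed");
    return 0;
}
```

Two points the TASM listing glosses over: a global such as `serial` shares its page with the rest of `.data`, so a protection-based breakpoint on any neighbouring variable trips the same check (and restoring the page clears that breakpoint too), which is why the example gives the secret a page of its own; and the watcher in the listing is a busy loop, so a real protector would sleep between polls.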