yeah all right so we’re not starting yet but the attack is up on the board so if you can so here’s what I’ll say about this in order to understand it now you know it just describes it anyways you look at it and see if you can see what what I’m trying to imply here about maybe a little bit see the captions all right it is time to start again and we’ll take you right up till 5:00 but before we leave segmentation and interrupts and stuff like that I want to talk about this recent variant attack that I found okay so in a normal so when we had like that break on through to the other side we did what I’ll call normal interrupt descriptor table looking what we did is we went into the IDT we went to index EE right so we took the size of each entry so the kernel module says okay read the ID TR to find the base address of the IDT whatever thing you want a hook you take and you say that index ee times the size of each entry right eighth so you add those together you have the base plus eight times ee and that’s where there should be an interrupt descriptor right it should have an off it should I have a logical address in it as well as DPL and stuff we don’t we don’t care about the issue is in normal hooking how kernel rootkits another you know third-party software do it is they go into the IDT and they changed that 32-bit offset right and that works fine because base is always zero for the normal IDT so you changed the 32-bit offset and now you point at your new code right so if you go back and you hit the bang IDT you see that yeah this new address is break on through the other side plus whatever that’s how normal things do it and that’s how normal you know Luke it detectors look at this so if you get some of the best detectors like G mer toluca they go through and they check the IDT by checking each of these 32-bit offset fields out of that you know 64-bit descriptor so the issue is what we found was instead of doing that let’s go ahead and leave that 32-bit offset which they’re checking that they’re checking let’s leave that the same but instead let’s change the segment selector so that it selects just some random segment here I just took like hex 50 as an index into the GD T so hex 50 shifted by 3 bits to the left is 280 so I took index 50 and I changed it to have a base of you know 777 whatever but the whole point of setting the base was that base plus the existing unchanged 32-bit offset equals the linear address where my attack code is right so back here just straight up change the 32-bit address you get to your attack code when someone calls the interrupt here leave the dress the same change the segment selector and create a new segment which has a base which is nonzero and when you add that nonzero base to the 32-bit offset you get the address of the attackers code the really interesting thing here is that this technique can actually be used to go from you can leave your 32-bit offset the same and get to an address which is negative relative to it so this one is a little I could have wrote in this fourth box two different ways but what I’m trying to show here is let’s say that the attacker is still trying to get to the same linear address right he could have changed the 32-bit offset to you know some new address which is seven f7e something something something but he’s trying to get to f7d something something something and by setting the base to ff0000 you take f7e without got that plus FFF and you add those together and it wraps around with a 32-bit address space and you now are at f7d not that that so the reason that negative one is very interesting is because you know in the case of the existing kernel handlers they’re typically at address ranges like eight zero something and the kernel module gets loaded at some higher address so yeah positive hooking yeah you just need to have a base address which is sort of the difference between your high address and the kernels low address but what if you’re trying to hook some third party software which got installed at the system on a high address too and what if you got a lower high address than it

right so now you’re trying to hook this but you’re literally lower than it you need some way to are you you’re trying to hook this but you’re literally lower than it but you still want to leave this 32-bit offset the same so that’s what was you know ambiguous about this fourth thing I could have also shown a you and it wraps around to 8:04 something something something it’s just that in this context 8:04 means nothing to me other than that it’s negative relative to the existing thing so the point is if that existing thing were some other third-party software which got loaded at a high address and you got loaded at a lower address the fact that you can wrap around the entire 32 bit segment space and pop back in on the negative side negative relative to what’s already there that’s very interesting and potentially a bug not sure where I emailed Intel about that we’ll find it so that was this is the little variant showing that you know I can either go positive or negative from the existing 32-bit offset by just setting either you know really big or a sort of small base address to some new segment which I’m selecting from that base plus the existing is positive to the existing or negative to the existing this was sort of interesting and again you could only understand this sort of attack and this paper here if you understand segmentation and interrupts to the level that you get in this class which is why even you know the really good rootkit detectors didn’t didn’t look at the full logical address right it’s not that much harder to look at the full logical address because those segment selectors are always selecting segments eight they’re always selecting the kernel code segment and so an easy defense for this sort of attack is just if you’re a detector you go through and you look at every interrupt entry that’s not a trap gate or task gate rather you go through and look at them all and you say is one of them suspiciously not pointing to the normal code segment which goes 0 to FFF right and so every interrupt entry should always point to a descriptor which describes 0 to F F F that’s sort of thing so easy to defend against and and so we contacted some vendors to hopefully get them to you to check this before this papers made public if we get accepted anyways when is your now lead enough to understand them alright moving on to debugging quickly that’s the last topic we can cover for today unfortunately well we’re gonna try to get through i/o but we may just cheat and just show you it for the sake of showing it to you alright so we already learned that I eighty-three of is the breakpoint you’re exception or a breakpoint interrupt and there is a one byte form of breakpoint at cc so if you put in a cc and then you know code executes cc it’s gonna be interrupt three and it’s going to vector to the kernel and the kernel will then you know have to pass that to a debugger if one exists so in reality anytime that you just ask a debugger for like a normal break point typically you know in almost every case it should be using this software a breakpoint because you can set an unlimited number of software breakpoints right you just hack in these cc bytes wherever you want the debugger to stop and so how the software would do it when we click the little icon over to the side of the thing it the you know the burger says okay what assembly line corresponds to this location in the C source code and for that assembly line go ahead take a copy of the first byte of that assembly instruction you know an opcode byte or whatever overwrite it with CC and when you’re running around down through your assembly you hit Bank cc interrupt gets called back you know the OS talks back to the debugger debugger catches the interrupt and says okay what do you want to do human continued step one instruction what are you going to do if you say you know step one instruction or can for or just continue in general it’s going to replace that CC temporarily with the original byte execute the original instruction and then you know once again take it out put the CC back it depends on if you you know you turned off the breakpoint or not but if the breakpoint still on gonna put back the original byte execute the instruction and put back the CC so that if you have like a loop or something like that that every time through the loop hit the breakpoint so the thing is the buggers hide this from you they hide the fact that when you ask them for a breakpoint whether it’s wind a bug or gdb or Visual Studio when you ask them for a breakpoint at a specific memory address they have overwritten that one

bite at that address with CC and then they just expect to catch that later so what we’re gonna do is we’re going to run a little lab where we’re gonna set the breakpoint we’re gonna look at the instruction then we’re gonna look at it in the memory window and it’s not going to show us CC hiding it from you it shows you the byte sequence for the instruction which should have been there but if we write special code which reads our own memory and prints out what we see then we can get around the fact that it’s hiding it from us because we really are reading our own memory don’t we see that see see this is proof pudding yes yes all right so this is again going towards an anti debug check they don’t you don’t necessarily check one byte at a time they will for instance create a checksum over an entire range of memory right so there’s for instance there’s a dedicated CRC cyclic redundant cyclic redundancy check instruction in the Intel instruction set so you can say like take all of this memory range CRC it together and if CRC does not match the clean code and somebody’s stuck a breakpoint in there somewhere right and so then they can issue different code so yes it definitely is used as an anti debug trick and we’re now going to get around to the debuggers lies and we can just do this from outside of the vm if we want or inside it doesn’t matter in Visual Studio you want to set proof pudding as the startup project and we’re just going to look at it really quick so this is gonna be a little complex and yeah John Ericsson suggested a way that I could make this a little less complex here but this hard-coded instruction I’ve generated here e8 zero zero zero zero this is actually a call instruction and it’s calling zero bytes passed the next instruction so we know that we can have relative calls where it’s saying you know it’s just like relative jumps relative calls you can I want you to go however many bytes past the next instruction if I say go zero bytes past the next instruction it means it functionally just jumps down to the next instruction but the side effect is that like any call the address of the next instruction is put onto the stack so you’re calling the next instruction which is kind of like pushing the EIP of the next instruction and then that next instruction can go ahead and pop that back off the stack and you know you can start trying to read it you can pop it into a register and put the register into a local variable and then in that way you have read the address at the next instruction you can also you know hard code some offsets into there add or subtract from that so all 0 so you just call the next instruction the next instruction is a pop EAX instruction which turns out to be a single literal opcode byte of 58 anytime you have poppy IX it is the byte 58 that’s where I want you to set your breakpoint right so what I’m claiming is when you set a breakpoint on this poppy ax the debugger is going in there and taking this 58 and replacing it with the CCE but keeping a copy off to the sides that it knows how to like put it back when it wants to actually execute the instruction so whether it’s a one byte instruction or a five by instruction doesn’t matter the first byte gets overwritten with the CC and so what we’re going to see is we set the breakpoint on poppy ax put the breakpoint at the very end on return feeble and so now the point is when we execute this we expect it to say so it popped the address of this right here this on its own instruction and then it’s moving it to a pointer and it’s printing out the pointer and stuff like that so when we run this with the debugger enabled we expect this to say well okay let’s run it once without the debugger and we expect this to say 58 it sees 58 because that’s what a pop is Oh hit f5 to run we run it once we look at the output window it says the proof is in the pointer hex 58 okay so no breakpoint we are correct poppy ax is hex viii all right go ahead and stop it I’ll manage slide my window probably someone else did this earlier well go ahead and set a breakpoint on now set a breakpoint on papier X and just run it again and then step past the breakpoint or just continue when you hit the breakpoint and then you should see it’s saying see see there okay good so right this is the key point which um is often not understood

by people when they’re trying to understand how the what the complete flow is from interrupt back to debugger right so in order for the interrupt to get to the right place right and OS typically has to export some sort of debugging API where it says look if you want to put if you want to debug someone you need to register as a debugger for this process so that when I get a debug breakpoint or you know software breakpoint or a hardware breakpoint when I get a hardware or software breakpoint I don’t know what to do with it right so that happened if you as a debugger want to actually handle that and like you know manipulate your data however you want to you need to register to me the OS so that when this breakpoint fires I know to call you back I can see oh you’ve got a breakpoint let me check the EIP cuz you know yappy gets pushed on the stack anytime we got interrupts check the IP you know which process was running at the time you know check my see are three that was Co three doesn’t get changed like we said before we go kernel the user space whatever the CR three doesn’t actually change and so so the OS needs to know who to tell about this right if there’s no debugger registered it just considers it like you know an invalid breakpoint it’ll just you know crash the program but if there’s a debugger registered Visual Studio here is said to the OS hey I’m acting as the debugger for this process call me back when any sort of or in threes occur and so that’s the full flow right here you click on the side that fills in Assisi you step through the code one instruction at a time and when it hits the CC it transfers to the interrupt descriptor table host index 3 looks at the offset and the segment selector it selects the kernel segment flex the offset which is just the you know default handler for in our break points and that default handler then says do I know about any you know debuggers which have registered themselves right now and if so then okay you know which process did this occur in who is the registered debugger and I will go ahead and tell the registered debugger for this process hey you’ve got an interrupt and it occurred at this address go ahead and run register debugger so instead of passing control back to the program they pass control to the register that’s the part which is not implemented in many sort of hardware specification thing like the OS has to come up with some sort of API by which you can say I want to debug this now so anyways I’ll run mine one more time and actually I’m going to stop here where it says pop Dax because I know at that point EA X holds the address of that instruction so I’m gonna put it into a memory window and literally like try to see that it’s EC but the debugger is going to lie to me so I start my debugger I’m stopped here at poppy ax and I know that immediately after I activate this so I’m going to step one instruction I know that after I’ve executed this a X holds the address of the poppy ax instruction so if I take that address and I put it into a memory window by going bug dose memory put that in press return you but in reality we read our own memory we printed out our own memory and we see that our own memory is si si so that’s how we know that yes software breakpoints are interrupts each software breakpoints are implemented by debuggers as having a CC bite in there and if you want you know a technique which sometimes is useful to malware analysts is if you want something to hit a breakpoint you don’t like if you’re going to load something up and you want it to eventually break at some specific location say that entry point which is specifying the P headers you can hard code a cc into the little binary on disk and when it gets loaded up as long as that CC was in you know some code section and along it as long as you knew that it was like the start of an instruction not you know you’re not corrupting the middle of an instruction ISM and when the CPU loads it you know OS loads it up into memory starts executing it when it hits that CPU it’ll just go ahead and you know call whatever debuggers registered and for instance things like Ida can say I want to be registered for any process any process that has a very point let me know it so you can hack in a cc in the file on disk register Ida as I want to debug everything and then go ahead and run the file and it’ll eventually hit that’s a trick which has utility in some cases it’s typically you’re gonna go from within Ida you’re just going to say I want to start this process and item will just automatically set a breakpoint on

the very first instruction the the address of entry point that’s on the PE headers all right so that was proof pudding showing that software interrupts are done with cc all right so finally we want to talk about hardware support for debugging so those were software breakpoints and we call it that because you’re putting in a software instruction hardware breakpoints are a way that the hardware will actually automatically for you check if you are meeting some condition on a virtual memory access so the hardware all will say for every virtual memory access is this am i executing at this virtual memory address am i reading from this virtual memory address or am i reading to this virtual memory if you’ve set a Hardware break point where you say dear hardware execute an interrupt three no sorry interrupt one the bug breakpoint interrupt execute an interrupt one when you see any virtual address trying to execute that address or this address if you ever see anyone trying to read to this virtual address cause an interrupt if you see anyone ever trying to write to this virtual address causing interrupts and even you can set it on like port IO so if you’re trying to talk to devices you can say tell me give me any interrupt when someone’s trying to talk out on this port and unfortunately I don’t think we’re gonna have enough time to talk about port IO because that was the next section the but anyways just so you’re aware of that capability so the thing is though you’re very limited with hardware breakpoints because there’s essentially four registers where you can specify a virtual memory address that you want these breakpoints to occur on so you can set up to four Hardware breakpoints where the hardware will just automatically be checking am I currently have this virtual address and am i doing it execute am i doing a read am i doing a write which goes back to those notions of the hardware knows whether it’s executing the hardware knows whether it’s reading or writing alright so typically you have to look for this explicitly in the documentation if you just say give me a break point you’re going to get a software break point because the debugger can set an unlimited number of those as many cc’s as you have instructions if you want a hardware breakpoint you have to find the specific thing we’ll see for window bug what it is there is definitely a way to set it in Visual Studio I think but I almost never use it there if you go to gdb I think hardware breakpoints are secretly behind the scenes they’re called like watches or something like that so you’re gonna have to look at the documentation to find out but there should be some hint in there saying you know you’re setting if if it tells you that you can set a breakpoint on lead or a breakpoint on light and you have to be dealing with a hardware breakpoint because those software great points aren’t going to know anything about reads or writes so there is some specific registers which control these and knowing these registers one as a good guy you could set your own breakpoints when you want and as a bad guy knowing these registers you can just wipe them out so that the debugger never catches any hardware breakpoints right so you may you as a reverse engineer may be saying oh well I want to set a breakpoint on this virtual address and because I know you know the attacker is writing to that virtual address I want to know when he writes that virtual address can you say okay set the breakpoint go alright and then the attacker in his code may have some instruction which says okay clear all the debug registers right and then none of those Hardware breakpoints are going to fire they have to be aware of the capabilities and limitations of Hardware breakpoints in the conference delicious code so first of all accessing the debug registers requires technically requires Cpl zero so it’s a register to register thing again you’ve got these 32-bit registers and you can move from EAX to them or ax the instructions for the actual moves require CPL 0 it turns out on Windows for instance it exposes in remembering those mega data structures for thread information and process information it it turns out the windows exposes information about your thread context right now and some of the fields that it exposed are the debug register fields so if you and you use a space process change those debug register fields in your context then when you get context switched out and context switch back alright so you set those in your you know hacked version of kelp that exe you’ve just broken into calc dot exe you as the malicious person have changed the thread context to set some hardware breakpoints you got swapped out because notepad turned to run he got swapped back in we get swapped back in and the kernel is swapping in all your context it’s setting these debug registers based on that so it is the case that users please code on Windows anyways can set the debug registers even though you’re supposed to only be able

to do it for me zero I don’t know if there’s anything equivalent on window on Linux alright so right there’s technically eight registers PR four and five are not even used so dr is zero through three these are the four registers where you can set an address where you want to break and then dr six is status this tells you when a break happens you need to go check this status register to find out what kind of breakpoint up and was it read break was the right break because you could set maybe two break points on the same virtual memory address and maybe one of them is a break on execute and the other is a break on lead and so you have to check this status register to know which of those just fired did someone just write to my instruction or did someone just execute mine the status flags and the status register will tell you and then finally dr7 the control register this is just saying turn on or off breakpoints on the virtual address and 0 the virtual address anyone free it also will say things like turn on execute breakpoints turn on read breakpoints turn on right breakpoints read my breakpoints anyways so those are the straight up values so 0 through 3 just plug in any virtual address and that’ll say here’s where i want to break and then up in the control register that’s where you need to say whether you enable it or not and if you do enable it what type is it and what size of memory do you want a breakpoint you can break it say I only want to break if that virtual address one bite one bite at that virtual address has changed or you may say auto break if anywhere in 4 bytes after that virtual address have changed you can go one two four and on some systems eight bytes at the virtual address if anywhere within those bytes execute or read or write and it’ll break so here’s the control register the key points are there’s two different things one of them is called local enable and the other is called global enable mo Cole has to do with tasks which is which we said we mostly don’t care about so if you switch tasks using Intel’s tasks which notion this local enable stuff gets cleared so you may locally enable in this task that I want a break point on that virtual address you switch over to that one that task you don’t want that break point to still be in effect right so local enable is saying like let’s lock it down to here as I said that Windows doesn’t really use task switching so in reality you’re always in the same task except for a few of those weird interrupts and stuff so what the point there would be it’s sort of like gdt ldt right so local could be per process if you want it to be locally descriptive Cable global is for everyone right so if you say global enable it doesn’t matter which process you’re in right now it’s gonna break on that virtual address so you could see how in user space for instance if you could turn on you know break on virtual address this but then it turns out you got swapped over to some other process context you’d be breaking where you didn’t actually care about it so anyways local versus global is just global is always in effect you turn it on in global it doesn’t matter which process you’re in well it’s about tasks and since you’re always in one task anyways it doesn’t matter local is clear out the stuff if you switch tasks and do yeah these are just some le stand for an a local exact a global exact something like that dag there we go yeah I can read local exact and global exact are saying in the specific case of a data breakpoint typically on a data breakpoint it’s going to break at the instruction after the data was written to right so the data is going to be written there’s going to be an interrupt and the EIP is going to point at the instruction afterwards and what kind of fault trap or abort what kind of interrupt is that I’m saying data usually is the EIP points at the address after trap right and so the point is in some cases you may really want to say like the actual instruction which caused the right I want to know that instruction so in those cases there’s ways you can flip bits to say I want to know exactly the instruction which caused the right and I want that guy’s the IP instead of the EIP after yes yes basically it’s causing an attacked as a fall to sub trap and that’s why if you go back to that here’s all of Intel’s defined things there was fault flash trap and there’s there’s another reason as well all right then there’s general detect this one’s sort of interesting this is trying to be a protection mechanism for debug registers but I don’t think it actually works general detect flag you set that to one

and that says I want to now cause an interrupt if someone tries to touch my debug registers so it’s like I’m gonna set up the debug registers I’m going to set general detect so if someone tries to move into my debug registers I want to cause it interrupt I want to catch that interrupt and I want to say ah no you know kill whoever tried to touch my debugger registers right off with their head the reason this wouldn’t really necessarily work in kernel space is because why can’t the attacker just go hope your interrupt one to make it so that yes I can’t touch your registers but then it vectors to interrupt one and that vectors to attacker code and at that point they can just you know turn off the general detect because obviously your code also has to have a way to turn off the general detect you can’t have it be that no you gets locked down like for evermore not even you may do it so in the context of the interrupt handler yes it can reset this flag so Packers could get around that but certainly for sanity checking purposes again it is good to know if few debuggers are trying to fight over the hardware breakpoints right and to be able to no context switch between them potentially there’s only four of them for everyone right so if you if you’re if this debugger expects exclusive access to those debug breakpoints and if you know it’s being context switched out or something like that then you have to have a way to well to make sure that things don’t smash each other’s Hardware breakpoints all right finally this RW 0 through 3 this is essentially telling this is remember 1 on the control register and this is telling the hardware and we’re not actually finally this is telling the hardware what type of action do I want you to break on so the local enable global enable we’re saying which of those d r0 through d r3 do I want you to care about the virtual address for so the hardware will check for every virtual address it’ll go over and check the hardware breakpoint d r0 through d r3 and say if local enable is set to 0 or if vocal enable is 0 is set to 1 for instance and it says dear hardware please enable checking against a bug register 0 so it says check every virtual address against the virtual address I’ve put into debug registers 0 alright so local enable this flag L 0 turns on no Hardware checking this this flag L 1 turns on Hardware checking this cetera right but for each of those then you have to tell the hardware when do I want you to actually issue the thing so it may see ok this is enabled and I’m checking this debug register 0 through 3 but what type of breakpoint do I actually want so this R 0 through R this RW 0 through RW 3 interpreters follow right so there’s this right here RW 0 if these two bet bits are set to 0 0 it’s telling the hardware please break when you see that someone is trying to access this virtual memory address as an instruction if you are trying to execute code at this location hardware I want you to issue an interrupt one if this RW 0 is set to 0 1 it says if you the hardware are seeing someone is trying to reach our sorry write only to this virtual address which I’ve specified in debug registers zero if you’re trying to write their hardware please please give me an interrupt let me know about that then this one is potentially undefined the one zero case is maybe undefined but in other cases it’s about input/output on this port IO so you can actually say if someone is trying to talk out to some peripheral via port IO I want to know about it I want to intercept that finally one one is for brakes on reads or writes but not execution so unfortunately well it’s no good say you can go either way but I would say this is for purposes of concert no it’s not true okay you have a break on right only you have a break on read or write that you have no break on read only right so if you just want to know when someone read that data you can’t do it you need to set a break on read and write a break on read and then you need to end up those should both fire at the same time and you check status flags did they both fire did one of them fire but not the other and if one of them fired without the other maybe it’s a weak that’s neither here nor there because as far as I’m aware right now no debugger is exporting the ability to break on read oh so but if you wanted it you could you know burn two of your four debug registers and so you can have two

break on read only sort of interrupts all right and so the final part of the control is saying for what virtual memory range do I care about this break point so you can say break on execute only if it is within one byte of the address I specified so if I say eight zero zero whatever and if someone tries to execute the first byte there then I care if I set the size to four bytes then if someone tries to execute the first byte or if someone tries to execute the second byte or someone tries to execute it or anyone tries to execute the fourth for any of those four bytes you know still cause an interrupt so it’s really just about regions because you can think of cases this is probably well I should say explicitly in the context of execute it doesn’t make as much of sense and and because of that wind above doesn’t even give you the ability to say one versus four window bugs says you may only set an execute breakpoint on one bite and you better give it the first bite of an instruction because oh maybe this one versus four or two this makes more sense in data access ones right let’s say you’ve got a data structure it’s all compressed together and there’s a short field in it right there’s a C short that’s a two byte field you want to set that size to two so that if there’s a short and another short but you only want to see when that short is written you don’t want to see when the next one is you can’t flip that to four otherwise it’ll break on rights to either of them gotta set that size to choose that you can check you know a single character or a single short or a D word for instance or maybe you have you know four characters and you don’t care if any of them are hit and you just set it like that so in terms of functionalities that the control register gives us we’ve got four to bug registers we put a virtual address into that’s debug 0 1 2 so you set up a 0 1 2 or 3 you turn them on by saying local label or global enable 0 1 2 or 3 you set the type by saying RW is 0 0 or break on instruction 0 1 4 break on read/write 1 0 4 break on io in which case the virtual address right in that dr0 would actually be an i/o port it wouldn’t be a it support io you’re giving it an i/o port and the other option is 1 1 in which case you’re saying break on read or write and finally you say how big of a memory region proximate to this virtual address do I actually care about that’s good for when you only care about a single byte or 2 bytes structure all right I know you’re almost done at this point we can get through this finally we just saw the control register right this is saying what do I want to turn on in terms of breakpoints and so you can go in in the kernel any kernel module and you can access these you know things subsequent to well subject to whether or not someone has already turned on the global detect flag so that if you try to access it it causes an interrupt but most of the time you can just go ahead and set all you can go and turn these on manually to your heart’s content or as we will see you can just set you know the debugger to turn it on and you’ll see exactly how when we ask the debugger for a break on execute one bite we’ll see exactly how these days then the only thing is because there’s all these different types of breakpoints you can set all those different configurations you can set in the control register first of all you need to know so you need to know when an INT one happened what kind of breakpoint was it which one fired what was the type and all that doesn’t really tell you the type because you can go look at the control register to find them but you at least need to know what breakpoint fired so if I set virtual address a into debug registers zero and I said virtual address B into the bug register one if virtual address B fires right so debug register one virtual address was found it was an execute breakpoint whatever then when that int one is when that int one is issued by the hardware it’s going to set B one right here to say breakpoint one was just found like I said before you could have the same address for two different types of breakpoints like we said right vs. read right in order to get a read-only kind of thing so in case where you had two of the same address and two different things right it’s a b0 and b1 both fired right and it’s up to you to figure out what that means to you but it’s just trying to tell you look I saw the address that you gave me the bug register zero I saw that address I saw an execute I saw it within one byte after that address I fired the interrupts I set this to say look breakpoint zero is the one that just fired do whatever you’re going to do about it similarly BD that was for that general

detect so if someone said general the text so that they wanted to know when someone tried to write to the debug registers that will cause an interrupt and the hardware will say BD you know debug register access detected so so I just fired the interrupt and you need to know someone’s trying to mess with your debug registers kill them or compensate or you know act like kill them is the only solution but maybe you can negotiate with them maybe you can give them equal access equal to damn hippie finally there are two things which invoke two flags that we haven’t seen yet in the eflags register break single step and so this is an interesting one if this is set it turns out there was just a single step exception which is again a type of debug one so when you go into the debugger and you know you say step over step over step into stuff like that it turns out the debugger is not setting a software break point for each next instruction and like you know moving them along it’s using a different kind of thing called a single step exception in order to fire off a debug one and in that way you execute one instruction and then you fire off a debug one you execute one instruction you fire off at the bug one this is called single stepping and that’s enabled by setting a flag in the e flies register which was like the next slide so just keep in mind that there’s you’re not using single you’re not using software breakpoints when you hit a breakpoint and go step step step step behind the scenes the debugger is smart enough to know hey I want to use a single step exception alright good and then bTW we don’t care about because this is saying break on task switch so if I am switching between those Intel tasks related to the TSS which we don’t care about go ahead and you can set a breakpoint on that as well all right right so we were just talking about the you know what happens when you set a hardware breakpoint so we already mentioned this if you set a hardware breakpoint you get an int one occurs right so if the hardware all matches up it sees I got that virtual address I got a read access I got you know within four bytes from that virtual address bang into one that’s what happens the bug exception now if it is an execute break point it is a fault meaning all right VIP points that yappy points that the instruction which caused the break point so I executed this and and it’s important here to say that in an instruction break point it didn’t actually execute that instruction yet so the breakpoint occurs it says you set a breakpoint on for instance that poppy ax and if I had done a hardware breakpoint he would have given me the interrupt before it actually executed the poppy ax I would catch the interrupt I would handle it and if I want I can return back and let it execute that poppy ax so that’s slightly different from the way software interrupts will like you know put a cc in and then hit the CC and then maybe put back in the original bites stuff like that if you can go out if you have to go feel free anyone who’s got appointment ID go for it so the point here is and I mean the videos will be available later so you can catch the last part all right maybe I’ll just like keep talking for like half an hour after you guys are gone and then we can like get all this material and you can watch you later all right I would be awesome I’ll be like oh all right sure but the problem is he wants to leave right so but still if he keeps the camera right here all right so when you have a hardware break point that says break on execute its default and for everything else it’s a trap so that was before we said for those data break points it points out the instruction after the actual right and maybe you want to know the exact instruction so you want to turn it from a trap to a fault there are means by which to do that but anyways because of the case now here’s the the trickiness here if you have a break on execute and if it’s pointing at the exact a IP that would have caused that break on execute but which has not yet executed right you you’re tempted to just you know okay I saw that and I’m just going to issue an interrupt return to go back to that instruction and let that instruction execute right the problem is like we said the hardware is checking for breakpoints before it’s allowing code to execute so if you return from that fault you get that fault right again right so you can get an infinite loop if you keep returning to the EIP which the hardware keeps saying oh yeah hardware breakpoint their return hardware breakpoint their return so that’s where a special flag in the e Flags called resume flag comes into play the zoom flag lets

you bypass this little interrupt in an infinite loop they here Oh any flags there is a flag which can be set held the resumed flag and what happens when the resumed flag is in effect is the hardware knows it needs to execute the next instruction without any sort of hardware breakpoints in effect but then immediately clear the resumed flag and for the next instruction go ahead and check if it’s you know break one of it and that’s how it gets around and when resumed flag is set the hardware temporarily knows okay I can see that this virtual address matches something that you want to break on I can also see that resumed flag is set so I’ll go ahead and clear the resumed flag execute that instruction and then now I’ll move on to the next thing and start again checking the virtual address verses yeah I think it would be nice if you could leave that on so that they can now see the video later I’ll have to double-check my flight information but yeah so anyways resume flag if you are some you know interrupt one handler and you’re implementing you know some hardware breakpoint debugging you as the bugger need to know if I’m going to resume from if I’m going to return from an int one on a break on execute the EIP is a fault right it’s pointing at to the address which caused it and if I just straight up return back to that AIP the hardware will just kick off the int one again therefore in order to return first set the resume flag then go ahead and return and everything will be great it’ll ignore breakpoints for exactly one instruction then it’ll turn them back on again alright so you can set the resume flag yeah that’s interesting that’s conflicting it’s saying you manipulate the you manipulate the flags you manipulate I’ve bee flags on the stack and then you call IRET but then something is this is saying I Rhett does not oh maybe it’s it’s probably meaning I rent versus I ret D so whatever you mostly just you’ve modified them eflags on the stack do some bit math and or turn on the resumed flag and then do an i ret to return back to the EIP that caused the fault but then because the resumed flag is set if you skip no handling debug interrupts for that single instruction finally the last a flag of the day and then we will have seen many eflags is the trap flag this is another thing where a kernel interrupt handler can set this flag and when trap flag is set to 1 this is how single stepping are cursed so if you set trap flag to one and you I ret back to wherever you were at the time the hardware automatically says oh trap flag equals one executes one instruction into one right and if you set trap flag again the next time you return o and execute one instruction and then interrupt one so the trap flag is how you get the single stepping mode it’s like you don’t want to have to like update the code every time to put cc’s in so therefore you just set the trap flag it’s a temporary thing the hardware automatically clears it after each you know single step that it took so setting the trap flag says dear hardware executes one instruction and then let me know with an inch one and again it’s going to that’s a you know it’s a good question of whether it points VIP points at the that’s a fault not I’m pretty sure it is to a fault I think it’s doing beautiful anyways so that’s all I want to say about trap flag just to say that if you set the trap flag return back the processor will execute exactly one instruction before absolutely no matter what doesn’t care about what hardware breakpoints you set it’ll execute one instruction that I kick off and into one that would be a case that’s interesting well that would be case where all of those be 0 through B 3 are not set but BTW don’t be s for Bingle break single step and my mind is really going now yeah for break single step is saying you know the only way that you would know that a single step exception just happened you know none of your break point 0 through 3 would be set because this virtual address didn’t necessarily match anything you were trying to stop on because you’re just you know continuing on after something you stopped on therefore the only way you would know that that reason you just got the int 1 is if you consult the status and C B s is equal to 1 that tells you ok I’m single stepping and as a debugger as software which implements

debugging you’re always on each interrupt you’re always asking the user what do you want to do next right if the user says step one instruction you know use the S instruction in or si instruction in gdb or you just click the arrows and you know other things that’s telling the debugger please debugger set the trap flag execute one instruction and then ask me again what I want to do right but if you just say go then the thing just you know sets the resume flag and you continues on its merry way all right so we’re going to quick set some I think don’t worry about following along on this one we’re going to set some hardware breakpoints in wind a bug and just see if I set this sort of break point I’m going to see the debug registers change correspondingly right so if I set any sort of hardware breakpoint I expect that debug zero one two or three is going to be set to the virtual address I asked to break up so in particular this is just the syntax of window bug instead of a normal software breakpoint is VP for breakpoint hardware breakpoint is break on access and then you have to tell it what type of access okay it can be read right can be only write can be execute or it can be poor die out so then it asks you then you have to say okay what size do I want us to break on one buy it to buy it’s four bytes or maybe eight bytes yes so this is mapping the syntax of this window bug command is mapping very one-to-one to what we need to set up these debug registers right and finally give it an address and oh hey that’s probably the thing which goes into the bug register zero bug register one alright so in window bug this is what I used secretly before when I was like trying to you know break at the exact instruction then an interrupt occurred at and I should maybe make this point venue ously maybe if you’re trying to debug an interrupt handler you do not want to use a software breakpoint inside of that interrupt handler right because then you’re calling an interrupt inside of an interrupt and bad miss connect especially you don’t want to use it when you’re debugging the breakpoint ever so don’t debugging in 3 by sticking in and in 3 instruction ok if you wanted to bug the interrupt the in 3 use a hardware breakpoint and then when you hit that actual address and it 1 will kick off right alright so what I’m going to do is I’m going to break and so for instance I’ll show you exactly what I did before when I was trying to set a breakpoint at the beginning of my into EE which I have hooked ok so I can do like bang I I – E that’s aren’t trained in IDT and I can say EE to say tell me you know just the basic like address where the impactors – it’s going to say ok and that’s FA like falafel it’s break on through to the other side + 6:30 so this is the only thing I really care about because our breakpoints are breaking on virtual addresses and this is an interesting point as well trying to book some windows code one time that was modifying itself and it turned out this was inhaled at the ll it turned out that had dropped down to virtual 8086 mode that other little come backwards compatibility ho 16-bit mode that we talked about briefly he was dropping down to 16-bit mode and I had set a break on right to memory I said I can see that when I call this code eventually it like overwrite some memory but like where does it break up right where does it overwrite that I want to stop exactly when the hell that DLL code modifies its own memory that a break on right executes nothing happens so it’s because it’s dropping down into virtual 8086 mode and these Hardware breakpoints are looking for virtual addresses 32-bit virtual addresses and this thing’s dropped down to 16-bit mode and so for instance this also has implications for what if you have memory mapped in two different locations right maybe you think the bad guys code is here but they’ve copied it into the different virtual address space for the same physical memory and because of that different virtual address space your hardware breakpoint will never hit on it right because different virtual addresses it’s only checking virtual addresses and all of the virtual to physical manipulation that you can do can make it so the hardware never sees stuff so for what that’s worth now we’re going to do breakout access want to do and execute so my access type is execute my access size is 1 because window bug only lets me set 1 on execute and then finally just the address so before I execute the command I’m gonna go find my debug registers that registers window there they are oh oh that’s right I

already said it before right I said I was telling you that thing I did before I’m going to set a different virtual address plus 1 right so we can see that from before I already have the bug register 0 filled in with the address I was gonna just set and if I went in in like parsed debug register 7 I would see you know what’s enabled what’s disabled stuff like that but so for now it suffices for my purposes to say okay I want a new break point and unfortunately this thing is not updating immediately so I’m gonna like just execute one instruction I don’t know where I am in memory right now I’m just gonna ask you one instruction so that the debugger updates its memory all right so I’ll step over all right there we go so it turns out in this case and that kind of was guessing this was gonna be the case because when I was looking at this bug status or control register it didn’t say the zeroth bit was not set so neither the zeroeth or the first bit were set so I knew that previous breakpoint was no longer enabled so there was actually that thing was still in the debug register but it wasn’t enabled if I just set a new breakpoint and now I can see yes definitely it did set the local enable zero to tell the hardware all right go look at debug registers zero and that’s the virtual address I want you to break on so that’s how we saw the offset and if for instance I kind of is going to work they don’t know if the first instruction is one byte so I’m going to like run the break on through to the other side to call that into EE and we’ll see whether this works or not now that it’s pointing at the wrong address but all right where’s my breakdown through the other side or I try to run try to hide rather all right so since this thing continued on and didn’t like just stop I know that this breakpoint didn’t hit so let’s go ahead and clear that one out and set the correct breakpoint so I’m gonna break because I want to show you the status registers being updated right I expect that the status register B 0 should say you had a break on debug registers here so be c4 clear gonna clear everything set my axis again though now within the VM I’m going to do the try to run shot oh hi I did it again and I run and we don’t see that error message because right now this entire VM is stopped I can’t you know move anything around VM is stopped we are now broken into the kernel debugger because that int 1 kicked off window bug caught it and says hey user what do you want me to do you omit a single step do you want me to continue what’s up alright so right now we’re in the debugger it said break point zero hit because it has like a list of breakpoints both software and hardware that you can do breakpoint list and so right now I saw that my 1 is set here so debug registers 0 is that and then right there the debug status register the least significant bit is set to 1 that means you had a breakpoint on hardware breakpoint 0 right because it is like like this right it’s trying to tell me any significant bit 0 set it to 1 that tells you you just had debug registers 0 kick off an alert and so then it’s up to you as the you know user decide what you want to do and that sort of thing alright so that is pretty much it for hardware breakpoints and you have some examples in there if you want to place that was us just doing the lab watching the debugger to bug alright so just a couple of things on the I already kind of mentioned with the bug registers for instance there’s a packer which sets some data into the debug registers zero or one or two or three and it reads that data back out as part of you know a quote like a key that I use for unpacking right so if you are setting a hardware breakpoint while you it’s unpacking it’s gonna be reading this key out and the key is gonna be wrong right so it’s setting some value that it expects in the debug registers it’s reading it out as its unpacking and if it sees it doesn’t have to see anything if it’s reading in the wrong data from those debug registers other than what it set it to because you the human have come along and set up break on access okay it reads out the wrong data and the unpacking just straight up fails right so that one’s kind of interesting and you see some of these other lengths in order to find

more information about how our can use Forrester’s and this right here this contact structure that’s what I was talking about before where the kernel exports to user space this contact strucker’s or contact structure has the debug registers so if user space sets them in there gets context switched out context switched in when it gets context switched in the hardware the OS takes all the registers and everything else the saved state for the process and it dumps it into all the registers before it says go ahead go Cal that exe so that’s a way that from user space and Windows you could actually set the bug registers and you can screw it the bone registers it means your user space code is potentially you know messing with your debugging of it Glacius code and finally we talked about single stepping right we said typically you you can use that trap flag to single step and you can tell the debugger move one instruction at a time but and in in some cases where you’d like to trace the code right you’d like to just let the code run and you want to see which control flow path it takes how diverters typically do this when they allow this they’ll they’ll let you know the control flow run and they’ll maybe give you a nice little graph of like where did all the code execute so you can see if I just let this run here’s the path it takes but I actually wanted to take that path so it turns out I need to set a breakpoint there and force it down that path like that how buggers typically implement this is that they use single step in to do that so they execute it they you know make sure they set the trap flag xq1 instruction trap flag one instruction and the point is just at each step they update their little control flow graph there is a capability that’s added in new hardware where the hardware will actually take source and destination a ip’s at control flow transfer instructions for you and put them into a nice little list store and elsewhere in the hardware so this is an optimized way so that when your code is executing it’s you know walking down and the hardware by itself without having to do an interrupts and interrupt your turn each time we go in there and when it sees a call instruction it will say AHA this virtual address there’s a call instruction that’s your source and here’s the destination of the call continue on lalala in a jump instruction at this virtual address there is a jump and this is the destination of the jump so this tracing thing you can go look at this and open start RCE he’s showing that you know when he modified his debugger to use this built-in new capability for tracing it was like extremely much faster than stopping after every instruction right now it’s the hardware’s problem and the hardware only updates this little list of what does it call it a branch trace it only updates the list of branch traces when it sees a branching instruction and branching instructions are calls jumps returns right you’re branching you’re changing the EIP there’s only so many instructions that can do presumably interrupts as well not sure