A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #20407  by sn0w
 Tue Aug 06, 2013 9:19 pm
Hi, I need some advice on the following question:
WinXP SP3 running with KD enabled in VirtualBox; I'm connecting to it through a kernel pipe connection.
I have one program which is protected with ExeCryptor that should be started in the VM.

But as soon as the target is launched, KD is invoked immediately:
Single step exception - code 80000004 (first chance) (the further ones (excl. int3) will look the same)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
001b:006dece4 e98c070000 jmp 006df475
disasm:
001b:006decd9 81c800010000 or eax,100h
001b:006decdf 870424 xchg eax,dword ptr [esp]
001b:006dece2 9d popfd
001b:006dece3 90 nop
001b:006dece4 e98c070000 jmp GFTPpro+0x2df475 (006df475) <<<<<<<<<<<<<<<<<<
001b:006dece9 0000 add byte ptr [eax],al
001b:006deceb 81c036e0fbfe add eax,0FEFBE036h
001b:006decf1 03c8 add ecx,eax
I still cannot determine the reason triggering the exception (this is not the only one; there will be several, including obvious int3 breaks).
I checked the DR registers - empty.
Call stack at the moment:
kd> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f9cc 7c93acb0 0x6dece4
0012fa18 7c935e50 ntdll!LdrpCallTlsInitializers+0x83
0012fb18 7c921194 ntdll!LdrpRunInitializeRoutines+0x48b
0012fc94 7c92108f ntdll!LdrpInitializeProcess+0x1131
0012fd1c 7c90e437 ntdll!_LdrpInitialize+0x183
00000000 00000000 ntdll!KiUserApcDispatcher+0x7
Looks like this is TLS and the OEP has not executed yet (protection code is both in TLS and at the OEP),
and there is only one thread at the moment.

So, any ideas about what the protector could do to raise exceptions?
Actually, this is not a problem in itself; I could avoid it with gN anyway, but because there are lots of the same situations, I need a way to force KD to ignore all of the exceptions in a predefined time window.
 #20413  by sn0w
 Wed Aug 07, 2013 11:16 am
Sounds good, thx. But I need KD back to handle user mode after the protector completes its work, so in any case without restarting the target.

Looks like I should look towards KdInitSystem, watching the dependency on the init options.
Or maybe temporarily patch something in KdIsThisAKdTrap.
 #20415  by sn0w
 Wed Aug 07, 2013 2:15 pm
I found a solution, so I'll share it:

First, disassemble ntos. Then look for the "NOUMEX" literal - the launch key that tells the debugger to avoid UM exceptions.
PAGEKD:005C93FB push offset aNoumex ; "NOUMEX"
PAGEKD:005C9400 push eax ; char *
PAGEKD:005C9401 call _strncmp
PAGEKD:005C9406 add esp, 0Ch
PAGEKD:005C9409 test eax, eax
PAGEKD:005C940B jnz short loc_5C9414
PAGEKD:005C940D mov _KdIgnoreUmExceptions, 1
And here we are - the variable; by manipulating it directly from the debugger we can control exception handling.
Successfully tested on Win2k3 R2.
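Added example (editor's, not from any poster in the thread): the KD session that applies the solution above. The command syntax is standard WinDbg/KD; nt!KdIgnoreUmExceptions is the symbol for the variable in the listing, and the boot-switch lines show the documented way to set the same flag from startup (NOUMEX in boot.ini on XP/2k3, /noumex via bcdedit on later versions). The Ctrl+Break step and the remark about user-mode bp are my caveats; the thread does not state them.

```windbg
$$ Boot-time equivalent of the flag (KdIgnoreUmExceptions = 1 from startup):
$$   XP/2k3 boot.ini:  /debug /debugport=com1 /baudrate=115200 /noumex
$$   Vista and later:  bcdedit /dbgsettings serial debugport:1 baudrate:115200 /noumex

$$ 1. The target has just broken in with the first protector exception (the 80000004 above).
$$    Confirm the symbol resolves; KdIgnoreUmExceptions is a one-byte BOOLEAN, so use db/eb
$$    rather than dd/ed (a DWORD write would touch the neighbouring bytes).
kd> x nt!KdIgnoreUmExceptions
kd> db nt!KdIgnoreUmExceptions L1
$$    00 = default: user-mode exceptions are reported to KD as first-chance

$$ 2. Tell KD to stay out of user mode: every further int3 / single-step the protector raises
$$    goes to the process's own handlers instead of stopping the debugger.
kd> eb nt!KdIgnoreUmExceptions 1
kd> g

$$ 3. When the protector is done (break in with Ctrl+Break from WinDbg; a user-mode bp placed
$$    from KD may not fire while the flag is set), hand user mode back to KD.
kd> eb nt!KdIgnoreUmExceptions 0
kd> db nt!KdIgnoreUmExceptions L1
kd> g
```

If step 1 reports no symbol, `.reload` the kernel symbols first; the variable is not exported, so it is only reachable by name with ntoskrnl symbols loaded.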
 #20454  by r3shl4k1sh
 Sun Aug 11, 2013 8:04 am
sn0w wrote:I found a solution, so I'll share it:

First, disassemble ntos. Then look for the "NOUMEX" literal - the launch key that tells the debugger to avoid UM exceptions.
PAGEKD:005C93FB push offset aNoumex ; "NOUMEX"
PAGEKD:005C9400 push eax ; char *
PAGEKD:005C9401 call _strncmp
PAGEKD:005C9406 add esp, 0Ch
PAGEKD:005C9409 test eax, eax
PAGEKD:005C940B jnz short loc_5C9414
PAGEKD:005C940D mov _KdIgnoreUmExceptions, 1
And here we are - the variable; by manipulating it directly from the debugger we can control exception handling.
Successfully tested on Win2k3 R2.
So you basically start the VM with /noumex, and after the protected program is loaded you toggle the _KdIgnoreUmExceptions var using KD?