Re: [twsocket] breakpoint in NTDll
Hello Arno,

procedure PatchINT3;

This procedure works great. But something is strange. If I run this in a separate application then it does not work. However as far as I know a DLL is loaded only once in memory. So then it should work also if I run this in a separate app and let the other application run like this: e.g. a console app:

    begin
      PatchInt3;
      ReadLn();
    end.

---
Rgds, Wilfried [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html
http://www.mestdagh.biz

--
To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] breakpoint in NTDll
Wilfried Mestdagh wrote:
> Hello Arno,
>
> procedure PatchINT3;
>
> This procedure works great. But something is strange. If I run this in a separate application then it does not work. However as far as I know a DLL is loaded only once in memory. So then it should work also if I run this in a separate app

I don't think so, each process uses its private, virtual address space and WriteProcessMemory() writes to the virtual memory of the process specified by parameter hProcess.

--
Arno Garrels

> and let the other application run like this: e.g. a console app:
>
>     begin
>       PatchInt3;
>       ReadLn();
>     end.
>
> ---
> Rgds, Wilfried [TeamICS]
> http://www.overbyte.be/eng/overbyte/teamics.html
> http://www.mestdagh.biz
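Added example (not part of the original posts and not ICS code): a console program that makes the process-private scope described in the reply above visible by applying the same one-byte write that PatchINT3 performs to its own process, then starting a second copy of itself that reports the byte it sees. The program name Int3Scope and the `child` argument are made up for the demo; it assumes Delphi 7-era declarations (bytes-written parameter as DWORD) and an x86 ntdll whose DbgBreakPoint starts with $CC.

```delphi
program Int3Scope;  { hypothetical demo name }
{$APPTYPE CONSOLE}
uses Windows, SysUtils;

{ Address of ntdll!DbgBreakPoint as mapped into the calling process. }
function EntryPoint: PByte;
begin
  Result := GetProcAddress(GetModuleHandle('ntdll.dll'), 'DbgBreakPoint');
  if Result = nil then raise Exception.Create('ntdll!DbgBreakPoint not found');
end;

{ The same one-byte write PatchINT3 performs, on the current process only. }
procedure PatchSelf;
var
  P: PByte;
  NOP: Byte;
  Written: DWORD;  { assumption: Delphi 7 declaration; newer RTLs use SIZE_T }
begin
  P := EntryPoint;
  if P^ <> $CC then Exit;  { not an INT 3: leave the byte alone }
  NOP := $90;
  if not WriteProcessMemory(GetCurrentProcess, P, @NOP, 1, Written) then RaiseLastOSError;
  FlushInstructionCache(GetCurrentProcess, P, 1);
end;

{ Start a second copy of this program and return the byte that process sees. }
function ByteInNewProcess: Byte;
var
  StartInfo: TStartupInfo;
  ProcInfo: TProcessInformation;
  Cmd: string; Code: DWORD;
begin
  Cmd := '"' + ParamStr(0) + '" child';
  FillChar(StartInfo, SizeOf(StartInfo), 0);
  StartInfo.cb := SizeOf(StartInfo);
  if not CreateProcess(nil, PChar(Cmd), nil, nil, False, 0, nil, nil, StartInfo, ProcInfo) then
    RaiseLastOSError;
  WaitForSingleObject(ProcInfo.hProcess, INFINITE);
  GetExitCodeProcess(ProcInfo.hProcess, Code);
  CloseHandle(ProcInfo.hThread); CloseHandle(ProcInfo.hProcess);
  Result := Byte(Code);
end;

begin
  { Child mode: report this process's own view as the exit code and stop. }
  if ParamStr(1) = 'child' then Halt(EntryPoint^);
  Writeln(Format('this process, before patch: $%.2x', [EntryPoint^]));
  PatchSelf;
  Writeln(Format('this process, after patch:  $%.2x', [EntryPoint^]));
  Writeln(Format('newly started process:      $%.2x', [ByteInNewProcess]));
end.
```

Windows maps a DLL's code pages copy-on-write, so the first write gives the patching process a private copy of that page while every other process keeps the original bytes.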
Re: [twsocket] breakpoint in NTDll
Arno Garrels wrote:
> Wilfried Mestdagh wrote:
>> Hello Arno,
>>
>> procedure PatchINT3;
>>
>> This procedure works great. But something is strange. If I run this in a separate application then it does not work. However as far as I know a DLL is loaded only once in memory. So then it should work also if I run this in a separate app
>
> I don't think so, each process uses its private, virtual address space and WriteProcessMemory() writes to the virtual memory of the process specified by parameter hProcess.

You could change it to take a process handle, PatchINT3(hProc: THandle). The entry points should be the same in all processes, AFAIR (it's a long time ago when I wrote my last virus ;-).

--
Arno Garrels

> --
> Arno Garrels
>
>> and let the other application run like this: e.g. a console app:
>>
>>     begin
>>       PatchInt3;
>>       ReadLn();
>>     end.
>>
>> ---
>> Rgds, Wilfried [TeamICS]
>> http://www.overbyte.be/eng/overbyte/teamics.html
>> http://www.mestdagh.biz
Re: [twsocket] breakpoint in NTDll
Hoby Smith wrote:
> Anyway, if that is the case, there is nothing you can do but just live with it or upgrade the OS. :)

Actually you can, see OverbyteIcsNtlmSsp.pas:

    { Get rid of some ntdll.DbgBreakPoints M$ forgot to remove from their DLLs }
    { popping up the CPU window. Written by Francois Piette, published 2002 in }
    { HowToDoThings website, based on code written by Pete Morris.             }
    { Tiny change by myself - to be very correct ;-)}
    procedure PatchINT3;
    var
        NOP          : Byte;
        NTDLL        : THandle;
        BytesWritten : DWORD;
        Address      : Pointer;
    begin
        if Win32Platform <> VER_PLATFORM_WIN32_NT then
            Exit;
        NTDLL := GetModuleHandle('NTDLL.DLL');
        if NTDLL = 0 then
            Exit;
        Address := GetProcAddress(NTDLL, 'DbgBreakPoint');
        if Address = nil then
            Exit;
        try
            if Byte(Address^) <> $CC then
                Exit;
            NOP := $90;
            if WriteProcessMemory(GetCurrentProcess, Address, @NOP, 1, BytesWritten) and
               (BytesWritten = 1) then
                FlushInstructionCache(GetCurrentProcess, Address, 1);
        except
            //Do not panic if you see an EAccessViolation here, it is perfectly harmless!
            on EAccessViolation do ;
            else raise;
        end;
    end;

    initialization
        if DebugHook <> 0 then
            PatchINT3;
Re: [twsocket] breakpoint in NTDll
Hello Arno,

This is interesting. If I see it clear you change the int 3 with a nop instruction. The only strange thing is, that I never had that problem (win xp sp3, D7), but it could be by a recent upgrade service pack maybe...

---
Rgds, Wilfried [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html
http://www.mestdagh.biz

Thursday, January 22, 2009, 13:13, Arno Garrels wrote:

> Hoby Smith wrote:
>> Anyway, if that is the case, there is nothing you can do but just live with it or upgrade the OS. :)
>
> Actually you can, see OverbyteIcsNtlmSsp.pas:
>
>     { Get rid of some ntdll.DbgBreakPoints M$ forgot to remove from their DLLs }
>     { popping up the CPU window. Written by Francois Piette, published 2002 in }
>     { HowToDoThings website, based on code written by Pete Morris.             }
>     { Tiny change by myself - to be very correct ;-)}
>     procedure PatchINT3;
>     var
>         NOP          : Byte;
>         NTDLL        : THandle;
>         BytesWritten : DWORD;
>         Address      : Pointer;
>     begin
>         if Win32Platform <> VER_PLATFORM_WIN32_NT then
>             Exit;
>         NTDLL := GetModuleHandle('NTDLL.DLL');
>         if NTDLL = 0 then
>             Exit;
>         Address := GetProcAddress(NTDLL, 'DbgBreakPoint');
>         if Address = nil then
>             Exit;
>         try
>             if Byte(Address^) <> $CC then
>                 Exit;
>             NOP := $90;
>             if WriteProcessMemory(GetCurrentProcess, Address, @NOP, 1, BytesWritten) and
>                (BytesWritten = 1) then
>                 FlushInstructionCache(GetCurrentProcess, Address, 1);
>         except
>             //Do not panic if you see an EAccessViolation here, it is perfectly harmless!
>             on EAccessViolation do ;
>             else raise;
>         end;
>     end;
>
>     initialization
>         if DebugHook <> 0 then
>             PatchINT3;
[twsocket] breakpoint in NTDll
Hello,

I run a certain application using TWSocket, and when I run it in the debugger, then every time when a re Connect is happening (if no server available) the debugger stops at a hardcoded break:

    NTdll.DBGBreakPoint
      int 3
      ret

any idea how this can happen ?

--
Rgds, Wilfried
http://www.mestdagh.biz
Re: [twsocket] breakpoint in NTDll
Wilfried said...
>     NTdll.DBGBreakPoint
>       int 3
>       ret

What OS and version?

I can't remember exactly what version it was, but I seem to recall that, quite some time ago, MS accidentally released a WinSock (or some related DLL) build into production that still had a hard break in it from one of the testers. It was really annoying, because it was actually in the MS code and would break under certain circumstances when running in debug mode.

Like I said, I don't remember what build and all, but seems like it was an NT version some years back. But, from your info, it sure looks like the same issue.

Anyway, if that is the case, there is nothing you can do but just live with it or upgrade the OS. :)
Re: [twsocket] breakpoint in NTDll
Hi, Wilfried,

If my guess is correct and I'm not mistaken the issue is not specific to TWSocket, but to the way how Borland and MS live together. I've stumbled upon it several years ago in an application without ICS components (WinXP + BCB5). I don't remember exactly what solution was applied that time, but what I've found just now - http://cc.codegear.com/Item.aspx?id=15804. Please check if it helps in your case.

Some clarifications may be found in the Net, for example - http://www.delphiturkiye.com/forum/viewtopic.php?f=19t=11275

Best wishes,
Stanislav Korotky.

- Original Message -
From: Wilfried Mestdagh wilfr...@mestdagh.biz
To: ICS support mailing twsocket@elists.org
Sent: Wednesday, January 21, 2009 7:28 PM
Subject: [twsocket] breakpoint in NTDll

Hello,

I run a certain application using TWSocket, and when I run it in the debugger, then every time when a re Connect is happening (if no server available) the debugger stops at a hardcoded break:

    NTdll.DBGBreakPoint
      int 3
      ret

any idea how this can happen ?

--
Rgds, Wilfried
http://www.mestdagh.biz