Hi,
I am developing a kernel driver as part of my research program.
The issue I am dealing with is how to debug it.
Let me explain why it is not trivial. In order to accomplish one of its
core tasks, I currently hook the interrupt 3 handler to modify the very
same code that is being executed (basically I need to modify a process’
page after a page fault has been resolved).
However, AFAIK, windbg uses the same interrupt to insert breakpoints.
Therefore I’d need a way to “chain” the interrupt handlers, but I am
kinda lost. In order to make the handler work I had to use the “iretd”
instruction. Obviously, I would need to call the debug handler as well
in case the debugger is attached, but I can’t think of a clean solution.
Any suggestion?
P.s.:
The code of the handler is the following (RemoveBreakPoint is a function
implemented in my driver, which removes the 0xCC opcode, replaces the
old instruction, and updates the EIP to the breakpointed instruction):
void __declspec( naked ) db_handler(void) {
    __asm {
        pushad                  // 8 x 4 bytes
        pushfd                  // 4 bytes
        push fs                 // segment pushes are 4 bytes each in 32-bit mode
        mov bx, 0x30            // kernel FS selector (KGDT_R0_PCR) on x86 Windows
        mov fs, bx
        push ds
        push es                 // 48 (0x30) bytes saved so far, so the CPU
                                // trap frame (EIP, CS, EFLAGS) starts at [esp+0x30]
        call isProcessMonitored
        cmp eax, 1
        jne Finish
    Remove:
        mov ebx, [esp+0x30]     // trap-frame EIP; INT 3 pushes no error code
        push ebx
        call RemoveBreakPoint
        add esp, 4              // pop the argument (assumes __cdecl; drop this
                                // line if RemoveBreakPoint is __stdcall)
        sub ebx, 1              // INT 3 is one byte: back EIP up onto the
                                // restored instruction so it re-executes
        mov [esp+0x30], ebx     // ebx is callee-saved, so it still holds EIP
    Finish:
        pop es
        pop ds
        pop fs
        popfd
        popad
        iretd
    }
}
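As an added illustration (not code from the poster's driver), the following host-side C model shows the two things the handler above has to get right: the frame offset that the asm hardcodes as [esp+0x30], and the decision between "this is my breakpoint, restore the byte and back EIP up" and "this is not mine, hand it on to the previously installed INT 3 handler (the debugger's) instead of executing iretd". The frame struct, breakpoint_t, int3_dispatch, the 0x401000 code page and its bytes are all constructed assumptions for the example.

```c
/* Added example: host-side model of the INT 3 hook's dispatch decision.
 * Frame layout assumes a 32-bit x86 interrupt-gate entry preceded by
 * pushad / pushfd / push fs / push ds / push es, as in the posted handler. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define INT3_OPCODE 0xCC

/* Stack as the handler sees it, lowest address first (4 bytes per push). */
typedef struct {
    uint32_t es, ds, fs;                                   /* push es was last */
    uint32_t eflags;                                       /* pushfd */
    uint32_t edi, esi, ebp, esp_saved, ebx, edx, ecx, eax; /* pushad */
    uint32_t eip, cs, eflags_hw;   /* pushed by the CPU; INT 3 has no error code */
} int3_frame_t;

/* Hypothetical breakpoint record: where 0xCC was written and what it displaced. */
typedef struct {
    uint32_t addr;
    uint8_t  original;
    int      active;
} breakpoint_t;

enum { DISPATCH_HANDLED = 0, DISPATCH_CHAIN = 1 };

/* Offset the asm hardcodes as [esp+0x30]; returns 0x30 for this layout. */
size_t eip_frame_offset(void) { return offsetof(int3_frame_t, eip); }

/* Plants a breakpoint in the simulated code page, remembering the old byte. */
void set_breakpoint(breakpoint_t *bp, uint8_t *code, uint32_t base, uint32_t addr)
{
    bp->addr = addr;
    bp->original = code[addr - base];
    bp->active = 1;
    code[addr - base] = INT3_OPCODE;
}

/* Model of the handler body. `code` stands in for the process' code page
 * (indexed by addr - base). DISPATCH_HANDLED: our breakpoint, byte restored
 * and EIP backed up, so iretd re-executes the real instruction.
 * DISPATCH_CHAIN: not ours; the asm should restore registers and jump to the
 * original IDT entry's handler rather than swallow the trap. */
int int3_dispatch(int3_frame_t *frame, breakpoint_t *bps, size_t nbps,
                  uint8_t *code, uint32_t base, int process_monitored)
{
    if (!process_monitored)
        return DISPATCH_CHAIN;

    /* INT 3 is a trap: the saved EIP points one byte past the 0xCC. */
    uint32_t fault_addr = frame->eip - 1;

    for (size_t i = 0; i < nbps; i++) {
        if (bps[i].active && bps[i].addr == fault_addr) {
            code[fault_addr - base] = bps[i].original;   /* RemoveBreakPoint */
            bps[i].active = 0;
            frame->eip = fault_addr;                     /* sub ebx, 1 in the asm */
            return DISPATCH_HANDLED;
        }
    }
    return DISPATCH_CHAIN;   /* a debugger's breakpoint or a stray int 3 */
}

/* Runs a constructed scenario: breakpoint at 0x401003, trap with EIP 0x401004.
 * Returns the EIP left in the frame; reports the result and the restored byte. */
uint32_t demo_run(int *result, uint8_t *byte_after)
{
    uint8_t code[8] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90, 0x90 }; /* constructed */
    const uint32_t base = 0x401000;
    breakpoint_t bp;
    int3_frame_t frame = { 0 };

    set_breakpoint(&bp, code, base, 0x401003);
    frame.eip = 0x401004;   /* what the CPU pushes after executing the 0xCC */

    *result = int3_dispatch(&frame, &bp, 1, code, base, 1);
    *byte_after = code[3];
    return frame.eip;
}

int main(void)
{
    int res;
    uint8_t b;
    uint32_t eip = demo_run(&res, &b);
    printf("eip offset 0x%zx, result %d, eip 0x%x, byte 0x%02x\n",
           eip_frame_offset(), res, eip, b);
    return 0;
}
```

The DISPATCH_CHAIN branch is the part the asm above lacks: instead of falling through to iretd, it would restore the pushed registers and jump to the handler address read from the IDT entry before it was replaced, which is how the debugger keeps seeing its own breakpoints.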