Hi!

I am working on a project which involves patching the int 3 interrupt and
writing the 1 byte int 3 opcode (cc) in the kernel mode code (NTOSKRNL.EXE
loaded in memory).

I have written an int3 handler and changed the IDT entry to point to this
handler. The handler works fine with user-mode programs, however in kernel
mode drivers, the handler does not work fine. If no debugger is attached,
it gives a KMODE_EXCEPTION_NOT_HANDLED BugCheck. With SoftIce loaded, the
handler gets called and runs fine. How do I make the interrupt handler
work without any debugger?

How can I change the return address of the int 3 handler, and make it
return to some address specified by me?

Thanks a lot.
Sorry, but int3 is extensively used by KD, and your approach can make
the driver undebuggable.
----- Original Message -----
From: “Prashant”
To: “NT Developers Interest List”
Sent: Saturday, January 04, 2003 9:44 PM
Subject: [ntdev] handler for int 3 interrupt
I wonder if that is his goal… I hate that. I tried to run a piece of
software the other day that would not run until I unloaded the debugger. I
guess they thought I was trying to reverse engineer it. It popped up a
message saying “Debugger detected, terminating”.
-Justin
At 12:05 PM 1/4/2003, you wrote:
>Sorry, but int3 is extensively used by KD, and your approach can make
>the driver undebuggable.
Oh gosh … that’s really effective too … until you trap the loader and
step into the assembly, find the little bugger that aborts and no-op the
little son of a bitch. Ooops … sorry … it's been a bad day. IBM and
Microsoft once got into a pissing contest over a DOS 5.x release. Common
programs would abort if they sensed the other's version number. You could
easily defeat that using DEBUG and stepping through the assembly.
–
Gary G. Little
Have Computer, Will Travel …
909-698-3191
909-551-2105
“Justin Frodsham” wrote in message news:xxxxx@ntdev…
>
> I wonder if that is his goal… I hate that. I tried to run a piece of
> software the other day that would not run until I unloaded the debugger. I
> guess they thought I was trying to reverse engineer it. It popped up a
> message saying “Debugger detected, terminating”.
>
> -Justin