Single Step debugging of machine instructions is a technique often used during vulnerability research and exploit development to debug a program at an atomic level. At this level of granularity, one can see the individual assembly instructions as they are being executed by the CPU chip, and the states of the registers and memory as each instruction is executed.
Single step debugging is supported in part by the operating system and in part by the CPU. On Intel's x86 architecture, the EFLAGS register's bit 8 is the TF(Trap Flag) bit. If this bit is set before an assembly instruction is executed, the CPU raises an exception (Interrupt 1) after the execution of the assembly instruction is completed. Once the CPU raises the exception, the following events happen in order(see Windows Internals 5th Edition, Chapter 3):
- The TF bit is cleared. This is why the 3rd least significant digit of "efl" register as displayed in windbg is always an even digit when single stepping. The CPU clears the TF bit before calling the exception handler, which is invoked much before the debugger ever gets it.
- The kernel looks up entry number 1 in the system's IDT(Interrupt Descriptor Table).
- If a debugger is attached, it is alerted about the single step exception.
- If no debugger is attached or the exception is not handled by the debugger, the Operating System's Exception Handling mechanism is invoked.
- If the Exception Handling mechanism still does not handle the exception, the debugger is given a second chance to handle the exception.
- If no debugger is available, the process is killed.
The following test program manually sets the TF bit in the EFLAGS register:
or eax, 0x00000100 //set TF bit in EFLAGS
This program was run with and without a debugger(windbg) attached. When run with a debugger attached, there were no breakpoints set, but single step exceptions were set to be handled, as seen by the following:
sse - Single step exception - break
When the test program was run with the debugger attached, a single step exception was caught by windbg:
(bf4.d98): Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
This proves that setting the TF flag from within a program will cause an exception that an attached debugger can catch for single stepping. In this case, the exception mentioned in step 3 above is handled by the debugger.
The next experiment was to run the program again, but without a debugger attached. Below is the result:
|step 6 was reached, and the process was killed due to the unhandled exception(no debugger to handle it)|
As is clear, single step debugging is supported in part by hardware, and in part by software.
Windows Internals 5th Edition, Chapter 3
Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C