Tuesday, October 23, 2012

Single Step Debugging Explained



Single Step debugging of machine instructions is a technique often used during vulnerability research and exploit development to debug a program at an atomic level. At this level of granularity, one can see the individual assembly instructions as they are being executed by the CPU chip, and the states of the registers and memory as each instruction is executed.


Single step debugging is supported in part by the operating system and in part by the CPU. On Intel's x86 architecture, the EFLAGS register's bit 8 is the TF(Trap Flag) bit. If this bit is set before an assembly instruction is executed, the CPU raises an exception (Interrupt 1) after the execution of the assembly instruction is completed. Once the CPU raises the exception, the following events happen in order(see Windows Internals 5th Edition, Chapter 3):

  1. The TF bit is cleared. This is why the 3rd least significant digit of "efl" register as displayed in windbg is always an even digit when single stepping. The CPU clears the TF bit before calling the exception handler, which is invoked much before the debugger ever gets it.
  2. The kernel looks up entry number 1 in the system's IDT(Interrupt Descriptor Table).
  3. If a debugger is attached, it is alerted about the single step exception.
  4. If no debugger is attached or the exception is not handled by the debugger, the Operating System's Exception Handling mechanism is invoked.
  5. If the Exception Handling mechanism still does not handle the exception, the debugger is given a second chance to handle the exception.
  6. If no debugger is available, the process is killed.

The following test program manually sets the TF bit in the EFLAGS register:

#include <stdio.h>

void main()
{
    while(1)
    {
        printf("inside loop\n");
        __asm{
            pushfd
            pop eax
            or eax, 0x00000100 //set TF bit in EFLAGS
            push eax
            popfd
        }
    }
}

This program was run with and without a debugger(windbg) attached. When run with a debugger attached, there were no breakpoints set, but single step exceptions were set to be handled, as seen by the following:

0:000> sx
sse - Single step exception - break

When the test program was run with the debugger attached, a single step exception was caught by windbg:

(bf4.d98): Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

This proves that setting the TF flag from within a program will cause an exception that an attached debugger can catch for single stepping. In this case, the exception mentioned in step 3 above is handled by the debugger.

The next experiment was to run the program again, but without a debugger attached. Below is the result:

step 6 was reached, and the process was killed due to the unhandled exception(no debugger to handle it)
 As is clear, single step debugging is supported in part by hardware, and in part by software.

Sources:
Windows Internals 5th Edition, Chapter 3
Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C


7 comments:

  1. Thank you for writing this. I've recently been interested in debugging at this level and I feel this is an important piece to starting. So, again, thank you for putting your time into it. I think I'll be following your blog to see what else comes up. :)

    ReplyDelete
  2. Hey man. I am honored that you read my blog! Let me know if you ever have any suggestions/questions. Thanks for reading :)

    ReplyDelete
  3. This like advice's really make a good support and aware to all the one for a better stable. The real beauty of writing is here with a good study of latest support.

    ReplyDelete
  4. Wow....... Awesome weblog structure.......! you make blogging look very easy. The entire glance of your site is fantastic, The content material also really nice.

    ReplyDelete
  5. Not only this, Windows 7 and WIndows 10 have been experiencing same issues. Program automatically closes or stop responding whenever working on system. Dissertation writing service

    ReplyDelete
  6. i have an on board debugger (Jtag) is there some flags to set in order to make the processor aware that thee is a debugger .... my program freeze in the int 1 handler , so i guess its a debugger issue ? thanks a lot for your info

    ReplyDelete
  7. thanks for sharing your post about single step debugging explained.Cheap dissertation writing services

    ReplyDelete