Tuesday, October 23, 2012

Single Step Debugging Explained



Single Step debugging of machine instructions is a technique often used during vulnerability research and exploit development to debug a program at an atomic level. At this level of granularity, one can see the individual assembly instructions as they are being executed by the CPU chip, and the states of the registers and memory as each instruction is executed.


Single step debugging is supported in part by the operating system and in part by the CPU. On Intel's x86 architecture, the EFLAGS register's bit 8 is the TF(Trap Flag) bit. If this bit is set before an assembly instruction is executed, the CPU raises an exception (Interrupt 1) after the execution of the assembly instruction is completed. Once the CPU raises the exception, the following events happen in order(see Windows Internals 5th Edition, Chapter 3):

  1. The TF bit is cleared. This is why the 3rd least significant digit of "efl" register as displayed in windbg is always an even digit when single stepping. The CPU clears the TF bit before calling the exception handler, which is invoked much before the debugger ever gets it.
  2. The kernel looks up entry number 1 in the system's IDT(Interrupt Descriptor Table).
  3. If a debugger is attached, it is alerted about the single step exception.
  4. If no debugger is attached or the exception is not handled by the debugger, the Operating System's Exception Handling mechanism is invoked.
  5. If the Exception Handling mechanism still does not handle the exception, the debugger is given a second chance to handle the exception.
  6. If no debugger is available, the process is killed.

The following test program manually sets the TF bit in the EFLAGS register:

#include <stdio.h>

void main()
{
    while(1)
    {
        printf("inside loop\n");
        __asm{
            pushfd
            pop eax
            or eax, 0x00000100 //set TF bit in EFLAGS
            push eax
            popfd
        }
    }
}

This program was run with and without a debugger(windbg) attached. When run with a debugger attached, there were no breakpoints set, but single step exceptions were set to be handled, as seen by the following:

0:000> sx
sse - Single step exception - break

When the test program was run with the debugger attached, a single step exception was caught by windbg:

(bf4.d98): Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

This proves that setting the TF flag from within a program will cause an exception that an attached debugger can catch for single stepping. In this case, the exception mentioned in step 3 above is handled by the debugger.

The next experiment was to run the program again, but without a debugger attached. Below is the result:

step 6 was reached, and the process was killed due to the unhandled exception(no debugger to handle it)
 As is clear, single step debugging is supported in part by hardware, and in part by software.

Sources:
Windows Internals 5th Edition, Chapter 3
Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C


Posted by Neil Sikka at 2:42 AM
Labels: , ,

12 comments:

  1. DBurkeNovember 21, 2012 at 4:37 PM

    Thank you for writing this. I've recently been interested in debugging at this level and I feel this is an important piece to starting. So, again, thank you for putting your time into it. I think I'll be following your blog to see what else comes up. :)

    ReplyDelete
  2. Neil SikkaNovember 22, 2012 at 12:21 AM

    Hey man. I am honored that you read my blog! Let me know if you ever have any suggestions/questions. Thanks for reading :)

    ReplyDelete
  3. dissertation writing helpFebruary 15, 2016 at 4:01 AM

    This like advice's really make a good support and aware to all the one for a better stable. The real beauty of writing is here with a good study of latest support.

    ReplyDelete
  4. C Host CApril 9, 2016 at 2:12 AM

    Wow....... Awesome weblog structure.......! you make blogging look very easy. The entire glance of your site is fantastic, The content material also really nice.

    ReplyDelete
  5. Albert BarkleyApril 14, 2016 at 12:52 AM

    Not only this, Windows 7 and WIndows 10 have been experiencing same issues. Program automatically closes or stop responding whenever working on system. Dissertation writing service

    ReplyDelete
  6. UnknownMay 19, 2016 at 12:49 PM

    i have an on board debugger (Jtag) is there some flags to set in order to make the processor aware that thee is a debugger .... my program freeze in the int 1 handler , so i guess its a debugger issue ? thanks a lot for your info

    ReplyDelete
  7. writing tipsSeptember 3, 2016 at 4:04 AM

    thanks for sharing your post about single step debugging explained.Cheap dissertation writing services

    ReplyDelete
  8. mayazoeJune 9, 2017 at 5:46 AM

    If you own a blog you know the importance of keeping your blog fresh and your audience interested. It can be challenging to come up with blog posts that won't bore your visitors and is interesting enough to keep them coming back.
    homework helo

    ReplyDelete
  9. AnonymousSeptember 23, 2017 at 8:14 AM

    I appreciated your work very thanks
    Kitchen Faucets

    ReplyDelete
  10. writing tipsOctober 24, 2017 at 2:03 AM

    Excellent and nice article. when user want to get important information then visit our site.
    dissertation Writing Service

    ReplyDelete
  11. UnknownFebruary 19, 2020 at 1:16 AM

    Thanks from Bangladesh.

    ReplyDelete
  12. ArunaMay 21, 2020 at 12:04 PM

    Thoughtful Articles are Represented here in this Site...I am Very Thankful for all the Writers...Keep it Up!!!
    Java training in chennai | Java training in annanagar | Java training in omr | Java training in porur | Java training in tambaram | Java training in velachery

    ReplyDelete

Subscribe to: Post Comments (Atom)