eXeL@B —› Программирование —› лоадер ставящий memory breakpoint |
;-----------------------------------------------------------------------
; Loader that starts a child process under the Win32 debug API and places
; a "memory breakpoint" on one page of it by setting PAGE_GUARD.
; This code was rewritten in assembler, based on the article
; "Using_Memory_Breakpoints_by_Shub-Nigurrath_;v10".
;
; Assembler: MASM, .386, flat/stdcall (Win32).
; Mechanism (as implemented below, see the event loop in main):
;   1. CreateProcess with DEBUG_PROCESS, so every exception in the child is
;      first reported to this loader via WaitForDebugEvent.
;   2. VirtualProtectEx marks the page at pva PAGE_READONLY|PAGE_GUARD.
;   3. The first touch of that page raises STATUS_GUARD_PAGE_VIOLATION
;      (80000001h) in the child; the hardware clears the guard bit on delivery.
;   4. If the faulting address is the watched one, a byte is written with
;      WriteProcessMemory; otherwise the loader lifts the guard, sets the
;      trap flag (TF, bit 8 of EFLAGS) and re-arms the guard on the following
;      EXCEPTION_SINGLE_STEP.
; From the child's point of view all of this is externally observable: it
; runs under a debugger, its page protections change from outside, and one
; of its code bytes is rewritten by another process. Those are the usual
; signals an integrity / anti-tamper check in the target would look for.
;-----------------------------------------------------------------------
;macro step
; cmp context.regFlag,1
; and context.regFlag,100h
;endm
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
includelib user32.lib                       ; NOTE(review): duplicate of the line above, harmless
.data
tname db "pexplorer.exe",0                  ; image the loader launches (current dir / search path)
message db "Memory breakpoint!",0           ; console text printed when the watched address hits
mregeip db " EXCEPTION_GUARD_PAGE address",0 ; only referenced from commented-out code below
;pb db 0C7h, 005h, 0C4h, 072h, 05Ch, 000h, 001h, 000h, 000h, 000h, 090h, 090h, 090h
mname db "kernel32",0                       ; only referenced from commented-out code below
fname db "DebugActiveProcessStop",0         ; only referenced from commented-out code below
pva dd 004B2D6Ch                            ; address we want to stop (page that gets PAGE_GUARD)
mbva dd 00487908h                           ; this place needs to be patched; it gives the unlimited trial
pb db 0C9h                                  ; patching byte written to mbva
ek db 13,10                                 ; CR LF, printed after each console message
;mb db 01h
;nb db 090h,090h,090h,090h,090h,90h,90h
dwOldProtect dd -1                          ; receives the previous protection from VirtualProtectEx
handle dd ?                                 ; STD_OUTPUT_HANDLE from GetStdHandle
count dd 0                                  ; number of times the watched address has been hit
format db "%d.",0                           ; wsprintf format for count
.data?
buffer db 5 dup(?)                          ; wsprintf output for count; sizeof buffer is what gets printed
buffer2 db 6 dup(?)                         ; only referenced from commented-out code below
startinfo STARTUPINFO <>
pi PROCESS_INFORMATION <>                   ; child process/thread handles used by every Ex call below
DBEvent DEBUG_EVENT <>                      ; filled by WaitForDebugEvent each iteration
align dword
context CONTEXT <>                          ; thread context read/written to toggle TF
.code
start:
;-----------------------------------------------------------------------
; main: entry point. No arguments; never returns to the caller
; (ends in ExitProcess). Register use: eax only, via invoke return values.
;-----------------------------------------------------------------------
main proc
invoke GetStdHandle,STD_OUTPUT_HANDLE
mov handle,eax
invoke GetStartupInfo,addr startinfo
; DEBUG_PROCESS: this loader becomes the debugger of the child, so the
; guard-page and single-step exceptions below are delivered here first.
invoke CreateProcess, addr tname, NULL, NULL, NULL, FALSE, DEBUG_PROCESS, NULL, NULL, addr startinfo, addr pi
cmp eax,0
je endd                                     ; CreateProcess failed: nothing to debug, exit
;invoke WriteProcessMemory,pi.hProcess,mbva,addr pb,1,0
; Arm the memory breakpoint: 1 byte at pva, i.e. the whole page it lies in,
; becomes read-only + guard. dwOldProtect receives the previous protection.
invoke VirtualProtectEx,pi.hProcess,pva,1,PAGE_READONLY or PAGE_GUARD,addr dwOldProtect
; Debug event loop. Every path that handles an event must end in
; ContinueDebugEvent, otherwise the child stays suspended.
.while TRUE
invoke WaitForDebugEvent, addr DBEvent, 1000 ; wait for debug event (1000 ms timeout)
; NOTE(review): the return value is not checked; on a timeout DBEvent still
; holds the previous event and the loop body runs on stale data.
invoke GetThreadContext, pi.hThread, addr context ; read context
; NOTE(review): context.ContextFlags is only set further down (CONTEXT_FULL),
; so what this first read returns depends on the flags value at that time.
.if DBEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT ; process exit
.break                                      ; leaves the loop without a ContinueDebugEvent for this event
.elseif DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
.if DBEvent.u.Exception.pExceptionRecord.ExceptionCode==80000001h ; EXCEPTION_GUARD_PAGE
mov context.ContextFlags, CONTEXT_FULL
; invoke SuspendThread,pi.hThread;stop thread
;Show address of exceptions
; invoke wsprintf,addr buffer2,addr format, DBEvent.u.Exception.pExceptionRecord.ExceptionAddress
; invoke WriteConsole,handle,addr buffer2,sizeof buffer2,0,0
;invoke WriteConsole,handle,addr mregeip,sizeof mregeip,0,0
;invoke WriteConsole,handle,addr ek,sizeof ek,0,0
; Re-set the guard that the fault just cleared. lpflOldProtect is 0 here,
; unlike the call before the loop which passes addr dwOldProtect.
invoke VirtualProtectEx,pi.hProcess,pva,1,PAGE_READONLY or PAGE_GUARD,0
;mov ecx,DBEvent.u.Exception.pExceptionRecord.ExceptionAddress
invoke GetThreadContext, pi.hThread, addr context ; read context
; Was the fault raised by the watched instruction itself, or by some other
; access to the same page? (The compare repeats the literal stored in pva.)
cmp DBEvent.u.Exception.pExceptionRecord.ExceptionAddress,004B2D6Ch
je win
jmp next
win:
; Watched address reached: report it on the console ...
inc count
invoke wsprintf,addr buffer,addr format, count
invoke WriteConsole,handle,addr buffer,sizeof buffer,0,0
;invoke WriteConsole,handle,addr ek,sizeof ek,0,0
invoke WriteConsole,handle,addr message,sizeof message,0,0
invoke WriteConsole,handle,addr ek,sizeof ek,0,0
;invoke MessageBox,0,addr message,addr tname,MB_OK
; ... then restore the page protection.
; NOTE(review): the operand order of this call differs from the other
; VirtualProtectEx calls in this file.
invoke VirtualProtectEx,pi.hProcess,pva,1,addr dwOldProtect,0
;invoke VirtualProtectEx,pi.hProcess,pva,1,PAGE_EXECUTE_READWRITE,0
;ACTION IS BEGIN!
; invoke GetThreadContext, pi.hThread, addr context
;mov context.regEax,1
;inc context.regEip
; Cross-process write of the single byte pb at mbva.
invoke WriteProcessMemory,pi.hProcess,mbva,addr pb,1,0
;invoke SetThreadContext,pi.hThread,addr context
; invoke GetModuleHandle,addr mname
; invoke GetProcAddress,eax,addr fname
;call eax; Stop debugging
;jmp endd
;invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
; DBG_EXCEPTION_NOT_HANDLED: the guard-page exception is passed on to the
; child instead of being swallowed here.
invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED
jmp enddebug                                ; falls into a second ContinueDebugEvent for the same event
;jnz next
next:
; Some other access to the guarded page: lift the guard so the faulting
; instruction can complete, single-step it, and re-arm in the TF handler.
; invoke ResumeThread,pi.hThread
invoke VirtualProtectEx,pi.hProcess,pva,2,PAGE_EXECUTE_READWRITE,0
invoke GetThreadContext, pi.hThread, addr context
;cmp context.regEip,005492A4h
; je win
or context.regFlag,100h                     ; continue tracing: set TF (EFLAGS bit 8)
invoke SetThreadContext,pi.hThread, addr context
invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
.continue
.elseif DBEvent.u.Exception.pExceptionRecord.ExceptionCode==80000003h
; 80000003h = STATUS_BREAKPOINT (e.g. the initial system breakpoint): swallow and go on.
invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
.continue
;A trace trap or other single-instruction mechanism signaled that one instruction has been executed.
; NOTE(review): the identifier below appears split by the forum's line wrap;
; the intended symbol is presumably EXCEPTION_SINGLE_STEP.
.elseif DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_SINGLE_S TEP
invoke GetThreadContext,pi.hThread,addr context
and context.regFlag,0FFFFFEFFh              ; clear TF again
; invoke SetThreadContext,pi.hThread, addr context
; Re-arm the memory breakpoint now that the stepped instruction has completed.
invoke VirtualProtectEx,pi.hProcess,pva,1,PAGE_READONLY or PAGE_GUARD,addr dwOldProtect
invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId,DBG_CONTINUE
.continue
.endif
.endif
enddebug:
; Reached for every event not handled above (create-process, load-DLL,
; other exception codes, ...) and, via jmp enddebug, after the win path.
; Exceptions that land here are passed to the child unhandled.
invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED
.endw
endd:
;invoke VirtualProtectEx,pi.hProcess,pva,1,addr dwOldProtect,0
;invoke MessageBox,0,addr tname,addr tname,MB_OK
invoke CloseHandle,pi.hProcess
invoke CloseHandle,pi.hThread
invoke ExitProcess, 0
ret                                         ; not reached: ExitProcess does not return
main endp
invoke ExitProcess, 0                       ; NOTE(review): outside main, never executed
end start