Judging by my analysis of KiUserExceptionDispatcher under WoW64, you can of course set the debug registers; however, they do not fire. Here is an example:
SetThreadContext() on a thread with Dr0 set to some instruction, then set Dr7 to 1 for locale detect and leave the other flags 0 because it would be an instruction fetch. (Doesn't matter, same issue with read/write.)
Now the thread is moving along and decides it will call NtContinue; before the call it sets Dr0 to a different address.
After the thread begins execution at the EIP specified in the CONTEXT struct we passed to NtContinue, it hits the instruction-fetch Dr0 specified to NtContinue but does NOT raise an exception; instead it will raise the exception on what we originally set with SetThreadContext.
I saw this today when analyzing some user-mode malware that was using debug registers to hold data. I wasn't sure if it was normal, but after confirming it through several tests in my own program it seems this is the case.
So the question is: is this intended, or is this just WoW64? :D
Thanks
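As an added illustration (not code from the original post), a small DR7 decoder in plain C: it shows what "Dr7 set to 1" actually arms (slot 0, local enable, execute, 1 byte) and flags slots whose DRx holds a value while both enable bits are clear, which is the "debug registers used to hold data" pattern the poster ran into. The bit layout follows the Intel SDM; all sample register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one hardware breakpoint slot (DRi plus its DR7 fields). */
typedef struct {
    int enabled;        /* Li or Gi bit set in DR7 */
    int type;           /* RWi field: 0=execute, 1=write, 2=I/O, 3=read/write */
    int len_bytes;      /* LENi field decoded to a byte count */
    uint32_t address;   /* the raw DRi value */
    int dangling_value; /* DRi nonzero but slot disabled: stored data, not a breakpoint */
} drslot_t;

static int decode_len(unsigned f) {
    /* LEN encoding: 00 = 1 byte, 01 = 2 bytes, 11 = 4 bytes, 10 = 8 bytes (64-bit only) */
    switch (f) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

/* Decode DR0..DR3 against DR7. Returns the number of armed slots. */
int decode_debug_regs(const uint32_t dr[4], uint32_t dr7, drslot_t out[4]) {
    int armed = 0;
    for (int i = 0; i < 4; i++) {
        unsigned local  = (dr7 >> (2 * i)) & 1u;       /* L0,L1,L2,L3 = bits 0,2,4,6 */
        unsigned global = (dr7 >> (2 * i + 1)) & 1u;   /* G0..G3     = bits 1,3,5,7 */
        out[i].enabled = (local | global) ? 1 : 0;
        out[i].type = (int)((dr7 >> (16 + 4 * i)) & 3u);  /* RWi at bits 16+4i */
        out[i].len_bytes = decode_len((dr7 >> (18 + 4 * i)) & 3u); /* LENi at 18+4i */
        out[i].address = dr[i];
        out[i].dangling_value = (!out[i].enabled && dr[i] != 0) ? 1 : 0;
        armed += out[i].enabled;
    }
    return armed;
}

/* Triage helper: how many DRx slots carry a value with no enable bit set. */
int count_dangling(const uint32_t dr[4], uint32_t dr7) {
    drslot_t s[4];
    decode_debug_regs(dr, dr7, s);
    int n = 0;
    for (int i = 0; i < 4; i++) n += s[i].dangling_value;
    return n;
}

int main(void) {
    /* Constructed sample: the poster's setup, DR0 armed with DR7 = 1 (L0 set, RW0 = LEN0 = 0). */
    uint32_t dr[4] = { 0x00401000u, 0, 0, 0 };
    drslot_t s[4];
    int armed = decode_debug_regs(dr, 0x1u, s);
    printf("armed=%d slot0 type=%d len=%d addr=0x%08x\n", armed, s[0].type, s[0].len_bytes, s[0].address);
    return 0;
}
```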