
An application I am debugging somehow manages to clear my hardware breakpoints. I am using TitanHide and x64dbg.

I am observing the following behaviour:

  • When placing the first hw breakpoint, it is hit only once - still appears visible in x64dbg but I guess it is disabled in reality and x64dbg doesn't know that.
  • When placing another breakpoint, the first breakpoint is hit exactly once.

I am not sure what causes this obscure behaviour, but what I do know is that my hardware breakpoints are not getting hit, so I researched what could possibly clear them. I have come up with:

  • ZwSetInformationThread to hide the thread from the debugger.
  • SetThreadContext to reset the debug registers.
  • Installing a vectored exception handler, causing an exception deliberately, and modifying the context from there.

However all 3 methods should be caught by TitanHide, and exceptions should show up in the log of x64dbg (which they don't). Are there any further methods to clear hardware breakpoints?

  • Are you sure that the instruction on which you set the HW breakpoint is actually being executed? The program may detect a HW breakpoint (using GetThreadContext and reading debug registers). The program may then behave differently. Commented Mar 3, 2020 at 9:11
  • @Yotamz possible, I'll check Commented Mar 3, 2020 at 13:58

1 Answer


This turned out to be a mixture of hardware breakpoint related bugs in x64dbg (which are fixed by now), and a driver denying access to some threads of the target application (meaning the hardware breakpoint could not be set on those). If you encounter this, I suggest updating and checking OpenThread permissions, as x64dbg fails silently here :/
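
One way to run the OpenThread permission check suggested above, as an added example that is not part of the original answer or of x64dbg: it tries to open every thread of the target with the access rights needed to read and write a thread context (where the debug registers live) and lists the threads that are refused. The parameter `TargetPid` and the helper `TryOpen` are hypothetical names; run it in the same security context as the debugger.

```powershell
# Added example: which threads of the target can be opened for context access?
param([Parameter(Mandatory)][int]$TargetPid)   # hypothetical parameter name

# TryOpen (hypothetical helper) returns 0 on success, else the Win32 error code.
# The error is read inside C# so nothing can overwrite it in between.
Add-Type -Namespace Win32 -Name ThreadCheck -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr hObject);

public static int TryOpen(uint access, uint threadId) {
    IntPtr h = OpenThread(access, false, threadId);
    if (h == IntPtr.Zero) return Marshal.GetLastWin32Error();
    CloseHandle(h);
    return 0;
}
'@

# Rights required by SuspendThread, GetThreadContext and SetThreadContext.
$THREAD_SUSPEND_RESUME = 0x0002
$THREAD_GET_CONTEXT    = 0x0008
$THREAD_SET_CONTEXT    = 0x0010
$access = [uint32]($THREAD_SUSPEND_RESUME -bor $THREAD_GET_CONTEXT -bor $THREAD_SET_CONTEXT)

$results = foreach ($t in (Get-Process -Id $TargetPid -ErrorAction Stop).Threads) {
    $err = [Win32.ThreadCheck]::TryOpen($access, [uint32]$t.Id)
    [pscustomobject]@{
        ThreadId   = $t.Id
        Opened     = ($err -eq 0)
        Win32Error = $err            # 5 = ERROR_ACCESS_DENIED
    }
}

$results | Format-Table -AutoSize
$denied = @($results | Where-Object { -not $_.Opened })
"{0} of {1} threads could not be opened for context access" -f $denied.Count, @($results).Count
```

Any thread listed with `Opened = False` is one on which a hardware breakpoint cannot be applied from that context, even though the debugger UI may still show the breakpoint as set.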
