[APP CRASH] Missing EIP in SEH Context when application sets trap flag to 1
Created by: dcdelia
Describe the bug
DynamoRIO provides a zero EIP value in the SEH Context for the application handler when the program sets TF=1 using popf, while Windows provides the address of the instruction after the one that follows popf.
To Reproduce
I have attached both ASM source and EXE (compiled with MASM32 with Console target) of a PoC that saves the EIP value available in the SEH Context and prints to screen the provided and the expected one. To run the program just use drrun.exe -- trapflag.exe. No difference observed when -debug enabled.
Expected behavior
DynamoRIO should be providing in Context->EIP the address of the instruction next to the one after popf (it is different to the int 2d anti-debugger trick that expects a simple +1 in Context->EIP, so I used a longer instruction here). The detection works also without setting also IF=1 but just TF=1 (i.e. constant 102h for pushf).
PUSH @SehExit
PUSH DWORD PTR fs:[0]
MOV DWORD PTR fs:[0], esp
MOV [SavedESP], esp
PUSH 302h ; or 102h
POPF
MOV eax, 0abcdefh ; any instruction is good here
@AfterInt:
JMP @AfterSeh
NOP
@SehExit:
MOV eax, DWORD PTR ds:[esp + 0ch]
MOV eax, DWORD PTR ds:[eax + 0b8h]
MOV [ContextEIP], eax
CMP eax, @AfterInt
JNZ @AfterSehVersions I have used v.8.0.0 build 1 as well as the latest build 18585. 32-bit application executed on Windows 7 SP1 x64.
Additional context I did not try to see if the general purpose registers are exposed correctly, but I can easily extend the detection program to track and print some of those too if this may help you. Issue #3783 references a simpler version of this anti-debug trick that is documented for instance here. That PoC just looks for a single-step exception being fired, while the one I wrote validates the context as suggested in a detection method proposed by corkami.