[BUGFIX] In AntiDbg::WatchCompareSoftBrk: moved checks before the ins…

…trumentation function. Do not use ins.q() to pass instruction
hasherezade · Aug 26, 2023 · 05a820c · 05a820c
1 parent 780a70b
commit 05a820c
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 18 deletions.
diff --git a/AntiDebug.cpp b/AntiDebug.cpp
@@ -151,28 +151,19 @@ VOID AntiDbg::WatchMemoryAccess(ADDRINT addr, UINT32 size, const ADDRINT insAddr
 /* ==================================================================== */
 
 std::map<ADDRINT, size_t> cmpOccurrences;
-VOID AntiDbg::WatchCompareSoftBrk(const CONTEXT* ctxt, ADDRINT Address, INT32 insArg)
+VOID AntiDbg::WatchCompareSoftBrk(ADDRINT Address, ADDRINT immVal)
 {
     PinLocker locker;
     const WatchedType wType = isWatchedAddress(Address);
     if (wType == WatchedType::NOT_WATCHED) return;
 
-    INS ins;
-    ins.q_set(insArg);
-    if (!ins.is_valid() || INS_OperandCount(ins) < 2) {
-        return;
-    }
-
     bool isSet = false;
-    const UINT32 opIdx = 1;
     const size_t kMinOccur = 3;
 
-    if (INS_OperandIsImmediate(ins, opIdx) && INS_OperandSize(ins, opIdx) == sizeof(UINT8)) {
-        const UINT8 val = (INS_OperandImmediate(ins, opIdx) & 0xFF);
-        if (val == 0xCC) {
-            cmpOccurrences[Address]++;
-            if (cmpOccurrences[Address] == kMinOccur) isSet = true;
-        }
+    const UINT8 val = immVal & 0xFF;
+    if (val == 0xCC) {
+        cmpOccurrences[Address]++;
+        if (cmpOccurrences[Address] == kMinOccur) isSet = true;
     }
 
     if (isSet) {

diff --git a/AntiDebug.h b/AntiDebug.h
@@ -8,7 +8,7 @@
 namespace AntiDbg {
 	VOID WatchMemoryAccess(ADDRINT addr, UINT32 size, const ADDRINT insAddr);
 	VOID WatchThreadStart(THREADID threadid, CONTEXT* ctxt, INT32 flags, VOID* v);
-	VOID WatchCompareSoftBrk(const CONTEXT* ctxt, ADDRINT Address, INT32 insArg);
+	VOID WatchCompareSoftBrk(ADDRINT Address, ADDRINT immVal);
 	VOID MonitorAntiDbgFunctions(IMG Image);
 	VOID FlagsCheck(const CONTEXT* ctxt, THREADID tid);
 	VOID FlagsCheck_after(const CONTEXT* ctxt, THREADID tid, ADDRINT eip);

diff --git a/TinyTracer.cpp b/TinyTracer.cpp
@@ -806,13 +806,18 @@ VOID InstrumentInstruction(INS ins, VOID *v)
         ////////////////////////////////////
         if (m_Settings.antidebug >= ANTIDEBUG_DEEP) {
             // Check all comparison for 0xCC byte (anti stepinto/stepover checks)
-            if (INS_Opcode(ins) == XED_ICLASS_CMP) {
+            const UINT32 opIdx = 1;
+            if (INS_Opcode(ins) == XED_ICLASS_CMP 
+                && INS_OperandCount(ins) >= (opIdx + 1) 
+                && INS_OperandIsImmediate(ins, opIdx)
+                && INS_OperandSize(ins, opIdx) == sizeof(UINT8))
+            {
                 INS_InsertCall(
                     ins,
                     IPOINT_BEFORE, (AFUNPTR)AntiDbg::WatchCompareSoftBrk,
-                    IARG_CONTEXT,
+                    IARG_FAST_ANALYSIS_CALL,
                     IARG_INST_PTR,
-                    IARG_ADDRINT, ins.q(),
+                    IARG_ADDRINT, INS_OperandImmediate(ins, opIdx),
                     IARG_END);
             }
         }