Breakpoint problem

[donkey]

I am writing a tool that requires that the target application is opened with a debugger and am constructing a narrow focus debugger for that purpose. My current problem is that if I set an INT3 breakpoint I need to get and set the context of the thread in order to adjust ESP as certain information has to be passed on the stack but must be removed before execution is allowed to continue. Now this should have been simple but for some reason I am only getting 0 in the context structure even though GetThreadContext returns 1 which means it was executed successfully. The handler for breakpoints is as follows...

Code Select Expand

cmp D[dbe.dwDebugEventCode],EXCEPTION_DEBUG_EVENT
jne >>.LOAD_DLL_DEBUG_EVENT

.EXCEPTION_BREAKPOINT
cmp D[dbe.u.Exception.ExceptionRecord.ExceptionCode],EXCEPTION_BREAKPOINT
jne >>.EXCEPTION_STARTPROFILE
invoke SuspendThread,[pi.hThread]
invoke GetThreadContext,[pi.hThread],offset context
invoke ResumeThread,[pi.hThread]
PrintDec([context.Esp])
jmp >>.CONTINUE_DEBUG

In the code above when the breakpoint is reached the thread should already be suspended however context.Esp has a value of 0. In order to get the context I thought maybe the thread should be suspended, as is required, and still a value of 0 for esp. I have used the hThread from dbe.u.CreateProcessInfo.hThread, same result as well as trying to open the thread with THREAD_GET_CONTEXT rights, the OpenThread API completes successfully however esp is still 0. What am I missing here ?

Edgar

[drizz]

1) there is no need for suspend/resume funcs, all debugee threads are paused on debug event
2) CONTEXT structure must be aligned (dword boundary at least)
3) don't forget to set the ContextFlags field (CONTEXT_FULL, etc.)
4) don't forget to decrease Eip by 1 on breakpoint exception after restoring original byte

HtH

[donkey]

Thanks Drizz,

You solved my problem, didn't set the context flags, works fine now.

Edgar