#4
02-06-2009, 03:23 AM
Alkatraz
Administrator
Join Date: Jan 2007
Posts: 72

Credits to rover_turbo, uNrEaL

Source Code Example

Code:
//=====================================================================================
// x86 (32-bit) only: addresses are cast to DWORD and Dr0 holds a 32-bit address.

#include <windows.h>

//=====================================================================================

LPTOP_LEVEL_EXCEPTION_FILTER Original_TopLevelExceptionFilter = NULL;

//=====================================================================================

// Top-level filter: it is reached only when no frame-based handler claims the
// exception and no debugger is attached (with a debugger attached, the exception
// is delivered to the debugger instead of this callback).
LONG WINAPI UnhandledExceptionFilter_Callback(_EXCEPTION_POINTERS* ExceptionInformation)
{
  if(ExceptionInformation->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)
  {
    // Execute breakpoint: a fault, so Eip still points at the instruction in Dr0.
    if((DWORD)ExceptionInformation->ExceptionRecord->ExceptionAddress == 0x04000000)
    {
      /* do whatever, move instruction pointer or read register(s)... */

      // Set the Resume Flag (EFlags bit 16) so the same instruction is not
      // trapped again on resume; without this (or moving Eip past the
      // instruction) the breakpoint fires again immediately, in a loop.
      ExceptionInformation->ContextRecord->EFlags |= 0x00010000;
      return EXCEPTION_CONTINUE_EXECUTION;
    }
  }

  return EXCEPTION_CONTINUE_SEARCH;
}

//=====================================================================================

VOID WINAPI Initiate_SEH_HWBP(VOID)
{
  Original_TopLevelExceptionFilter = SetUnhandledExceptionFilter(UnhandledExceptionFilter_Callback);

  // Zero the structure and request the debug-register group only, so the other
  // register groups are left untouched when the context is applied.
  CONTEXT ctx;
  ZeroMemory(&ctx, sizeof(ctx));
  ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
  ctx.Dr6 = 0x00000000;     // clear any stale breakpoint status bits

  ctx.Dr0 = 0x04000000;     // linear address to trap (example value)
  ctx.Dr7 = 0x00000001;     // L0 = 1 enables Dr0; RW0 = LEN0 = 0 -> execute breakpoint

  // Debug registers are per thread: only this thread gets the breakpoint.
  SetThreadContext(GetCurrentThread(), &ctx);
}

//=====================================================================================

BOOL WINAPI DllMain(HINSTANCE hinstModule, DWORD dwReason, LPCVOID lpReserved)
{
  if(dwReason == DLL_PROCESS_ATTACH)
  {
    Initiate_SEH_HWBP();
  }
  else if(dwReason == DLL_PROCESS_DETACH)
  {
    // Restore the previous filter so the unloaded callback is never called.
    if(Original_TopLevelExceptionFilter != NULL)
    {
      SetUnhandledExceptionFilter(Original_TopLevelExceptionFilter);
    }
  }

  return TRUE;
}

//=====================================================================================
You can have up to four breakpoints, when you work out how to add more. It can also be detected easily, so you might want to take control of GetThreadContext(...), for example, to help in the undetected department.

And just to add, there is another more common way to intercept the info also, just need to open your eyes and look for it.
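An added example, not part of the post above or the credited authors' code: it decodes the DR7 bits the post writes (Dr7 = 0x00000001) and the DR6 status bits a handler reads. Decoding DR7 is what a detection routine inspecting a thread's context through GetThreadContext would do to spot an armed hardware breakpoint, and reading DR6 is how a handler tells the four possible breakpoints apart instead of comparing the exception address. Plain C with no Windows headers, so it runs anywhere; all register values are constructed for the example.

```c
#include <stdint.h>

/* Decoded view of one of the four x86 debug-address slots (DR0..DR3)
 * as configured by the corresponding DR7 fields. */
typedef struct {
    int enabled;    /* local (Lx) or global (Gx) enable bit is set */
    int global;     /* Gx bit set: breakpoint survives task switches */
    int condition;  /* RWx: 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int length;     /* LENx in bytes: 1, 2, 8 (64-bit only) or 4 */
} dr7_slot;

/* Decode slot 0..3 of a DR7 value. Layout: L0..L3 are bits 0,2,4,6,
 * G0..G3 are bits 1,3,5,7, RWx is bits 16+4x..17+4x, LENx is bits 18+4x..19+4x. */
dr7_slot dr7_slot_decode(uint32_t dr7, int slot)
{
    static const int len_table[4] = { 1, 2, 8, 4 }; /* LEN encodings 00,01,10,11 */
    dr7_slot s;
    int local  = (dr7 >> (slot * 2))     & 1;
    int global = (dr7 >> (slot * 2 + 1)) & 1;
    s.enabled   = local | global;
    s.global    = global;
    s.condition = (dr7 >> (16 + slot * 4)) & 3;
    s.length    = len_table[(dr7 >> (18 + slot * 4)) & 3];
    return s;
}

/* Number of armed breakpoints in DR7; a non-zero result on a thread that
 * should not be debugged is the signal a detection routine looks for. */
int dr7_active_count(uint32_t dr7)
{
    int active = 0;
    for (int i = 0; i < 4; i++)
        active += dr7_slot_decode(dr7, i).enabled;
    return active;
}

/* Which breakpoint fired: DR6 bits B0..B3 (bits 0-3) flag the slot whose
 * condition matched. The CPU may set a B bit even for a disabled slot, so
 * the slot must also be enabled in DR7. Returns -1 for a plain TF single-step
 * or any other EXCEPTION_SINGLE_STEP not caused by an armed slot. */
int dr6_hit_slot(uint32_t dr6, uint32_t dr7)
{
    for (int i = 0; i < 4; i++)
        if ((dr6 & (1u << i)) && dr7_slot_decode(dr7, i).enabled)
            return i;
    return -1;
}
```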