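; INFO: Detection of hardware breakpoints by inspecting the CONTEXT structure.
; !! The trick only works under OllyDbg 2.0 with debugging via HW breakpoints enabled !!
; For testing, automatic exception handling must be enabled in OllyDbg.
; To trigger it, press "F7/F8" before the "idiv eax" instruction.
;
; Principle: an application cannot access the HW debug registers (DR0-DR3, DR6, DR7)
; directly. By deliberately raising an exception we make the handler "SEH_HANDLER"
; run; the handler receives the CONTEXT structure and can read the debug register
; values from it.
;
; In this particular demo we only compare DR3 with one specific address.
; In practice it is of course much better to compare against any non-zero address,
; since that also reveals a HW breakpoint set at a completely different address.
;
; OllyDbg settings:
;   Enable: "Options->Options | Exceptions | Integer division by 0"
;   Enable: "Options->Options | Debugging | Use HW breakpoints for stepping"
;
; Syntax: FASM, Intel, 32-bit PE; win32a.inc provides invoke/import and MB_* equates.
; Analyst note: the observable pattern is an SEH frame pushed onto [fs:0] immediately
; followed by a deliberate #DE, a handler that reads CONTEXT+10h (Dr3) and rewrites
; CONTEXT+0B8h (Eip), and a result flag consumed right after the frame is popped.
;
; Review notes (changes from the original listing):
;   - `cmp [DR3_FOUND], 1` had no operand size; FASM cannot infer it from the `dd`
;     definition, so it is now `cmp dword [DR3_FOUND], 1`.
;   - CONTEXT / handler-argument offsets are named constants instead of magic numbers.
;   - The entry point ends in ExitProcess instead of `ret` to the loader thunk.

format PE GUI 4.0 at 0x400000
include 'win32a.inc'

; Offsets into the x86 CONTEXT structure (WinNT.h layout).
CTX_DR3                 = 10h           ; CONTEXT.Dr3
CTX_EIP                 = 0B8h          ; CONTEXT.Eip

; _except_handler(ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext)
; Stack layout on handler entry: [esp] = return address, then the four arguments.
EH_ARG_CONTEXT          = 0Ch           ; [esp+0Ch] = ContextRecord

EXCEPTION_CONTINUE_EXEC = 0             ; ExceptionContinueExecution (EXCEPTION_DISPOSITION)

section '.text' code readable executable

;-----------------------------------------------------------------------
; Entry point.
; Installs SEH_HANDLER, raises a divide-by-zero, then reports whether the
; handler saw DR3 pointing at SEH_UNWIND (the instruction after idiv eax).
;-----------------------------------------------------------------------
        ; Clear our record of a DR3 breakpoint before the probe.
        mov     dword [DR3_FOUND], 0

        ; "Install" the SEH handler: push a new EXCEPTION_REGISTRATION
        ; {prev = [fs:0], handler = SEH_HANDLER} and link it at [fs:0].
        push    SEH_HANDLER
        push    dword [fs:0]
        mov     dword [fs:0], esp

        ; 0 / 0 raises #DE (EXCEPTION_INT_DIVIDE_BY_ZERO); SEH_HANDLER runs.
        xor     eax, eax
        idiv    eax

        ; SEH_HANDLER resumes execution here by setting CONTEXT.Eip = SEH_UNWIND.
        ; A debugger stepping with HW breakpoints places its breakpoint at
        ; this address, which is exactly what the handler compares DR3 against.
SEH_UNWIND:
        pop     dword [fs:0]            ; restore the previous handler
        add     esp, 4                  ; drop our handler address

        ; FASM needs an explicit size here: DR3_FOUND is a label, not a typed symbol.
        cmp     dword [DR3_FOUND], 1
        je      MSG_FOUND

MSG_OK:
        invoke  MessageBoxA, 0, message_ok, message_caption, MB_OK+MB_ICONINFORMATION
        jmp     EXIT

MSG_FOUND:
        invoke  MessageBoxA, 0, message_found, message_caption, MB_OK+MB_ICONINFORMATION

EXIT:
        ; Terminate explicitly instead of returning into the loader's thunk.
        invoke  ExitProcess, 0

;-----------------------------------------------------------------------
; SEH_HANDLER
; EXCEPTION_DISPOSITION __cdecl SEH_HANDLER(ExceptionRecord, EstablisherFrame,
;                                           ContextRecord, DispatcherContext)
; In:    [esp+0Ch] = PCONTEXT captured at the #DE
; Out:   eax = ExceptionContinueExecution; CONTEXT.Eip = SEH_UNWIND;
;        DR3_FOUND = 1 if CONTEXT.Dr3 == SEH_UNWIND
; Clobb: eax, edx, flags
; NOTE(review): the handler does not inspect ExceptionRecord.ExceptionCode or
; ExceptionFlags; it assumes the only exception reaching it is the #DE above.
;-----------------------------------------------------------------------
SEH_HANDLER:
        mov     edx, [esp + EH_ARG_CONTEXT]     ; edx = ContextRecord
        mov     eax, dword [edx + CTX_DR3]      ; eax = CONTEXT.Dr3 at the time of the #DE
        ;mov    dword [edx + CTX_DR3], 0        ; (optional) attempt to clear the HW breakpoint

        ; Does DR3 point at the instruction following idiv eax?
        cmp     eax, SEH_UNWIND
        jne     .set_eip
        mov     dword [DR3_FOUND], 1

.set_eip:
        ; Resume after the faulting idiv: CONTEXT.Eip = SEH_UNWIND.
        mov     dword [edx + CTX_EIP], SEH_UNWIND
        xor     eax, eax                        ; = EXCEPTION_CONTINUE_EXEC
        ret

;---------------------------------------------------
section '.bss' readable writeable

DR3_FOUND       dd ?                    ; 1 if the handler saw DR3 == SEH_UNWIND

section '.data' readable

message_caption db 'MSG',0
message_ok      db 'OK',0
message_found   db 'Debugger found!',0

section '.idata' import data readable writeable

library \
        kernel32,'KERNEL32.DLL',\
        user32  ,'USER32.DLL'

import  kernel32,\
        ExitProcess    ,'ExitProcess',\
        VirtualProtect ,'VirtualProtect'

import  user32,\
        MessageBoxA    ,'MessageBoxA'

;section '.reloc' fixups data readable discardable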