Add fix + tests to handle debugger memory-bp triggering twice on same instruction (when instruction write on 2 != pages)

Author: hakril

tests/test_debugger.py

@@ -367,6 +367,54 @@ def trigger(self, dbg, exc):
     for i in range(NB_NOP_IN_PAGE + 1):
         assert TSTBP.DATA[i] == addr + i
 
+def test_memory_breakpoint_trigger_multipage(proc32_64_debug):
+    """Check that a memory breakpoint triggering on multiple page on the same instruction restore are correctly restored on all pages"""
+
+    class MultiPageMemBP(windows.debug.MemoryBreakpoint):
+        ALL_TRIGGER_ADDR = []
+
+        def trigger(self, dbg, exc):
+            pc_fault_addr = dbg.current_thread.context.pc
+            self.ALL_TRIGGER_ADDR.append(pc_fault_addr)
+            print(hex(pc_fault_addr))
+            # Stop when we have a breakpoint in the 2nd page of the alloc
+            if shellcodeaddr + 0x1000 <= pc_fault_addr <=  shellcodeaddr + 0x2000:
+                dbg.current_process.exit()
+
+    # Trigger a write that will write on both page at once,
+    # Triggering both pages mem-bp on the same instruction.
+    # Then call an instruction at the end of page to see if both page of mem-bp still trigger the BP
+
+    shellcodeaddr = proc32_64_debug.virtual_alloc(0x2000)
+
+    if proc32_64_debug.bitness == 64:
+        shellcode = x64.MultipleInstr()
+        shellcode += x64.Mov("RAX", shellcodeaddr + 0xffe)
+        shellcode += x64.Mov("RCX", 0xc3909090) # Nopnopnopret
+        shellcode += x64.Mov(x64.mem("[RAX]"), "ECX") # Will write on both page at once
+        shellcode += x64.Push("RAX")
+        shellcode += x64.Ret() # Jump on the nop + ret
+    else:
+        shellcode = x86.MultipleInstr()
+        shellcode += x86.Mov("EAX", shellcodeaddr + 0xffe)
+        shellcode += x86.Mov("ECX", 0xc3909090) # Nopnopnopret
+        shellcode += x86.Mov(x86.mem("[EAX]"), "ECX") # Will write on both page at once
+        shellcode += x86.Push("EAX")
+        shellcode += x86.Ret() # Jump on the nop + ret
+
+    d = windows.debug.Debugger(proc32_64_debug)
+    bp = MultiPageMemBP(addr=shellcodeaddr, size=0x2000, events="XW")
+    proc32_64_debug.write_memory(shellcodeaddr, shellcode.get_code())
+    d.add_bp(bp)
+    proc32_64_debug.create_thread(shellcodeaddr, 0)
+
+    d.loop()
+    # Check that the 2 nop at the end of the first page of the membp trigger
+    # If access right where not correctly restored: this would not trigger on the first page
+    assert shellcodeaddr + 0xffe in bp.ALL_TRIGGER_ADDR
+    assert shellcodeaddr + 0xfff in bp.ALL_TRIGGER_ADDR
+    assert shellcodeaddr + 0x1000 in bp.ALL_TRIGGER_ADDR
+
 
 # breakpoint remove
 import threading
@@ -700,4 +748,6 @@ def WaitForDebugEvent_KeyboardInterrupt(debug_event):
         assert proc32_64_debug.read_memory(addr, len(TEST_CODE)) == TEST_CODE
         assert bad_thread.context.pc == addr
     else:
-        raise ValueError("Should have raised")
+        raise ValueError("Should have raised")
+
+

windows/debug/debugger.py

@@ -685,11 +685,24 @@ def _handle_exception_access_violation(self, exception, excp_addr):
             self._pass_memory_breakpoint(bp, original_prot, fault_page)
             return DBG_CONTINUE
 
+        # We may have setup the "EEFlags.TF" ourself if the membreakpoint triggered twice on the same instruction
+        # Ex: write on two pages handled by our breakpoint (unaligned write on 0xfff-0x1000)
+
+        originalctx = self.current_thread.context
+        original_tf = originalctx.EEFlags.TF
+        # Temporary disable EEFlags.TF to see if user callback explicit ask for it
+        originalctx.EEFlags.TF = 0
+        self.current_thread.set_context(originalctx)
+
         with self.DisabledMemoryBreakpoint():
             continue_flag = mem_bp.trigger(self, exception)
         if self._killed_in_action():
             return continue_flag
-        self._explicit_single_step[self.current_thread.tid] = self.current_thread.context.EEFlags.TF
+        # Update explicit trigger based on new value of EEFlags.TF
+        self._explicit_single_step[self.current_thread.tid] |= self.current_thread.context.EEFlags.TF
+        # Reupdate the real EEFlags.TF based on its current value and the original one
+        if original_tf != 0 and not self.current_thread.context.EEFlags.TF:
+            self.single_step()
         if self._explicit_single_step[self.current_thread.tid]:
             dbgprint("Someone ask for an explicit Single step - 5", "DBG")
         # If BP has not been removed in trigger, pas it