0

I'm writing a debugger on Windows. And I have this little useless assembly code I debug with it:

    global _start
    section .text
    _start:
        mov eax, 1
        mov ebx, 2
        mov ecx, 3
        mov edx, [myVar]
        push 0
        hlt                 ; privileged instruction: faults in user mode
    section .data
        myVar dw 1234h

Of course it will crash at hlt.

I write debugging events on the console. After running and continuing twice I have these:

    Process created.
    DLL loaded: ntdll.dll
    DLL loaded: C:\WINDOWS\system32\kernel32.dll
    Exception happened.
    First chance exception.
    >>> 0x7c90120e EXCEPTION_BREAKPOINT
    Exception happened.
    First chance exception.
    >>> 0x00401017 EXCEPTION_PRIV_INSTRUCTION
    Exception happened.
    First chance exception.
    >>> 0x00401017 EXCEPTION_PRIV_INSTRUCTION

Now the question is, why do I get that breakpoint exception? I expect to get exceptions only for the privileged instruction.

Calmarius

1 Answer

3

The Windows debugging API always injects a breakpoint exception as soon as a debugger is attached. This pauses the debugged application and gives the debugger a chance to access the application and do any initialization it needs to.

From the DebugActiveProcess documentation:

> The system arranges for the first thread in the process to execute a breakpoint instruction after it resumes. Continuing this thread causes it to return to doing the same thing as before the debugger is attached.

shf301
  • Does this happen even if the debugger creates the debuggee via CreateProcess with the DEBUG_ONLY_THIS_PROCESS creation flag? My program is based on the tutorial I read [here](http://www.codeproject.com/Articles/43682/Writing-a-basic-Windows-debugger). – Calmarius Sep 13 '13 at 14:30
  • Yes it does. And your linked tutorial mentions this as well in the paragraph above "Winding up..." – shf301 Sep 13 '13 at 14:43
  • I only ran across the tutorial and I haven't read everything. Thanks. – Calmarius Sep 13 '13 at 14:54
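
As an added example (not code from the question, the answer or the linked tutorial): the per-exception decision a debug loop makes, replayed over the three exception events in the question's log. `dbg_state`, `continue_status` and `replay_question_log` are hypothetical names, and the constants are copied from the Windows SDK headers so the block compiles without `<windows.h>`.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from the Windows SDK headers, repeated so this compiles anywhere. */
#define EXCEPTION_BREAKPOINT       0x80000003u
#define EXCEPTION_PRIV_INSTRUCTION 0xC0000096u
#define DBG_CONTINUE               0x00010002u
#define DBG_EXCEPTION_NOT_HANDLED  0x80010001u

/* Hypothetical per-debuggee state kept by the debugger. */
typedef struct { int initial_bp_seen; } dbg_state;

/* Status to pass to ContinueDebugEvent() for one exception event. */
uint32_t continue_status(dbg_state *st, uint32_t code)
{
    if (code == EXCEPTION_BREAKPOINT && !st->initial_bp_seen) {
        /* System-arranged breakpoint: the debuggee is loaded and paused.
           One-time setup goes here; then resume as if nothing happened. */
        st->initial_bp_seen = 1;
        return DBG_CONTINUE;
    }
    /* Raised by the debuggee itself: let its own handlers see it. For a
       fault such as EXCEPTION_PRIV_INSTRUCTION, DBG_CONTINUE would only
       resume at the same instruction. */
    return DBG_EXCEPTION_NOT_HANDLED;
}

/* Replays the exception codes from the question's log (constructed input);
   returns how many events were the debuggee's own faults. */
int replay_question_log(uint32_t out[3])
{
    static const uint32_t codes[3] = {
        EXCEPTION_BREAKPOINT, EXCEPTION_PRIV_INSTRUCTION, EXCEPTION_PRIV_INSTRUCTION
    };
    dbg_state st = { 0 };
    int own_faults = 0;
    for (int i = 0; i < 3; i++) {
        out[i] = continue_status(&st, codes[i]);
        if (out[i] == DBG_EXCEPTION_NOT_HANDLED)
            own_faults++;
    }
    return own_faults;
}

int main(void)
{
    uint32_t out[3];
    int n = replay_question_log(out);
    printf("initial breakpoint -> 0x%08x, debuggee faults: %d\n", (unsigned)out[0], n);
    return 0;
}
```

In a real loop the `code` argument comes from `DEBUG_EVENT.u.Exception.ExceptionRecord.ExceptionCode` after `WaitForDebugEvent` reports `EXCEPTION_DEBUG_EVENT`.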