
I'm learning assembly and after assembly of:

format PE64 NX GUI 6.0
entry start

section '.text' code readable executable
start:
        int3
        ret

running in my debugger (at the end of the OS loader code and also ) I see

...
00007fff`bc78070d 4889442428         mov     qword ptr [rsp+28h], rax
00007fff`bc780712 488364242000       and     qword ptr [rsp+20h], 0
00007fff`bc780718 e8cf90f9ff         call    ntdll!RtlStringCbPrintfExW (00007fff`bc7197ec)
00007fff`bc78071d 488b8c24e0010000   mov     rcx, qword ptr [rsp+1E0h]
00007fff`bc780725 4833cc             xor     rcx, rsp
00007fff`bc780728 e813bbfbff         call    ntdll!_security_check_cookie (00007fff`bc73c240)
00007fff`bc78072d 4881c4f0010000     add     rsp, 1F0h
00007fff`bc780734 5b                 pop     rbx
00007fff`bc780735 c3                 ret     
00007fff`bc780736 cc                 int     3
00007fff`bc780737 cc                 int     3
00007fff`bc780738 cc                 int     3
00007fff`bc780739 cc                 int     3
00007fff`bc78073a cc                 int     3
00007fff`bc78073b cc                 int     3
00007fff`bc78073c cc                 int     3
00007fff`bc78073d cc                 int     3
00007fff`bc78073e cc                 int     3
00007fff`bc78073f cc                 int     3
    ntdll!LdrpDoDebuggerBreak:
00007fff`bc780740 4883ec38           sub     rsp, 38h
00007fff`bc780744 488364242000       and     qword ptr [rsp+20h], 0
00007fff`bc78074a 41b901000000       mov     r9d, 1
00007fff`bc780750 4c8d442440         lea     r8, [rsp+40h]
00007fff`bc780755 418d5110           lea     edx, [r9+10h]
00007fff`bc780759 48c7c1feffffff     mov     rcx, 0FFFFFFFFFFFFFFFEh
00007fff`bc780760 e84bcbfcff         call    ntdll!NtQueryInformationThread (00007fff`bc74d2b0)
00007fff`bc780765 85c0               test    eax, eax
00007fff`bc780767 780a               js      ntdll!LdrpDoDebuggerBreak+0x33 (00007fff`bc780773)
00007fff`bc780769 807c244000         cmp     byte ptr [rsp+40h], 0
00007fff`bc78076e 7503               jne     ntdll!LdrpDoDebuggerBreak+0x33 (00007fff`bc780773)
00007fff`bc780770 cc                 int     3
...

Can someone explain what the purpose of multiple int3's in a row is? It reminds me of a nop slide, but I can't imagine why you'd need to do such a thing with a debug command. Or is this just bad disassembly?

    MS compiles their DLLs with MSVC, which uses `int3` for alignment padding. Many other compilers use `nop` for that purpose. – Peter Cordes Jun 30 '21 at 00:50
  • aside from padding, executing int 3 is how a software breakpoint is implemented. see https://stackoverflow.com/questions/61816297/what-is-int-3-really-supposed-to-do – Peter Jun 30 '21 at 15:18
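To make the two points in the comments above concrete (padding runs end on a 16-byte boundary right after a `ret`; a lone `int 3` in a live code path is a trap), here is an added Python example that is not part of the question or the comments. It classifies runs of `0xCC` in raw code bytes using exactly that heuristic. The first byte buffer is transcribed from the ntdll listing in the question (from `pop rbx` at `...734` through the start of `LdrpDoDebuggerBreak`); the second is the tail of `LdrpDoDebuggerBreak` from the listing plus four constructed continuation bytes, since the listing is cut off there. The heuristic only recognises a one-byte `ret` as the preceding instruction; a real tool would disassemble properly.

```python
# Added example: classify runs of 0xCC (int 3) in x86-64 code bytes as MSVC-style
# alignment padding (run follows a `ret` and ends on a 16-byte boundary) or as a
# single int3 sitting in a code path (a software breakpoint / trap).
from typing import List, Tuple

# Transcribed from the ntdll listing in the question, starting at the
# `pop rbx` at 00007fff`bc780734.
BASE = 0x00007FFFBC780734
CODE = bytes.fromhex(
    "5b"                # pop rbx                      ...734
    + "c3"              # ret                          ...735
    + "cc" * 10         # int 3 x10                    ...736 .. ...73f
    + "4883ec38"        # LdrpDoDebuggerBreak: sub rsp, 38h   ...740
    + "488364242000"    # and qword ptr [rsp+20h], 0   ...744
)

# Tail of LdrpDoDebuggerBreak from the listing, starting at ...769.
# The final four bytes (add rsp, 38h) are CONSTRUCTED, not from the page.
BASE2 = 0x00007FFFBC780769
CODE2 = bytes.fromhex(
    "807c244000"        # cmp byte ptr [rsp+40h], 0    ...769
    + "7503"            # jne +3                       ...76e
    + "cc"              # int 3                        ...770
    + "4883c438"        # add rsp, 38h (constructed continuation)
)

# Heuristic: the only "cannot fall through" instruction we recognise by its
# last byte is the one-byte `ret` (0xC3); jmp/ret-imm16 end in operand bytes.
RET_OPCODE = 0xC3

PADDING = "alignment padding"
TRAP = "single int3 (breakpoint / trap)"
UNKNOWN = "unclassified int3 run"


def find_int3_runs(code: bytes, base: int) -> List[Tuple[int, int, str]]:
    """Return (start_address, run_length, classification) for every run of 0xCC."""
    runs = []
    i = 0
    while i < len(code):
        if code[i] != 0xCC:
            i += 1
            continue
        start = i
        while i < len(code) and code[i] == 0xCC:
            i += 1
        length = i - start
        end_addr = base + i                      # address of the first byte after the run
        prev = code[start - 1] if start > 0 else None
        ends_on_paragraph = (end_addr % 16) == 0  # MSVC pads functions to 16-byte boundaries
        if ends_on_paragraph and prev == RET_OPCODE:
            kind = PADDING
        elif length == 1:
            kind = TRAP
        else:
            kind = UNKNOWN
        runs.append((base + start, length, kind))
    return runs


def main() -> None:
    for label, code, base in (("listing tail", CODE, BASE), ("LdrpDoDebuggerBreak", CODE2, BASE2)):
        for addr, length, kind in find_int3_runs(code, base):
            print(f"{label}: {addr:016x}  {length:2d} x int3  -> {kind}")


if __name__ == "__main__":
    main()
```

Run it as a script and the ten `int 3` bytes at `...736` report as padding because the run ends exactly at `...740`, the 16-byte-aligned start of `LdrpDoDebuggerBreak`, while the lone `int 3` at `...770` reports as a trap because it is reached by fall-through when the `jne` is not taken.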

0 Answers