I was reversing some malware on an OS X VM when I noticed something peculiar. While stepping through the instructions, the instruction just after an int 0x80 gets skipped, i.e. it gets executed without me stepping through it.

Example:

 int 0x80
 inc eax ; <--- this gets skipped
 inc ecx ; <--- stepping resumes here

Why does this happen? Have you encountered something similar to this?

0xC0000022L

1 Answer

When single-stepping through code, the T flag is set so that the CPU can break after the instruction completes execution. When an interrupt occurs, the state of the T flag is placed on the stack, and used when the iret instruction is executed by the handler. However, the iret instruction is one of a few instructions that causes a one-instruction delay in the triggering of the T flag, due to legacy issues relating to the initialization of the stack.

So the skipped instruction is executing but you can't step into it (but if you set a breakpoint at that location and run to that point instead, then you will get a break).

perror
peter ferrie
  • +1. Didn't sound like the OP was interested in those low-level details, but now I understand why you were arguing that my answer didn't contain the information asked for. But it turns out I misread the question. Thanks for pointing it out. – 0xC0000022L Apr 29 '13 at 17:09
  • Do we observe the same behavior in other OSes? *BSD, Linux, OpenSolaris, ... ? – perror Apr 29 '13 at 18:04
  • @perror: should for all practical purposes whenever an interrupt handler is used and therefore iret is used. – 0xC0000022L Apr 29 '13 at 19:46
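The following toy model is an added illustration of the answer above, not code from the original post or from any debugger: it simulates the three rules the answer relies on (int n saves EFLAGS and clears TF, iret restores TF, and a TF set by iret only traps after the following instruction) on a constructed program that mirrors the question, and also shows why a breakpoint on the "skipped" instruction still fires.

```python
"""Toy model of trap-flag (TF) single-stepping across int 0x80 / iret.

Simplified CPU model (no real registers, stack or privilege levels): the only
state is a TF bit, a saved-EFLAGS stack and two counters. The kernel handler
below is a constructed stand-in for the syscall path, not the real one.
"""

# Constructed sample program from the question; addresses are list indices.
USER_CODE = ["int 0x80", "inc eax", "inc ecx", "nop"]
KERNEL_HANDLER = ["mov eax, 0", "iret"]   # hypothetical syscall handler


def execute(code, handler, tf=True, breakpoints=frozenset()):
    """Run `code` to completion. Returns (stops, regs): the addresses at which
    a debugger regains control (single-step traps and breakpoint hits) and the
    final register values, so the 'skipped' instruction's effect is visible."""
    regs = {"eax": 0, "ecx": 0}
    stops, saved_flags = [], []
    pc = 0
    while pc < len(code):
        if pc in breakpoints:              # breakpoint: stop before the instruction runs
            stops.append(pc)
        # The stream the CPU really executes for this user instruction: a syscall
        # pulls in the whole kernel handler, which ends with iret back to pc + 1.
        stream = [code[pc]] + (handler if code[pc] == "int 0x80" else [])
        pc += 1
        for insn in stream:
            tf_before = tf
            if insn == "int 0x80":
                saved_flags.append(tf)     # EFLAGS (with TF) pushed for the handler
                tf = False                 # INT n clears TF: the handler is not stepped
                tf_before = False          # and no step trap is taken for INT n itself
            elif insn == "iret":
                tf = saved_flags.pop()     # TF comes back with the popped EFLAGS
            elif insn.startswith("inc "):
                regs[insn.split()[1]] += 1
            # Trap rule: a single-step trap follows an instruction only if TF was
            # already set when that instruction began. iret begins with TF clear,
            # so the TF it restores takes effect one instruction late: 'inc eax'
            # runs without a trap and the debugger next stops at 'inc ecx'.
            if tf_before:
                stops.append(pc)
    return stops, regs


if __name__ == "__main__":
    for bps in (frozenset(), frozenset({1})):
        stops, regs = execute(USER_CODE, KERNEL_HANDLER, breakpoints=bps)
        seen = [USER_CODE[a] if a < len(USER_CODE) else "<end>" for a in stops]
        print(f"breakpoints={sorted(bps)} debugger stops at {seen}, regs={regs}")
```

Running it shows the stepping trace jumping from int 0x80 straight to inc ecx while eax has still been incremented, and the second run shows the breakpoint on inc eax catching the instruction the step missed.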