
Thread: What is INT 3 ?

  1. #1
    Join Date
    Sep 2003

    What is INT 3 ?

    When debugging an exe file using debug.exe, the debugger can stop at INT 3.
    This behavior is fantastic!

    I set the Trap Flag to 1 in my program, wrote an INT 3 instruction in my code, and then expected my program to be stopped there.

    When I run my program, the program isn't stopped.

    In a word, I don't understand the mechanism of INT 3:
    A. Who handles INT 3 when CS:IP points to it?
    B. Is its behavior defined by CPU or debug.exe ?

    Who can give me an explanation ?

    Thanks a lot!

  2. #2
    Join Date
    Dec 2005

    Re: What is INT 3 ?

    INT 3 causes an interrupt and calls an interrupt vector set up by the OS. Which OS are you using?

  3. #3
    Join Date
    Dec 2004

    Re: What is INT 3 ?

    In each operating system there exists a structure called the IDT (Interrupt Descriptor Table). It contains various entries, and entry No. 3 always contains the entry point of the INT 3 exception handler. This handler is always defined by the OS, and can be overridden by a debugger. The way exception handlers (and therefore INT 3) work is quite complicated, so I would advise you to read "IA32 Architecture System Programming Guide" available for free download at Especially chapter 5 (Interrupt and Exception Handling) and 15 (DEBUGGING AND PERFORMANCE MONITORING).

    Last edited by Hobson; December 28th, 2005 at 09:51 AM.
    'There is no cat' - A. Einstein


  4. #4
    Join Date
    Nov 2009

    Re: What is INT 3 ?

    First of all, INT3 is only for x86 systems; other systems may have other trap/breakpoint instructions.
    Programs (usually) don't call INT 3. Its usage is mostly dedicated to debuggers for setting temporary breakpoints in running code.

    In some cases, developers (during development) may put explicit INT 3 instructions in the code they are developing, knowing that if that condition happens, their program will *break* and the debugger they are using will take charge.

    When active, the debugger sets its own interrupt handler for INT3 in the system. Any call to INT3 will cause the running program to *break* (stop execution) and branch out execution to the debugger's INT3 handler. After some basic state saving, the INT3 handler usually yields control to the debugger GUI.

    When you want to debug a program, the debugger loads the program code and, if available, its source code into memory. Then the programmer goes and sets a breakpoint using the source code. If the program is compiled with debug code, the debugger easily locates the assembly instruction generated for the marked source code line. Then it saves this instruction into some memory and replaces it with INT3. This code is restored back after INT3 is invoked.

    This was a powerful mechanism back in the day for debugging and also cracking programs. One could easily write a TSR (Terminate and Stay Resident) in DOS for handling INT3, then place an INT3 in the code which he wants to patch.

    L.S. Mizrahi
    Software Specialist
    Centrillium IT Consulting
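
The save / replace-with-INT3 / restore cycle described in post #4, as an added example that is not code from any poster in this thread. It assumes x86-64 Linux with glibc and GCC or Clang; a SIGTRAP handler stands in for the debugger's INT 3 handler, and all function names are hypothetical.

```c
#define _GNU_SOURCE 1              /* exposes REG_RIP in <ucontext.h> */
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>
#ifndef REG_RIP
#define REG_RIP 16                 /* glibc's x86-64 gregs index for RIP */
#endif

static uint8_t *bp_addr;           /* where the breakpoint was planted */
static uint8_t saved_byte;         /* original first byte of the target */
static volatile sig_atomic_t hits; /* how many times the trap fired */

__attribute__((noinline)) int target(int x) { return x * 2 + 1; }

/* Stand-in for the debugger's handler: the CPU raised vector 3, the kernel's
   IDT entry turned it into SIGTRAP, and the saved RIP points just past 0xCC. */
static void on_trap(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    (void)sig; (void)si;
    hits++;
    *bp_addr = saved_byte;                                        /* restore */
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)bp_addr;  /* re-run it */
}

/* Plant a one-shot breakpoint on target(), call it, return its result. */
int run_with_breakpoint(int arg) {
    long page = sysconf(_SC_PAGESIZE);
    struct sigaction sa = {0};
    int (*volatile fn)(int) = target;   /* volatile: force a real call */
    sa.sa_sigaction = on_trap;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGTRAP, &sa, NULL);
    bp_addr = (uint8_t *)(uintptr_t)fn;
    uint8_t *base = (uint8_t *)((uintptr_t)bp_addr & ~(uintptr_t)(page - 1));
    if (mprotect(base, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    saved_byte = *bp_addr;              /* save the original opcode byte */
    *bp_addr = 0xCC;                    /* one-byte INT 3 opcode */
    hits = 0;
    int r = fn(arg);                    /* traps, handler restores, then runs */
    mprotect(base, (size_t)page, PROT_READ | PROT_EXEC);  /* code read-only again */
    return r;
}

int breakpoint_hits(void) { return (int)hits; }
int breakpoint_removed(void) { return *bp_addr == saved_byte && saved_byte != 0xCC; }

int main(void) { return run_with_breakpoint(20) == 41 ? 0 : 1; }
```

Without the `sigaction` call and with no debugger attached, the default SIGTRAP action terminates the process.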
