[update: changed title to get better google seaches. OK. I suck ;-)]
I installed Vista in a VMWare image so I could test and debug my emulator against real malware from http://www.offensivecomputing.net. I haven’t been overy successful, but while unpacking one of the Netsky variants packed with telock which uses hardware breakpoints, I came across a bug in VMWare.
I haven’t spent too much time analyzing the bug, but it seems to be the following is occuring..
If you set an execution hardware breakpoint on an address and single step onto that instruction, it immediately should raise an exception before completing the instruction (Intel specs say the exception occurs before execution of the instruction). What happens in VMWare, is that the exception isn’t raised at this point. It is only raised when a subsequent single step operation occurs.