The previous chapter explained how to use the debug API to open a program for debugging and gave a simple example. This chapter covers the contents of debug messages in detail.
Just as message processing has its TMessage structure, debug events have their own event structure, TDebugEvent. Delphi defines TDebugEvent as follows:
  _DEBUG_EVENT = record
    dwDebugEventCode: DWORD;   // which kind of debug event this is
    dwProcessId: DWORD;        // process that produced the event
    dwThreadId: DWORD;         // thread that produced the event
    case Integer of            // variant part, selected by dwDebugEventCode
      0: (Exception: TExceptionDebugInfo);
      1: (CreateThread: TCreateThreadDebugInfo);
      2: (CreateProcessInfo: TCreateProcessDebugInfo);
      3: (ExitThread: TExitThreadDebugInfo);
      4: (ExitProcess: TExitProcessDebugInfo);
      5: (LoadDll: TLoadDLLDebugInfo);
      6: (UnloadDll: TUnloadDLLDebugInfo);
      7: (DebugString: TOutputDebugStringInfo);
      8: (RipInfo: TRIPInfo);
  end;
  TDebugEvent = _DEBUG_EVENT;
The structure is fairly complex: three fields of basic types followed by a variant (union) part. dwProcessId and dwThreadId identify the process and thread that produced the debug event, and dwDebugEventCode says which kind of debug event it is. Its possible values are listed below (taken from "Win32 assembler design"):
1. CREATE_PROCESS_DEBUG_EVENT: The process is created. This event occurs when the debugged process has just been created (and has not yet run), or when our program attaches to a running process with DebugActiveProcess. It is the first event our program should receive.
2. EXIT_PROCESS_DEBUG_EVENT: Generated when the debugged process exits.
3. CREATE_THREAD_DEBUG_EVENT: Occurs when a new thread is created in the debugged process, or when we first attach to a running process. Note that no notification is received when the main thread of the debugged process is created.
4. EXIT_THREAD_DEBUG_EVENT: Occurs when a thread in the debugged process exits. No notification is received when the main thread of the debugged process exits. We can treat the main thread of the debugged process as synonymous with the debugged process itself, so when our program sees CREATE_PROCESS_DEBUG_EVENT, that is in effect the CREATE_THREAD_DEBUG_EVENT for the main thread.
5. LOAD_DLL_DEBUG_EVENT: The debugged process loads a DLL. We receive this event when the PE loader first resolves the links to DLLs (when CreateProcess is called to load the debugged process), and again when the debugged process calls LoadLibrary.
6. UNLOAD_DLL_DEBUG_EVENT: Occurs when a DLL is unloaded from the debugged process.
7. EXCEPTION_DEBUG_EVENT: Occurs when an exception is raised in the debugged process. The exception is actually a debug interrupt (INT 3h). To resume the debugged process, call the ContinueDebugEvent function with the DBG_CONTINUE flag. Do not use the DBG_EXCEPTION_NOT_HANDLED flag, otherwise the debugged process will refuse to run on NT (on Win98 it runs fine).
8. OUTPUT_DEBUG_STRING_EVENT: Occurs when the debugged process calls the OutputDebugString function to send a message string to our program.
9. RIP_EVENT: An error occurred in system debugging.
Depending on dwDebugEventCode, read the corresponding member of the variant part to obtain the relevant debugging information. For example, given a TDebugEvent variable named Debug, if a debug event is received after calling WaitForDebugEvent(Debug, INFINITE) and the value of dwDebugEventCode is CREATE_PROCESS_DEBUG_EVENT, we can use Debug.CreateProcessInfo.hProcess to get the process handle of the debugged process that was just created.
The following explains the meaning of each structure that may appear inside TDebugEvent. Because no detailed documentation was available, most of this comes from testing; if there are errors, please point them out.
I. CreateProcessInfo structure: corresponds to the debug message CREATE_PROCESS_DEBUG_EVENT.
CreateProcessInfo.hFile: File-mapping handle through which the EXE file of the debugged process is mapped into memory. The EXE file can be read by opening this handle (with OpenFileMapping and MapViewOfFile), for example its import and export tables.
CreateProcessInfo.hProcess: Process handle of the debugged process. Functions such as ReadProcessMemory and WriteProcessMemory that modify the debugged process need this handle, so save it in a variable for later use.
CreateProcessInfo.hThread: Handle of the main thread.
CreateProcessInfo.lpBaseOfImage: Base address at which the executable file is loaded in the virtual address space.
CreateProcessInfo.dwDebugInfoFileOffset: Offset of the debugging information within the executable file (usually 0, meaning no debugging information).
CreateProcessInfo.nDebugInfoSize: Length of the debugging information.
CreateProcessInfo.lpThreadLocalBase: Base address of the main thread.
CreateProcessInfo.lpStartAddress: Address of the main thread's thread function.
CreateProcessInfo.lpImageName: File image name. Note that this is an RVA (relative virtual address).
CreateProcessInfo.fUnicode: If this value is greater than 0, the file name that lpImageName points to is Unicode.
II. ExitProcess structure: corresponds to the debug message EXIT_PROCESS_DEBUG_EVENT.
ExitProcess.dwExitCode: The exit code passed in when the debugged process calls the ExitProcess function.
III. CreateThread structure: corresponds to the debug message CREATE_THREAD_DEBUG_EVENT.
CreateThread.hThread: Handle of the new thread. If you will be operating on threads, for example suspending them, you can save the thread ID (TDebugEvent.dwThreadId) and the corresponding handle in a TList; when a later debug event arrives, look up the thread handle by dwThreadId.
CreateThread.lpThreadLocalBase: Base address of the new thread.
CreateThread.lpStartAddress: Address of the new thread's thread function.
IV. ExitThread structure: corresponds to the debug message EXIT_THREAD_DEBUG_EVENT.
ExitThread.dwExitCode: The exit code passed in when the ExitThread function is called.
V. LoadDll structure: corresponds to the debug message LOAD_DLL_DEBUG_EVENT.
LoadDll.hFile: File-mapping handle through which the loaded DLL file is mapped into memory; open this handle to read information about the DLL file.
LoadDll.lpBaseOfDll: Base address at which the DLL file is loaded in the virtual address space. This address plus the address of a function within the DLL file gives the address of that function in memory.
LoadDll.dwDebugInfoFileOffset: Offset of the debugging information within the DLL file.
LoadDll.nDebugInfoSize: Length of the debugging information.
LoadDll.lpImageName: Address of the DLL file name; this is an RVA.
LoadDll.fUnicode: If this value is greater than 0, the file name that lpImageName points to is Unicode.
VI. UnloadDll structure: corresponds to the debug message UNLOAD_DLL_DEBUG_EVENT.
UnloadDll.lpBaseOfDll: Base address of the unloaded DLL file. By saving each DLL's information together with its base address when LOAD_DLL_DEBUG_EVENT arrives, you can look up which DLL was unloaded.
VII. Exception structure: corresponds to the debug message EXCEPTION_DEBUG_EVENT.
Exception.ExceptionRecord: A TExceptionRecord structure containing the interrupt or exception code raised by the debugged process, the address at which the interrupt or exception was raised, and so on.
VIII. DebugString structure: corresponds to the debug message OUTPUT_DEBUG_STRING_EVENT.
DebugString.lpDebugStringData: Address of the message string sent when the debugged process calls the OutputDebugString function.
DebugString.nDebugStringLength: Length of the message string sent when the debugged process calls the OutputDebugString function.
DebugString.fUnicode: If this value is greater than 0, the message string is Unicode.
IX. RipInfo structure: corresponds to the debug message RIP_EVENT.
RipInfo.dwError: Error code.
RipInfo.dwType: Error type.
With the above knowledge, we can monitor these debug messages in the debugger and extract the information we are interested in. But this only monitors the debugged program. The next chapter will explain how to modify the debugged program.
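The following monitor is an added example, not the downloadable sample or code from the original article: it dispatches on dwDebugEventCode, keeps thread handles keyed by dwThreadId, and closes the hFile handles it is handed. It assumes the target path is passed as the first command-line argument; the DBG_CONTINUE advice above is applied to the INT 3 breakpoint, while handing other exceptions back with DBG_EXCEPTION_NOT_HANDLED is this example's own choice.

```delphi
program DebugMonitor;
{$APPTYPE CONSOLE}
uses Windows, SysUtils, Classes;
var
  Cmd: string; SI: TStartupInfo; PI: TProcessInformation;
  Ev: TDebugEvent; Status: DWORD; Running: Boolean;
  Threads: TStringList;  // 'dwThreadId=handle' pairs for later lookups
begin
  Cmd := ParamStr(1);    // assumption: target path is the first argument
  UniqueString(Cmd);     // CreateProcess may write to the command-line buffer
  FillChar(SI, SizeOf(SI), 0); SI.cb := SizeOf(SI);
  if not CreateProcess(nil, PChar(Cmd), nil, nil, False,
    DEBUG_ONLY_THIS_PROCESS, nil, nil, SI, PI) then RaiseLastOSError;
  Threads := TStringList.Create; Running := True;
  while Running and WaitForDebugEvent(Ev, INFINITE) do
  begin
    Status := DBG_CONTINUE;
    case Ev.dwDebugEventCode of
      CREATE_PROCESS_DEBUG_EVENT:
        begin  // also stands in for the main thread's creation event
          Writeln(Format('process %d, image base %p',
            [Ev.dwProcessId, Ev.CreateProcessInfo.lpBaseOfImage]));
          Threads.Values[IntToStr(Ev.dwThreadId)] :=
            IntToStr(Ev.CreateProcessInfo.hThread);
          CloseHandle(Ev.CreateProcessInfo.hFile);  // ours to close, else it leaks
        end;
      CREATE_THREAD_DEBUG_EVENT:
        Threads.Values[IntToStr(Ev.dwThreadId)] := IntToStr(Ev.CreateThread.hThread);
      EXIT_THREAD_DEBUG_EVENT:
        Threads.Values[IntToStr(Ev.dwThreadId)] := '';  // empty value drops the entry
      LOAD_DLL_DEBUG_EVENT:
        begin
          Writeln(Format('DLL loaded at %p', [Ev.LoadDll.lpBaseOfDll]));
          CloseHandle(Ev.LoadDll.hFile);
        end;
      UNLOAD_DLL_DEBUG_EVENT:
        Writeln(Format('DLL unloaded from %p', [Ev.UnloadDll.lpBaseOfDll]));
      EXCEPTION_DEBUG_EVENT:
        if Ev.Exception.ExceptionRecord.ExceptionCode <> EXCEPTION_BREAKPOINT then
          Status := DBG_EXCEPTION_NOT_HANDLED;  // let the target's own handlers run
      EXIT_PROCESS_DEBUG_EVENT:
        begin
          Writeln(Format('exit code %d, %d thread(s) still tracked',
            [Ev.ExitProcess.dwExitCode, Threads.Count]));
          Running := False;
        end;
    end;
    ContinueDebugEvent(Ev.dwProcessId, Ev.dwThreadId, Status);
  end;
  Threads.Free;
  CloseHandle(PI.hThread); CloseHandle(PI.hProcess);
end.
```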
Attachment: an example that monitors a target program as it starts, loads DLLs and exits, and demonstrates how to read the RVA address to get the file name of a loaded DLL. Please download it below.
http://qxccccc.8u8.com/debug.rar