i am trying to hack together a dbgeng based usermode only debugger and
it seems i cant understand something very basic
at the moment all i want is a printf() from CreateProcess event and
return DEBUG_STATUS_BREAK
add a bp on the AddrOfEntryPoint in a simple MessageBox.exe (invoke
msgbox(); invoke ExitProc();
Addr of EntryPoint is 0x401000 and i want to test bp here only (no
complications reqd atm)
the loadmod msgs will be passed to console via OutputCallbacks
when the bp is hit Event callback is called for breakpoint
and i Want to return back DEBUG_STATUS_STEP_OVER
i have added
class EventCallbacks : public DebugBaseEventCallbacks {
addref,release,getinerestmask.bp,except,createproc,LoadMod,SessStat,ChgengStat}
class StdioOutputCallbacks : public IDebugOutputCallbacks
{Queryint,Addref,Release,Output}
class StdioInputCallbacks : public IDebugInputCallbacks
{QI,Ar,Rel,StartIn,Endin}
in
STDMETHODIMP EvtCb::Bp( Bp ) {printf(“EventCallbacks::Breakpoint Id %x
%I64x\n”,Id,dbgbpparm.Offset); GO_HAND}
STDMETHODIMP EvtCb::Cp(…) {printf (“EventCallbacks::CreateProcess
ImageName %s\n”,ImageName);STAT_BREAK}
STDMETHODIMP EvtCb::Lm(…) {NO_CHANGE}
STDMETHODIMP EvtCb::Exce(…) {printf (“…”);GO_HAND}
STDMETHODIMP EvtCb::SessStat(…) {printf (“…”);S_OK}
STDMETHODIMP EvtCb::ChgEngStat(…) {printf (“…”);S_OK}
STDMETHODIMP OutCb::Output(…) {fput();S_OK}
STDMETHODIMP InCb::StartIn(…) {fgets();S_OK}
STDMETHODIMP InCb::EndIn(…) {void;S_OK}
in main() {
create_interfaces( for
IDbgClient,IdbgControl,IdbgdataSapces,IdebugReg,IdebugSym)
SetEvetCb (event)
Createprocess(…,dbg_only_this);
SetOutCb(out)
SetInCb(in)
EvtLoop();
Exit()
}
now i get the createproc printf
but i dont seem to be called in any of the callbacks for DEBUG_STATUS_BREAK
and i land up in unhandled event in my event loop
which looks like this
plese dont nit pick this crap code for dots and crosses i just want
ideas or concept
th sample healer and remmon loops have comments that we shouldnt
normally land here
so wher should i land where do i add my bp and how to handle the break
void
EventLoop(void)
{
HRESULT Status;
ULONG type,pid,tid;
char Desc[0x20];
BYTE extinf[0x30];
ULONG64 endoffset;
ULONG64 bpoffset = 0x401000;
ULONG ExecStatus;
for (;
{
if ((Status = g_Control->WaitForEvent(DEBUG_WAIT_DEFAULT,
INFINITE)) != S_OK)
{
ULONG ExecStatus;
if (g_Control->GetExecutionStatus(&ExecStatus) == S_OK &&
ExecStatus == DEBUG_STATUS_NO_DEBUGGEE)
{
// The session ended so we can quit.
break;
}
// There was a real error.
Exit(1, “WaitForEvent failed, 0x%X\n”, Status);
}
according to windbg sdk sample i shouldnt be here unless i have an
unhandled event
g_Control->GetLastEventInformation(&type,&pid,&tid,(PVOID)&extinf,0x30,NULL,(PSTR)Desc,0x20,NULL);
printf(“we have broken into the target due to event %x %s\n”,type,Desc);
g_Control->OutputDisassembly(DEBUG_OUTCTL_THIS_CLIENT,dbgbpparm.Offset,DEBUG_DISASM_EFFECTIVE_ADDRESS,&endoffset);
if (( Status =
g_Control->AddBreakpoint(DEBUG_BREAKPOINT_CODE,DEBUG_ANY_ID,&g_Breakpoint))
!= S_OK)
{
printf(“AddBp failed %x\n”,Status);
}
if (( Status = g_Breakpoint->SetOffset(bpoffset)) != S_OK)
{
printf(“Setoffset failed %x\n”,Status);
}
if (( Status = g_Breakpoint->SetFlags(DEBUG_BREAKPOINT_ENABLED)) != S_OK)
{
printf(“SetFlags failed %x\n”,Status);
}
if (( Status = g_Breakpoint->SetCommand(“.echo This is a Bp From Our
Code”)) != S_OK)
{
printf(“SetCommand failed %x\n”,Status);
}
if ((Status = g_Control->
SetExecutionStatus(DEBUG_STATUS_GO_HANDLED)) != S_OK)
{
Exit(1, “SetExecutionStatus failed, 0x%X\n”, Status);
}
}
}
my output from compiled binary as follows
foo:\>dbgengdbg.exe msgbox.exe
wtf2
EventCallbacks::SessionStatus = 0
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00404000 msgbox.exe
EventCallbacks::CreateProcess ImageName msgbox.exe
wtf2
we have broken into the target due to event 10 Create process 0:9b0
00000000 ?? ???
wtf2
wtf2
ModLoad: 7c900000 7c9b2000 ntdll.dll
wtf2
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
wtf2
ModLoad: 64d00000 64d3c000 C:\Program Files\Alwil Software\Avast5\snxhk.dll
wtf2
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\user32.dll
wtf2
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
wtf2
wtf2
ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll
wtf2
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
wtf2
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
wtf2
ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
wtf2
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
wtf2
This is a Bp From Our Code
EventCallbacks::Breakpoint Id 0 401000
wtf2
wtf2
we have broken into the target due to event 0
00401000 6a00 push 0
Breakpoints 1 and 0 match
wtf2
wtf2
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
wtf2
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
wtf2
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\version.dll
wtf2
ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\apphelp.dll
wtf2
ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
wtf2
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
wtf2
wtf2
EventCallbacks::SessionStatus = 4
wtf2
foo:\>dbgengdbg.exe msgbox.exe
wtf2
EventCallbacks::SessionStatus = 0
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00404000 msgbox.exe
EventCallbacks::CreateProcess ImageName msgbox.exe
wtf2
we have broken into the target due to event 10 Create process 0:488
<--------- unhandled ? dont we land in Exception Callback ?
00000000 ?? ???
wtf2
wtf2
ModLoad: 7c900000 7c9b2000 ntdll.dll
wtf2
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
wtf2
ModLoad: 64d00000 64d3c000 C:\Program Files\Alwil Software\Avast5\snxhk.dll
wtf2
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\user32.dll
wtf2
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
wtf2
wtf2
ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll
wtf2
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
wtf2
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
wtf2
ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
wtf2
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
wtf2
This is a Bp From Our Code <---------- the bp seems to be hit from
our unhandled code ???
EventCallbacks::Breakpoint Id 0 401000 <-------------------------
wtf2
wtf2
we have broken into the target due to event 0
00401000 6a00 push 0
Breakpoints 1 and 0 match <---------------------- yes this is crap we
should spin on it but not real concern atm
wtf2
wtf2
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
wtf2
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
wtf2
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\version.dll
wtf2
ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\apphelp.dll
wtf2
ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
wtf2
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
the exe starts running here what happend to the int 3 ?? dont we crash ?
who eats my excpetion ?? how can i eat my own break ???
wtf2
wtf2
EventCallbacks::SessionStatus = 4 DEBUG_END_SESSION PASSIVE How
??? who gave the permission ??
wtf2
foo:\>