Hi,
I know this page is devoted to win kernel stuff but actually this is the only site where I could find any related information with code
about how to write code using Debugger Engine API documented here:
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/introduction
So might I ask some help how to get started with this please. I tried various things but I am still unable to achieve a simple scenario like this:
1 attach to an existing process in user mode
2 break into debugger
3 go
4 detach
5 cleanup resources without getting errors
int main()
{
IDebugClient5* cl = 0;
if (HRESULT hr = DebugCreate(__uuidof(IDebugClient5), (void**)&cl); hr != S_OK)
bye(hr);
IDebugControl7* ctrl = 0;
if (HRESULT hr = cl->QueryInterface(__uuidof(IDebugControl7), (void**)&ctrl); hr != S_OK)
bye(hr);
StdOutputCallbacks stdoutCb;
if (HRESULT hr = cl->SetOutputCallbacks(&stdoutCb); hr != S_OK)
bye(hr);
StdInputCallbacks stdinputCb;
stdinputCb.ctrl = ctrl;
if (HRESULT hr = cl->SetInputCallbacks(&stdinputCb); hr != S_OK)
bye(hr);
DebugEventCallbacks dbgCb;
if (HRESULT hr = cl->SetEventCallbacks(&dbgCb); hr != S_OK)
bye(hr);
char cmd[255];
ULONG inputSize = 0;
static volatile bool loop = true;
while (loop) {
if (HRESULT hr = ctrl->Input(cmd, 255, &inputSize); hr != S_OK)
std::cout << "*** WARNING *** Input failed with " << std::hex << hr << "\n";
cmd[inputSize] = 0;
if (!std::strcmp(cmd, "bb")) {
ctrl->SetExecutionStatus(DEBUG_STATUS_BREAK);
ctrl->WaitForEvent(0, INFINITE);
continue;
}
if (!std::strcmp(cmd, "bye")) {
break;
}
if (HRESULT hr = ctrl->Execute(DEBUG_OUTCTL_THIS_CLIENT, cmd, DEBUG_EXECUTE_ECHO); hr != S_OK) {
std::cout << "*** WARNING *** Execute failed with " << std::hex << hr << "\n";
}
}
if (HRESULT hr = ctrl->Release(); hr != S_OK)
bye(hr);
if (HRESULT hr = cl->Release(); hr != S_OK)
bye(hr);
std::cout << "Hello World!\n";
}
Actually I would have a lot of questions I don’t know how to organize them:
- why is this so difficult? Is this inherently as difficult or just it is me who approach this wrongly?
- after attaching to the process I cannot switch to the process while attaching in WinDbg I can switch to the process
- why there is no break command for ctrl->Execute? I checked it multiple times… and it seems it does not exist, how to break running application in a command line debugger?
- It seems msdn docs are far from being enough to me to learning this stuff where can I find some docs from which I can learn this?
- is this hard to write my own debugger? I have the bad feeling anytime I will have a problem with this I will be stuck…
- When I just tried to create the client and then the control I was unable to release them I tried all combinations and I got errors for all of them.
I didn’t even attached to a target??? What is happening here? Actually what I did was something like this
if (HRESULT hr = DebugCreate(__uuidof(IDebugClient5), (void**)&cl); hr != S_OK)
bye(hr);
IDebugControl7* ctrl = 0;
if (HRESULT hr = cl->QueryInterface(__uuidof(IDebugControl7), (void**)&ctrl); hr != S_OK)
bye(hr);
if (HRESULT hr = ctrl->Release(); hr != S_OK)
bye(hr);
if (HRESULT hr = cl->Release(); hr != S_OK)
bye(hr); - Isn’t there any opensource code where this win api is used? but actually I would be happier with a tutorial than a full featured debugger code…
Any help would be really appreciated. Thanks in advance.
OUTPUT
.tlist note*
.tlist note*
WARNING: The debugger does not have a current process or thread
WARNING: Many commands will not work
0n25184 notepad++.exe
[info] cb ChangeDebuggeeState 0x4 2
.attach 0n25184
.attach 0n25184
WARNING: The debugger does not have a current process or thread
WARNING: Many commands will not work
[info] cb ChangeEngineState 800 0
No .natvis files found at C:\Windows\SYSTEM32\Visualizers.
No .natvis files found at C:\Users\Attila\AppData\Local\Dbg\Visualizers.
Microsoft (R) Windows Debugger Version 10.0.19041.1503 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Attach will occur on next execution
[info] cb ChangeDebuggeeState 0x4 2
bb
[info] cb ChangeEngineState 10 1
*** wait with pending attach
Unable to add extension DLL: ntsdexts
Unable to add extension DLL: uext
Unable to add extension DLL: exts
SECURE: File not allowed to be loaded - C:\Windows\SYSTEM32\dbghelp.dll
Error code: Win32 error 0n5
The call to LoadLibrary(ext) failed, Win32 error 0n2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
[info] cb ChangeEngineState 400 0
[info] cb SessionStatus
[info] cb ChangeDebuggeeState 0xffffffff 0
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
ModLoad: 00007ff6b3960000 00007ff6
b3f70000 C:\Program Files\Notepad++\notepad++.exe
[info] cb ChangeEngineState 10 100000006
[info] cb ChangeEngineState 1 0
[info] cb ChangeDebuggeeState 0xffffffff 0
[info] cb CreateProcess
[info] cb ChangeEngineState 10 6
r
r
rax=0000000000001006 rbx=000000be7bafec88 rcx=000000be7bafec88
rdx=0000000000000000 rsi=00000217a939f790 rdi=0000000000000001
rip=00007ffeab141104 rsp=000000be7bafeb78 rbp=0000000000000000
r8=000000be7bafeb18 r9=000000be7b8fd000 r10=0000000000000bf0
r11=0000000000100bf0 r12=0000000000000001 r13=0000000000000000
r14=0000000000000000 r15=0000000000000001
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
00007ffeab141104 c3 ret [info] cb ChangeDebuggeeState 0x4 2 g [info] cb ChangeEngineState 10 1 g [info] cb ChangeDebuggeeState 0x4 2 r r [info] cb ChangeDebuggeeState 0x4 2 bl bl [info] cb ChangeDebuggeeState 0x4 2 bb [info] cb ChangeEngineState 10 1 [info] cb ChangeSymbolState ModLoad: 00007ffe
ad5f0000 00007ffead7e8000 C:\Windows\SYSTEM32\ntdll.dll [info] cb ChangeEngineState 10 100000006 [info] cb ChangeEngineState 1 0 [info] cb ChangeDebuggeeState 0xffffffff 0 [info] cb LoadModule [info] cb ChangeEngineState 10 1 [info] cb ChangeEngineState 10 100000006 [info] cb ChangeEngineState 1 1 [info] cb ChangeDebuggeeState 0xffffffff 0 [info] cb CreateThread [info] cb ChangeEngineState 10 1 [info] cb ChangeSymbolState ... further module loads ModLoad: 00007ffe
9ca40000 00007ffe`9ccf1000 C:\Windows\SYSTEM32\iertutil.dll
[info] cb ChangeEngineState 10 100000006
[info] cb ChangeEngineState 1 0
[info] cb ChangeDebuggeeState 0xffffffff 0
[info] cb LoadModule
[info] cb ChangeEngineState 10 1
[info] cb ChangeEngineState 10 100000006
[info] cb ChangeEngineState 1 2
[info] cb ChangeDebuggeeState 0xffffffff 0
[info] cb CreateThread
[info] cb ChangeEngineState 10 1
[info] cb ChangeDebuggeeState 0x1 10
[info] cb ChangeEngineState 10 1
[info] cb ChangeEngineState 10 100000006
[info] cb ChangeEngineState 1 2
[info] cb ChangeDebuggeeState 0xffffffff 0
[info] cb ExitThread
[info] cb ChangeEngineState 10 1
I am deadlocked in waitforevent somehow.