-
-
[旧帖] Win32DebugAPI怎么使用? 0.00雪花
-
2010-11-27 21:20 2873
-
Dim Si As New STARTUPINFO
Dim Pi As New PROCESS_INFORMATION
Dim Sa As New SECURITY_ATTRIBUTES
Si.cb = Marshal.SizeOf(Si)
Sa.nLength = Marshal.SizeOf(Sa)
CreateProcess(src, "", Sa, Sa, False, 2, IntPtr.Zero, IntPtr.Zero, Si, Pi)
我这样调用进去,但是只能拦截到dwDebugEventCode(我当然有调用WaitForDebugEvent和ContinueDebugEvent。
但是
如果获取
dh.u.Exception.pExceptionRecord.ExceptionCode
的话他始终是0。
所有
dh.u.*他得到的都是0……
求解……
【
实际上我是想要单步调试某个程序(只是统计他运行的指令数)
如果直接
Case DebugEventTypes.EXCEPTION_DEBUG_EVENT
Dim CONTEXT1 As New CONTEXT
CONTEXT1.ContextFlags = CONTEXT_CONTROL
GetThreadContext(Pi.hThread, CONTEXT1)
CONTEXT1.EFlags = CONTEXT1.EFlags Or &H100
runcount = runcount + 1
SetThreadContext(Pi.hThread, CONTEXT1)
被调试程序会卡死。
如果根据大多数教程的话u又取不到值。
我的CONTEXT是这样定义的(vb.net主要是vc.net的dllimport什么用不熟啊……至于VC啊,VB啊,pascal或者是汇编……UI实在麻烦……)
我的数据结构和API是这样定义的……
主程序是这样的
Dim Pi As New PROCESS_INFORMATION
Dim Sa As New SECURITY_ATTRIBUTES
Si.cb = Marshal.SizeOf(Si)
Sa.nLength = Marshal.SizeOf(Sa)
CreateProcess(src, "", Sa, Sa, False, 2, IntPtr.Zero, IntPtr.Zero, Si, Pi)
我这样调用进去,但是只能拦截到dwDebugEventCode(我当然有调用WaitForDebugEvent和ContinueDebugEvent。
但是
如果获取
dh.u.Exception.pExceptionRecord.ExceptionCode
的话他始终是0。
所有
dh.u.*他得到的都是0……
求解……
【
实际上我是想要单步调试某个程序(只是统计他运行的指令数)
如果直接
Case DebugEventTypes.EXCEPTION_DEBUG_EVENT
Dim CONTEXT1 As New CONTEXT
CONTEXT1.ContextFlags = CONTEXT_CONTROL
GetThreadContext(Pi.hThread, CONTEXT1)
CONTEXT1.EFlags = CONTEXT1.EFlags Or &H100
runcount = runcount + 1
SetThreadContext(Pi.hThread, CONTEXT1)
被调试程序会卡死。
如果根据大多数教程的话u又取不到值。
我的CONTEXT是这样定义的(vb.net主要是vc.net的dllimport什么用不熟啊……至于VC啊,VB啊,pascal或者是汇编……UI实在麻烦……)
我的数据结构和API是这样定义的……
#Region "Structs"
<StructLayout(LayoutKind.Sequential)> _
Public Structure PROCESS_INFORMATION
Dim hProcess As System.IntPtr
Dim hThread As System.IntPtr
Dim dwProcessId As Integer
Dim dwThreadId As Integer
End Structure
<StructLayout(LayoutKind.Sequential)> _
Public Structure STARTUPINFO
Dim cb As Integer
Dim lpReserved As System.IntPtr
Dim lpDesktop As System.IntPtr
Dim lpTitle As System.IntPtr
Dim dwX As Integer
Dim dwY As Integer
Dim dwXSize As Integer
Dim dwYSize As Integer
Dim dwXCountChars As Integer
Dim dwYCountChars As Integer
Dim dwFillAttribute As Integer
Dim dwFlags As Integer
Dim wShowWindow As Short
Dim cbReserved2 As Short
Dim lpReserved2 As System.IntPtr
Dim hStdInput As System.IntPtr
Dim hStdOutput As System.IntPtr
Dim hStdError As System.IntPtr
End Structure
<StructLayout(LayoutKind.Sequential)> _
Public Structure SECURITY_ATTRIBUTES
Dim nLength As Integer
Dim lpSecurityDescriptor As IntPtr
Dim bInheritHandle As Boolean
End Structure
#End Region
'Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Integer, ByVal dwMilliseconds As Integer) As Integer
<DllImport("kernel32.dll", SetlastError:=True, CharSet:=CharSet.Auto)> _
Public Function CreateProcess(ByVal lpApplicationName As String, _
ByVal lpCommandLine As String, _
ByRef lpProcessAttributes As SECURITY_ATTRIBUTES, _
ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, _
ByVal bInheritHandles As Boolean, _
ByVal dwCreationFlags As Integer, _
ByVal lpEnvironment As IntPtr, _
ByVal lpCurrentDirectory As IntPtr, _
ByRef lpStartupInfo As STARTUPINFO, _
ByRef lpProcessInformation As PROCESS_INFORMATION) As Boolean
End Function
Public Declare Function DebugActiveProcess Lib "kernel32" (ByVal dwProcessId As Integer) As Integer
<DllImport("kernel32.dll", CharSet:=CharSet.Auto)> _
Function WaitForDebugEvent(ByRef lpDebugEvent As DEBUG_EVENT_HEADER, ByVal dwMilliseconds As Integer) As Integer
End Function
Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Integer, ByRef lpContext As CONTEXT) As Integer
<DllImport("kernel32.dll")> _
Function ContinueDebugEvent(ByVal dwProcessId As Integer, _
ByVal dwThreadId As Integer, _
ByVal dwContinueStatus As DebugStates) As Integer
End Function
Declare Function SetThreadContext Lib "kernel32" (ByVal hThread As Integer, ByRef lpContext As CONTEXT) As Integer
'ApiOver
Public Enum DebugStates
DBG_CONTINUE = &H10002
DBG_TERMINATE_THREAD = &H40010003
DBG_TERMINATE_PROCESS = &H40010004
DBG_CONTROL_C = &H40010005
DBG_CONTROL_BREAK = &H40010008
DBG_EXCEPTION_NOT_HANDLED = &H80010001
End Enum
Public Structure DEBUG_EVENT_HEADER
Public dwDebugEventCode As DebugEventTypes
Public dwProcessId As Integer
Public dwThreadId As Integer
Public u As uu
End Structure
Public Structure uu
Public Exception As EXCEPTION_DEBUG_INFO
Public CreateProcessInfo As CREATE_PROCESS_DEBUG_INFO
Public ExitThread As EXIT_THREAD_DEBUG_INFO
Public ExitProcess As EXIT_PROCESS_DEBUG_INFO
Public LoadDll As LOAD_DLL_DEBUG_INFO
' UNLOAD_DLL_DEBUG_INFO UnloadDll;
' OUTPUT_DEBUG_STRING_INFO DebugString;
' RIP_INFO RipInfo;
Public UnloadDll As UNLOAD_DLL_DEBUG_INFO
Public DebugString As OUTPUT_DEBUG_STRING_INFO
Public RipInfo As RIP_INFO
End Structure
Public Structure RIP_INFO
Public dwError As Integer
Public dwType As Integer
End Structure
Public Structure OUTPUT_DEBUG_STRING_INFO
Public lpDebugStringData As Integer
Public fUnicode As Integer
Public nDebugStringLength As Integer
End Structure
Public Structure UNLOAD_DLL_DEBUG_INFO
Public lpBaseOfDll As Integer
End Structure
Public Structure LOAD_DLL_DEBUG_INFO
Public hFile As Integer
Public lpBaseOfDll As Integer
Public dwDebugInfoFileOffset As Integer
Public nDebugInfoSize As Integer
Public lpImageName As Integer
Public fUnicode As Integer
End Structure
Public Structure EXIT_THREAD_DEBUG_INFO
Public dwExitCode As Integer
End Structure
Public Structure EXIT_PROCESS_DEBUG_INFO
Public dwExitCode As Long
End Structure
Public Structure CREATE_PROCESS_DEBUG_INFO
Public hFile As Integer
Public hProcess As Integer
Public hThread As Integer
Public lpBaseOfImage As Integer
Public dwDebugInfoFileOffset As Integer
Public nDebugInfoSize As Integer
Public lpThreadLocalBase As Integer
Public lpStartAddress As Integer
Public lpImageName As Integer
Public fUnicode As Integer
End Structure
Public Structure CREATE_THREAD_DEBUG_INFO
Public hThread As Integer
Public lpThreadLocalBase As Integer
Public lpStartAddress As Integer
End Structure
Structure EXCEPTION_RECORD
Public ExceptionCode As Integer
Public ExceptionFlags As Integer
Public pExceptionRecord As Integer ' Pointer to an EXCEPTION_RECORD structure
Public ExceptionAddress As Integer
Public NumberParameters As Integer
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=15 - 1)> _
Public ExceptionInformation() As Short
End Structure
Structure EXCEPTION_DEBUG_INFO
Dim pExceptionRecord As EXCEPTION_RECORD
Dim dwFirstChance As Integer
End Structure
' EXCEPTION_DEBUG_INFO Exception;
' CR 'EATE_THREAD_DEBUG_INFO CreateThread;
' C REATE_PROCESS_DEBUG_INFO CreateProcessInfo;
'EXIT_THREAD_DEBUG_INFO ExitThread;
'EXIT_PROCESS_DEBUG_INFO ExitProcess;
' LOAD_DLL_DEBUG_INFO LoadDll;
' UNLOAD_DLL_DEBUG_INFO UnloadDll;
' OUTPUT_DEBUG_STRING_INFO DebugString;
' RIP_INFO RipInfo;
Public Enum DebugEventTypes
EXCEPTION_DEBUG_EVENT = 1&
CREATE_THREAD_DEBUG_EVENT = 2&
CREATE_PROCESS_DEBUG_EVENT = 3&
EXIT_THREAD_DEBUG_EVENT = 4&
EXIT_PROCESS_DEBUG_EVENT = 5&
LOAD_DLL_DEBUG_EVENT = 6&
UNLOAD_DLL_DEBUG_EVENT = 7&
OUTPUT_DEBUG_STRING_EVENT = 8&
RIP_EVENT = 9&
End Enum
Public Enum ExceptionCodes
EXCEPTION_GUARD_PAGE_VIOLATION = &H80000001
EXCEPTION_DATATYPE_MISALIGNMENT = &H80000002
EXCEPTION_BREAKPOINT = &H80000003
EXCEPTION_SINGLE_STEP = &H80000004
EXCEPTION_ACCESS_VIOLATION = &HC0000005
EXCEPTION_IN_PAGE_ERROR = &HC0000006
EXCEPTION_INVALID_HANDLE = &HC0000008
EXCEPTION_NO_MEMORY = &HC0000017
EXCEPTION_ILLEGAL_INSTRUCTION = &HC000001D
EXCEPTION_NONCONTINUABLE_EXCEPTION = &HC0000025
EXCEPTION_INVALID_DISPOSITION = &HC0000026
EXCEPTION_ARRAY_BOUNDS_EXCEEDED = &HC000008C
EXCEPTION_FLOAT_DENORMAL_OPERAND = &HC000008D
EXCEPTION_FLOAT_DIVIDE_BY_ZERO = &HC000008E
EXCEPTION_FLOAT_INEXACT_RESULT = &HC000008F
EXCEPTION_FLOAT_INVALID_OPERATION = &HC0000090
EXCEPTION_FLOAT_OVERFLOW = &HC0000091
EXCEPTION_FLOAT_STACK_CHECK = &HC0000092
EXCEPTION_FLOAT_UNDERFLOW = &HC0000093
EXCEPTION_INTEGER_DIVIDE_BY_ZERO = &HC0000094
EXCEPTION_INTEGER_OVERFLOW = &HC0000095
EXCEPTION_PRIVILEGED_INSTRUCTION = &HC0000096
EXCEPTION_STACK_OVERFLOW = &HC00000FD
EXCEPTION_CONTROL_C_EXIT = &HC000013A
End Enum
Public Enum ExceptionFlags
EXCEPTION_CONTINUABLE = 0
EXCEPTION_NONCONTINUABLE = 1 '\\ Noncontinuable exception
End Enum
Public Structure CONTEXT
Dim ContextFlags As Integer
Dim Dr0 As Integer
Dim Dr1 As Integer
Dim Dr2 As Integer
Dim Dr3 As Integer
Dim Dr6 As Integer
Dim Dr7 As Integer
Dim FloatSave As FLOATING_SAVE_AREA
Dim SegGs As Integer
Dim SegFs As Integer
Dim SegEs As Integer
Dim SegDs As Integer
Dim Edi As Integer
Dim Esi As Integer
Dim Ebx As Integer
Dim Edx As Integer
Dim Ecx As Integer
Dim Eax As Integer
Dim Ebp As Integer
Dim Eip As Integer
Dim SegCs As Integer
Dim EFlags As Integer
Dim Esp As Integer
Dim SegSs As Integer
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=512 - 1)> _
Dim ExtendedRegisters() As Byte
End Structure
Public Structure FLOATING_SAVE_AREA
Dim ControlWord As Integer
Dim StatusWord As Integer
Dim TagWord As Integer
Dim ErrorOffset As Integer
Dim ErrorSelector As Integer
Dim DataOffset As Integer
Dim DataSelector As Integer
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=80 - 1)> _
Dim RegisterArea() As Byte
Dim Cr0NpxState As Integer
End Structure
'Structure Over
Public Const NORMAL_PRIORITY_CLASS As UInt32 = &H2
Public Const DEBUG_ONLY_THIS_PROCESS = &H2
Public Const CONTEXT_i386 = &H10000
Public Const CONTEXT_CONTROL = (CONTEXT_i386 Or &H1&)
'Const Over主程序是这样的
Function test(ByVal src, ByVal time) As Char
test = Ac
'Begin
Dim Si As New STARTUPINFO
Dim Pi As New PROCESS_INFORMATION
Dim Sa As New SECURITY_ATTRIBUTES
Si.cb = Marshal.SizeOf(Si)
Sa.nLength = Marshal.SizeOf(Sa)
CreateProcess(src, "", Sa, Sa, False, 2, IntPtr.Zero, IntPtr.Zero, Si, Pi)
' MsgBox(Pi.dwProcessId)
' Dim sb As Boolean
' sb = DebugActiveProcess(Pi.dwProcessId)
' dh.dwProcessId = Pi.dwProcessId
' dh.dwThreadId = Pi.dwThreadId
Dim exited As Boolean
Dim runcount As Long = 0
' MsgBox("hello")
' GetThreadContext(Pi.dwThreadId, CONTEXT1)
' CONTEXT1.ContextFlags = &H10000 Or &H1&
' SetThreadContext(Pi.dwThreadId, CONTEXT1)
Dim tt As Integer = 0
While (Not exited)
WaitForDebugEvent(dh, -1)
' GetThreadContext(Pi.dwThreadId, CONTEXT1)
'SetThreadContext(Pi.dwThreadId, CONTEXT1)
Select Case dh.dwDebugEventCode
Case DebugEventTypes.EXIT_PROCESS_DEBUG_EVENT
exited = True
ContinueDebugEvent(dh.dwProcessId, dh.dwThreadId, DebugStates.DBG_EXCEPTION_NOT_HANDLED)
Exit While
'EXCEPTION_DEBUG_EVENT()
Case DebugEventTypes.CREATE_PROCESS_DEBUG_EVENT
'MsgBox(tt)
'EXCEPTION_DEBUG_EVENT
Case DebugEventTypes.EXCEPTION_DEBUG_EVENT 'DebugEventTypes.CREATE_PROCESS_DEBUG_EVENT
' MsgBox(dh.dwDebugEventCode)
' If dh.u.Exception.pExceptionRecord.ExceptionCode = &H80000003 Then
Dim CONTEXT1 As New CONTEXT
CONTEXT1.ContextFlags = CONTEXT_CONTROL
GetThreadContext(Pi.hThread, CONTEXT1)
'MsgBox(CONTEXT1.EFlags)
CONTEXT1.EFlags = CONTEXT1.EFlags Or &H100
runcount = runcount + 1
Form1.Label1.Text = runcount
Form1.Label2.Text = dh.u.Exception.pExceptionRecord.ExceptionCode
Application.DoEvents()
SetThreadContext(Pi.hThread, CONTEXT1)
' ContinueDebugEvent(dh.dwProcessId, dh.dwThreadId, DebugStates.DBG_CONTINUE)
' Continue While
' End If
' If dh.u.Exception.pExceptionRecord.ExceptionCode = &H80000004 Then
'Dim CONTEXT1 As New CONTEXT
'CONTEXT1.ContextFlags = CONTEXT_CONTROL
'GetThreadContext(Pi.hThread, CONTEXT1)
'MsgBox(CONTEXT1.EFlags)
'CONTEXT1.EFlags = CONTEXT1.EFlags Or &H100
'runcount = runcount + 1
'SetThreadContext(Pi.hThread, CONTEXT1)
'ContinueDebugEvent(dh.dwProcessId, dh.dwThreadId, DebugStates.DBG_CONTINUE)
'Continue While
'End If
End Select
ContinueDebugEvent(dh.dwProcessId, dh.dwThreadId, DebugStates.DBG_CONTINUE)
End While
'
MsgBox(runcount)
End Function [培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
赞赏
|
|
|---|---|
|
|
他的文章
赞赏
雪币:
留言:
