不知道怎么成空的了 还出现了两个帖子,
补充:
代码如下:
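; Debug event loop (MASM, Win32 debug API).
; Plants an INT3 at BREAK_POINT1 when the debuggee is created, restores the
; original byte when that INT3 fires, then single-steps (EFLAGS.TF) until
; EIP == BREAK_POINT2 and shows the EAX value captured there.
; Uses: DebugEvent, ThreadContext, pi, dbInt3, dbOldByte, Regbuffer, hWinMain
; (all defined elsewhere). Only eax is written directly; invoke clobbers eax/ecx/edx.
.while TRUE
        ; block until the debuggee reports the next event
        invoke  WaitForDebugEvent, offset DebugEvent, INFINITE
        .if DebugEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT
                .break
        .elseif DebugEvent.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT
                ; Plant INT3 (dbInt3) at the entry point. dbOldByte must already hold
                ; the original byte at BREAK_POINT1 (this block never reads it),
                ; otherwise the restore below corrupts the debuggee's code.
                invoke  WriteProcessMemory, pi.hProcess, \
                        BREAK_POINT1, addr dbInt3, 1, NULL      ; set entry breakpoint
        .elseif DebugEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
                .if DebugEvent.u.Exception.pExceptionRecord.ExceptionCode \
                        == EXCEPTION_BREAKPOINT
                        mov     ThreadContext.ContextFlags, CONTEXT_FULL
                        invoke  GetThreadContext, pi.hThread, addr ThreadContext
                        ; INT3 is a trap: the reported EIP is past the 1-byte opcode
                        .if ThreadContext.regEip == BREAK_POINT1 + 1
                                dec     ThreadContext.regEip            ; back onto the original instruction
                                invoke  WriteProcessMemory, pi.hProcess, \
                                        BREAK_POINT1, addr dbOldByte, 1, NULL   ; remove entry breakpoint
                                or      ThreadContext.regFlag, 100h     ; EFLAGS.TF (bit 8): trap after next instruction
                                invoke  SetThreadContext, pi.hThread, addr ThreadContext
                        .endif
                        ; any other INT3 (e.g. the initial system breakpoint) is simply continued
                .elseif DebugEvent.u.Exception.pExceptionRecord.ExceptionCode \
                        == EXCEPTION_SINGLE_STEP
                        mov     ThreadContext.ContextFlags, CONTEXT_FULL
                        invoke  GetThreadContext, pi.hThread, addr ThreadContext
                        .if ThreadContext.regEip == BREAK_POINT2
                                ; Capture EAX at the point of interest. Only eax is used here,
                                ; so the callee-saved ebx is no longer clobbered.
                                mov     eax, ThreadContext.regEax
                                mov     dword ptr Regbuffer, eax
                                ; NOTE(review): Regbuffer holds the 4 raw bytes of EAX and MessageBox
                                ; shows them as text; format with wsprintf "%08X" into Regbuffer if a
                                ; readable hex value is wanted. Regbuffer must be NUL-terminated after
                                ; those 4 bytes (its size is not visible here) - confirm.
                                invoke  MessageBox, hWinMain, addr Regbuffer, addr Regbuffer, MB_OK
                                ; leaves the loop without ContinueDebugEvent: the debuggee stays
                                ; suspended until the caller resumes or terminates it
                                .break
                        .else
                                ; TF does not persist across the reported step (the original code
                                ; re-sets it after every step), so re-arm it to keep stepping
                                or      ThreadContext.regFlag, 100h
                                invoke  SetThreadContext, pi.hThread, addr ThreadContext
                        .endif
                .else
                        ; Not a debugger-generated exception: hand it back to the debuggee so
                        ; its own handlers see it. Reporting DBG_CONTINUE here would mark e.g.
                        ; an access violation as handled and re-execute the faulting
                        ; instruction indefinitely.
                        invoke  ContinueDebugEvent, DebugEvent.dwProcessId, \
                                DebugEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED
                        .continue
                .endif
        .endif
        invoke  ContinueDebugEvent, DebugEvent.dwProcessId, \
                DebugEvent.dwThreadId, DBG_CONTINUE
.endw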
此单步功能是完成了的
BREAK_POINT1 equ 0049CC5Ch ;entry point: the INT3 is planted here on CREATE_PROCESS_DEBUG_EVENT
BREAK_POINT2 equ 00497497h ;stop here while single-stepping and read EAX at that moment
BREAK_POINT2是我想单步调试的重点地方,取得此处的eax值,但是OD调试发现一直无法满足 ThreadContext.regEip == BREAK_POINT2
入口点周围的代码是能够单步到的
也不至于是BREAK_POINT2距BREAK_POINT1太远不适合单步调试吧?OD中调试程序F9会运行到00497497,OD单步会出现"不知如何单步,因为内存XXXX不可读,请尝试更改EIP.." 我该如何解决呢?