编写一个非常基本的调试器 [英] Writing a very basic debugger

问题描述

是否可以在Windows下编写程序，从而在到达预定地址后导致远程进程线程中断（在该线程中停止执行）？

Is it possible to write a program under windows that will cause a remote process thread to break (stop execution in that thread) upon reaching a predefined address?

I一直在尝试Windows Debug API，但在设置断点方面似乎非常有限。 DebugBreakProcess函数似乎很有希望，但是我找不到有关如何使用此API调用的任何示例。

I have been experimenting with the Windows Debug API, but it seems very limited when it comes to setting breakpoints. The DebugBreakProcess function seemed promising, but I can't find any examples on how to use this API call.

推荐答案

您需要使用WriteProcessMemory将断点（在x86上，操作码为0xCC）写入地址。
在x86上，当调试对象在代码中到达该点时，0xCC将生成一个int 3异常。这是由调试器的WaitForDebugEvent拾取的，它将返回设置了EXCEPTION_DEBUG_EVENT的DEBUG_EVENT。

You need to use WriteProcessMemory to write a breakpoint (on x86, an opcode of 0xCC) to the address. On x86, when the debuggee hits that point in the code the 0xCC will generate an int 3 exception. This is picked up by your debugger's WaitForDebugEvent will return a DEBUG_EVENT with EXCEPTION_DEBUG_EVENT set.

然后，您需要将该地址修补回其原始代码，然后再继续。如果要再次中断，则需要单步执行，然后重新获取断点操作码。要单步执行，您需要在线程上下文的EFlag中设置单步标志。

You then need to patch the that address back to its original code before continuing. If you want to break again, you need to single step and then repatch the breakpoint opcode. To single step, you need to set the single step flag in EFlag in the thread context.

DebugBreakProcess用于生成正在调试的进程的远程中断-它不能用来在代码中的任意点处中断。

DebugBreakProcess is used to generate a remote break of a process you are debugging - it can't be used to break at an arbitrary point in the code.

这篇关于编写一个非常基本的调试器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！