Using IDebugControl::Disassemble to view the instructions of a subroutine


Problem description

So I'm attempting to use the Windows API (DbgEng.h/.lib) 'Disassemble' function to view the instructions of a certain function (which I know is exported) in a module. However... it's returning an unexpected error.

#include <windows.h>
#include <dbgeng.h>
// Utils::add_log / Utils::add_log_raw are the asker's own logging helpers (not shown).

IDebugClient* clt;
IDebugControl* ctrl;

void InitializeInterfaces(void)
{
    HRESULT status;

    if ((status = DebugCreate(__uuidof(IDebugClient), (void**)&clt)) != S_OK) {
        Utils::add_log("IDebugClient DebugCreate failed: 0x%X\n", status);
    }

    // Non-invasive attach to the current process (no WaitForEvent follows this).
    clt->AttachProcess(NULL, GetProcessId(GetCurrentProcess()), DEBUG_ATTACH_NONINVASIVE | DEBUG_ATTACH_NONINVASIVE_NO_SUSPEND);

    if ((status = clt->QueryInterface(__uuidof(IDebugControl), (void**)&ctrl)) != S_OK) {
        Utils::add_log("IDebugControl QueryInterface failed: 0x%X\n", status);
    }
}

// Hex-dump `size` bytes starting at `object`, used to sanity-check the function pointer.
void print_bytes(const void *object, size_t size, const char* funcname)
{
    size_t i;
    Utils::add_log("|%s function bytes| ", funcname);

    for (i = 0; i < size; i++)
    {
        Utils::add_log_raw("%02x ", ((const unsigned char *)object)[i] & 0xff);
    }

    Utils::add_log_raw("\n");
}

int main()
{
    InitializeInterfaces();

    ULONG64 bc = (ULONG64)(ULONG_PTR)GetProcAddress(GetModuleHandleA("lua_shared.dll"), "luaL_loadbufferx");

    // The disassembly text must land in a real character buffer; passing the address of
    // an uninitialized PSTR (as originally written) lets the engine write over the pointer.
    char buff[256];
    HRESULT size = ctrl->Disassemble(bc, DEBUG_DISASM_EFFECTIVE_ADDRESS, buff, sizeof buff, NULL, NULL);

    //error catching in case the disassemble fails (which it does fuck -___-)
    if (size == S_OK) {
        Utils::add_log("%s", buff);
    }
    else if (size == S_FALSE) {
        Utils::add_log("[error] buffer too small to receive process instructions");
    }
    else {
        Utils::add_log("IDebugControl process disassemble failed: 0x%X\n", size);
    }

    //troubleshooting
    Utils::add_log_raw("\nTROUBLESHOOTING INFO\n");
    Utils::add_log("|bc function pointer| 0x%llX\n", bc);
    print_bytes((const void*)(ULONG_PTR)bc, sizeof bc, "bc");
    return 0;
}

This is the current code I'm using, and this is what it outputs:

[04:09:56] IDebugControl process disassemble failed: 0x8000FFFF

TROUBLESHOOTING INFO

[04:09:56] |bc function pointer| 0x640FE750

[04:09:56] |bc function bytes| 55 8b ec 83 e4 f8 83 ec

Anyone know what I'm missing that causes it to throw that error? 0x8000FFFF is equivalent to the E_UNEXPECTED enum value. The function pointer is valid, the bytes seem fine, I'm lost.

Thanks in advance.

Recommended answer

You need to call IDebugControl::WaitForEvent(DEBUG_WAIT_DEFAULT, timeout) first.
