/// <summary>
/// Handles the OUTPUT_DEBUG_STRING_EVENT debug event.
/// </summary>
/// <param name="de">The debug event that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnOutputDebugStringEvent(ref WinApi.DEBUG_EVENT de)
{
if (this.EventsMonitored.HasFlag(EventFilter.OUTPUT_DEBUG_STRING_EVENT))
{
bool isAscii = de.DebugString.fUnicode == 0;
ushort size = de.DebugString.nDebugStringLength;
byte[] data = new byte[size];
if (!this.Read(de.DebugString.lpDebugStringData, data))
{
return(base.OnOutputDebugStringEvent(ref de));
}
string debugString = string.Empty;
if (isAscii)
{
debugString = Encoding.ASCII.GetString(data);
}
else
{
debugString = Encoding.Unicode.GetString(data);
}
debugString = debugString.TrimEnd(new char[] { '\r', '\n', '\0' });
this.monitorLogger.Log(
this.AppendInstanceIdentifier("Debug string received: \"" + debugString + "\""));
}
return(base.OnOutputDebugStringEvent(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_FLT_INEXACT_RESULT debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnFltInexactResultDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.FLT_INEXACT_RESULT))
{
this.LogGenericException(ref de);
}
return(base.OnFltInexactResultDebugException(ref de));
}
/// <summary>
/// Logs the registers at the time the debug event was caught.
/// </summary>
/// <param name="de">The debug event that was caught.</param>
protected void LogRegisters(ref WinApi.DEBUG_EVENT de)
{
IntPtr threadHandle;
WinApi.CONTEXT cx;
this.BeginEditThread(de.dwThreadId, out threadHandle, out cx);
this.LogRegisters(ref cx);
this.EndEditThread(de.dwThreadId, ref threadHandle, ref cx);
}
/// <summary>
/// Logs information about an EXCEPTION_NONCONTINUABLE_EXCEPTION debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnNoncontinuableExceptionDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.NONCONTINUABLE_EXCEPTION))
{
this.LogGenericException(ref de);
}
return(base.OnNoncontinuableExceptionDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_IN_PAGE_ERROR debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnInPageErrorDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.IN_PAGE_ERROR))
{
this.LogGenericException(ref de);
}
return(base.OnInPageErrorDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_FLT_STACK_CHECK debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnFltStackCheckDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.FLT_STACK_CHECK))
{
this.LogGenericException(ref de);
}
return(base.OnFltStackCheckDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_FLT_INVALID_OPERATION debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnFltInvalidOperationDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.FLT_INVALID_OPERATION))
{
this.LogGenericException(ref de);
}
return(base.OnFltInvalidOperationDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_FLT_UNDERFLOW debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnFltUnderflowDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.FLT_UNDERFLOW))
{
this.LogGenericException(ref de);
}
return(base.OnFltUnderflowDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_INVALID_DISPOSITION debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnInvalidDispositionDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.INVALID_DISPOSITION))
{
this.LogGenericException(ref de);
}
return(base.OnInvalidDispositionDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_DATATYPE_MISALIGNMENT debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnDatatypeMisalignmentDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.DATATYPE_MISALIGNMENT))
{
this.LogGenericException(ref de);
}
return(base.OnDatatypeMisalignmentDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_FLT_DENORMAL_OPERAND debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnFltDenormalOperandDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.FLT_DENORMAL_OPERAND))
{
this.LogGenericException(ref de);
}
return(base.OnFltDenormalOperandDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_ARRAY_BOUNDS_EXCEEDED debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnArrayBoundsExceededDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.ARRAY_BOUNDS_EXCEEDED))
{
this.LogGenericException(ref de);
}
return(base.OnArrayBoundsExceededDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_INT_DIVIDE_BY_ZERO debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnIntDivideByZeroDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.INT_DIVIDE_BY_ZERO))
{
this.LogGenericException(ref de);
}
return(base.OnIntDivideByZeroDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_PRIV_INSTRUCTION debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnPrivInstructionDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.PRIV_INSTRUCTION))
{
this.LogGenericException(ref de);
}
return(base.OnPrivInstructionDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_SINGLE_STEP debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnSingleStepDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.SINGLE_STEP))
{
this.LogGenericException(ref de);
}
return(base.OnSingleStepDebugException(ref de));
}
/// <summary>
/// Logs generic information about an exception.
/// </summary>
/// <param name="de">The debug event that contains the exception that was thrown.</param>
protected void LogGenericException(ref WinApi.DEBUG_EVENT de)
{
this.monitorLogger.Log(this.AppendInstanceIdentifier(
"An exception occurred: " +
this.ExceptionCodeToPrettyString(de.Exception.ExceptionRecord.ExceptionCode)));
this.LogRegisters(ref de);
this.LogSurroundingInstructions(de.Exception.ExceptionRecord.ExceptionAddress, 5, 2);
this.LogExceptionRecord(de.Exception.ExceptionRecord);
}
/// <summary>
/// Logs information about an EXCEPTION_GUARD_PAGE debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnGuardPageDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.GUARD_PAGE))
{
this.GetExceptionAddressData(de.Exception.ExceptionRecord.ExceptionAddress);
this.LogGenericException(ref de);
}
return(base.OnGuardPageDebugException(ref de));
}
/// <summary>
/// Handles the EXIT_THREAD_DEBUG_EVENT debug event.
/// </summary>
/// <param name="de">The debug event that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnExitThreadDebugEvent(ref WinApi.DEBUG_EVENT de)
{
if (this.EventsMonitored.HasFlag(EventFilter.EXIT_THREAD_DEBUG_EVENT))
{
string message = "Thread " + de.dwThreadId + " has exited.";
this.monitorLogger.Log(this.AppendInstanceIdentifier(message));
}
return(base.OnExitThreadDebugEvent(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_STACK_OVERFLOW debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnStackOverflowDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.STACK_OVERFLOW))
{
this.GetExceptionAddressData(de.Exception.ExceptionRecord.ExceptionAddress);
this.LogGenericException(ref de);
}
return(base.OnStackOverflowDebugException(ref de));
}
/// <summary>
/// Handles the LOAD_DLL_DEBUG_EVENT debug event.
/// </summary>
/// <param name="de">The debug event that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnLoadDllDebugEvent(ref WinApi.DEBUG_EVENT de)
{
if (this.EventsMonitored.HasFlag(EventFilter.LOAD_DLL_DEBUG_EVENT))
{
string dllName = Auxiliary.GetFileNameFromHandle(de.LoadDll.hFile);
string message = "DLL loaded: " + dllName;
this.monitorLogger.Log(this.AppendInstanceIdentifier(message));
}
return(base.OnLoadDllDebugEvent(ref de));
}
/// <summary>
/// Handles the EXIT_PROCESS_DEBUG_EVENT debug event.
/// </summary>
/// <param name="de">The debug event that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnExitProcessDebugEvent(ref WinApi.DEBUG_EVENT de)
{
if (this.EventsMonitored.HasFlag(EventFilter.EXIT_PROCESS_DEBUG_EVENT))
{
string message =
"Process exited with code " + de.ExitProcess.dwExitCode + ". (PID: " + de.dwProcessId + ")";
this.monitorLogger.Log(this.AppendInstanceIdentifier(message));
}
return(base.OnExitProcessDebugEvent(ref de));
}
/// <summary>
/// Handles the CREATE_PROCESS_DEBUG_EVENT debug event.
/// </summary>
/// <param name="de">The debug event that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnCreateProcessDebugEvent(ref WinApi.DEBUG_EVENT de)
{
if (this.EventsMonitored.HasFlag(EventFilter.CREATE_PROCESS_DEBUG_EVENT))
{
string imageName = Auxiliary.GetFileNameFromHandle(de.CreateProcessInfo.hFile);
uint pid = de.dwProcessId;
string message = "Process created: " + imageName + " (PID: " + pid + ")";
this.monitorLogger.Log(this.AppendInstanceIdentifier(message));
}
return(base.OnCreateProcessDebugEvent(ref de));
}
/// <summary>
/// Handles the UNLOAD_DLL_DEBUG_EVENT debug event.
/// </summary>
/// <param name="de">The debug event that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnUnloadDllDebugEvent(ref WinApi.DEBUG_EVENT de)
{
if (this.EventsMonitored.HasFlag(EventFilter.UNLOAD_DLL_DEBUG_EVENT))
{
// TODO: Fix the name resolution function that is used when logging DLL unload events.
string dllName = this.GetFileNameFromHModule(de.UnloadDll.lpBaseOfDll);
string message = "DLL unloaded: " + dllName;
this.monitorLogger.Log(this.AppendInstanceIdentifier(message));
}
return(base.OnUnloadDllDebugEvent(ref de));
}
/// <summary>
/// Handles the EXCEPTION_BREAKPOINT debug exception.
/// Causes the process to trigger a single step debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnBreakpointDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.InitialBreakpointHit)
{
this.Restore(de.Exception.ExceptionRecord.ExceptionAddress, false);
//this.SetIP(de.Exception.ExceptionRecord.ExceptionAddress);
//this.PrepareForSingleStep(de.Exception.ExceptionRecord.ExceptionAddress);
this.BreakpointAddressJustHit = de.Exception.ExceptionRecord.ExceptionAddress;
this.RestoreBreakpointOnExceptionSingleStep = true;
}
return(base.OnBreakpointDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_ACCESS_VIOLATION debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnAccessViolationDebugException(ref WinApi.DEBUG_EVENT de)
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.ACCESS_VIOLATION))
{
string message = this.GetExceptionAddressData(de.Exception.ExceptionRecord.ExceptionAddress);
this.monitorLogger.Log(this.AppendInstanceIdentifier(message));
this.LogRegisters(ref de);
this.LogSurroundingInstructions(de.Exception.ExceptionRecord.ExceptionAddress, 5, 2);
this.LogExceptionRecord(de.Exception.ExceptionRecord);
}
return(base.OnAccessViolationDebugException(ref de));
}
/// <summary>
/// Handles the RIP_EVENT debug event.
/// </summary>
/// <param name="de">The debug event that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnRipEvent(ref WinApi.DEBUG_EVENT de)
{
if (this.EventsMonitored.HasFlag(EventFilter.RIP_EVENT))
{
StringBuilder msg = new StringBuilder();
msg.Append("A RIP event occured");
if (Enum.IsDefined(typeof(WinApi.RipInfoTypes), (WinApi.RipInfoTypes)de.RipInfo.dwType))
{
msg.Append(" (" + ((WinApi.RipInfoTypes)de.RipInfo.dwType).ToString() + ")");
}
msg.Append(". Error code: " + de.RipInfo.dwError);
}
return(base.OnRipEvent(ref de));
}
/// <summary>
/// Handles the EXCEPTION_SINGLE_STEP debug exception.
/// Logs information about the thread state when the exception is hit.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnSingleStepDebugException(ref WinApi.DEBUG_EVENT de)
{
IntPtr threadHandle;
WinApi.CONTEXT cx;
this.BeginEditThread(de.dwThreadId, out threadHandle, out cx);
if (this.LogRegistersOnBreakpoint)
{
this.LogRegisters(ref cx);
}
uint prevInstSize = this.GetPreviousInstructionSize(new IntPtr((long)cx._ip));
IntPtr prevInstruction = new IntPtr((long)cx._ip - prevInstSize);
if (this.LogBreakpointAccesses)
{
this.Status.Log(
"Modifying address is " +
this.IntPtrToFormattedAddress(prevInstruction) +
" with instruction length " + prevInstSize);
}
if (this.RestoreBreakpointOnExceptionSingleStep == true)
{
// TODO: eventually replace breakpointAddressJustHit with a check of Dr6.
if (this.BreakpointAddressJustHit != IntPtr.Zero)
{
this.Write(this.BreakpointAddressJustHit, (byte)0xcc, WriteOptions.None);
this.Status.Log(
"Restoring breakpoint at " +
this.IntPtrToFormattedAddress(this.BreakpointAddressJustHit));
this.BreakpointAddressJustHit = IntPtr.Zero;
}
else
{
this.Status.Log(
"Unexpected series of events during breakpoint restoration.",
Logger.Logger.Level.HIGH);
}
this.RestoreBreakpointOnExceptionSingleStep = false;
}
return(base.OnSingleStepDebugException(ref de));
}
/// <summary>
/// Logs information about an EXCEPTION_BREAKPOINT debug exception.
/// </summary>
/// <param name="de">The debug exception that was caught by the debugger.</param>
/// <returns>Returns the continue debugging status code.</returns>
protected override WinApi.DbgCode OnBreakpointDebugException(ref WinApi.DEBUG_EVENT de)
{
if (!this.InitialBreakpointHit)
{
this.InitialBreakpointHit = true;
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.BREAKPOINT))
{
this.monitorLogger.Log("Initial breakpoint hit.");
}
return(WinApi.DbgCode.CONTINUE);
}
else
{
if (this.ExceptionsMonitored.HasFlag(ExceptionFilter.BREAKPOINT))
{
this.monitorLogger.Log(
"Breakpoint hit at: " +
this.IntPtrToFormattedAddress(de.Exception.ExceptionRecord.ExceptionAddress));
}
}
return(base.OnBreakpointDebugException(ref de));
}