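/// <summary>
/// Starts the character builder under a debugger, waits until <c>LOADED_FILE</c> is
/// mapped into the debuggee, patches its in-memory image so it accepts unencrypted
/// data, then detaches and leaves the process running.
/// </summary>
/// <remarks>
/// Every debug event is acknowledged with <c>ContinueEvent</c>. The loop ends either
/// once the module has been patched or when the debuggee exits before loading it;
/// previously there was no exit path for the latter case. Module names are compared
/// case-insensitively because Windows paths are case-insensitive and the debugger may
/// report a different casing than the configured name.
/// </remarks>
public static void StartProcessAndPatchMemory()
{
    Log.Debug("About to start loading character builder.");

    NativePipeline pipeline = new NativePipeline();
    Log.Debug("Creating process and attaching debugger");
    NativeDbgProcess proc = pipeline.CreateProcessDebug(EXECUTABLE, EXECUTABLE_ARGS);

    while (true)
    {
        Log.Debug("Waiting for next event");
        NativeEvent ne = pipeline.WaitForDebugEventInfinite();
        Log.Debug(ne.ToString());

        // Let the initial loader breakpoint pass so the debuggee keeps running.
        ne.Process.HandleIfLoaderBreakpoint(ne);

        if (ne.EventCode == NativeDebugEventCode.EXIT_PROCESS_DEBUG_EVENT)
        {
            // The target went away before LOADED_FILE was mapped: nothing left to patch,
            // and waiting for further events would never return a module load.
            Log.Debug(string.Format("Target exited before {0} was loaded; nothing patched.", LOADED_FILE));
            pipeline.ContinueEvent(ne);
            break;
        }

        if (ne.EventCode == NativeDebugEventCode.LOAD_DLL_DEBUG_EVENT)
        {
            DllBaseNativeEvent ev = (DllBaseNativeEvent)ne;
            // Substring match (as before), but case-insensitive for Windows module paths.
            if (ev.Module.Name.IndexOf(LOADED_FILE, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                patchMemory(ev, (uint)proc.Id);
                pipeline.ContinueEvent(ne);
                // Patched: detach so the character builder runs without a debugger.
                pipeline.Detach(proc);
                break;
            }
        }

        pipeline.ContinueEvent(ne);
    }
}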
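/// <summary>
/// Debugger event pump for the target identified by <c>_pid</c>. Attaches, notifies the
/// Python-side <c>Process</c> that the first breakpoint has been handled, then dispatches
/// exception, module-load and process-exit events to the wrapped process, acknowledging
/// each one with <c>ContinueEvent</c>. Runs until <c>_processingEvents</c> is cleared or
/// the debuggee exits.
/// </summary>
/// <remarks>
/// Event counts can be reported once per second via <c>PrintReport</c>; the interval is
/// measured with <c>DateTime.UtcNow</c> so a DST transition or local-time change cannot
/// stall or flood the report. <c>_attached</c> is cleared on both exit paths.
/// </remarks>
public void DebugEventHandler()
{
    NativePipeline dbg = new NativePipeline();
    // Attach() returns a process handle, but this loop only uses the pipeline and the
    // per-event Process reference, so the return value is intentionally not kept.
    dbg.Attach(_pid);
    _attached = true;

    // Tell the Python Process it is ready to resume. Best-effort: a failure in user
    // script code is logged and the debugger keeps running.
    try
    {
        _process.PyProcess.on_handle_first_bp();
    }
    catch (Exception ex)
    {
        Console.WriteLine(string.Format("ERROR: Python class 'Process' {0} failed when executing 'on_handle_first_bp()':", _process.GetName()));
        Console.WriteLine(ex.ToString());
    }

    // Per-second report state. UtcNow is unaffected by DST/local clock changes, unlike Now.
    DateTime lastReportTime = DateTime.UtcNow;
    Hashtable numEventsByTarget = new Hashtable(0x1000);
    _breakpointInfo = new Hashtable(10);
    // NOTE(review): nothing in this method sets printReport to true, so the PrintReport
    // calls below are currently unreachable; flip this flag to enable the report.
    bool printReport = false;

    bool processReady = false;
    bool loaderBreakpointReceived = false;
    bool wx86BreakpointReceived = false;

    while (_processingEvents)
    {
        if (DateTime.UtcNow.Subtract(lastReportTime).TotalSeconds >= 1)
        {
            // Print the number of events seen in the last second, then reset the counters.
            if (printReport && numEventsByTarget.Count > 0)
            {
                PrintReport(numEventsByTarget);
            }
            lastReportTime = DateTime.UtcNow;
            numEventsByTarget.Clear();
        }

        // Readiness is polled both before and after the (up to 100 ms) wait so a target
        // that becomes ready during the wait is noticed without an extra iteration.
        if (!processReady)
        {
            processReady = HandleProcessReady(wx86BreakpointReceived);
        }

        NativeEvent e = dbg.WaitForDebugEvent(100);

        if (!processReady)
        {
            processReady = HandleProcessReady(wx86BreakpointReceived);
        }

        // Honour a "keep the target alive" request as soon as it is observed.
        if (_keepOnExit && dbg.KillOnExit)
        {
            dbg.KillOnExit = false;
        }

        if (e == null)
        {
            // Wait timed out; loop back and re-check _processingEvents.
            continue;
        }

        e.Process.HandleIfLoaderBreakpoint(e, ref loaderBreakpointReceived);

        switch (e.EventCode)
        {
            case NativeDebugEventCode.EXCEPTION_DEBUG_EVENT:
                HandleNativeDebugEvent((ExceptionNativeEvent)e, ref numEventsByTarget, ref wx86BreakpointReceived);
                break;

            case NativeDebugEventCode.LOAD_DLL_DEBUG_EVENT:
                // ntdll.dll and kernel32.dll arrive first at process start; every module
                // load is forwarded to the wrapped process.
                if (_process.PyProcess.print_debugger_messages)
                {
                    Console.WriteLine(e.ToString());
                }
                _process.HandleModuleLoaded((LoadDllNativeEvent)e);
                break;

            case NativeDebugEventCode.EXIT_PROCESS_DEBUG_EVENT:
                // The debuggee is gone (raised on any exit, not only a crash): flush the
                // report, notify the process object, release the pipeline and stop pumping.
                if (printReport && numEventsByTarget.Count > 0)
                {
                    PrintReport(numEventsByTarget);
                }
                _process.HandleProcessTerminated();
                dbg.Dispose();
                _attached = false;
                return;

            default:
                break;
        }

        // Acknowledge the event so the debuggee resumes.
        dbg.ContinueEvent(e);
    }

    // Stopped by request while the target is still alive: make sure the target outlives
    // this debugger thread.
    // NOTE(review): unlike the exit-event path above, this path does not Dispose() the
    // pipeline; confirm whether that detach is deliberately skipped here.
    dbg.KillOnExit = false;
    _attached = false;
}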