private uint OnLoadDllDebugEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
var LoadDll = DebugEv.u.LoadDll;
UnsafeMethods.CloseHandle(LoadDll.hFile);
return(DBG_CONTINUE);
}
private uint OnCreateThreadDebugEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
var CreateThread = DebugEv.u.CreateThread;
openHandles.Add(DebugEv.dwThreadId, CreateThread.hThread);
return(DBG_CONTINUE);
}
private uint OnOutputDebugStringEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
if (!logger.IsTraceEnabled)
{
return(DBG_CONTINUE);
}
var hProc = openHandles[DebugEv.dwProcessId];
var DebugString = DebugEv.u.DebugString;
int len = DebugString.nDebugStringLength;
if (DebugString.fUnicode != 0)
{
len *= 2;
}
byte[] buf = new byte[len];
uint lenRead;
if (!UnsafeMethods.ReadProcessMemory(hProc, DebugString.lpDebugStringData, buf, (uint)len, out lenRead))
{
var ex = new Win32Exception(Marshal.GetLastWin32Error());
logger.Trace(" Failed to read debug string. {0}.", ex.Message);
}
else
{
var encoding = DebugString.fUnicode != 0 ? Encoding.Unicode : Encoding.ISOLatin1;
string str = encoding.GetString(buf, 0, (int)lenRead);
logger.Trace(" {0}", str);
}
return(DBG_CONTINUE);
}
private uint OnCreateProcessDebugEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
var CreateProcessInfo = DebugEv.u.CreateProcessInfo;
UnsafeMethods.CloseHandle(CreateProcessInfo.hFile);
_openHandles.Add(DebugEv.dwProcessId, CreateProcessInfo.hProcess);
_openHandles.Add(DebugEv.dwThreadId, CreateProcessInfo.hThread);
return(DBG_CONTINUE);
}
private uint OnExitProcessDebugEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
if (dwProcessId == DebugEv.dwProcessId)
{
processExit = true;
}
_openHandles.Remove(DebugEv.dwProcessId);
return(DBG_CONTINUE);
}
private uint OnExitProcessDebugEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
lock (mutex)
{
processHandles.Remove(openHandles[DebugEv.dwProcessId]);
}
openHandles.Remove(DebugEv.dwProcessId);
openHandles.Remove(DebugEv.dwThreadId);
return(DBG_CONTINUE);
}
private uint OnExceptionDebugEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
// Filter for target process id. It is possible to get a 2nd
// chance exception for a process that we stopped wanting
// to monitor after processing a 1st chance exception. Or anytime
// the ContinueDebugging callback returns false before processExit is true.
uint result = DBG_EXCEPTION_NOT_HANDLED;
var Exception = DebugEv.u.Exception;
if (logger.IsTraceEnabled)
{
logger.Trace(" {0}", ExceptionToString(Exception));
}
bool notify = DebugEv.dwProcessId == this.dwProcessId && HandleAccessViolation != null;
if (Exception.dwFirstChance == 0 && notify)
{
HandleAccessViolation(DebugEv);
notify = false;
result = DBG_CONTINUE;
}
switch (Exception.ExceptionRecord.ExceptionCode)
{
case EXCEPTION_ACCESS_VIOLATION:
// First chance: Pass this on to the system.
// Last chance: Display an appropriate error.
if (notify)
{
HandleAccessViolation(DebugEv);
}
break;
case EXCEPTION_BREAKPOINT:
// From: http://stackoverflow.com/questions/3799294/im-having-problems-with-waitfordebugevent-exception-debug-event
// If launch a process and expect to debug it using the Windows API calls,
// you should know that Windows will send one EXCEPTION_BREAKPOINT (INT3)
// when it first loads. You must DEBUG_CONTINUE this first breakpoint
// exception... if you DBG_EXCEPTION_NOT_HANDLED you will get the popup
// message box: The application failed to initialize properly (0x80000003).
if (!initialBreak)
{
result = DBG_CONTINUE;
}
initialBreak = true;
break;
}
return(result);
}
private uint OnCreateProcessDebugEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
var CreateProcessInfo = DebugEv.u.CreateProcessInfo;
UnsafeMethods.CloseHandle(CreateProcessInfo.hFile);
lock (mutex)
{
processHandles.Add(CreateProcessInfo.hProcess);
}
openHandles.Add(DebugEv.dwProcessId, CreateProcessInfo.hProcess);
openHandles.Add(DebugEv.dwThreadId, CreateProcessInfo.hThread);
if (ProcessId == DebugEv.dwProcessId && ProcessCreated != null)
{
ProcessCreated();
}
return(DBG_CONTINUE);
}
private uint OnExceptionDebugEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
var Exception = DebugEv.u.Exception;
if (logger.IsTraceEnabled)
{
logger.Trace(" Pid: {0}, Exception: {1}", DebugEv.dwProcessId, ExceptionToString(Exception));
}
switch (Exception.ExceptionRecord.ExceptionCode)
{
case STATUS_WX86_BREAKPOINT:
case EXCEPTION_BREAKPOINT:
// From: http://stackoverflow.com/questions/3799294/im-having-problems-with-waitfordebugevent-exception-debug-event
// If launch a process and expect to debug it using the Windows API calls,
// you should know that Windows will send one EXCEPTION_BREAKPOINT (INT3)
// when it first loads. You must DEBUG_CONTINUE this first breakpoint
// exception... if you DBG_EXCEPTION_NOT_HANDLED you will get the popup
// message box: The application failed to initialize properly (0x80000003).
return(DBG_CONTINUE);
}
bool stop = HandleAccessViolation == null ? false : !HandleAccessViolation(DebugEv);
// If 1st chance, only stop if HandleAccessViolation returns false
// If 2nd chance, always stop
// Stop by calling TerminateProcess and continuing
// so we get thread & process exit notifications
if (stop || Exception.dwFirstChance == 0)
{
TerminateProcess();
return(DBG_CONTINUE);
}
return(DBG_EXCEPTION_NOT_HANDLED);
}
private uint OnExitThreadDebugEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
openHandles.Remove(DebugEv.dwThreadId);
return(DBG_CONTINUE);
}
private uint OnUnloadDllDebugEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
return(DBG_CONTINUE);
}
private uint ProcessDebugEvent(ref UnsafeMethods.DEBUG_EVENT DebugEv)
{
uint dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
switch (DebugEv.dwDebugEventCode)
{
case UnsafeMethods.DebugEventType.EXCEPTION_DEBUG_EVENT:
// Process the exception code. When handling
// exceptions, remember to set the continuation
// status parameter (dwContinueStatus). This value
// is used by the ContinueDebugEvent function.
logger.Trace("EXCEPTION_DEBUG_EVENT");
dwContinueStatus = OnExceptionDebugEvent(DebugEv);
break;
case UnsafeMethods.DebugEventType.CREATE_THREAD_DEBUG_EVENT:
// As needed, examine or change the thread's registers
// with the GetThreadContext and SetThreadContext functions;
// and suspend and resume thread execution with the
// SuspendThread and ResumeThread functions.
logger.Trace("CREATE_THREAD_DEBUG_EVENT");
dwContinueStatus = OnCreateThreadDebugEvent(DebugEv);
break;
case UnsafeMethods.DebugEventType.CREATE_PROCESS_DEBUG_EVENT:
// As needed, examine or change the registers of the
// process's initial thread with the GetThreadContext and
// SetThreadContext functions; read from and write to the
// process's virtual memory with the ReadProcessMemory and
// WriteProcessMemory functions; and suspend and resume
// thread execution with the SuspendThread and ResumeThread
// functions. Be sure to close the handle to the process image
// file with CloseHandle.
logger.Trace("CREATE_PROCESS_DEBUG_EVENT");
dwContinueStatus = OnCreateProcessDebugEvent(DebugEv);
break;
case UnsafeMethods.DebugEventType.EXIT_THREAD_DEBUG_EVENT:
// Display the thread's exit code.
logger.Trace("EXIT_THREAD_DEBUG_EVENT");
dwContinueStatus = OnExitThreadDebugEvent(DebugEv);
break;
case UnsafeMethods.DebugEventType.EXIT_PROCESS_DEBUG_EVENT:
// Display the process's exit code.
logger.Trace("EXIT_PROCESS_DEBUG_EVENT");
dwContinueStatus = OnExitProcessDebugEvent(DebugEv);
break;
case UnsafeMethods.DebugEventType.LOAD_DLL_DEBUG_EVENT:
// Read the debugging information included in the newly
// loaded DLL. Be sure to close the handle to the loaded DLL
// with CloseHandle.
logger.Trace("LOAD_DLL_DEBUG_EVENT");
dwContinueStatus = OnLoadDllDebugEvent(DebugEv);
break;
case UnsafeMethods.DebugEventType.UNLOAD_DLL_DEBUG_EVENT:
// Display a message that the DLL has been unloaded.
logger.Trace("UNLOAD_DLL_DEBUG_EVENT");
dwContinueStatus = OnUnloadDllDebugEvent(DebugEv);
break;
case UnsafeMethods.DebugEventType.OUTPUT_DEBUG_STRING_EVENT:
// Display the output debugging string.
logger.Trace("OUTPUT_DEBUG_STRING_EVENT");
dwContinueStatus = OnOutputDebugStringEvent(DebugEv);
break;
case UnsafeMethods.DebugEventType.RIP_EVENT:
logger.Trace("RIP_EVENT");
dwContinueStatus = OnRipEvent(DebugEv);
break;
default:
logger.Trace("UNKNOWN DEBUG EVENT: 0x" + DebugEv.dwDebugEventCode.ToString("X8"));
break;
}
return(dwContinueStatus);
}
private uint OnOutputDebugStringEvent(UnsafeMethods.DEBUG_EVENT DebugEv)
{
return(DBG_CONTINUE);
}
