public void Run()
{
if (!DebugActiveProcess(process.Id))
throw new Win32Exception();
DebugSetProcessKillOnExit(false);
var debugEvent = new DEBUG_EVENT();
while (isDebugging)
{
uint dbgStatus = 0x80010001; // DBG_EXCEPTION_NOT_HANDLED
if (!WaitForDebugEvent(ref debugEvent, 0xFFFFFFFF))
throw new Win32Exception();
if (debugEvent.IsProcessStoped)
isDebugging = false;
else if (debugEvent.IsSingleStep)
{
ProcessThreadContext(debugEvent.ThreadId, ContextFlags.Full, (ref CONTEXT context) => {
if (this.thread.Id == debugEvent.ThreadId && breakpoints.ContainsKey(debugEvent.ExceptionAddress))
{
breakpoints[debugEvent.ExceptionAddress](process, context); // exec handler
}
}, true);
dbgStatus = 0x00010002; // DBG_CONTINUE
}
if (!WinApi.ContinueDebugEvent(debugEvent.ProcessId, debugEvent.ThreadId, dbgStatus))
throw new Win32Exception();
}
Console.WriteLine("Exit from debugger");
}
private static CONTINUE_STATUS HandleDebugEvent(DEBUG_EVENT value)
{
if (value.dwDebugEventCode == DEBUG_EVENT_CODE.EXCEPTION_DEBUG_EVENT) {
return CONTINUE_STATUS.DBG_EXCEPTION_NOT_HANDLED;
}
return CONTINUE_STATUS.DBG_CONTINUE;
}
public bool HandleStepEvent(DEBUG_EVENT debugEvent, out DebuggerAction nextAction)
{
var thread = _session.GetProcessById((int)debugEvent.dwProcessId)
.GetThreadById((int)debugEvent.dwThreadId);
nextAction = FinalizeStep(thread);
return(true);
}
private static CONTINUE_STATUS HandleDebugEvent(DEBUG_EVENT value)
{
if (value.dwDebugEventCode == DEBUG_EVENT_CODE.EXCEPTION_DEBUG_EVENT)
{
return(CONTINUE_STATUS.DBG_EXCEPTION_NOT_HANDLED);
}
return(CONTINUE_STATUS.DBG_CONTINUE);
}
public int GetInterestMask(out DEBUG_EVENT Mask)
{
Mask = DEBUG_EVENT.BREAKPOINT | DEBUG_EVENT.CREATE_PROCESS
| DEBUG_EVENT.EXCEPTION | DEBUG_EVENT.EXIT_PROCESS
| DEBUG_EVENT.CREATE_THREAD | DEBUG_EVENT.EXIT_THREAD
| DEBUG_EVENT.LOAD_MODULE | DEBUG_EVENT.UNLOAD_MODULE;
return(0);
}
public int GetInterestMask(out DEBUG_EVENT Mask)
{
Mask = DEBUG_EVENT.BREAKPOINT;
#if DEBUG
Mask = (DEBUG_EVENT)uint.MaxValue;
#endif
return((int)HRESULT.S_OK);
}
public int GetInterestMask([Out] out DEBUG_EVENT Mask)
{
Mask = DEBUG_EVENT.BREAKPOINT | DEBUG_EVENT.CHANGE_DEBUGGEE_STATE
| DEBUG_EVENT.CHANGE_ENGINE_STATE | DEBUG_EVENT.CHANGE_SYMBOL_STATE
| DEBUG_EVENT.CREATE_PROCESS | DEBUG_EVENT.CREATE_THREAD | DEBUG_EVENT.EXCEPTION | DEBUG_EVENT.EXIT_PROCESS
| DEBUG_EVENT.EXIT_THREAD | DEBUG_EVENT.LOAD_MODULE | DEBUG_EVENT.SESSION_STATUS | DEBUG_EVENT.SYSTEM_ERROR
| DEBUG_EVENT.UNLOAD_MODULE;
return(0);
}
public static DEBUG_EVENT WaitForDebugEvent(uint dwMilliseconds)
{
var debugEvent = new DEBUG_EVENT();
if (!__WaitForDebugEvent(ref debugEvent, dwMilliseconds))
{
throw new Win32Exception();
}
return(debugEvent);
}
private static void DebuggerThread()
{
DEBUG_EVENT evt = new DEBUG_EVENT();
evt.bytes = new byte[1024];
while (true)
{
int continueFlag = DBG_CONTINUE;
ContinueDebugEvent(evt.dwProcessId, evt.dwThreadId, continueFlag);
}
}
private static string ProcessCreateProcessEvent(DEBUG_EVENT evt)
{
// // Get the file size.
uint dwFileSizeHi = 0;
uint dwFileSizeLo = NativeMethods.GetFileSize(evt.LoadDll.hFile, out dwFileSizeHi);
StringBuilder sb = new StringBuilder(2048);
NativeMethods.GetFinalPathNameByHandle(evt.CreateProcessInfo.hFile, sb, 2048, FinalPathFlags.FILE_NAME_NORMALIZED);
return($"[PROCESS CREATED] {sb.ToString()}");
}
public bool HandlePageGuardViolationEvent(DEBUG_EVENT debugEvent, out DebuggerAction nextAction)
{
// Memory breakpoints are implemented using page guards. We need to check if the page guard
// violation originated from a breakpoint or not, and pause or continue execution when appropriate.
const int ExceptionInformationReadWrite = 0;
const int ExceptionInformationAddress = 1;
var info = debugEvent.InterpretDebugInfoAs <EXCEPTION_DEBUG_INFO>();
var process = _session.GetProcessById((int)debugEvent.dwProcessId);
var thread = process.GetThreadById((int)debugEvent.dwThreadId);
if (info.ExceptionRecord.NumberParameters >= 2)
{
bool isWrite = info.ExceptionRecord.ExceptionInformation[ExceptionInformationReadWrite] == 1;
IntPtr address = (IntPtr)info.ExceptionRecord.ExceptionInformation[ExceptionInformationAddress];
var pageGuard = process.GetContainingPageGuard(address);
if (pageGuard != null)
{
// Restore page guard after continuing.
_pageGuardsToRestore.Add(pageGuard);
if (pageGuard.Breakpoints.TryGetValue(address, out var breakpoint) &&
(breakpoint.BreakOnRead == !isWrite || breakpoint.BreakOnWrite == isWrite))
{
// Violation originated from a breakpoint.
var eventArgs = new BreakpointEventArgs(thread, breakpoint)
{
NextAction = DebuggerAction.Stop
};
breakpoint.HandleBreakpointEvent(eventArgs);
OnBreakpointHit(eventArgs);
nextAction = eventArgs.NextAction;
}
else
{
// Violation did not originate from a breakpoint.
_isRestoringFromGuard = true;
PrepareContextForSingleStep(thread);
nextAction = DebuggerAction.Continue;
}
return(true);
}
}
nextAction = DebuggerAction.ContinueWithException;
return(false);
}
private static string ProcessExceptionDebugEvent(DEBUG_EVENT evt)
{
if (evt.Exception.dwFirstChance != decimal.Zero && evt.Exception.ExceptionRecord.ExceptionCode != decimal.Zero)
{
DBG_CONTINUE_NEXT_STATUS = ContinueStatus.DBG_EXCEPTION_NOT_HANDLED;
}
else
{
DBG_CONTINUE_NEXT_STATUS = ContinueStatus.DBG_CONTINUE;
}
return($"[EXCEPTION DEBUG] ExceptionCode: {evt.Exception.ExceptionRecord.ExceptionCode.ToHex()}");
}
private DebuggerAction HandleExitProcessDebugEvent(DEBUG_EVENT debugEvent)
{
var info = debugEvent.InterpretDebugInfoAs <EXIT_PROCESS_DEBUG_INFO>();
var process = GetProcessById((int)debugEvent.dwProcessId);
process.ExitCode = (int)info.dwExitCode;
var eventArgs = new DebuggeeProcessEventArgs(process);
OnProcessTerminated(eventArgs);
_processes.Remove((int)debugEvent.dwProcessId);
return(eventArgs.NextAction);
}
public int GetInterestMask(out DEBUG_EVENT Mask)
{
Mask = DEBUG_EVENT.BREAKPOINT
| DEBUG_EVENT.CHANGE_ENGINE_STATE
| DEBUG_EVENT.CREATE_PROCESS
| DEBUG_EVENT.CREATE_THREAD
| DEBUG_EVENT.EXCEPTION
| DEBUG_EVENT.EXIT_PROCESS
| DEBUG_EVENT.EXIT_THREAD
| DEBUG_EVENT.SESSION_STATUS
| DEBUG_EVENT.SYSTEM_ERROR;
return(HResult.Ok);
}
private DebuggerAction HandleExitThreadDebugEvent(DEBUG_EVENT debugEvent)
{
var info = debugEvent.InterpretDebugInfoAs <EXIT_THREAD_DEBUG_INFO>();
var process = GetProcessById((int)debugEvent.dwProcessId);
var thread = process.GetThreadById((int)debugEvent.dwThreadId);
thread.ExitCode = (int)info.dwExitCode;
var eventArgs = new DebuggeeThreadEventArgs(thread);
OnThreadTerminated(eventArgs);
process.RemoveThread(thread);
return(eventArgs.NextAction);
}
public static DEBUG_EVENT WaitForDebugEvent(uint timeOut = Constants.INFINITE)
{
var de = new DEBUG_EVENT();
if (!API.WaitForDebugEvent(out de, timeOut))
{
var errC = Marshal.GetLastWin32Error();
if (errC != 0x79)
{
throw new Win32Exception(errC);
}
}
return(de);
}
private DebuggerAction HandleCreateThreadDebugEvent(DEBUG_EVENT debugEvent)
{
var info = debugEvent.InterpretDebugInfoAs <CREATE_THREAD_DEBUG_INFO>();
var process = GetProcessById((int)debugEvent.dwProcessId);
var thread = new DebuggeeThread(process, info.hThread, (int)debugEvent.dwThreadId, info.lpStartAddress);
process.AddThread(thread);
var eventArgs = new DebuggeeThreadEventArgs(thread);
OnThreadStarted(eventArgs);
return(eventArgs.NextAction);
}
public static string EventString(DEBUG_EVENT evt)
{
string log = null;
switch (evt.dwDebugEventCode)
{
case DebugEventType.RIP_EVENT:
log = ProcessRipEvent(evt);
break;
case DebugEventType.OUTPUT_DEBUG_STRING_EVENT:
log = ProcessOutputDebugStringEvent(evt);
break;
case DebugEventType.UNLOAD_DLL_DEBUG_EVENT:
log = ProcessUnloadDllDebugEvent(evt);
break;
case DebugEventType.LOAD_DLL_DEBUG_EVENT:
log = ProcessLoadDLLEvent(evt);
break;
case DebugEventType.EXIT_PROCESS_DEBUG_EVENT:
log = ProcessExitProcessEvent(evt);
break;
case DebugEventType.EXIT_THREAD_DEBUG_EVENT:
log = ProcessExitThreadEvent(evt);
break;
case DebugEventType.CREATE_PROCESS_DEBUG_EVENT:
log = ProcessCreateProcessEvent(evt);
break;
case DebugEventType.CREATE_THREAD_DEBUG_EVENT:
log = ProcessCreateThreadEvent(evt);
break;
case DebugEventType.EXCEPTION_DEBUG_EVENT:
log = ProcessExceptionDebugEvent(evt);
break;
default:
break;
}
return(log);
}
private DebuggerAction HandleOutputStringDebugEvent(DEBUG_EVENT debugEvent)
{
var info = debugEvent.InterpretDebugInfoAs <OUTPUT_DEBUG_STRING_INFO>();
var process = GetProcessById((int)debugEvent.dwProcessId);
var thread = process.GetThreadById((int)debugEvent.dwThreadId);
var eventArgs = new DebuggeeOutputStringEventArgs(thread,
process.ReadString(
info.lpDebugStringData,
info.nDebugStringLength,
info.fUnicode == 0));
OnOutputStringSent(eventArgs);
return(eventArgs.NextAction);
}
private static string ProcessLoadDLLEvent(DEBUG_EVENT evt)
{
// // Get the file size.
uint dwFileSizeHi = 0;
uint dwFileSizeLo = NativeMethods.GetFileSize(evt.LoadDll.hFile, out dwFileSizeHi);
StringBuilder sb = new StringBuilder(2048);
NativeMethods.GetFinalPathNameByHandle(evt.LoadDll.hFile, sb, 2048, FinalPathFlags.FILE_NAME_NORMALIZED);
string dllName = sb.ToString();
LoadedDlls[evt.LoadDll.lpBaseOfDll] = dllName;
return($"[DLL LOAD] {dllName}");
}
private DebuggerAction HandleDebugEvent(DEBUG_EVENT nextEvent)
{
var nextAction = DebuggerAction.Continue;
switch (nextEvent.dwDebugEventCode)
{
case DebugEventCode.CREATE_PROCESS_DEBUG_EVENT:
nextAction = HandleCreateProcessDebugEvent(nextEvent);
break;
case DebugEventCode.EXIT_PROCESS_DEBUG_EVENT:
nextAction = HandleExitProcessDebugEvent(nextEvent);
break;
case DebugEventCode.OUTPUT_DEBUG_STRING_EVENT:
nextAction = HandleOutputStringDebugEvent(nextEvent);
break;
case DebugEventCode.CREATE_THREAD_DEBUG_EVENT:
nextAction = HandleCreateThreadDebugEvent(nextEvent);
break;
case DebugEventCode.EXCEPTION_DEBUG_EVENT:
nextAction = HandleExceptionDebugEvent(nextEvent);
break;
case DebugEventCode.EXIT_THREAD_DEBUG_EVENT:
nextAction = HandleExitThreadDebugEvent(nextEvent);
break;
case DebugEventCode.LOAD_DLL_DEBUG_EVENT:
nextAction = HandleLoadDllDebugEvent(nextEvent);
break;
case DebugEventCode.RIP_EVENT:
break;
case DebugEventCode.UNLOAD_DLL_DEBUG_EVENT:
nextAction = HandleUnloadDllDebugEvent(nextEvent);
break;
default:
throw new ArgumentOutOfRangeException();
}
return(nextAction);
}
private static void ProcessDebugEvent(DEBUG_EVENT evt)
{
if (evt.dwDebugEventCode != DebugEventType.NONE)
{
Events.Add(evt);
}
var log = EventString(evt);
if (!string.IsNullOrEmpty(log))
{
Timeline.Add(log);
DebuggerLog(log);
}
Prompt();
}
private DebuggerAction HandleCreateProcessDebugEvent(DEBUG_EVENT debugEvent)
{
var info = debugEvent.InterpretDebugInfoAs <CREATE_PROCESS_DEBUG_INFO>();
var process = GetOrCreateProcess(info.hProcess, (int)debugEvent.dwProcessId);
process.BaseAddress = info.lpBaseOfImage;
// Create process event also spawns a new thread.
_currentThread = new DebuggeeThread(process, info.hThread, (int)debugEvent.dwThreadId, info.lpStartAddress);
process.AddThread(_currentThread);
var eventArgs = new DebuggeeProcessEventArgs(process);
OnProcessStarted(eventArgs);
return(eventArgs.NextAction);
}
public DbgLastEventInfo(DbgEngDebugger debugger,
DEBUG_EVENT eventType,
uint systemId,
uint processId,
uint threadId,
string description,
DEBUG_LAST_EVENT_INFO extraInformation)
{
EventType = eventType;
SystemId = systemId;
ProcessId = processId;
ThreadId = threadId;
Description = description;
ExtraInformation = extraInformation;
m_debugger = debugger;
}
private static string ProcessOutputDebugStringEvent(DEBUG_EVENT evt)
{
//var data = evt.DebugString.lpDebugStringData;
byte[] buffer = new byte[evt.DebugString.nDebugStringLength - 1];
IntPtr bytesReadPtr = IntPtr.Zero;
NativeMethods.ReadProcessMemory(
debuggee.Handle,
evt.DebugString.lpDebugStringData,
buffer,
evt.DebugString.nDebugStringLength - 1,
out bytesReadPtr);
var err = Marshal.GetLastWin32Error();
var text = Encoding.UTF8.GetString(buffer).TrimEnd('\r', '\n');
return(text);
}
private DebuggerAction HandleExceptionDebugEvent(DEBUG_EVENT debugEvent)
{
var info = debugEvent.InterpretDebugInfoAs <EXCEPTION_DEBUG_INFO>();
var process = GetProcessById((int)debugEvent.dwProcessId);
var thread = process.GetThreadById((int)debugEvent.dwThreadId);
var nextAction = DebuggerAction.Stop;
bool handled = false;
switch (info.ExceptionRecord.ExceptionCode)
{
case ExceptionCode.EXCEPTION_BREAKPOINT:
{
handled = _executionController.HandleBreakpointEvent(debugEvent, out nextAction);
break;
}
case ExceptionCode.EXCEPTION_SINGLE_STEP:
{
handled = _executionController.HandleStepEvent(debugEvent, out nextAction);
break;
}
case ExceptionCode.EXCEPTION_GUARD_PAGE:
{
handled = _executionController.HandlePageGuardViolationEvent(debugEvent, out nextAction);
break;
}
}
if (!handled)
{
// Forward exception to debugger.
var eventArgs = new DebuggeeExceptionEventArgs(thread,
new DebuggeeException((uint)info.ExceptionRecord.ExceptionCode,
info.ExceptionRecord.ExceptionCode.ToString(),
info.dwFirstChance == 1,
info.ExceptionRecord.ExceptionFlags == 0));
OnExceptionOccurred(eventArgs);
nextAction = eventArgs.NextAction;
}
return(nextAction);
}
static DEBUG_EVENT GetDebugEvent(IntPtr nativeDebugEvent)
{
WinAPI.DEBUG_EVENT result = new DEBUG_EVENT();
if (IntPtr.Size == 8)
{
WinAPI.DEBUG_EVENT64 DebugEvent64 = (WinAPI.DEBUG_EVENT64)Marshal.PtrToStructure(nativeDebugEvent, typeof(WinAPI.DEBUG_EVENT64));
result.dwDebugEventCode = DebugEvent64.dwDebugEventCode;
result.dwProcessId = DebugEvent64.dwProcessId;
result.dwThreadId = DebugEvent64.dwThreadId;
result.u = DebugEvent64.u;
}
else
{
result = (WinAPI.DEBUG_EVENT)Marshal.PtrToStructure(nativeDebugEvent, typeof(WinAPI.DEBUG_EVENT));
}
return(result);
}
private DebuggerAction HandleUnloadDllDebugEvent(DEBUG_EVENT debugEvent)
{
var info = debugEvent.InterpretDebugInfoAs <UNLOAD_DLL_DEBUG_INFO>();
var process = GetProcessById((int)debugEvent.dwProcessId);
var thread = process.GetThreadById((int)debugEvent.dwThreadId);
var library = process.GetLibraryByBase(info.lpBaseOfDll);
if (library != null)
{
process.RemoveLibrary(library);
var eventArgs = new DebuggeeLibraryEventArgs(thread, library);
OnLibraryUnloaded(eventArgs);
return(eventArgs.NextAction);
}
return(DebuggerAction.Continue);
}
private void HandleNextAction(DebuggerAction nextAction, DEBUG_EVENT nextEvent)
{
switch (nextAction)
{
case DebuggerAction.Continue:
_nextContinueStatus = ContinueStatus.DBG_CONTINUE;
break;
case DebuggerAction.ContinueWithException:
_nextContinueStatus = ContinueStatus.DBG_EXCEPTION_NOT_HANDLED;
break;
case DebuggerAction.Stop:
var process = GetProcessById((int)nextEvent.dwProcessId);
var thread = process.GetThreadById((int)nextEvent.dwThreadId)
?? new DebuggeeThread(process, IntPtr.Zero, (int)nextEvent.dwThreadId, IntPtr.Zero);
var eventArgs = new DebuggeeThreadEventArgs(thread);
eventArgs.NextAction = DebuggerAction.Stop;
OnPaused(eventArgs);
switch (eventArgs.NextAction)
{
case DebuggerAction.Continue:
_nextContinueStatus = ContinueStatus.DBG_CONTINUE;
break;
case DebuggerAction.ContinueWithException:
_nextContinueStatus = ContinueStatus.DBG_EXCEPTION_NOT_HANDLED;
break;
case DebuggerAction.Stop:
_continueEvent.WaitOne();
break;
default:
throw new ArgumentOutOfRangeException();
}
break;
}
}
private void LogDebugEvent(DEBUG_EVENT debugEvent)
{
switch (debugEvent.dwDebugEventCode)
{
case DEBUG_EVENT_CODE.OUTPUT_DEBUG_STRING_EVENT:
Logger.LogInfo("{0}", GetOutputDebugString(debugEvent.DebugString));
break;
case DEBUG_EVENT_CODE.CREATE_THREAD_DEBUG_EVENT:
case DEBUG_EVENT_CODE.EXIT_THREAD_DEBUG_EVENT:
case DEBUG_EVENT_CODE.LOAD_DLL_DEBUG_EVENT:
case DEBUG_EVENT_CODE.UNLOAD_DLL_DEBUG_EVENT:
// Too noisy...
break;
default:
Logger.LogInfo("DBGEVENT: {0}: {1}", debugEvent.dwDebugEventCode, GetDebugEventText(debugEvent));
break;
}
}
private string GetDebugEventText(DEBUG_EVENT debugEvent)
{
switch (debugEvent.dwDebugEventCode)
{
case DEBUG_EVENT_CODE.EXIT_THREAD_DEBUG_EVENT:
return(string.Format("Thread Exit Code: 0x{0:x8}", debugEvent.ExitThread.dwExitCode));
case DEBUG_EVENT_CODE.EXIT_PROCESS_DEBUG_EVENT:
return(string.Format("Process Exit Code: 0x{0:x8}", debugEvent.ExitProcess.dwExitCode));
case DEBUG_EVENT_CODE.OUTPUT_DEBUG_STRING_EVENT:
return(GetOutputDebugString(debugEvent.DebugString));
case DEBUG_EVENT_CODE.EXCEPTION_DEBUG_EVENT:
var exceptionEvent = debugEvent.Exception;
return(string.Format("Code: 0x{0:x8}, Flags: 0x{1:x8}, FirstChance: {2}", exceptionEvent.ExceptionRecord.ExceptionCode, exceptionEvent.ExceptionRecord.ExceptionFlags, exceptionEvent.dwFirstChance));
default:
return("");
}
}
private static string GetExceptionHash(Process process, DEBUG_EVENT debugEvent)
{
var dumper = new StackDumper(process.Handle, debugEvent.dwThreadId);
var functionPointers = dumper.GetFunctionPointers();
if (functionPointers == null)
{
return("ERROR_" + ((ushort)(debugEvent.Exception.ExceptionRecord.ExceptionAddress & 0xFFFF)).ToString());
}
if (functionPointers.Count == 0 ||
functionPointers[0] != debugEvent.Exception.ExceptionRecord.ExceptionAddress)
{
functionPointers.Insert(0, debugEvent.Exception.ExceptionRecord.ExceptionAddress);
}
var fp2 = functionPointers.Select(x => (ushort)(x & 0xFFFF)).Take(4).ToArray();
return(string.Concat(fp2.Select(x => string.Format("{0:X4}", x))));
}
public static extern BOOL WaitForDebugEventEx(out DEBUG_EVENT @event, DWORD milliseconds);
private void LogDebugEvent(DEBUG_EVENT debugEvent) {
switch (debugEvent.dwDebugEventCode) {
case DEBUG_EVENT_CODE.OUTPUT_DEBUG_STRING_EVENT:
Logger.LogInfo("{0}", GetOutputDebugString(debugEvent.DebugString));
break;
case DEBUG_EVENT_CODE.CREATE_THREAD_DEBUG_EVENT:
case DEBUG_EVENT_CODE.EXIT_THREAD_DEBUG_EVENT:
case DEBUG_EVENT_CODE.LOAD_DLL_DEBUG_EVENT:
case DEBUG_EVENT_CODE.UNLOAD_DLL_DEBUG_EVENT:
// Too noisy...
break;
default:
Logger.LogInfo("DBGEVENT: {0}: {1}", debugEvent.dwDebugEventCode, GetDebugEventText(debugEvent));
break;
}
}
private string GetDebugEventText(DEBUG_EVENT debugEvent) {
switch (debugEvent.dwDebugEventCode) {
case DEBUG_EVENT_CODE.EXIT_THREAD_DEBUG_EVENT:
return string.Format("Thread Exit Code: 0x{0:x8}", debugEvent.ExitThread.dwExitCode);
case DEBUG_EVENT_CODE.EXIT_PROCESS_DEBUG_EVENT:
return string.Format("Process Exit Code: 0x{0:x8}", debugEvent.ExitProcess.dwExitCode);
case DEBUG_EVENT_CODE.OUTPUT_DEBUG_STRING_EVENT:
return GetOutputDebugString(debugEvent.DebugString);
case DEBUG_EVENT_CODE.EXCEPTION_DEBUG_EVENT:
var exceptionEvent = debugEvent.Exception;
return string.Format("Code: 0x{0:x8}, Flags: 0x{1:x8}, FirstChance: {2}", exceptionEvent.ExceptionRecord.ExceptionCode, exceptionEvent.ExceptionRecord.ExceptionFlags, exceptionEvent.dwFirstChance);
default:
return "";
}
}
private void Debugger(object value)
{
_continue = true;
var parameters = value as object[];
var filename = parameters[0] as string;
var arguments = parameters[1] as string;
if (!string.IsNullOrEmpty(arguments) && !arguments.StartsWith(" "))
arguments = string.Concat(" ", arguments);
var si = new STARTUPINFO();
PROCESS_INFORMATION pi;
//Create Process
if (!CreateProcess(null, string.Format("\"{0}\"{1}", filename, arguments),
IntPtr.Zero, IntPtr.Zero, true,
ProcessCreationFlags.DEBUG_ONLY_THIS_PROCESS | ProcessCreationFlags.DEBUG_PROCESS,
IntPtr.Zero, null, ref si, out pi))
throw new Exception(string.Format("Failed to start {0}.", Path.GetFileName(filename)));
//if (!CreateProcess(null, string.Format("\"{0}\"{1}", filename, arguments),
// IntPtr.Zero, IntPtr.Zero, false,
// ProcessCreationFlags.NORMAL_PRIORITY_CLASS,
// IntPtr.Zero, null, ref si, out pi))
// throw new Exception(string.Format("Failed to start {0}.", Path.GetFileName(filename)));
//Open Process Handle
_handle = OpenProcess(ProcessAccessPriviledges.PROCESS_VM_READ | ProcessAccessPriviledges.PROCESS_TERMINATE | ProcessAccessPriviledges.PROCESS_VM_WRITE | ProcessAccessPriviledges.PROCESS_VM_OPERATION,
false, pi.dwProcessId);
//Create debug event
var debugEvent = new DEBUG_EVENT()
{
dwProcessId = pi.dwProcessId,
dwThreadId = pi.dwThreadId
};
try
{
do
{
//DebugDetector.AssertCheckRunning();
if (WaitForDebugEvent(ref debugEvent, 100))
{
switch (debugEvent.dwDebugEventCode)
{
//Continue
case DebugEventTypes.EXCEPTION_DEBUG_EVENT:
case DebugEventTypes.CREATE_THREAD_DEBUG_EVENT:
case DebugEventTypes.LOAD_DLL_DEBUG_EVENT:
case DebugEventTypes.UNLOAD_DLL_DEBUG_EVENT:
case DebugEventTypes.OUTPUT_DEBUG_STRING_EVENT:
case DebugEventTypes.EXIT_THREAD_DEBUG_EVENT:
break;
case DebugEventTypes.CREATE_PROCESS_DEBUG_EVENT:
_fileHandle = debugEvent.u.CreateProcessInfo.hFile;
_processId = debugEvent.dwProcessId;
_processStarted = true;
break;
//Exit the loop
case DebugEventTypes.EXIT_PROCESS_DEBUG_EVENT:
case DebugEventTypes.RIP_EVENT:
default:
_continue = false;
break;
}
}
if (_signalEnd && _processStarted)
{
Process process;
if (TryGetAttachedProcess(out process) == true)
process.CloseMainWindow();
}
ContinueDebugEvent(debugEvent.dwProcessId,
debugEvent.dwThreadId, DebugStates.DBG_CONTINUE);
}
while (_continue);
}
finally
{
End();
TaskHandler.RunTask(delegate(object input)
{
if (OnExiting != null)
OnExiting(this, EventArgs.Empty);
});
}
}
public static extern bool WaitForDebugEvent(out DEBUG_EVENT debugEvent, uint timeout);
/* The base implementation does not implement GetInterestMask, that must be done by the child class */ public abstract int GetInterestMask(out DEBUG_EVENT Mask);
public int GetInterestMask(out DEBUG_EVENT Mask)
{
Mask = DEBUG_EVENT.BREAKPOINT | DEBUG_EVENT.CREATE_PROCESS
| DEBUG_EVENT.EXCEPTION | DEBUG_EVENT.EXIT_PROCESS
| DEBUG_EVENT.CREATE_THREAD | DEBUG_EVENT.EXIT_THREAD
| DEBUG_EVENT.LOAD_MODULE | DEBUG_EVENT.UNLOAD_MODULE;
return 0;
}
/*
Design:
ScripterResume MUST be called from within the debug loop
- BP callback
- or via plugin interface:
+ Call to ScripterAutoDebug which loads exe and calls DebugLoop and calls ScripterResume on EP
it will immediately return, this is needed for returning to the debug loop
and executing until a breakpoint/exception occurs:
/ + DebugLoop()
^ + OnBP/OnException callback
| + OllyLang::Step()
^ [do commands until return to loop is required (RUN, STI, etc.)]
| -
^ -
\ -
When done, call FinishedCallback
(if script loaded inside debug loop and not via ScripterExecuteScript)
or return
*/
// TitanEngine plugin callbacks
void TitanDebuggingCallBack(DEBUG_EVENT debugEvent, int CallReason)
{
switch (CallReason)
{
case Ue.UE_PLUGIN_CALL_REASON_POSTDEBUG:
break;
case Ue.UE_PLUGIN_CALL_REASON_EXCEPTION:
switch (debugEvent.dwDebugEventCode)
{
case DEBUG_EVENT.CREATE_PROCESS_DEBUG_EVENT:
scriptInterpreter.InitGlobalVariables();
break;
case DEBUG_EVENT.EXCEPTION_DEBUG_EVENT:
if (scriptInterpreter.script_running)
{
rulong NewIP = debugger.GetContextData(eContextData.UE_CIP);
//if(debugEvent.u.Exception.ExceptionRecord.ExceptionCode == 1) // EXCEPTION_BREAKPOINT)
NewIP--;
//DBG_LOG("Exception debug event @ " + Helper.rul2hexstr(NewIP)); //$LATER
if (NewIP != OldIP)
scriptInterpreter.debuggee_running = false;
//$LATER
//if(!debugEvent.u.Exception.dwFirstChance)
// ollylang.OnException();
OldIP = NewIP;
}
break;
}
break;
}
}
public static extern bool WaitForDebugEvent(
ref DEBUG_EVENT lpDebugEvent,
int dwMilliseconds);
