?? lion-tutorial30.htm
字號:
<html>
<head>
<link rel="stylesheet" href="../../asm.css">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Iczelion's win32 asm tutorial</title>
</head>
<body bgcolor="#FFFFFF" background="../../images/back01.jpg">
<p align="center">Tutorial 30: Win32 Debug API part 3</p>
<hr size="1">
In this tutorial, we continue the exploration of win32 debug api. Specifically,
we will learn how to trace the debuggee.<br>
Download <b><a href="files/tut30.zip" style="text-decoration:none">the example</a></b>.
<h3>Theory:</h3>
<p>If you have used a debugger before, you would be familiar with tracing. When
you "trace" a program, the program stops after executing each instruction,
giving you the chance to examine the values of registers/memory. Single-stepping
is the official name of tracing.<br>
The single-step feature is provided by the CPU itself. The 8th bit of the flag
register is called <b>trap flag</b>. If this flag(bit) is set, the CPU executes
in single-step mode. The CPU will generate a debug exception after each instruction.
After the debug exception is generated, the trap flag is cleared automatically.<br>
We can also single-step the debuggee, using win32 debug api. The steps are as
follows:</p>
<ol>
<li>Call <b>GetThreadContext</b>, specifying <b>CONTEXT_CONTROL</b> in<b> ContextFlags</b>,
to obtain the value of the flag register.</li>
<li>Set the trap bit in <b>regFlag</b> member of the <b>CONTEXT</b> structure</li>
<li>call<b> SetThreadContext </b></li>
<li>Wait for the debug events as usual. The debuggee will execute in single-step
mode. After it executes each instruction, we will get <b>EXCEPTION_DEBUG_EVENT</b>
with <b>EXCEPTION_SINGLE_STEP</b> value in <b>u.Exception.pExceptionRecord.ExceptionCode</b></li>
<li>If you need to trace the next instruction, you need to set the trap bit
again.</li>
</ol>
<h3>Example:</h3>
<p>.386<br>
.model flat,stdcall <br>
option casemap:none <br>
include \masm32\include\windows.inc <br>
include \masm32\include\kernel32.inc <br>
include \masm32\include\comdlg32.inc <br>
include \masm32\include\user32.inc <br>
includelib \masm32\lib\kernel32.lib <br>
includelib \masm32\lib\comdlg32.lib <br>
includelib \masm32\lib\user32.lib <br>
<br>
.data <br>
AppName db "Win32 Debug Example no.4",0 <br>
ofn OPENFILENAME <> <br>
FilterString db "Executable Files",0,"*.exe",0 <br>
db
"All Files",0,"*.*",0,0 <br>
ExitProc db "The debuggee exits",0Dh,0Ah <br>
db "Total Instructions executed
: %lu",0 <br>
TotalInstruction dd 0<br>
<br>
.data? <br>
buffer db 512 dup(?) <br>
startinfo STARTUPINFO <> <br>
pi PROCESS_INFORMATION <> <br>
DBEvent DEBUG_EVENT <> <br>
context CONTEXT <> <br>
<br>
.code <br>
start: <br>
mov ofn.lStructSize,SIZEOF ofn <br>
mov ofn.lpstrFilter, OFFSET FilterString <br>
mov ofn.lpstrFile, OFFSET buffer <br>
mov ofn.nMaxFile,512 <br>
mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER
or OFN_HIDEREADONLY <br>
invoke GetOpenFileName, ADDR ofn <br>
.if eax==TRUE <br>
invoke GetStartupInfo,addr startinfo <br>
invoke CreateProcess, addr buffer, NULL, NULL, NULL, FALSE,
DEBUG_PROCESS+ DEBUG_ONLY_THIS_PROCESS, NULL, NULL, addr startinfo, addr pi
<br>
.while TRUE <br>
invoke WaitForDebugEvent, addr DBEvent,
INFINITE <br>
.if DBEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT
<br>
invoke wsprintf, addr
buffer, addr ExitProc, TotalInstruction <br>
invoke MessageBox, 0,
addr buffer, addr AppName, MB_OK+MB_ICONINFORMATION <br>
.break <br>
.elseif DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
.if DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_BREAKPOINT
<br>
mov
context.ContextFlags, CONTEXT_CONTROL <br>
invoke
GetThreadContext, pi.hThread, addr context <br>
or
context.regFlag,100h <br>
invoke
SetThreadContext,pi.hThread, addr context <br>
invoke
ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE <br>
.continue
<br>
.elseif DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_SINGLE_STEP
<br>
inc
TotalInstruction <br>
invoke
GetThreadContext,pi.hThread,addr context or context.regFlag,100h <br>
invoke
SetThreadContext,pi.hThread, addr context <br>
invoke
ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId,DBG_CONTINUE <br>
.continue
<br>
.endif <br>
.endif <br>
invoke ContinueDebugEvent, DBEvent.dwProcessId,
DBEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED <br>
.endw <br>
.endif <br>
invoke CloseHandle,pi.hProcess <br>
invoke CloseHandle,pi.hThread <br>
invoke ExitProcess, 0 <br>
end start </p>
<h3>Analysis:</h3>
<p>The program shows the openfile dialog box. When the user chooses an executable
file, it executes the program in single-step mode, couting the number of instructions
executed until the debuggee exits. </p>
<p> .elseif DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
.if DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_BREAKPOINT
</p>
<p>We take this opportunity to set the debuggee into single-step mode. Remember
that Windows sends an EXCEPTION_BREAKPOINT just before it executes the first
instruction of the debuggee.</p>
<p> mov
context.ContextFlags, CONTEXT_CONTROL <br>
invoke
GetThreadContext, pi.hThread, addr context </p>
<p>We call <b>GetThreadContext</b> to fill the <b>CONTEXT </b>structure with the
current values in the registers of the debuggee. More specifically, we need
the current value of the flag register.</p>
<p> or
context.regFlag,100h </p>
<p>We set the trap bit (8th bit) in the flag register image.</p>
<p> invoke
SetThreadContext,pi.hThread, addr context <br>
invoke
ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE <br>
.continue
</p>
<p>Then we call <b>SetThreadContext</b> to overwrite the values in the <b>CONTEXT</b>
structure with the new one(s) and call <b>ContinueDebugEvent </b>with <b>DBG_CONTINUE</b>
flag to resume the debuggee.</p>
<p> .elseif DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_SINGLE_STEP
<br>
inc
TotalInstruction </p>
<p>When an instruction is executed in the debuggee, we receive an <b>EXCEPTION_DEBUG_EVENT</b>.
We must examine the value of <b>u.Exception.pExceptionRecord.ExceptionCode</b>.
If the value is <b>EXCEPTION_SINGLE_STEP</b>, then this debug event is generated
because of the single-step mode. In this case, we can increment the variable<b>
TotalInstruction</b> by one because we know that exactly one instruction was
executed in the debuggee.</p>
<p> invoke
GetThreadContext,pi.hThread,addr context or context.regFlag,100h <br>
invoke
SetThreadContext,pi.hThread, addr context <br>
invoke
ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId,DBG_CONTINUE <br>
.continue
<br>
</p>
<p>Since the trap flag is cleared after the debug exception is generated, we must
set the trap flag again if we want to continue in single-step mode.<br>
<b>Warning: Don't use the example in this tutorial with a large program: tracing
is SLOW. You may have to wait for ten minutes before you can close the debuggee.</b><strong>
</strong></p>
<hr size="1">
<div align="center"> This article come from Iczelion's asm page, Welcom to <a href="http://asm.yeah.net">http://asm.yeah.net</a></div>
</body>
</html>
?? 快捷鍵說明
復(fù)制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -