我正在学习在VS2015和Windows10上使用Visual C++制作内存补丁。所以我用DEBUG_PROCESS'CreateProcess'| DEBUG_ONLY_THIS_PROCESS。
然后我很快得到CREATE_PROCESS_DEBUG_EVENT,在这里我将0xcc写入要中断的位置。之后,仅卡在此处的调试目标和“WaitForDebugEvent”无法获取任何调试事件。
我转储目标,并且INT3确实应该存在,运行转储文件并按应有的方式执行。
这是代码:
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi;
HANDLE PatchProcess;
BYTE ReadBuffer[MAX_PATH] = { 0 };
BYTE int3Code[1] = { 0xcc };
BYTE dwOldStyle[4] = { 0x65,0x65,0x65,0x65 };
if (!CreateProcess(FILE_NAME, NULL, NULL, NULL, FALSE, DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS | CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
std::cout << "CreateProcess failed" << std::endl;
return false;
}
GetLastError();
PatchProcess = pi.hProcess;
DEBUG_EVENT dbEvent;
CONTEXT Regs;
DWORD dwState, Oldpp;
Regs.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
BOOL WhileDoFlag = true;
while (WhileDoFlag) {
WaitForDebugEvent(&dbEvent, INFINITE);
std::cout << "Waiting" << std::endl;
std::cout << "Debug event code:" << dbEvent.dwDebugEventCode << std::endl;
dwState = DBG_EXCEPTION_HANDLED;
switch (dbEvent.dwDebugEventCode)
{
case CREATE_PROCESS_DEBUG_EVENT:
ReadProcessMemory(pi.hProcess, (LPVOID)(BP), &ReadBuffer, 2, NULL);
GetLastError();
std::cout << "Code at" << BP << ":" << ReadBuffer[0] << std::endl;
system("pause");
VirtualProtectEx(pi.hProcess, (LPVOID)BP, 4, PAGE_EXECUTE_READWRITE, &Oldpp);
GetLastError();
WriteProcessMemory(pi.hProcess, (LPVOID)(BP), &int3Code, 2, NULL);
GetLastError();
dwState = DBG_CONTINUE;
break;
case EXIT_PROCESS_DEBUG_EVENT:
WhileDoFlag = false;
break;
case EXCEPTION_DEBUG_EVENT:
switch (dbEvent.u.Exception.ExceptionRecord.ExceptionCode)
{
case EXCEPTION_BREAKPOINT:
{
GetThreadContext(pi.hThread, &Regs);
if (Regs.Eip == BP + 1) {
Regs.Eip--;
WriteProcessMemory(pi.hProcess, (LPVOID)BP, &dwOldStyle, 4, 0);
GetLastError();
ReadProcessMemory(pi.hProcess, (LPVOID)(Regs.Ebp), &ReadBuffer, 1, 0);
GetLastError();
MessageBox(0, (char*)ReadBuffer, "patch test", MB_OK);
SetThreadContext(pi.hThread, &Regs);
}
dwState = DBG_CONTINUE;
break;
}
}
break;
}
ContinueDebugEvent(pi.dwProcessId, pi.dwThreadId, dwState);
}
Windows(XP之后)是否有某种安全保护?
PS:IDA可以使用默认的本地win32调试器从转储文件中的正确位置获取断点。
PS2:使用ollydbg调试转储文件,执行时目标崩溃
mov dword ptr ss:[esp+0x4],eax
eax是一个ModuleEntryPoint
esp + 0x4也是ModuleEntryPoint
我添加的坏断点是否引起了问题?
最佳答案
0xCC是一个字节,您要写入2个字节,导致目标进程崩溃,您要写入的字节之一只是随机垃圾。在对WriteProcessMemory()
的调用中仅写入一个字节
关于c++ - 调试器不接收断点事件,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/32697238/