/*
#<pydoc>
def dbg_read_memory(ea, sz):
"""
Reads from the debugee's memory at the specified ea
@return:
- The read buffer (as a string)
- Or None on failure
"""
pass
#</pydoc>
*/
static PyObject *dbg_read_memory(PyObject *py_ea, PyObject *py_sz)
{
PYW_GIL_CHECK_LOCKED_SCOPE();
uint64 ea, sz;
if ( !dbg_can_query() || !PyW_GetNumber(py_ea, &ea) || !PyW_GetNumber(py_sz, &sz) )
Py_RETURN_NONE;
// Create a Python string
PyObject *ret = PyString_FromStringAndSize(NULL, Py_ssize_t(sz));
if ( ret == NULL )
Py_RETURN_NONE;
// Get the internal buffer
Py_ssize_t len;
char *buf;
PyString_AsStringAndSize(ret, &buf, &len);
if ( (size_t)read_dbg_memory(ea_t(ea), buf, size_t(sz)) != sz )
{
// Release the string on failure
Py_DECREF(ret);
// Return None on failure
Py_RETURN_NONE;
}
return ret;
}
static void op_t_set_specval(PyObject *self, PyObject *value)
{
PYW_GIL_CHECK_LOCKED_SCOPE();
op_t *link = op_t_get_clink(self);
if ( link == NULL )
return;
uint64 v(0);
PyW_GetNumber(value, &v);
link->specval = ea_t(v);
}
static void insn_t_set_ea(PyObject *self, PyObject *value)
{
PYW_GIL_CHECK_LOCKED_SCOPE();
insn_t *link = insn_t_get_clink(self);
if ( link == NULL )
return;
uint64 v(0);
PyW_GetNumber(value, &v);
link->ea = ea_t(v);
}
/*
#<pydoc>
def dbg_write_memory(ea, buffer):
"""
Writes a buffer to the debugee's memory
@return: Boolean
"""
pass
#</pydoc>
*/
static PyObject *dbg_write_memory(PyObject *py_ea, PyObject *py_buf)
{
PYW_GIL_CHECK_LOCKED_SCOPE();
uint64 ea;
if ( !dbg_can_query() || !PyString_Check(py_buf) || !PyW_GetNumber(py_ea, &ea) )
Py_RETURN_NONE;
size_t sz = PyString_GET_SIZE(py_buf);
void *buf = (void *)PyString_AS_STRING(py_buf);
if ( write_dbg_memory(ea_t(ea), buf, sz) != sz )
Py_RETURN_FALSE;
Py_RETURN_TRUE;
}
//---------------------------------------------------------- main thread ---
void win32_debmod_t::handle_pdb_request()
{
if ( pdbthread.req_kind == 1 )
{
// read input file
bytevec_t cmd;
append_dq(cmd, pdbthread.off_ea);
append_dd(cmd, pdbthread.count);
void *outbuf = NULL;
ssize_t outsize = 0;
// send request to IDA
int rc = send_ioctl(WIN32_IOCTL_READFILE, &cmd[0], cmd.size(), &outbuf, &outsize);
if ( rc == 1 && outbuf != NULL )
{
// OK
size_t copylen = qmin(pdbthread.count, outsize);
memcpy(pdbthread.buffer, outbuf, copylen);
pdbthread.count = copylen;
pdbthread.req_result = true;
}
else
{
pdbthread.req_result = false;
}
if ( outbuf != NULL )
qfree(outbuf);
}
else if ( pdbthread.req_kind == 2 )
{
// read memory
ssize_t rc = _read_memory(ea_t(pdbthread.off_ea), pdbthread.buffer, pdbthread.count);
if ( rc >= 0 )
pdbthread.count = rc;
pdbthread.req_result = rc >= 0;
}
else
{
// unknown request
pdbthread.req_result = false;
}
}
/*
#<pydoc>
# Conversion options for get_strlit_contents():
STRCONV_ESCAPE = 0x00000001 # convert non-printable characters to C escapes (\n, \xNN, \uNNNN)
def get_strlit_contents(ea, len, type, flags = 0):
"""
Get bytes contents at location, possibly converted.
It works even if the string has not been created in the database yet.
Note that this will <b>always</b> return a simple string of bytes
(i.e., a 'str' instance), and not a string of unicode characters.
If you want auto-conversion to unicode strings (that is: real strings),
you should probably be using the idautils.Strings class.
@param ea: linear address of the string
@param len: length of the string in bytes (including terminating 0)
@param type: type of the string. Represents both the character encoding,
<u>and</u> the 'type' of string at the given location.
@param flags: combination of STRCONV_..., to perform output conversion.
@return: a bytes-filled str object.
"""
pass
#</pydoc>
*/
static PyObject *py_get_strlit_contents(
ea_t ea,
PyObject *py_len,
int32 type,
int flags = 0)
{
uint64 len;
if ( !PyW_GetNumber(py_len, &len) )
Py_RETURN_NONE;
if ( len == BADADDR )
len = uint64(-1);
qstring buf;
if ( len != uint64(-1) && ea_t(ea + len) < ea
|| get_strlit_contents(&buf, ea, len, type, NULL, flags) < 0 )
{
Py_RETURN_NONE;
}
if ( type == STRTYPE_C && buf.length() > 0 && buf.last() == '\0' )
buf.remove_last();
PYW_GIL_CHECK_LOCKED_SCOPE();
newref_t py_buf(PyString_FromStringAndSize(buf.begin(), buf.length()));
py_buf.incref();
return py_buf.o;
}
//--------------------------------------------------------------------------
static int idaapi callback(
void * /*user_data*/,
int notification_code,
va_list va)
{
static int stage = 0;
static bool is_dll;
static char needed_file[QMAXPATH];
switch ( notification_code )
{
case dbg_process_start:
case dbg_process_attach:
get_input_file_path(needed_file, sizeof(needed_file));
// no break
case dbg_library_load:
if ( stage == 0 )
{
const debug_event_t *pev = va_arg(va, const debug_event_t *);
if ( !strieq(pev->modinfo.name, needed_file) )
break;
if ( notification_code == dbg_library_load )
is_dll = true;
// remember the current module bounds
if ( pev->modinfo.rebase_to != BADADDR )
curmod.startEA = pev->modinfo.rebase_to;
else
curmod.startEA = pev->modinfo.base;
curmod.endEA = curmod.startEA + pev->modinfo.size;
deb(IDA_DEBUG_PLUGIN, "UUNP: module space %a-%a\n", curmod.startEA, curmod.endEA);
++stage;
}
break;
case dbg_library_unload:
if ( stage != 0 && is_dll )
{
const debug_event_t *pev = va_arg(va, const debug_event_t *);
if ( curmod.startEA == pev->modinfo.base
|| curmod.startEA == pev->modinfo.rebase_to )
{
deb(IDA_DEBUG_PLUGIN, "UUNP: unload unpacked module\n");
if ( stage > 2 )
enable_step_trace(false);
stage = 0;
curmod.startEA = 0;
curmod.endEA = 0;
_hide_wait_box();
}
}
break;
case dbg_run_to: // Parameters: const debug_event_t *event
dbg->stopped_at_debug_event(true);
bp_gpa = get_name_ea(BADADDR, "kernel32_GetProcAddress");
#ifndef __X64__
if( (LONG)GetVersion() < 0 ) // win9x mode -- use thunk's
{
is_9x = true;
win9x_resolve_gpa_thunk();
}
#endif
if ( bp_gpa == BADADDR )
{
bring_debugger_to_front();
warning("Sorry, could not find kernel32.GetProcAddress");
FORCE_STOP:
stage = 4; // last stage
clear_requests_queue();
request_exit_process();
run_requests();
break;
}
else if( !my_add_bpt(bp_gpa) )
{
bring_debugger_to_front();
warning("Sorry, can not set bpt to kernel32.GetProcAddress");
goto FORCE_STOP;
}
else
{
++stage;
set_wait_box("Waiting for a call to GetProcAddress()");
}
continue_process();
break;
case dbg_bpt: // A user defined breakpoint was reached.
// Parameters: thid_t tid
// ea_t breakpoint_ea
// int *warn = -1
// Return (in *warn):
// -1 - to display a breakpoint warning dialog
// if the process is suspended.
// 0 - to never display a breakpoint warning dialog.
// 1 - to always display a breakpoint warning dialog.
{
thid_t tid = va_arg(va, thid_t); qnotused(tid);
ea_t ea = va_arg(va, ea_t);
//int *warn = va_arg(va, int*);
if ( stage == 2 )
{
if ( ea == bp_gpa )
{
regval_t rv;
if ( get_reg_val(REGNAME_ESP, &rv) )
{
ea_t esp = ea_t(rv.ival);
invalidate_dbgmem_contents(esp, 1024);
ea_t gpa_caller = getPtr(esp);
if ( !is_library_entry(gpa_caller) )
{
ea_t nameaddr;
if ( ptrSz == 4 )
{
nameaddr = get_long(esp+8);
}
else
{
get_reg_val(REGNAME_ECX, &rv);
nameaddr = ea_t(rv.ival);
}
invalidate_dbgmem_contents(nameaddr, 1024);
char name[MAXSTR];
size_t len = get_max_ascii_length(nameaddr, ASCSTR_C, ALOPT_IGNHEADS);
name[0] = '\0';
get_ascii_contents2(nameaddr, len, ASCSTR_C, name, sizeof(name));
if ( !ignore_win32_api(name) )
{
deb(IDA_DEBUG_PLUGIN, "%a: found a call to GetProcAddress(%s)\n", gpa_caller, name);
if ( !my_del_bpt(bp_gpa) || !my_add_bpt(gpa_caller) )
error("Can not modify breakpoint");
}
}
}
}
else if ( ea == bpt_ea )
{
my_del_bpt(ea);
if ( !is_library_entry(ea) )
{
msg("Uunp: reached unpacker code at %a, switching to trace mode\n", ea);
enable_step_trace(true);
++stage;
uint64 eax;
if ( get_reg_val(REGNAME_EAX, &eax) )
an_imported_func = ea_t(eax);
set_wait_box("Waiting for the unpacker to finish");
}
else
{
warning("%a: bpt in library code", ea); // how can it be?
my_add_bpt(bp_gpa);
}
}
// not our bpt? skip it
else
{
// hide the wait box to allow others plugins to properly stop
_hide_wait_box();
break;
}
}
}
// while continue_process() would work here too, request+run is more universal
// because they do not ignore the request queue
request_continue_process();
run_requests();
break;
case dbg_trace: // A step occured (one instruction was executed). This event
// notification is only generated if step tracing is enabled.
// Parameter: none
if ( stage == 3 )
{
thid_t tid = va_arg(va, thid_t); qnotused(tid);
ea_t ip = va_arg(va, ea_t);
// ip reached the OEP range?
if ( oep_area.contains(ip) )
{
// stop the trace mode
enable_step_trace(false);
msg("Uunp: reached OEP %a\n", ip);
set_wait_box("Reanalyzing the unpacked code");
// reanalyze the unpacked code
do_unknown_range(oep_area.startEA, oep_area.size(), DOUNK_EXPAND);
auto_make_code(ip); // plan to make code
noUsed(oep_area.startEA, oep_area.endEA); // plan to reanalyze
auto_mark_range(oep_area.startEA, oep_area.endEA, AU_FINAL); // plan to analyze
move_entry(ip); // mark the program's entry point
_hide_wait_box();
// inform the user
bring_debugger_to_front();
if ( askyn_c(1,
"HIDECANCEL\n"
"The universal unpacker has finished its work.\n"
"Do you want to take a memory snapshot and stop now?\n"
"(you can do it yourself if you want)\n") > 0 )
{
set_wait_box("Recreating the import table");
invalidate_dbgmem_config();
if ( is_9x )
find_thunked_imports();
create_impdir();
set_wait_box("Storing resources to 'resource.res'");
if ( resfile[0] != '\0' )
extract_resource(resfile);
_hide_wait_box();
if ( take_memory_snapshot(true) )
goto FORCE_STOP;
}
suspend_process();
unhook_from_notification_point(HT_DBG, callback, NULL);
}
}
break;
case dbg_process_exit:
{
stage = 0;
// stop the tracing
_hide_wait_box();
unhook_from_notification_point(HT_DBG, callback, NULL);
if ( success )
jumpto(inf.beginEA, -1);
else
tell_about_failure();
}
break;
case dbg_exception:// Parameters: const debug_event_t *event
// int *warn = -1
// Return (in *warn):
// -1 - to display an exception warning dialog
// if the process is suspended.
// 0 - to never display an exception warning dialog.
// 1 - to always display an exception warning dialog.
{
// const debug_event_t *event = va_arg(va, const debug_event_t *);
// int *warn = va_arg(va, int *);
// FIXME: handle code which uses SEH to unpack itself
if ( askyn_c(1,
"AUTOHIDE DATABASE\n"
"HIDECANCEL\n"
"An exception occurred in the program.\n"
"UUNP does not support exceptions yet.\n"
"The execution has been suspended.\n"
"Do you want to continue the unpacking?") <= 0 )
{
_hide_wait_box();
stage = 0;
enable_step_trace(false); // stop the trace mode
suspend_process();
}
else
{
continue_process();
}
}
break;
case dbg_request_error:
// An error occured during the processing of a request.
// Parameters: ui_notification_t failed_command
// dbg_notification_t failed_dbg_notification
{
ui_notification_t failed_cmd = va_arg(va, ui_notification_t);
dbg_notification_t failed_dbg_notification = va_arg(va, dbg_notification_t);
_hide_wait_box();
stage = 0;
warning("dbg request error: command: %d notification: %d",
failed_cmd, failed_dbg_notification);
}
break;
}
return 0;
}
GCCTypeInfo *GCCTypeInfo::parseTypeInfo(ea_t ea)
{
if (g_KnownTypes.count(ea))
return g_KnownTypes[ea];
GCC_RTTI::type_info tmp;
if (!get_bytes(&tmp, sizeof(GCC_RTTI::type_info), ea))
return 0;
ea_t name_ea = tmp.__type_info_name;
size_t length = get_max_strlit_length(name_ea, STRTYPE_C, ALOPT_IGNHEADS);
qstring buffer;
if (!get_strlit_contents(&buffer, name_ea, length, STRTYPE_C)) {
return 0;
}
qstring name(buffer);
qstring demangled_name;
name = qstring("_ZTS") + name;
int32 res = demangle_name(&demangled_name, name.c_str(), 0);
if (res != (MT_GCC3 | M_AUTOCRT | MT_RTTI))
{
return 0;
}
demangled_name = demangled_name.substr(19);
GCCTypeInfo * result = new GCCTypeInfo();
result->ea = ea;
result->typeName = demangled_name;
result->vtbl = tmp.__type_info_vtable;
setUnknown(ea + ea_t(offsetof(GCC_RTTI::type_info, __type_info_vtable)), sizeof(void*));
op_plain_offset(ea + ea_t(offsetof(GCC_RTTI::type_info, __type_info_vtable)), 0, ea);
setUnknown(ea + ea_t(offsetof(GCC_RTTI::type_info, __type_info_name)), sizeof(void*));
op_plain_offset(ea + ea_t(offsetof(GCC_RTTI::type_info, __type_info_name)), 0, ea);
MakeName(ea, demangled_name, "RTTI_", "");
if (tmp.__type_info_vtable == class_type_info_vtbl)
{
g_KnownTypes[ea] = result;
return result;
}
if (tmp.__type_info_vtable == si_class_type_info_vtbl)
{
GCC_RTTI::__si_class_type_info si_class;
if (!get_bytes(&si_class, sizeof(GCC_RTTI::__si_class_type_info), ea))
{
delete result;
return 0;
}
GCCTypeInfo *base = parseTypeInfo(si_class.base);
if (base == 0)
{
delete result;
return 0;
}
setUnknown(ea + ea_t(offsetof(GCC_RTTI::__si_class_type_info, base)), sizeof(void*));
op_plain_offset(ea + ea_t(offsetof(GCC_RTTI::__si_class_type_info, base)), 0, ea);
result->parentsCount = 1;
result->parentsTypes = new GCCParentType*[1];
result->parentsTypes[0] = new GCCParentType();
result->parentsTypes[0]->ea = base->ea;
result->parentsTypes[0]->info = base;
result->parentsTypes[0]->flags = 0;
g_KnownTypes[ea] = result;
return result;
}
if (tmp.__type_info_vtable != vmi_class_type_info_vtbl) {
// Unknown type, ignore it
delete result;
return 0;
}
GCC_RTTI::__vmi_class_type_info vmi_class;
if (!get_bytes(&vmi_class, sizeof(GCC_RTTI::__vmi_class_type_info), ea))
return 0;
// vmi_class.vmi_flags; // WTF??
result->parentsCount = vmi_class.vmi_base_count;
result->parentsTypes = new GCCParentType*[result->parentsCount];
ea_t addr = ea + ea_t(offsetof(GCC_RTTI::__vmi_class_type_info, vmi_bases));
setUnknown(ea + ea_t(offsetof(GCC_RTTI::__vmi_class_type_info, vmi_flags)), sizeof(void*));
create_dword(ea + ea_t(offsetof(GCC_RTTI::__vmi_class_type_info, vmi_flags)), sizeof(void *));
setUnknown(ea + ea_t(offsetof(GCC_RTTI::__vmi_class_type_info, vmi_base_count)), sizeof(int));
create_dword(ea + ea_t(offsetof(GCC_RTTI::__vmi_class_type_info, vmi_base_count)), sizeof(int));
GCC_RTTI::__base_class_info baseInfo;
for (int i = 0; i < vmi_class.vmi_base_count; ++i, addr += sizeof(baseInfo))
{
if (!get_bytes(&baseInfo, sizeof(baseInfo), addr))
{
delete result;
return 0;
}
GCCTypeInfo *base = parseTypeInfo(baseInfo.base);
if (base == 0)
{
delete result;
return 0;
}
setUnknown(addr + ea_t(offsetof(GCC_RTTI::__base_class_info, base)), sizeof(void*));
op_plain_offset(addr + offsetof(GCC_RTTI::__base_class_info, base), 0, addr);
setUnknown(addr + ea_t(offsetof(GCC_RTTI::__base_class_info, vmi_offset_flags)), sizeof(void*));
create_dword(addr + ea_t(offsetof(GCC_RTTI::__base_class_info, vmi_offset_flags)), sizeof(int));
result->parentsTypes[i] = new GCCParentType();
result->parentsTypes[i]->ea = base->ea;
result->parentsTypes[i]->ea = base->ea;
result->parentsTypes[i]->info = base;
result->parentsTypes[i]->flags = static_cast<unsigned>(baseInfo.vmi_offset_flags);
qstring flags;
if (baseInfo.vmi_offset_flags & baseInfo.virtual_mask)
flags += " virtual_mask ";
if (baseInfo.vmi_offset_flags & baseInfo.public_mask)
flags += " public_mask ";
if (baseInfo.vmi_offset_flags & baseInfo.offset_shift)
flags += " offset_shift ";
set_cmt(addr + ea_t(offsetof(GCC_RTTI::__base_class_info, vmi_offset_flags)), flags.c_str(), false);
}
g_KnownTypes[ea] = result;
return result;
}
//--------------------------------------------------------------------------
ea_t idaapi debmod_t::dbg_appcall(
ea_t func_ea,
thid_t tid,
const struct func_type_info_t *fti,
int /*nargs*/,
const struct regobjs_t *regargs,
struct relobj_t *stkargs,
struct regobjs_t *retregs,
qstring *errbuf,
debug_event_t *event,
int options)
{
enum
{
E_OK, // Success
E_READREGS, // Failed to read registers
E_REG_USED, // The calling convention refers to reserved registers
E_ARG_ALLOC, // Failed to allocate memory for stack arguments
E_WRITE_ARGS, // Failed to setup stack arguments
E_WRITE_REGS, // Failed to setup register arguments
E_HANDLE_EVENT,// Failed to handle debug event
E_DEBUG_EVENT, // Could not get debug events
E_QUIT, // Program exited
E_RESUME, // Failed to resume the application
E_EXCEPTION, // An exception has occured
E_APPCALL_FROM_EXC, // Cannot issue an AppCall if last event was an exception
E_TIMEOUT, // Timeout
};
static const char *const errstrs[] =
{
"success",
"failed to read registers",
"the calling convention refers to reserved registers",
"failed to allocate memory for stack arguments",
"failed to setup stack arguments",
"failed to setup register arguments",
"failed to handle debug event",
"could not get debug events",
"program exited",
"failed to resume the application",
"an exception has occured",
"last event was an exception, cannot perform an appcall",
"timeout",
};
// Save registers
regval_t rv;
bool brk = false;
int err = E_OK;
call_context_t &ctx = appcalls[tid].push_back();
regval_map_t call_regs;
ea_t args_sp = BADADDR;
do
{
// In Win32, when WaitForDebugEvent() returns an exception
// it seems that the OS remembers the exception context so that
// the next call to ContinueDebugEvent() will work with the last exception context.
// Now if we carry an AppCall when an exception was just reported:
// - Appcall will change context
// - Appcall's control bpt will generate an exception thus overriding the last exception context saved by the OS
// - After Appcall, IDA kernel cannot really continue from the first exception because it was overwritten
// Currently we will disallow Appcalls if last event is an exception
if ( last_event.eid == EXCEPTION )
{
err = E_APPCALL_FROM_EXC;
break;
}
// Save registers
ctx.saved_regs.resize(nregs);
if ( dbg_read_registers(tid, -1, ctx.saved_regs.begin()) != 1 )
{
err = E_READREGS;
break;
}
// Get SP value
ea_t org_sp = ea_t(ctx.saved_regs[sp_idx].ival);
// Stack contents
bytevec_t stk;
// Prepare control address
// We will generate a BP code ptrsz aligned and push unto the stack
// as the first argument. This is where we will set the control bpt.
// Since the bpt is on the stack, two possible scenarios:
// - BPT exception
// - Access violation: trying to execute from NX page
// In both cases we will catch an exception and learn what address was
// involved.
// - Save the ctrl address
ea_t ctrl_ea = org_sp - addrsize;
// - Compute the pointer where arguments will be allocated on the stack
size_t stkargs_size = align_up(stkargs->size(), addrsize);
args_sp = ctrl_ea - stkargs_size;
// align the stack pointer to 16 byte boundary (gcc compiled programs require it)
args_sp &= ~15;
ctx.ctrl_ea = args_sp + stkargs_size;
// Relocate the stack arguments
if ( !stkargs->relocate(args_sp, false) )
{
err = E_ARG_ALLOC;
break;
}
// Prepare the stack.
// The memory layout @SP before transfering to the function:
// R = ret addr
// A = args
// - Append the return address (its value is the value of the ctrl code address)
stk.append(&ctx.ctrl_ea, addrsize);
// - Append the stack args
stk.append(stkargs->begin(), stkargs->size());
stk.resize(addrsize+stkargs_size); // align up
ctx.sp = args_sp - addrsize;
int delta = finalize_appcall_stack(ctx, call_regs, stk);
ctx.sp += delta;
// Write the stack
int nwrite = stk.size() - delta;
if ( nwrite > 0 )
{
if ( dbg_write_memory(ctx.sp, stk.begin()+delta, nwrite) != nwrite )
{
err = E_WRITE_ARGS;
break;
}
//show_hex(stk.begin()+delta, nwrite, "Written stack bytes to %a:\n", ctx.sp);
}
// ask the debugger to set a breakpoint
dbg_add_bpt(BPT_SOFT, ctx.ctrl_ea, -1);
// Copy arg registers to call_regs
for ( size_t i=0; i < regargs->size(); i++ )
{
const regobj_t &ri = regargs->at(i);
int reg_idx = ri.regidx;
if ( reg_idx == sp_idx || reg_idx == pc_idx )
{
brk = true;
err = E_REG_USED;
break;
}
// Copy the register value
if ( ri.size() <= sizeof(rv.fval) )
{
rv.clear();
memcpy(rv.fval, ri.value.begin(), ri.size());
if ( ri.relocate )
rv.ival += args_sp;
}
else
{
bytevec_t &b = rv.set_bytes();
b.resize(ri.size());
memcpy(b.begin(), ri.value.begin(), ri.size());
rv.rvtype = 0; // custom data format
}
call_regs[reg_idx] = rv;
}
if ( brk )
break;
// Set the stack pointer
rv.clear();
rv.ival = ctx.sp;
call_regs[sp_idx] = rv;
// Set the instruction pointer
rv.ival = func_ea;
call_regs[pc_idx] = rv;
// Change all the registers in question
for ( regval_map_t::iterator it = call_regs.begin();
it != call_regs.end();
++it )
{
if ( dbg_write_register(tid, it->first, &it->second) != 1 )
{
err = E_WRITE_REGS;
brk = true;
break;
}
// Mark that we changed the regs already
ctx.regs_spoiled = true;
}
if ( brk )
break;
// For manual appcall, we have done everything, just return now
if ( (options & APPCALL_MANUAL) != 0 )
break;
// Resume the application
// Since no* exception last occured**, we can safely say that the
// debugger actually handled the exception.
// * : We disallow appcalls if an exception last occured
// **: Actually if an AppCall was issued then last event is an exception
// but we will mask it by calling continue_after_event(handled_by_debugger = true)
if ( !continue_after_last_event(true) )
{
err = E_RESUME;
break;
}
// We use this list to accumulate the events
// We will give back the events at the end of the loop
debug_event_t tmp;
if ( event == NULL )
event = &tmp;
// Determine timeout for get_debug_event()
uint64 endtime = 0;
int recalc_timeout = 0; // never recalc timeout
int timeout_ms = TIMEOUT;
if ( (options & APPCALL_TIMEOUT) != 0 )
{
timeout_ms = GET_APPCALL_TIMEOUT(options);
if ( timeout_ms > 0 )
{
get_nsec_stamp(&endtime);
endtime += timeout_ms * uint64(1000 * 1000);
}
recalc_timeout = 1; // recalc timeout after the first pass
}
while ( true )
{
if ( recalc_timeout )
{
if ( recalc_timeout != 2 )
{ // we will recalc timeout at the next iteration
recalc_timeout = 2;
}
else
{
if ( timeout_ms > 0 )
{
// calculate the remaining timeout
uint64 now;
get_nsec_stamp(&now);
timeout_ms = int64(endtime - now) / int64(1000 * 1000);
}
if ( timeout_ms <= 0 )
{ // timeout out waiting for the appcall to finish
err = E_TIMEOUT;
if ( dbg_prepare_to_pause_process() <= 0 )
break; // could not even prepare to pause, nothing we can do :(
}
}
}
// Wait for debug events
gdecode_t r = dbg_get_debug_event(event, timeout_ms);
if ( r == GDE_NO_EVENT )
continue;
if ( r == GDE_ERROR )
{ // error getting debug event (network error, etc)
err = E_DEBUG_EVENT;
break;
}
// We may get three possible events related to our control breakpoint:
// - Access violation type: because we try to execute non-executable code
// - Or a BPT exception if the stack page happens to be executable
// - Process exit
bool hit_ctrl_bpt = false;
if ( event->eid == PROCESS_EXIT
|| (hit_ctrl_bpt=should_stop_appcall(tid, event, ctx.ctrl_ea)) != false
|| err == E_TIMEOUT )
{
if ( !hit_ctrl_bpt )
{
send_debug_event_to_ida(event, RQ_SILENT|RQ_SUSPEND);
event->eid = NO_EVENT;
}
last_event.eid = NO_EVENT;
break;
}
// Any other exception?
else if ( event->eid == EXCEPTION )
{
if ( (options & APPCALL_DEBEV) == 0 )
*errbuf = event->exc.info; // Copy exception text to the user
err = E_EXCEPTION;
// When an exception happens during the appcall, we want to mask
// the exception, because:
// 1. we reset the EIP to its original location
// 2. there is no exception handler for the appcall so we cannot really pass as unhandled
// FIXME
last_event.eid = NO_EVENT;
last_event.handled = true;
brk = true;
break;
}
if ( send_debug_event_to_ida(event, RQ_SILENT|RQ_SUSPEND) != 0 )
{
err = E_HANDLE_EVENT;
break;
}
dbg_continue_after_event(event);
event->eid = NO_EVENT;
}
if ( brk || err != E_OK )
break;
// write the argument vector back because it could be spoiled by the application
size_t nbytes = fti->stkargs;
if ( nbytes > 0
&& dbg_write_memory(args_sp, stkargs->begin(), nbytes) != ssize_t(nbytes) )
{
err = E_WRITE_ARGS;
break;
}
// Retrieve the return value
if ( retregs != NULL && !retregs->empty() )
{
regvals_t retr;
retr.resize(nregs);
if ( dbg_read_registers(tid, -1, retr.begin()) <= 0 )
{
err = E_READREGS;
break;
}
for ( size_t i=0; i < retregs->size(); i++ )
{
regobj_t &r = retregs->at(i);
regval_t &v = retr[r.regidx];
memcpy(r.value.begin(), v.get_data(), r.value.size());
r.relocate = false;
}
}
} while ( false );
if ( err != E_OK )
{
if ( err != E_EXCEPTION )
*errbuf = errstrs[err];
dbg_cleanup_appcall(tid);
args_sp = BADADDR;
}
return args_sp;
}
//--------------------------------------------------------------------------
// return top of the stack area usable by appcall. usually it is equal to the
// current esp, unless the area below the stack pointer is not usable
// (for example, AMD64 ABI required the "red zone" not to be modified)
ea_t debmod_t::calc_appcall_stack(const regvals_t ®vals)
{
return ea_t(regvals[sp_idx].ival);
}
