static BOOL tgt_process_active_close_process(struct dbg_process* pcs, BOOL kill)
{
if (pcs == dbg_curr_process)
{
/* remove all set breakpoints in debuggee code */
break_set_xpoints(FALSE);
/* needed for single stepping (ugly).
* should this be handled inside the server ???
*/
be_cpu->single_step(&dbg_context, FALSE);
if (dbg_curr_thread->in_exception)
{
SetThreadContext(dbg_curr_thread->handle, &dbg_context);
ContinueDebugEvent(dbg_curr_pid, dbg_curr_tid, DBG_CONTINUE);
}
}
if (kill)
{
TerminateProcess(pcs->handle, 0);
}
else
{
if (!DebugActiveProcessStop(pcs->pid)) return FALSE;
}
SymCleanup(pcs->handle);
dbg_del_process(pcs);
return TRUE;
}
BOOL My_DebugActiveProcessStop()
{
DWORD dwProcessId=NULL;
BOOL returnVal_Real = NULL;
BOOL returnVal_Intercepted = NULL;
DWORD error_Real = 0;
DWORD error_Intercepted = 0;
disableInterception();
returnVal_Real = DebugActiveProcessStop (dwProcessId);
error_Real = GetLastError();
enableInterception();
returnVal_Intercepted = DebugActiveProcessStop (dwProcessId);
error_Intercepted = GetLastError();
return ((returnVal_Real == returnVal_Intercepted) && (error_Real == error_Intercepted));
}
void CNBUTOJCore::ClearUp(const char *exe, const char *output, PROCESS_INFORMATION ProcInfo)
{
string tmp;
DebugActiveProcessStop(ProcInfo.dwProcessId);
TerminateProcess(ProcInfo.hProcess, 0);
CloseHandle(ProcInfo.hThread);
CloseHandle(ProcInfo.hProcess);
while(FileExists(exe))
{
tmp = string("del ") + exe;
system(tmp.c_str());
}
while(FileExists(output))
{
tmp = string("del ") + output;
system(tmp.c_str());
}
/** 删除FPC的什么什么 */
string ofile = exe;
ofile = ofile.substr(0, ofile.length() - 3) + ".o";
while(FileExists(ofile.c_str()))
{
tmp = string("del ") + ofile.c_str();
system(tmp.c_str());
}
}
/* Detach from all inferiors. */
static int
win32_detach (void)
{
winapi_DebugActiveProcessStop DebugActiveProcessStop = NULL;
winapi_DebugSetProcessKillOnExit DebugSetProcessKillOnExit = NULL;
#ifdef _WIN32_WCE
HMODULE dll = GetModuleHandle (_T("COREDLL.DLL"));
#else
HMODULE dll = GetModuleHandle (_T("KERNEL32.DLL"));
#endif
DebugActiveProcessStop = GETPROCADDRESS (dll, DebugActiveProcessStop);
DebugSetProcessKillOnExit = GETPROCADDRESS (dll, DebugSetProcessKillOnExit);
if (DebugSetProcessKillOnExit == NULL
|| DebugActiveProcessStop == NULL)
return -1;
{
struct thread_resume resume;
resume.thread = -1;
resume.step = 0;
resume.sig = 0;
resume.leave_stopped = 0;
win32_resume (&resume);
}
if (!DebugActiveProcessStop (current_process_id))
return -1;
DebugSetProcessKillOnExit (FALSE);
win32_clear_inferiors ();
return 0;
}
HL_API bool hl_debug_stop( int pid ) {
# if defined(HL_WIN)
BOOL b = DebugActiveProcessStop(pid);
CleanHandles();
return (bool)b;
# elif defined(USE_PTRACE)
return ptrace(PTRACE_DETACH,pid,0,0) >= 0;
# else
return false;
# endif
}
void DbgSessionDelete (dbgSession* session) {
if (!session)
return;
if (session->process.id.pid)
DebugActiveProcessStop (session->process.id.pid);
if (session->process.thread)
CloseHandle ((HANDLE)session->process.thread);
if (session->process.process)
CloseHandle ((HANDLE)session->process.process);
DbgSessionDeleteProc (session);
}
ErrorCode Process::detach() {
prepareForDetach();
BOOL result = DebugActiveProcessStop(_pid);
if (!result)
return Platform::TranslateError();
cleanup();
_flags &= ~kFlagAttachedProcess;
return kSuccess;
}
BOOL detach()
{
if (DebugActiveProcessStop(pid))
{
std::cout << "[*] detach, EXIT." << std::endl;
return true;
}
else
{
std::cout << "[!] detach() error" << std::endl;
return false;
}
}
void spwanAndHook_(char *dlltoinject,opt *options){
STARTUPINFO sInfo;
PROCESS_INFORMATION pInfo;
printf("[Info] Launching process: %s\n",options->cmdline);
ZeroMemory(&sInfo, sizeof(sInfo));
sInfo.cb = sizeof(sInfo);
ZeroMemory(&pInfo, sizeof(pInfo));
if (CreateProcess(options->cmdline, NULL, NULL, NULL, FALSE, DEBUG_ONLY_THIS_PROCESS/*CREATE_SUSPENDED*/, NULL, NULL, &sInfo, &pInfo))
{
char cmd[512];
printf("[info] New pid: %d\n",pInfo.dwProcessId);
sprintf(cmd,"EXECUTING \"%s\" HOOKING PID %d",options->cmdline,pInfo.dwProcessId);
logger(options->ini,"injector",cmd,strlen(cmd));
DEBUG_EVENT debugEvent;
do{
// printf(">> %x\n",debugEvent.dwDebugEventCode);
if(!WaitForDebugEvent(&debugEvent, 1000)) break;
if(debugEvent.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT)
{
// SuspendThread(debugEvent.u.CreateProcessInfo.hThread);
// printf("Injecting!\n");
injecta(pInfo.dwProcessId,dlltoinject,options);
Sleep(1000);
// ResumeThread(debugEvent.u.CreateProcessInfo.hThread);
DebugSetProcessKillOnExit(FALSE);
DebugActiveProcessStop(debugEvent.dwProcessId);
break;
}
ContinueDebugEvent(debugEvent.dwProcessId, debugEvent.dwThreadId, DBG_CONTINUE);
} while(1);
/*
if(WaitForInputIdle((void*)pInfo.hProcess,5)==WAIT_FAILED) printf("[info] Wait failed, console app? :p");
if(options->waitKeyPress){
printf("Press [intro] to resume process..\n");
getchar();
}*/
// injecta(pInfo.dwProcessId,dlltoinject,options);
// ResumeThread((void*)pInfo.hThread);
// WaitForInputIdle((void*)pInfo.dwProcessId,INFINITE);
// Sleep(100);
CloseHandle(pInfo.hThread);
CloseHandle(pInfo.hProcess);
}else{
printf("[Error] Unable to create the process (path not found?)\n");
}
}
bool CNBUTOJCore::_ErrExit(const HANDLE hProcess, const DWORD dwProcessID, CodeState &cs, NState state, __int64 exe_time, SIZE_T exe_memory, const char *code)
{
DebugActiveProcessStop(dwProcessID);
TerminateProcess(hProcess, 4);
cs.state = state;
//cs.exe_time = exe_time;
cs.exe_time = _GetRunTime(hProcess);
cs.exe_memory = exe_memory;
if(strlen(code) != 0)
{
strcpy(cs.err_code, code);
}
return false;
}
bool CDebugger::Detach() {
cout << "\n[+] Detach debugger!" << endl;
for (auto dwProcessId : m_vProcessIds) {
cout << "[+] Detach pid: " << dwProcessId << endl;
DebugActiveProcessStop(dwProcessId);
// Terminate process
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
TerminateProcess(hProcess, 0);
}
m_bActive = false;
return m_bActive;
}
BOOL WindowsDebugger::debugger_detach()
{
if( !this->bAttachedToProcess ) {
dprintflvl( 2, "Not attached to a process" );
return FALSE;
}
if( DebugActiveProcessStop( this->nProcessId ) == NULL ) {
WinError::winerror_print_last_error( __FUNCTION__ );
dprintflvl( 2, "Unable to detach" );
return FALSE;
}
this->bAttachedToProcess = FALSE;
return TRUE;
}
/*
* Release the process. Frees the process control structure.
* flags:
* PRELEASE_KILL Terminate the process with SIGKILL.
*/
void Prelease(struct ps_prochandle *P, int flags)
{
if (flags & PRELEASE_KILL)
TerminateProcess(P->phandle, 1);
else {
if (P->flags & PGRAB_RDONLY) {
SymCleanup(P->phandle);
freemodules(P);
free(P);
return;
}
CloseHandle(P->event);
DebugActiveProcessStop(P->pid);
}
SymCleanup(P->phandle);
pthread_mutex_destroy(&P->mutex);
pthread_cond_destroy(&P->cond);
freemodules(P);
free(P);
}
/* Detach from inferior PID. */
static int
win32_detach (int pid)
{
struct process_info *process;
winapi_DebugActiveProcessStop DebugActiveProcessStop = NULL;
winapi_DebugSetProcessKillOnExit DebugSetProcessKillOnExit = NULL;
#ifdef _WIN32_WCE
HMODULE dll = GetModuleHandle (_T("COREDLL.DLL"));
#else
HMODULE dll = GetModuleHandle (_T("KERNEL32.DLL"));
#endif
DebugActiveProcessStop = GETPROCADDRESS (dll, DebugActiveProcessStop);
DebugSetProcessKillOnExit = GETPROCADDRESS (dll, DebugSetProcessKillOnExit);
if (DebugSetProcessKillOnExit == NULL
|| DebugActiveProcessStop == NULL)
return -1;
{
struct thread_resume resume;
resume.thread = minus_one_ptid;
resume.kind = resume_continue;
resume.sig = 0;
win32_resume (&resume, 1);
}
if (!DebugActiveProcessStop (current_process_id))
return -1;
DebugSetProcessKillOnExit (FALSE);
process = find_process_pid (pid);
remove_process (process);
win32_clear_inferiors ();
return 0;
}
/* exit codes: 0 = ok, 1 = invocation error, 3 = internal error */
int main()
{
int argc;
int creationFlags;
wchar_t **argv;
wchar_t *env = 0;
STARTUPINFOW si;
PROCESS_INFORMATION pi;
DEBUG_EVENT dbev;
enum RunMode mode = Run;
HANDLE image = NULL;
argv = CommandLineToArgvW(GetCommandLine(), &argc);
if (argc != ArgCount) {
fprintf(stderr, "This is an internal helper of Qt Creator. Do not run it manually.\n");
return 1;
}
/* convert message to OEM codepage */
WideCharToMultiByte(CP_OEMCP, 0, argv[ArgMsg], -1, sleepMsg, sizeof(sleepMsg), NULL, NULL);
/* Connect to the master, i.e. Creator. */
if (!(qtcFd = _wfopen(argv[ArgSocket], L"w"))) {
fprintf(stderr, "Cannot connect creator comm pipe %S: %s\n",
argv[ArgSocket], strerror(errno));
doExit(1);
}
if (*argv[ArgDir] && !SetCurrentDirectoryW(argv[ArgDir])) {
/* Only expected error: no such file or direcotry */
sendMsg("err:chdir %d\n", GetLastError());
return 1;
}
if (*argv[ArgEnv]) {
FILE *envFd;
long size;
if (!(envFd = _wfopen(argv[ArgEnv], L"rb"))) {
fprintf(stderr, "Cannot read creator env file %S: %s\n",
argv[ArgEnv], strerror(errno));
doExit(1);
}
fseek(envFd, 0, SEEK_END);
size = ftell(envFd);
rewind(envFd);
env = malloc(size);
if (fread(env, 1, size, envFd) != size) {
perror("Failed to read env file");
doExit(1);
}
fclose(envFd);
}
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
creationFlags = CREATE_UNICODE_ENVIRONMENT;
if (!wcscmp(argv[ArgAction], L"debug")) {
mode = Debug;
} else if (!wcscmp(argv[ArgAction], L"suspend")) {
mode = Suspend;
}
switch (mode) {
case Debug:
creationFlags |= DEBUG_ONLY_THIS_PROCESS;
break;
case Suspend:
creationFlags |= CREATE_SUSPENDED;
break;
default:
break;
}
if (!CreateProcessW(0, argv[ArgCmdLine], 0, 0, FALSE, creationFlags, env, 0, &si, &pi)) {
/* Only expected error: no such file or direcotry, i.e. executable not found */
sendMsg("err:exec %d\n", GetLastError());
doExit(1);
}
/* This is somewhat convoluted. What we actually want is creating a
suspended process and letting gdb attach to it. Unfortunately,
the Windows kernel runs amok when we attempt this.
So instead we start a debugged process, eat all the initial
debug events, suspend the process and detach from it. If gdb
tries to attach *now*, everything goes smoothly. Yay. */
if (mode == Debug) {
do {
if (!WaitForDebugEvent (&dbev, INFINITE))
systemError("Cannot fetch debug event, error %d\n");
if (dbev.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT)
image = dbev.u.CreateProcessInfo.hFile;
if (dbev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
/* The first exception to be delivered is a trap
which indicates completion of startup. */
if (SuspendThread(pi.hThread) == (DWORD)-1)
systemError("Cannot suspend debugee, error %d\n");
}
if (!ContinueDebugEvent(dbev.dwProcessId, dbev.dwThreadId, DBG_CONTINUE))
systemError("Cannot continue debug event, error %d\n");
} while (dbev.dwDebugEventCode != EXCEPTION_DEBUG_EVENT);
if (!DebugActiveProcessStop(dbev.dwProcessId))
systemError("Cannot detach from debugee, error %d\n");
if (image)
CloseHandle(image);
}
SetConsoleCtrlHandler(ctrlHandler, TRUE);
sendMsg("thread %d\n", pi.dwThreadId);
sendMsg("pid %d\n", pi.dwProcessId);
if (WaitForSingleObject(pi.hProcess, INFINITE) == WAIT_FAILED)
systemError("Wait for debugee failed, error %d\n");
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
free(env);
doExit(0);
return 0;
}
DWORD WINAPI DebugThread(LPVOID arg)
{
DEBUG_EVENT evt;
DWORD dwContinue;
DWORD dwBPAddress = 0x44D471;
DWORD dwBPEnd = 0x44D47C;
DWORD dwDataRead = 0x443848;
DWORD dwDataSucceed = 0x44384D;
BYTE bBPAddr = 0;
BYTE bBPEnd = 0;
BYTE bDataRead = 0;
BYTE bDataSucceed = 0;
DWORD dwRead;
DWORD dwDataLength = 0; //[ESP + 0x10] at 0x443848
char szName[16]; //[ESP + 0x0C] at 0x44384D
char szHeader[8]; //[ESP + 0x08] at 0x44384D This value should "BSE 1.0\0"
BOOL bFlag = FALSE;
BOOL bFlag2 = FALSE;
BOOL bAlpha = FALSE;
CONTEXT lcContext;
HANDLE hThread = NULL;
HANDLE hProcess = NULL;
LPVOID ptr, ptr2;
BYTE *pBMPData;
DWORD dwLength;
BYTE *pData;
Image *result;
// SYSTEMTIME time;
WCHAR str[64];
unsigned short width;
unsigned short height;
szName[0] = 0;
if (DebugActiveProcess(dwProcessID))
SetEvent(hAttachSucceeded);
SetEvent(hDebugInit);
DebugSetProcessKillOnExit(FALSE);
while (TRUE)
{
if (WaitForSingleObject(hDebugEnd, 0) == WAIT_OBJECT_0)
break;
dwContinue = DBG_CONTINUE;
if (WaitForDebugEvent(&evt, 10))
{
switch (evt.dwDebugEventCode)
{
case CREATE_PROCESS_DEBUG_EVENT:
bDataRead = SetSoftwareBreakpoint(evt.u.CreateProcessInfo.hProcess, dwDataRead);
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, evt.dwProcessId);
CloseHandle(evt.u.CreateProcessInfo.hFile);
break;
case CREATE_THREAD_DEBUG_EVENT:
break;
case LOAD_DLL_DEBUG_EVENT:
CloseHandle(evt.u.LoadDll.hFile);
break;
case EXCEPTION_DEBUG_EVENT:
if (evt.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT)
{
if (evt.u.Exception.ExceptionRecord.ExceptionAddress == (PVOID)dwBPAddress)
{
// if (bFlag)
// {
// MessageBeep(0);
bAlpha = FALSE;
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, evt.dwThreadId);
lcContext.ContextFlags = CONTEXT_ALL;
GetThreadContext(hThread, &lcContext);
ptr = (LPVOID)(lcContext.Eax + 0x08);
ReadProcessMemory(hProcess, ptr, &pBMPData, 4, &dwRead);
ReadProcessMemory(hProcess, (LPVOID)pBMPData, &width, 2, &dwRead);
ReadProcessMemory(hProcess, (LPVOID)(pBMPData + 2), &height, 2, &dwRead);
dwLength = width * height * 4;
pData = (BYTE *)calloc(dwLength, sizeof(BYTE));
if (pData)
{
wsprintf(str, L"[%dx%d] %S", width, height, szName);
if (SendMessage(hListLayer, LB_FINDSTRINGEXACT, -1, (LPARAM)str) == LB_ERR)
{
SendMessage(hListLayer, LB_INSERTSTRING, 0, (LPARAM)str);
ReadProcessMemory(hProcess, (LPVOID)(pBMPData + 0x10), pData, dwLength, &dwRead);
result = (Image *)calloc(1, sizeof(Image));
result->width = width;
result->height = height;
result->data = (PIXEL *)pData;
//Is this bitmap has no alpha channel (all alpha channel == 0)
for (int i = 0; i < width * height; i++)
if (result->data[i].a != 0x00)
{
bAlpha = TRUE;
break;
}
//Set alpha channel
if (!bAlpha)
for (int i = 0; i < width * height; i++)
result->data[i].a = 0xFF;
//Insert Decoded Image to List
SendMessage(hListLayer, LB_SETITEMDATA, 0, (LPARAM)result);
}
}
MoveEIPBack(hThread);
bBPEnd = SetSoftwareBreakpoint(hProcess, dwBPEnd);
ResetSoftwareBreakpoint(hProcess, dwBPAddress, bBPAddr);
CloseHandle(hThread);
// }
// else
bFlag = TRUE;
}
else if (evt.u.Exception.ExceptionRecord.ExceptionAddress == (PVOID)dwBPEnd)
{
// if (bFlag2)
// {
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, evt.dwThreadId);
MoveEIPBack(hThread);
bDataRead = SetSoftwareBreakpoint(hProcess, dwDataRead);
ResetSoftwareBreakpoint(hProcess, dwBPEnd, bBPEnd);
CloseHandle(hThread);
// }
// else
bFlag2 = TRUE;
}
else if (evt.u.Exception.ExceptionRecord.ExceptionAddress == (PVOID)dwDataRead)
{
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, evt.dwThreadId);
lcContext.ContextFlags = CONTEXT_ALL;
GetThreadContext(hThread, &lcContext);
ptr = (LPVOID)(lcContext.Esp + 0x10);
ReadProcessMemory(hProcess, ptr, &dwDataLength, 4, &dwRead);
MoveEIPBack(hThread);
bDataSucceed = SetSoftwareBreakpoint(hProcess, dwDataSucceed);
ResetSoftwareBreakpoint(hProcess, dwDataRead, bDataRead);
CloseHandle(hThread);
}
else if (evt.u.Exception.ExceptionRecord.ExceptionAddress == (PVOID)dwDataSucceed)
{
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, evt.dwThreadId);
MoveEIPBack(hThread);
if (dwDataLength)
{
lcContext.ContextFlags = CONTEXT_ALL;
GetThreadContext(hThread, &lcContext);
if (lcContext.Eax == dwDataLength)
{
ptr = (LPVOID)(lcContext.Esp + 0x08);
ReadProcessMemory(hProcess, ptr, &ptr2, 4, &dwRead);
ReadProcessMemory(hProcess, ptr2, &szHeader, 8, &dwRead);
if (strncmp(szHeader, "BSE 1.0\0", 8) == 0)
{
//Read Succeed
ptr = (LPVOID)(lcContext.Esp + 0x0C);
ReadProcessMemory(hProcess, ptr, &ptr2, 4, &dwRead);
ReadProcessMemory(hProcess, ptr2, &szName, 16, &dwRead);
bBPAddr = SetSoftwareBreakpoint(hProcess, dwBPAddress);
}
else
bDataRead = SetSoftwareBreakpoint(hProcess, dwDataRead);
}
else
bDataRead = SetSoftwareBreakpoint(hProcess, dwDataRead);
}
else
bDataRead = SetSoftwareBreakpoint(hProcess, dwDataRead);
ResetSoftwareBreakpoint(hProcess, dwDataSucceed, bDataSucceed);
CloseHandle(hThread);
}
}
else if (evt.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_SINGLE_STEP)
{
}
else
dwContinue = DBG_EXCEPTION_NOT_HANDLED;
break;
case EXIT_PROCESS_DEBUG_EVENT:
SetEvent(hDebugEnd);
break;
default:
dwContinue = DBG_EXCEPTION_NOT_HANDLED;
break;
}
ContinueDebugEvent(evt.dwProcessId, evt.dwThreadId, dwContinue);
}
}
if (bDataRead)
ResetSoftwareBreakpoint(hProcess, dwDataRead, bDataRead);
if (bDataSucceed)
ResetSoftwareBreakpoint(hProcess, dwDataSucceed, bDataSucceed);
if (bBPAddr)
ResetSoftwareBreakpoint(hProcess, dwBPAddress, bBPAddr);
if (bBPEnd)
ResetSoftwareBreakpoint(hProcess, dwBPEnd, bBPEnd);
if (hProcess)
CloseHandle(hProcess);
DebugActiveProcessStop(dwProcessID);
return 0;
}
void resume(DWORD processId)
{
DebugActiveProcessStop(processId);
}
bool debugthread::stopdebug()
{
DebugActiveProcessStop(pars.pi.dwProcessId);
return true;
}
void DebuggerThread::run()
{
if ( !DebugActiveProcess( debugger->processId ) )
return;
DebugSetProcessKillOnExit( FALSE );
HANDLE hImageFile = NULL;
//bool go = false;
//HANDLE target_thread = 0;
while( !commit_suicide )
{
DEBUG_EVENT dbgEvent;
if ( !WaitForDebugEvent( &dbgEvent, 100 ) )
{
//if ( go )
//{
// DWORD t0 = GetTickCount();
// CONTEXT threadcontext;
// threadcontext.ContextFlags = CONTEXT_i386 | CONTEXT_CONTROL;
// HRESULT result = SuspendThread(target_thread);
// if(result == 0xffffffff)
// __asm int 3
// SetThreadPriority( target_thread, THREAD_PRIORITY_TIME_CRITICAL );
// result = GetThreadContext(target_thread, &threadcontext);
// SetThreadPriority( target_thread, THREAD_PRIORITY_NORMAL );
// ResumeThread(target_thread);
//
// DWORD t1 = GetTickCount();
// char buf[256];
// sprintf(buf, "%08x - %ims\n", t1, t1 - t0);
// OutputDebugString(buf);
//}
DWORD err = GetLastError();
continue;
}
WaitForSingleObject( hMutex, INFINITE );
switch (dbgEvent.dwDebugEventCode)
{
case EXCEPTION_DEBUG_EVENT:
SetEvent( readyEvent );
//go = true;
break;
case CREATE_THREAD_DEBUG_EVENT:
debugger->hThreads.push_back( ThreadInfo( dbgEvent.dwThreadId, dbgEvent.u.CreateThread.hThread ) );
break;
case CREATE_PROCESS_DEBUG_EVENT:
debugger->hProcess = dbgEvent.u.CreateProcessInfo.hProcess;
hImageFile = dbgEvent.u.CreateProcessInfo.hFile;
debugger->hThreads.push_back( ThreadInfo( dbgEvent.dwThreadId, dbgEvent.u.CreateProcessInfo.hThread ) );
//target_thread = dbgEvent.u.CreateProcessInfo.hThread;
break;
case EXIT_THREAD_DEBUG_EVENT:
// Display the thread's exit code.
break;
case EXIT_PROCESS_DEBUG_EVENT:
// Display the process's exit code.
break;
case LOAD_DLL_DEBUG_EVENT:
// Read the debugging information included in the newly
// loaded DLL. Be sure to close the handle to the loaded DLL
// with CloseHandle.
break;
case UNLOAD_DLL_DEBUG_EVENT:
// Display a message that the DLL has been unloaded.
break;
case OUTPUT_DEBUG_STRING_EVENT:
// Display the output debugging string.
break;
}
ReleaseMutex( hMutex );
ContinueDebugEvent( dbgEvent.dwProcessId, dbgEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED );
}
if ( hImageFile )
CloseHandle( hImageFile );
DebugActiveProcessStop( debugger->processId );
}
bool Debugger::Detach()
{
return !!DebugActiveProcessStop(_mainProcess.dwProcessId);
}
// cette fonction teste si l'entrée fait planter le programme
DWORD FuzzwinAlgorithm::debugTarget(CInput *pNewInput)
{
// Execution de la cible en mode debug pour récupérer la cause et l'emplacement de l'erreur
// source http://msdn.microsoft.com/en-us/library/windows/desktop/ms681675(v=vs.85).aspx
STARTUPINFO si;
PROCESS_INFORMATION pi;
DEBUG_EVENT e;
ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&e, sizeof(e));
si.cb = sizeof(si);
std::string cmdLineDebug(this->getCmdLineDebug(pNewInput));
DWORD returnCode = 0;
DWORD exceptionCode = 0;
bool continueDebug = true; // variable de sortie de boucle infinie
BOOL bSuccess = CreateProcess(
nullptr, // passage des arguments par ligne de commande
(LPSTR) cmdLineDebug.c_str(),
nullptr, nullptr, // attributs de processus et de thread par défaut
FALSE, // pas d'héritage des handles
DEBUG_PROCESS | CREATE_NO_WINDOW, // mode DEBUG, pas de fenetres
nullptr, nullptr, // Environnement et repertoire de travail par défaut
&si, &pi); // Infos en entrée et en sortie
if (!bSuccess)
{
this->logTimeStamp();
this->log(" Erreur createProcess Debug");
this->logEndOfLine();
return 0; // fin de la procédure prématurément
}
// activation du "timer" pour stopper le debuggage au bout du temps spécifié
if (_hTimer)
{
// transformation secondes => intervalles de 100 nanosecondes ( x (-10 000 000))
LARGE_INTEGER liDueTime;
liDueTime.QuadPart = _maxExecutionTime * (-10000000LL);
if (!SetWaitableTimer(_hTimer,
&liDueTime, // temps d'attente
0, // pas de périodicité
&FuzzwinAlgorithm::timerExpired, // fonction appelée lors de l'expiration
&pi.hProcess, // argument passé : handle du processus en cours de debuggage
0)) // peu importe le 'resume'
{
this->logTimeStamp();
this->log(" Erreur Lancement du timer !!");
this->logEndOfLine();
return 0;
}
}
/**********************/
/* DEBUT DU DEBUGGAGE */
/**********************/
while (continueDebug)
{
WaitForDebugEvent(&e, INFINITE);
switch (e.dwDebugEventCode)
{
// Exception rencontrée
case EXCEPTION_DEBUG_EVENT:
// récupération du code d'exception rencontré
exceptionCode = e.u.Exception.ExceptionRecord.ExceptionCode;
// cas particulier : breakpoint de début d'exécution du programme
if (EXCEPTION_BREAKPOINT == exceptionCode)
{
// acquitter
ContinueDebugEvent(e.dwProcessId, e.dwThreadId, DBG_CONTINUE);
break;
}
else // véritable exception rencontrée
{
PVOID exceptionAddr = e.u.Exception.ExceptionRecord.ExceptionAddress;
char details[64];
sprintf(&details[0], " Adresse 0x%p - Code %08X", exceptionAddr, exceptionCode);
this->logEndOfLine();
this->log(std::string(60, '*'));
this->logEndOfLine();
this->logTimeStamp();
this->log(" @@@ ERREUR @@@ Fichier " + pNewInput->getFileName());
this->logEndOfLine();
this->logTimeStamp();
this->log(&details[0]);
this->logEndOfLine();
this->log(std::string(60, '*'));
this->logEndOfLine();
this->logEndOfLine();
// enregistrement de l'erreur dans le fichier des fautes
// ouverture en mode "app(end)"
std::ofstream fault(_faultFile, std::ios::app);
fault << pNewInput->getFilePath();
fault << " Exception n° " << std::hex << exceptionCode << std::dec << std::endl;
fault.close();
// enregistrer le code d'erreur dans l'objet
pNewInput->setExceptionCode(exceptionCode);
// actions spécifiques cmdline/gui à mener lors de la découverte d'une faute
this->faultFound();
// Fermeture du processus
TerminateProcess(pi.hProcess, 0);
// acquitter
//ContinueDebugEvent(e.dwProcessId, e.dwThreadId, DBG_CONTINUE);
// arret du debug
DebugActiveProcessStop(pi.dwProcessId);
// fermeture des handles du programme débuggé
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
// retour du code d'erreur
returnCode = exceptionCode;
continueDebug = false;
}
break;
case EXIT_PROCESS_DEBUG_EVENT: // = fin du programme (normale ou provoquée par expiration du timer)
this->logVerbose(" (OK)");
this->logVerboseEndOfLine();
// acquitter
ContinueDebugEvent(e.dwProcessId, e.dwThreadId, DBG_CONTINUE);
// fermeture des handles du programme débuggé
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
// quitter la boucle
continueDebug = false;
break; // quitter la boucle
default:
// acquitter les autres évènements
ContinueDebugEvent(e.dwProcessId, e.dwThreadId, DBG_CONTINUE);
break;
}
}
// arret du timer (sans effet si c'est le timer qui a provoqué l'arret du debug)
if (_hTimer) CancelWaitableTimer(_hTimer);
// retour du code d'erreur ou 0 si rien trouvé
return (returnCode);
}
int main(int argc, char **argv){
if( argc<2){
printf("Usage: %s <ip address>\n", argv[0]);
return 1;
}
if( IsDebuggerPresent()){
HANDLE iphlpapi=LoadLibrary("iphlpapi.dll");
if( !iphlpapi){
perror("iphlpapi.dll");
return 1;
}
FARPROC IcmpSendEcho=GetProcAddress(iphlpapi, "IcmpSendEcho");
FARPROC IcmpCreateFile=GetProcAddress(iphlpapi, "IcmpCreateFile");
FARPROC IcmpCloseHandle=GetProcAddress(iphlpapi, "IcmpCloseHandle");
if( (IcmpSendEcho && IcmpCreateFile && IcmpCloseHandle)==0){
perror("icmp functions");
return 1;
}
unsigned long ipaddr=INADDR_NONE, params[2];
HANDLE hIcmpFile;
char data[32], *reply;
int replySize=sizeof(ICMP_ECHO_REPLY)+sizeof(data);
if( (ipaddr=inet_addr(argv[1]))==INADDR_NONE){
perror("Illegal IP address!");
return 1;
}
if( (hIcmpFile=(HANDLE)IcmpCreateFile())==INVALID_HANDLE_VALUE){
perror("IcmpCreateFile");
return 1;
}
reply=(char *)malloc(replySize);
ZeroMemory(data, sizeof(data));
params[0]=PARAM;
params[1]=(unsigned long)GetProcAddress(iphlpapi, "IcmpSendEcho2Ex");
RaiseException(EXCEPTION_BREAKPOINT, 0, 2, params);
puts("Exception raised!");
IcmpSendEcho(hIcmpFile, ipaddr, data, sizeof(data), NULL, reply, replySize, 1000);
puts("This line should never be shown...");
IcmpCloseHandle(hIcmpFile);
return 0;
}
PROCESS_INFORMATION pi;
STARTUPINFO si;
HANDLE hProcess, hThread;
DEBUG_EVENT debugEvent;
EXCEPTION_RECORD *ExceptionRecord=&debugEvent.u.Exception.ExceptionRecord;
CONTEXT context;
FARPROC IcmpSendEcho2Ex=NULL;
char path[256], args[512], originalByte[1];
ZeroMemory(?, sizeof(PROCESS_INFORMATION));
ZeroMemory(&si, sizeof(STARTUPINFO));
ZeroMemory(&debugEvent, sizeof(DEBUG_EVENT));
ZeroMemory(&context, sizeof(CONTEXT));
ZeroMemory(path, sizeof(path));
ZeroMemory(args, sizeof(args));
si.cb=sizeof(STARTUPINFO);
si.dwFlags=STARTF_USESHOWWINDOW;
si.wShowWindow=SW_HIDE;
context.ContextFlags=CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
GetModuleFileName(NULL, path, sizeof(path)-1);
snprintf(args, sizeof(args)-1, "%s %s", path, argv[1]);
if( !CreateProcess(
NULL,
args,
NULL,
NULL,
FALSE,
DEBUG_PROCESS,
NULL,
NULL,
&si,
?
)){
perror("CreateProcess");
return 1;
}
if( (hProcess=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pi.dwProcessId))==NULL){
perror("OpenProcess");
return 1;
}
HANDLE kernel32=LoadLibrary("kernel32.dll");
FARPROC DebugSetProcessKillOnExit=GetProcAddress(kernel32, "DebugSetProcessKillOnExit");
FARPROC DebugActiveProcessStop=GetProcAddress(kernel32, "DebugActiveProcessStop");
FARPROC OpenThread=GetProcAddress(kernel32, "OpenThread");
CloseHandle(kernel32);
DebugSetProcessKillOnExit(TRUE);
while(WaitForDebugEvent(&debugEvent, INFINITE) && debugEvent.dwDebugEventCode!=EXIT_PROCESS_DEBUG_EVENT){
if( debugEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT && ExceptionRecord->ExceptionCode==EXCEPTION_BREAKPOINT){
if( ExceptionRecord->NumberParameters>1 && ExceptionRecord->ExceptionInformation[0]==PARAM){
IcmpSendEcho2Ex=(FARPROC)ExceptionRecord->ExceptionInformation[1];
printf("IcmpSendEcho2Ex %p\n", IcmpSendEcho2Ex);
if( !BreakpointSet(hProcess, IcmpSendEcho2Ex, &originalByte)){
perror("BreakpointSet");
break;
}
}
else if( ExceptionRecord->ExceptionAddress==IcmpSendEcho2Ex){
printf("EIP %p\n", IcmpSendEcho2Ex);
if( !BreakpointRetrieve(hProcess, IcmpSendEcho2Ex, &originalByte)){
perror("BreakpointRetrieve");
break;
}
if((hThread=(HANDLE)OpenThread(THREAD_ALL_ACCESS, FALSE, debugEvent.dwThreadId))==NULL) puts("OpenThread");
if(!GetThreadContext(hThread, &context)) puts("GetThreadContext");
context.Eip -= 1;
if(!SetThreadContext(hThread, &context)) puts("SetThreadContext");
CreateThread(NULL, 0, (void *)Terminate, hProcess, 0, NULL);
}
}
else if( debugEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT){
puts("Exception!");
DebugActiveProcessStop(debugEvent.dwProcessId);
break;
}
ContinueDebugEvent(debugEvent.dwProcessId, debugEvent.dwThreadId, DBG_CONTINUE);
ZeroMemory(&debugEvent, sizeof(DEBUG_EVENT));
}
return 0;
}
bool DebugFrontend::StartProcessAndRunToEntry(LPCSTR exeFileName, LPSTR commandLine, LPCSTR directory, PROCESS_INFORMATION& processInfo)
{
STARTUPINFO startUpInfo = { 0 };
startUpInfo.cb = sizeof(startUpInfo);
ExeInfo info;
if (!GetExeInfo(exeFileName, info) || info.entryPoint == 0)
{
MessageEvent("Error: The entry point for the application could not be located", MessageType_Error);
return false;
}
if (!info.i386)
{
MessageEvent("Error: Debugging 64-bit applications is not supported", MessageType_Error);
return false;
}
DWORD flags = DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS;
if (!CreateProcess(NULL, commandLine, NULL, NULL, TRUE, flags, NULL, directory, &startUpInfo, &processInfo))
{
OutputError(GetLastError());
return false;
}
// Running to the entry point currently doesn't work for managed applications, so
// just start it up.
if (!info.managed)
{
unsigned long entryPoint = info.entryPoint;
BYTE breakPointData;
bool done = false;
while (!done)
{
DEBUG_EVENT debugEvent;
WaitForDebugEvent(&debugEvent, INFINITE);
DWORD continueStatus = DBG_EXCEPTION_NOT_HANDLED;
if (debugEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT)
{
if (debugEvent.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_SINGLE_STEP ||
debugEvent.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT)
{
CONTEXT context;
context.ContextFlags = CONTEXT_FULL;
GetThreadContext(processInfo.hThread, &context);
if (context.Eip == entryPoint + 1)
{
// Restore the original code bytes.
SetBreakpoint(processInfo.hProcess, (LPVOID)entryPoint, false, &breakPointData);
done = true;
// Backup the instruction pointer so that we execute the original instruction.
--context.Eip;
SetThreadContext(processInfo.hThread, &context);
// Suspend the thread before we continue the debug event so that the program
// doesn't continue to run.
SuspendThread(processInfo.hThread);
}
continueStatus = DBG_CONTINUE;
}
}
else if (debugEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT)
{
done = true;
}
else if (debugEvent.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT)
{
// Offset the entry point by the load address of the process.
entryPoint += reinterpret_cast<size_t>(debugEvent.u.CreateProcessInfo.lpBaseOfImage);
// Write a break point at the entry point of the application so that we
// will stop when we reach that point.
SetBreakpoint(processInfo.hProcess, reinterpret_cast<void*>(entryPoint), true, &breakPointData);
CloseHandle(debugEvent.u.CreateProcessInfo.hFile);
}
else if (debugEvent.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT)
{
CloseHandle(debugEvent.u.LoadDll.hFile);
}
ContinueDebugEvent(debugEvent.dwProcessId, debugEvent.dwThreadId, continueStatus);
}
}
DebugActiveProcessStop(processInfo.dwProcessId);
return true;
}
extern "C" int __declspec(dllexport) ExitDebugging()
{
DebugActiveProcessStop(dwPid);
ExitProcess(0);
return 1;
}
