2022-01-09调试器00



单步步入

t - 单步步入: 逢call必入

实现:
使用TF位

asm
OnTCommand proc lpContext:LPVOID
    ; DWORD OnTCommand(CONTEXT *lpContext)  -- "t", step-into
    ; Every instruction, including a call, is executed under the Trap Flag,
    ; so the next debug event is a single-step exception inside the callee.
    ; dwDecVal = 0: the saved EIP is not rewound here.
    ; Out: eax = whatever SetTFAndDecEip leaves there (callers do not rely on it).
    ; NOTE(review): only the in-memory CONTEXT is modified; committing it to the
    ; thread (SetThreadContext) presumably happens in the caller -- not visible here.
    invoke SetTFAndDecEip, 0, lpContext
    ret
OnTCommand endp

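SetTFAndDecEip proc uses esi edi dwDecVal:DWORD, lpContext:LPVOID
    ; void SetTFAndDecEip(DWORD dwDecVal, CONTEXT *lpContext)  (stdcall, Win32 x86)
    ; Prepares the debuggee thread for a single step: rewinds its saved EIP by
    ; dwDecVal bytes and sets the Trap Flag in its saved EFLAGS.
    ; In:   dwDecVal  - bytes to subtract from regEip (0 = no rewind)
    ;       lpContext - CONTEXT filled in by the caller; only regEip and
    ;                   regFlag are touched. NULL is tolerated and ignored.
    ; Out:  eax = dwDecVal (incidental; callers do not depend on it)
    ; NOTE(review): only the in-memory CONTEXT changes; the caller is expected
    ;       to commit it with SetThreadContext -- not visible in this file.
    EFLAGS_TF equ 100h                      ; EFLAGS bit 8: Trap Flag (single-step)

    mov eax, dwDecVal
    mov edi, lpContext
    assume edi: ptr CONTEXT

    ; Guard against a NULL context so a bad caller cannot crash the debugger.
    .if edi != NULL
        sub [edi].regEip, eax               ; rewind EIP (e.g. back over an executed int3)
        or  [edi].regFlag, EFLAGS_TF        ; raise a single-step exception after the next insn
    .endif

    assume edi: nothing
    ret
SetTFAndDecEip endp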

单步步过

p - 单步步过 : 逢call必跳

实现:
非call指令,直接设置TF标志位
call指令,在其下一条指令处设置临时断点

call指令识别:
使用反汇编引擎

asm
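OnPCommand proc uses ebx esi edi hProcess:HANDLE,lpDebugEvent:LPVOID, lpContext:LPVOID
    ; DWORD OnPCommand(HANDLE hProcess, DEBUG_EVENT *lpDebugEvent, CONTEXT *lpContext)
    ; "p", step-over: if the instruction at the exception address is a call,
    ; arrange for the debuggee to stop at the instruction after it (an already
    ; registered breakpoint there is enough; otherwise a temporary one is set).
    ; Any other instruction is single-stepped with the Trap Flag.
    ; In:   hProcess     - debuggee process handle, used for ReadProcessMemory
    ;       lpDebugEvent - DEBUG_EVENT; its ExceptionAddress is the instruction to step
    ;       lpContext    - thread CONTEXT, passed through to SetTFAndDecEip
    ; Out:  eax = continue status: DBG_CONTINUE when a step was arranged,
    ;       otherwise DBG_EXCEPTION_HANDLED (e.g. the temporary breakpoint failed).
    ; Regs: ebx is written below, so it is saved/restored via 'uses'
    ;       (ebx is callee-saved in the Win32 stdcall ABI).
    LOCAL @dwResult:DWORD
    LOCAL @aryCode[16]:BYTE                 ; raw instruction bytes (longest x86 insn is 15)
    LOCAL @dwBytesToRead:DWORD
    LOCAL @szAsm[MAXBYTE]:BYTE              ; disassembly text from Decode2AsmOpcode
    LOCAL @szOpcode[MAXBYTE]:BYTE
    LOCAL @nAsmLen:UINT                     ; length of the decoded instruction
    LOCAL @dwNextAddr:DWORD                 ; address of the instruction after the call
    LOCAL @dwAddr:DWORD                     ; address of the instruction being stepped
    LOCAL @nIdx:DWORD
    LOCAL @dwLstSize:DWORD
    LOCAL @pBpCmd:ptr tagBPCMD
    xor eax, eax
    mov @dwAddr, eax
    mov @dwNextAddr, eax
    mov @nAsmLen, eax
    mov @dwBytesToRead, eax
    mov @nIdx, eax
    mov @dwLstSize, eax

    mov @dwResult, DBG_EXCEPTION_HANDLED
    invoke RtlZeroMemory, addr @szAsm, sizeof @szAsm
    invoke RtlZeroMemory, addr @szOpcode, sizeof @szOpcode
    invoke RtlZeroMemory, addr @aryCode, sizeof @aryCode

    mov esi, lpDebugEvent
    assume esi: ptr DEBUG_EVENT
    ; The exception address is the instruction the debuggee is stopped at.
    mov ebx, [esi].u.Exception.pExceptionRecord.ExceptionAddress
    mov @dwAddr, ebx
    assume esi: nothing

    ; Decode only if the bytes were really read: on failure @aryCode is still
    ; all zero and decoding it would classify garbage instead of the real insn.
    invoke ReadProcessMemory, hProcess, @dwAddr, addr @aryCode, sizeof @aryCode, addr @dwBytesToRead
    .if eax != 0
        invoke Decode2AsmOpcode, addr @aryCode, addr @szAsm, addr @szOpcode, addr @nAsmLen, @dwAddr
        invoke strstr, addr @szAsm, offset g_strCall    ; non-NULL iff the text contains "call"
    .endif
    ; eax == NULL here both for a failed read and for a non-call instruction.
    .if eax != NULL
        mov eax, @dwAddr
        add eax, @nAsmLen
        mov @dwNextAddr, eax                ; return address of the call

        ; A breakpoint already registered at the return address will stop the
        ; debuggee on return; no temporary one is needed then.
        invoke GetLstSize, offset g_lstBpCmds
        mov @dwLstSize, eax
        .while TRUE
            mov eax, @nIdx
            .if eax >= @dwLstSize
                .break
            .endif
            invoke GetLstAt, offset g_lstBpCmds, @nIdx
            mov @pBpCmd, eax
            assume eax: ptr tagBPCMD
            mov ebx, [eax].m_dwAddr
            assume eax: nothing             ; do not let the assume leak past this proc
            .if ebx == @dwNextAddr
                mov @dwResult, DBG_CONTINUE
                jmp EXIT_PROC
            .endif
            inc @nIdx
        .endw

        ; Otherwise plant a temporary (TRUE) breakpoint at the return address.
        invoke OnBpCommand, hProcess, @dwNextAddr, TRUE
        .if eax == TRUE
            mov @dwResult, DBG_CONTINUE
        .endif
    .else                                   ; was '.elseif' with no condition: '.else' is what is meant
        ; Not a call (or unreadable): single-step it under TF, no EIP rewind.
        invoke SetTFAndDecEip, 0, lpContext
        mov @dwResult, DBG_CONTINUE
    .endif
EXIT_PROC:
    mov eax, @dwResult
    ret
OnPCommand endp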

本文作者:Na1r
