Advanced Debugging
About AdvDbg Consult Train Services Products Tools Community Contact  
欢迎光临 高端调试 登录 | 注册 | FAQ
 
  ACPI调试
Linux内核调试
Windows内核调试
 
  调试战役
调试原理
新工具观察
 
  Linux
Windows Vista
Windows
 
  Linux驱动
WDF
WDM
 
  PCI Express
PCI/PCI-X
USB
无线通信协议
 
  64位CPU
ARM
IA-32
  CPU Info Center
 
  ACPI标准
系统认证
Desktop
服务器
 
  Embedded Linux
嵌入式开发工具
VxWorks
WinCE
嵌入式Windows
 
  格蠹调试套件(GDK)
  格蠹学院
  小朱书店
  老雷的微博
  《软件调试》
  《格蠹汇编》
  《软件调试(第二版)》
沪ICP备11027180号-1

Windows内核调试

帖子发起人: icecools   发起时间: 2009-03-26 21:54 下午   回复: 8

Print Search
帖子排序:    
   2009-03-26, 21:54 下午
icecools 离线,最后访问时间: 2009/3/26 21:46:44 icecools

发帖数前200位
注册: 2009-03-26
发 贴: 5
windbg ext中怎么调用被调试程序的函数?
Reply Quote
我自己写了一个windbg的extension,里面需要调用被调试程序的一个函数来显示东西,但我没有找到相应的函数,只看到在windbg里的.call可以,但是写程序怎么实现啊?
比如我有个函数Func1(void* p)
我用fun = GetExpression ("Fun1")得到函数地址,然后用
GetExpression(args)得到我传的参数的地址,然后con = ReadMemroy得到此地址的值,后面调用
fun(con)的时候总是出错,大家有啥办法吗?谢谢!
IP 地址: 已记录   报告
   2009-03-27, 12:47 下午
Raymond 离线,最后访问时间: 2020/7/3 3:40:25 格蠹老雷

发帖数前10位
注册: 2005-12-19
发 贴: 1,303
Re: windbg ext中怎么调用被调试程序的函数?
Reply Quote
可以格式化成.call命令,然后用IDebugControl的Execute接口执行。注意,执行.call命令需要私有符号。
IP 地址: 已记录   报告
   2009-03-31, 11:28 上午
icecools 离线,最后访问时间: 2009/3/26 21:46:44 icecools

发帖数前200位
注册: 2009-03-26
发 贴: 5
Re: windbg ext中怎么调用被调试程序的函数?
Reply Quote
谢谢Raymond.
我参考了网上另一种方法实现了一下,大体为先GetOffsetByName得到函数地址,然后在target上分配一块内存,拼一段调用此函数的代码,执行后int 3返回调试器,调了一下可以工作
IP 地址: 已记录   报告
   2009-04-02, 09:12 上午
aeezguo 离线,最后访问时间: 2010/4/21 7:25:59 guozf

发帖数前10位
男
注册: 2008-12-06
HK
发 贴: 68
Re: windbg ext中怎么调用被调试程序的函数?
Reply Quote
有这种方法的具体的资料么?可以share给我啊?谢谢。
IP 地址: 已记录   报告
   2009-04-02, 17:43 下午
icecools 离线,最后访问时间: 2009/3/26 21:46:44 icecools

发帖数前200位
注册: 2009-03-26
发 贴: 5
Re: windbg ext中怎么调用被调试程序的函数?
Reply Quote
楼上,贴上程序,给你参考下
char PushCode<img src="/emoticons/emotion-14.gif" alt="Devil [6]" /> = "\x68\x00\x00\x00\x00"; // push 0
char CallCode[9] = "\xBA\xF0\xF0\xAD\xDE" // 0 - MOV EDX, 0xdeadf0f0 (address of remote function)
"\xFF\xD2" // 5 - CALL *EDX
"\xCC"; // 7 - int3
const CHAR *FUNCTION_NAME = "MyFunctionsName; //it has a pointer parameter

//The helper function to write code/date to the target process virtual memory
int WriteDataVirtual(PDEBUG_DATA_SPACES dataSpaces, ULONG64 baseAddr, void *data, ULONG dataLen, ULONG *offset)
{
ULONG tempOff = 0;
ULONG bytesWritten;

while (dataSpaces->WriteVirtual(baseAddr + *offset + tempOff, (PVOID)((ULONG) data + tempOff), dataLen - tempOff, &bytesWritten) == S_OK)
{
tempOff += bytesWritten;
if (tempOff == dataLen)
{
break;
}
}

if (tempOff != dataLen)
{
dprintf("WriteVirtual error!\n");
return -1;
}

*offset += dataLen;
return S_OK;
}

//WINDBG will call the MyFunctionsName
HRESULT CALLBACK mycall(PDEBUG_CLIENT Client, PCSTR args)
{
ULONG64 functionAddr, dagAddr, processHandle, moduleBase;
ULONG eipIndex, typeId, pdagCont;
DEBUG_VALUE eipValue;
size_t totalCodeLen;
CONTEXT context;
void *codeSpace;
bool success = false;
HRESULT result = S_OK;

PDEBUG_SYMBOLS debugSymbols;
PDEBUG_ADVANCED debugAdvanced;
PDEBUG_DATA_SPACES debugDataSpaces;
PDEBUG_REGISTERS debugRegisters;
PDEBUG_SYSTEM_OBJECTS debugSystemObjects;
PDEBUG_CONTROL debugControl;

Client->QueryInterface(__uuidof(IDebugSymbols), (void **) &debugSymbols);
Client->QueryInterface(__uuidof(IDebugAdvanced), (void **) &debugAdvanced);
Client->QueryInterface(__uuidof(IDebugDataSpaces), (void **) &debugDataSpaces);
Client->QueryInterface(__uuidof(IDebugRegisters), (void **) &debugRegisters);
Client->QueryInterface(__uuidof(IDebugSystemObjects), (void **) &debugSystemObjects);
Client->QueryInterface(__uuidof(IDebugControl), (void **) &debugControl);

if (!debugSymbols || !debugAdvanced || !debugDataSpaces || !debugRegisters || !debugSystemObjects || !debugControl)
{
dprintf("Query the interface error!\n");
goto E_RELEASE;
}

//Get the function address
result = debugSymbols->GetOffsetByName(FUNCTION_NAME, &functionAddr);
if (result != S_OK)
{
dprintf("Function not found or ambiguous!\n");
goto E_RELEASE;
}

//Get the pointer variable address
result = debugSymbols->GetOffsetByName(args, &dagAddr);
if (result != S_OK)
{
dprintf("DagName not found or ambiguous!\n");
goto E_RELEASE;
}

//Find the pointer variable's type and the module base including the variable
result = debugSymbols->GetSymbolTypeId(args, &typeId, &moduleBase);
if (result != S_OK)
{
dprintf("GetSymbolTypeId not found or ambiguous!\n");
goto E_RELEASE;
}

//Get the pointer from the variable
result = debugSymbols->ReadTypedDataVirtual(dagAddr, moduleBase, typeId, (PVOID)&pdagCont, 4, NULL);
if (result != S_OK)
{
dprintf("ReadTypedDataVirtual error!\n");
goto E_RELEASE;
}

//Get the thread context to prepare for call target function then restore the current context
result = debugAdvanced->GetThreadContext(&context, sizeof(context));
if (result != S_OK)
{
dprintf("GetThreadContexterror!\n");
goto E_RELEASE;
}

//Get target handle
result = debugSystemObjects->GetCurrentProcessHandle(&processHandle);
if (result != S_OK)
{
dprintf("GetCurrentProcessHandle error!\n");
goto E_RELEASE;
}

totalCodeLen = sizeof(PushCode) + sizeof(CallCode);

//Allocate some memory in the target
if (!(codeSpace = VirtualAllocEx((HANDLE) processHandle, NULL, totalCodeLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE )))
{
DWORD error = GetLastError();

LPVOID lpMsgBuf;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPTSTR) &lpMsgBuf, 0, NULL );
dprintf((CHAR *) lpMsgBuf);

dprintf("VirtualAllocEx error!\n");
goto E_RELEASE;
}

ULONG curOffset = 0;

memcpy(&(PushCode[1]), (void *) &(pdagCont), 4);

//Write the following code to target memory(push the parameter to the stack)
//PUSH pVoid
result = WriteDataVirtual(debugDataSpaces, (ULONG64) codeSpace, PushCode, sizeof(PushCode) - 1, &curOffset);
if (result != S_OK)
{
goto E_VFREE;
}

memcpy(&(CallCode[1]), (void *) &functionAddr, 4);
//Write the following code to target memory(call target function and return to debugger)
//MOV EDX, funcitonAddress
//CALL *EDX
//INT 3
result = WriteDataVirtual(debugDataSpaces, (ULONG64) codeSpace, CallCode, sizeof(CallCode) - 1, &curOffset);
if (result != S_OK)
{
goto E_VFREE;
}

//Get EIP value
result = debugRegisters->GetIndexByName("eip", &eipIndex);
if (result != S_OK)
{
dprintf("GetIndexByName error!\n");
goto E_VFREE;
}

result = debugRegisters->GetValue(eipIndex, &eipValue);
if (result != S_OK)
{
dprintf("GetValue error!\n");
goto E_VFREE;
}

// Set the new EIP and go
eipValue.Type = DEBUG_VALUE_INT32;
eipValue.I32 = (ULONG) codeSpace;

result = debugRegisters->SetValue(eipIndex, &eipValue);
if (result != S_OK)
{
dprintf("SetValue error!\n");
goto E_VFREE;
}

//Here we run the code finally!
result = debugControl->SetExecutionStatus(DEBUG_STATUS_GO);
if (result != S_OK)
{
dprintf("SetExecutionStatus error!\n");
goto E_RESTORE;
}

result = debugControl->WaitForEvent(0, INFINITE);

//Return from the target function so we need restore the current thread context
E_RESTORE:
debugAdvanced->SetThreadContext(&context, sizeof(context));

//Do some cleanup work
E_VFREE:
VirtualFreeEx((HANDLE) processHandle, codeSpace, 0, MEM_RELEASE);

E_RELEASE:
if (debugSymbols) debugSymbols->Release();
if (debugAdvanced) debugAdvanced->Release();
if (debugDataSpaces) debugDataSpaces->Release();
if (debugRegisters) debugRegisters->Release();
if (debugSystemObjects) debugSystemObjects->Release();
if (debugControl) debugControl->Release();

return result;
}
IP 地址: 已记录   报告
   2009-04-02, 17:44 下午
icecools 离线,最后访问时间: 2009/3/26 21:46:44 icecools

发帖数前200位
注册: 2009-03-26
发 贴: 5
Re: windbg ext中怎么调用被调试程序的函数?
Reply Quote
第一行应该是
char PushCode[ 6 ] = "\x68\x00\x00\x00\x00"; // push 0
不知道怎么给替换成图标了
IP 地址: 已记录   报告
   2009-04-07, 08:21 上午
aeezguo 离线,最后访问时间: 2010/4/21 7:25:59 guozf

发帖数前10位
男
注册: 2008-12-06
HK
发 贴: 68
Re: windbg ext中怎么调用被调试程序的函数?
Reply Quote
楼上的老兄,这个方法试验过,源代码可以直接work么?谢谢啊。
IP 地址: 已记录   报告
   2009-04-07, 08:47 上午
aeezguo 离线,最后访问时间: 2010/4/21 7:25:59 guozf

发帖数前10位
男
注册: 2008-12-06
HK
发 贴: 68
Re: windbg ext中怎么调用被调试程序的函数?
Reply Quote
还有,这段程序好像 没有包括如何传递参数啊?
IP 地址: 已记录   报告
   2009-04-07, 10:00 上午
icecools 离线,最后访问时间: 2009/3/26 21:46:44 icecools

发帖数前200位
注册: 2009-03-26
发 贴: 5
Re: windbg ext中怎么调用被调试程序的函数?
Reply Quote
当然可以工作,你仔细看代码,调用函数接受一个指针做参数,注意pushcode那部分。。。
IP 地址: 已记录   报告
高端调试 » 软件调试 » Windows内核调试 » Re: windbg ext中怎么调用被调试程序的函数?

 
Legal Notice Privacy Statement Corporate Governance Corporate Governance
(C)2004-2020 ADVDBG.ORG All Rights Reserved.