Debugger learningDebugger learning

Debugger learning

• debugger
  • white box debugger
  • black box debugger
    • user mode debugger(ring 3)
    • kernel debugger(ring 0)

when you interact with windows driver(like network driver), the driver works in kernel mode

• windows debugger

  • winDbg
  • OllyDbg

• Linux debugger

  • GNU Debugger(gdb)

• Intelligent debugging

  • PyDbg
  • Immunity Debugger

• debugging theory

  • low-level theory(CPU architecture, stack)

Goal

Create my own debugger for any operation system

CPU architecture

• x86 instruction set

  • x86 assembly
    • instruction(a sentence, high level command, like MOV EAX, EBX)
    • opcode or opreation code (machine language that command CPU executes, like 8BC3)
      
      

• EAX, EDX, ECX, ESI, EDI, EBP, ESP, EBX, EIP(General purpose register)

  • EAX(accumulator register, for calculations and store return values from function calls)
  • EDX(data register, storing extra data for more complex calculation, helper of EAX)
  • ECX(counter register, for loop operation, counts downward)
  • ESI(source index for the input, hold location of input stream, for reading)
  • EDI(destination index for the output, hold location of output stream, for writing)
  • ESP(stack pointer)
  • EBP(base pointer)
  • EBX(for extra storage)
  • EIP(point to current instruction that is being executed)

• Stack

  • store info
    • how a function is called (when called)
    • the parameters it takes(input var)
    • how the function return(return address)
  • Local variables
    • part of memory, where lifecycle exist when function exists
    • local variables are allocated on the stack
    • in the stack, after input parameters and return address push into the stack

Debugger

• debugger

  • debugger run as an endless loop to wait for the debugger event happen
  • when a debugging event occurs, the loop break
  • and a handler is called to deal with the event

• debugger event

  • breakpoint
  • memory violations(access violations or segmentation faults)
  • exeception generated by debugged program

• breakpoints

  • soft breakpoints
    • a single-byte instruction that stops the execution, and passes control to breakpoint handler
  • hardware breakpoints
    • CPU level
    • debugger register(DR0-DR7)
      • DR0-DR3 for addresses
      • DR4, DR5 reserved
      • DR6 status register(determine the type of debugging event)
      • DR7 switch of hardware breakpoint
        • break condition
        • break when executed at a particular address
        • break when data is written to address
        • break on read or write but not execution
          
  • memory breakpoints
    • change the permission on a region or page of memory
    • the memory page is a part of memory that the operating system handles on
      • page execution permission
      • page read permission
      • page write permission
      • guard page permission
        • useful, separating heap from the stack
        • ensure a portion of memory doesn’t grow beyond the boundary

Soft breakpoints

In order to place soft breakpoints, we need to be able to read and write into process's memory.(via ReadProcessMemory() and WriteProcessMemory())

Debug flow

debugger should:

• open an executable file
• attach the debugger to a running process
• be able to capture the state of CPU register at any given time

Exception and stack

the state of stack changes when an exception occurs

the exception is interesting, it can include breakpoints, access violations, improper access permission on memory.
IP(instruction pointer is something currently executing, we should get a handle to the
currently executing thread in the debuggee)

Process and thread

threads are executing inside the process. We can use OpenProcess() to select the thread we want
to handle. the first step is Thread Enumeration.(especially the running threads in the process).
the method corresponds Thread Enumeration is CreateToolhelp32Snapshot() which is from kernal32.dll

Takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes

Remember our target is to obtain the register state from a process. ( be able to capture the state of CPU register at any given time and from any process or threads)

Thread

a process contains at least one thread(main thread)

Context and register

in windows operating system, context is the status of some basic component, like CPU register value is the context of the process or thread. context structure holds all the register values.

typedef struct _WOW64_CONTEXT {
  DWORD                    ContextFlags;
  DWORD                    Dr0;  // debugger regiesters
  DWORD                    Dr1;
  DWORD                    Dr2;
  DWORD                    Dr3;
  DWORD                    Dr6;
  DWORD                    Dr7;
  WOW64_FLOATING_SAVE_AREA FloatSave;
  DWORD                    SegGs; // segment registers
  DWORD                    SegFs;
  DWORD                    SegEs;
  DWORD                    SegDs;
  DWORD                    Edi; // registers
  DWORD                    Esi;
  DWORD                    Ebx;
  DWORD                    Edx;
  DWORD                    Ecx;
  DWORD                    Eax;
  DWORD                    Ebp;
  DWORD                    Eip;
  DWORD                    SegCs;
  DWORD                    EFlags;
  DWORD                    Esp;
  DWORD                    SegSs;
  BYTE                     ExtendedRegisters[WOW64_MAXIMUM_SUPPORTED_EXTENSION];
} WOW64_CONTEXT;

Debugging event handlers

debugging event handlers solve debugging events when they occur.

Order

• CREATE_PROCESS_DEBUG_EVENT
• LOAD_DLL_DEBUG_EVENT
• CREATE_THREAD_DEBUG_EVENT
• EXCEPTION_DEBUG_EVENT
• EXIT_THREAD_DEBUG_EVENT

最后

以上就是虚心项链为你收集整理的Debugger learningDebugger learning的全部内容，希望文章能够帮你解决Debugger learningDebugger learning所遇到的程序开发问题。

如果觉得靠谱客网站的内容还不错，欢迎将靠谱客网站推荐给程序员好友。