调试器不会收到断点事件

时间:2015-09-21 14:02:06

标签: c++ windows debugging

我正在学习使用VS2015上的visual c ++编写内存补丁。 windows10。所以我使用DEBUG_PROCESS |'CreateProcess' DEBUG_ONLY_THIS_PROCESS。 然后我很快得到CREATE_PROCESS_DEBUG_EVENT,在那里我写0xcc到我想要破解的那一刻。之后,只是挂在那里的调试目标和'WaitForDebugEvent'无法让我得到任何调试事件。 我转储目标并且INT3确实存在,运行转储文件并执行它应该执行的操作。 这是代码:

    STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi;
HANDLE PatchProcess;
BYTE ReadBuffer[MAX_PATH] = { 0 };
BYTE int3Code[1] = { 0xcc };
BYTE dwOldStyle[4] = { 0x65,0x65,0x65,0x65 };
if (!CreateProcess(FILE_NAME, NULL, NULL, NULL, FALSE, DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS | CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
    std::cout << "CreateProcess failed" << std::endl;
    return false;
}
GetLastError();
PatchProcess = pi.hProcess;
DEBUG_EVENT dbEvent;
CONTEXT Regs;
DWORD dwState, Oldpp;

Regs.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
BOOL WhileDoFlag = true;
while (WhileDoFlag) {
    WaitForDebugEvent(&dbEvent, INFINITE);
    std::cout << "Waiting" << std::endl;
    std::cout << "Debug event code:" << dbEvent.dwDebugEventCode << std::endl;
    dwState = DBG_EXCEPTION_HANDLED;
    switch (dbEvent.dwDebugEventCode)
    {
    case CREATE_PROCESS_DEBUG_EVENT:
        ReadProcessMemory(pi.hProcess, (LPVOID)(BP), &ReadBuffer, 2, NULL);
        GetLastError();
        std::cout << "Code at" << BP << ":" << ReadBuffer[0] << std::endl;
        system("pause");
        VirtualProtectEx(pi.hProcess, (LPVOID)BP, 4, PAGE_EXECUTE_READWRITE, &Oldpp);
        GetLastError();
        WriteProcessMemory(pi.hProcess, (LPVOID)(BP), &int3Code, 2, NULL);
        GetLastError();
        dwState = DBG_CONTINUE;
        break;

    case EXIT_PROCESS_DEBUG_EVENT:
        WhileDoFlag = false;
        break;

    case EXCEPTION_DEBUG_EVENT:
        switch (dbEvent.u.Exception.ExceptionRecord.ExceptionCode)
        {
            case EXCEPTION_BREAKPOINT: 
            {
                GetThreadContext(pi.hThread, &Regs);
                if (Regs.Eip == BP + 1) {
                    Regs.Eip--;
                    WriteProcessMemory(pi.hProcess, (LPVOID)BP, &dwOldStyle, 4, 0);
                    GetLastError();
                    ReadProcessMemory(pi.hProcess, (LPVOID)(Regs.Ebp), &ReadBuffer, 1, 0);
                    GetLastError();
                    MessageBox(0, (char*)ReadBuffer, "patch test", MB_OK);
                    SetThreadContext(pi.hThread, &Regs);
                }
                dwState = DBG_CONTINUE;
                break;
            }
        }
        break;
    }
    ContinueDebugEvent(pi.dwProcessId, pi.dwThreadId, dwState);
}

在Windows上是否有某种安全保护(在XP之后)?

PS:IDA可以使用默认的本地win32调试器从转储文件中获取正确位置的断点。 PS2:使用ollydbg调试转储文件,目标在执行时崩溃

mov dword ptr ss:[esp+0x4],eax

eax是ModuleEntryPoint esp + 0x4也是ModuleEntryPoint 这是一个坏的断点,我添加导致问题吗?

1 个答案:

答案 0 :(得分:0)

0xCC是一个字节,您正在写入2个字节,导致目标进程崩溃,您正在写入的字节之一只是随机垃圾。在呼叫WriteProcessMemory()

时只写一个字节
相关问题
最新问题