Windows-API: Software-Haltepunkte werden nicht erreicht ⇐ Python

[Anonymous]

Ich verwende Python, um einen rudimentären Debugger zu schreiben, der Windows-APIs zum Debuggen von C-Quelldateien verwendet. Ich stecke beim Erstellen der Software-Haltepunkte fest. Ich habe etwas recherchiert und diesen Artikel gefunden, der erklärt, dass das Festlegen von Software-Haltepunkten das Setzen von 0xCC auf einen Speicherort beinhaltet.

Code: Select all

original = ctypes.c_ubyte()
bytes_read = SIZE_T()
handle = OpenProcess(PROCESS_ALL_ACCESS, False, self.process_id)

# Read original byte
ReadProcessMemory(handle, address, ctypes.byref(original), 1, ctypes.byref(bytes_read))

# Write INT3
int3 = ctypes.c_ubyte(0xCC)
bytes_written = SIZE_T()
WriteProcessMemory(handle, address, ctypes.byref(int3), 1, ctypes.byref(bytes_written))

self.breakpoints[address] = original.value
CloseHandle(handle)

Abrufen der Adresse mithilfe von Comtypes, die das MSDIA SDK zum Parsen einer PDB-Datei verwenden:

Code: Select all

source_files = self.session.findFile(None, r"/path/to/source/file.c", 0x2 | 0x4)
source_file = source_files.Item(0)
line_numbers = self.session.findLinesByLinenum(source_file.compilands[0], source_file, line, 0)
line_number = line_numbers.Next(1)[0]
address = self.base_address + line_number.addressOffset  # + line_number.virtualAddress

Logik zur Handhabung von Software-Haltepunkten:

Code: Select all

def handle_software_breakpoint(self, thread_id, exception_address):
"""Handle a software breakpoint hit (INT3)"""
if exception_address not in self.breakpoints:
print("[!] Breakpoint hit at unknown address 0x%X" % exception_address)
return

# Fix instruction pointer to re-execute original instruction
context = CONTEXT32()
context.ContextFlags = CONTEXT_ALL
thread_handle = OpenThread(THREAD_ALL_ACCESS, False, thread_id)
GetThreadContext(thread_handle, ctypes.byref(context))
context.Eip -= 1  # Rewind past INT3
SetThreadContext(thread_handle, ctypes.byref(context))
CloseHandle(thread_handle)

original_byte = self.breakpoints[exception_address]
handle = OpenProcess(PROCESS_ALL_ACCESS, False, self.process_id)
# Restore original instruction byte
orig = ctypes.c_ubyte(original_byte)
size = SIZE_T()
WriteProcessMemory(handle, exception_address, ctypes.byref(orig), 1, ctypes.byref(size))
CloseHandle(handle)

print("[*] Software breakpoint handled at 0x%X" % exception_address)

Der einzige Haltepunkt, der behandelt wird, ist jedoch die Adresse 0x77BF1B52. Wie kann ich sicherstellen, dass die Haltepunkte erreicht werden? Muss man beim Lesen von Speicheradressen aus einer Zeile im Quellcode Kommentare berücksichtigen?

Python/C/C++-Lösungen sind akzeptabel.
Unten ist die Debug-Schleife:

Code: Select all

def run_debug_loop(self):
print("[+] Starting debug loop... waiting for events.")
debug_event = DEBUG_EVENT()

while WaitForDebugEvent(ctypes.byref(debug_event), INFINITE):
code = debug_event.dwDebugEventCode
pid = debug_event.dwProcessId
tid = debug_event.dwThreadId

if code == CREATE_PROCESS_DEBUG_EVENT:
print("[+] Process created, setting breakpoints...")
# Example: set a breakpoint at main()
self.set_software_breakpoint(self.io_addresses["B"])
ResumeThread(self.thread_handle)

elif code == EXCEPTION_DEBUG_EVENT:
record = debug_event.u.Exception.ExceptionRecord
exc_code = record.ExceptionCode
addr = record.ExceptionAddress

if exc_code == EXCEPTION_BREAKPOINT:
self.handle_software_breakpoint(tid, addr)
elif exc_code == EXCEPTION_SINGLE_STEP:
print("[!] Unexpected single-step (from restored breakpoint)")

elif code == 5:  # EXIT_PROCESS_DEBUG_EVENT
print("[+] Process exited.")
break

ContinueDebugEvent(pid, tid, DBG_CONTINUE)