• The Windows debugging and exception mechanism


    1. Preparation
    Attach to the target process:
    BOOL DebugActiveProcess(DWORD dwProcessId);
    Once attached, the target process's debug information, including its exception information, is delivered to this (debugger) process for handling.
     
    2. Wait for debug events:
    BOOL WaitForDebugEvent(LPDEBUG_EVENT lpDebugEvent, DWORD dwMilliseconds);
    The debug event is returned through the first parameter; the structure carries what the debuggee reported: debug information and exception information.
    The debug event structure:
    typedef struct _DEBUG_EVENT {
        DWORD dwDebugEventCode;   // event code identifying the kind of debug event
        DWORD dwProcessId;        // id of the debuggee process
        DWORD dwThreadId;         // id of the thread that raised the event
        union {
            EXCEPTION_DEBUG_INFO      Exception;
            CREATE_THREAD_DEBUG_INFO  CreateThread;
            CREATE_PROCESS_DEBUG_INFO CreateProcessInfo;
            EXIT_THREAD_DEBUG_INFO    ExitThread;
            EXIT_PROCESS_DEBUG_INFO   ExitProcess;
            LOAD_DLL_DEBUG_INFO       LoadDll;
            UNLOAD_DLL_DEBUG_INFO     UnloadDll;
            OUTPUT_DEBUG_STRING_INFO  DebugString;
            RIP_INFO                  RipInfo;
        } u;
    } DEBUG_EVENT, *LPDEBUG_EVENT;
    dwDebugEventCode takes one of the following values (name, numeric value, meaning):

    CREATE_PROCESS_DEBUG_EVENT  3  Reports a create-process debugging event. The value of u.CreateProcessInfo specifies a CREATE_PROCESS_DEBUG_INFO structure.
    CREATE_THREAD_DEBUG_EVENT   2  Reports a create-thread debugging event. The value of u.CreateThread specifies a CREATE_THREAD_DEBUG_INFO structure.
    EXCEPTION_DEBUG_EVENT       1  Reports an exception debugging event. The value of u.Exception specifies an EXCEPTION_DEBUG_INFO structure.
    EXIT_PROCESS_DEBUG_EVENT    5  Reports an exit-process debugging event. The value of u.ExitProcess specifies an EXIT_PROCESS_DEBUG_INFO structure.
    EXIT_THREAD_DEBUG_EVENT     4  Reports an exit-thread debugging event. The value of u.ExitThread specifies an EXIT_THREAD_DEBUG_INFO structure.
    LOAD_DLL_DEBUG_EVENT        6  Reports a load-dynamic-link-library (DLL) debugging event. The value of u.LoadDll specifies a LOAD_DLL_DEBUG_INFO structure.
    OUTPUT_DEBUG_STRING_EVENT   8  Reports an output-debugging-string debugging event. The value of u.DebugString specifies an OUTPUT_DEBUG_STRING_INFO structure.
    RIP_EVENT                   9  Reports a RIP-debugging event (system debugging error). The value of u.RipInfo specifies a RIP_INFO structure.
    UNLOAD_DLL_DEBUG_EVENT      7  Reports an unload-DLL debugging event. The value of u.UnloadDll specifies an UNLOAD_DLL_DEBUG_INFO structure.

    These values correspond one-to-one with the members of the union in the debug event structure. The events are normally dispatched with a switch on dwDebugEventCode, and the details of each event are read from the matching union member.


    3. Once the event has been retrieved it can be handled, but after WaitForDebugEvent returns successfully the debuggee is suspended, so after handling the event the debuggee must be resumed:

    BOOL ContinueDebugEvent(DWORD dwProcessId, DWORD dwThreadId, DWORD dwContinueStatus);
    For the third parameter:

    If the DBG_CONTINUE flag is specified for this parameter and the thread specified by the dwThreadId parameter previously reported an EXCEPTION_DEBUG_EVENT debugging event, the function stops all exception processing and continues the thread.

    For any other debugging event, this flag continues the thread.

    If the DBG_EXCEPTION_NOT_HANDLED flag is specified for this parameter and the thread specified by dwThreadId previously reported an EXCEPTION_DEBUG_EVENT debugging event, the function continues exception processing.

    If this is a first-chance exception event, the search and dispatch logic of the structured exception handler is used; otherwise, the process is terminated.

    For any other debugging event, this flag continues the thread. 

    So DBG_CONTINUE is generally used to let the debuggee keep running.
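    The three steps above as one runnable example. This is an added illustration, not code from the original post: a minimal debugger loop written in Python with ctypes rather than C, so that the DEBUG_EVENT layout and the switch on dwDebugEventCode can be exercised offline on any platform, while the kernel32 calls (DebugActiveProcess, WaitForDebugEvent, ContinueDebugEvent, DebugActiveProcessStop) only run on Windows. handle_debug_event, debug_loop, EVENT_NAMES and DEBUG_EVENT_SIZE are names chosen here, not Win32 identifiers; the numeric event codes, continue statuses and exception codes are the documented Win32 values.

```python
"""Win32 debug-event loop with ctypes (added example, not from the original post).
Structures and the dwDebugEventCode dispatcher are plain Python and run anywhere;
only debug_loop() calls kernel32 and therefore needs Windows."""
import ctypes
import sys

# Win32 typedefs spelled out so the module also imports on non-Windows hosts.
DWORD, WORD, BOOL = ctypes.c_uint32, ctypes.c_uint16, ctypes.c_int32
HANDLE = LPVOID = ctypes.c_void_p
ULONG_PTR = ctypes.c_size_t
INFINITE = 0xFFFFFFFF

# dwDebugEventCode values (the table in the post).
EVENT_NAMES = {1: "EXCEPTION_DEBUG_EVENT", 2: "CREATE_THREAD_DEBUG_EVENT", 3: "CREATE_PROCESS_DEBUG_EVENT",
               4: "EXIT_THREAD_DEBUG_EVENT", 5: "EXIT_PROCESS_DEBUG_EVENT", 6: "LOAD_DLL_DEBUG_EVENT",
               7: "UNLOAD_DLL_DEBUG_EVENT", 8: "OUTPUT_DEBUG_STRING_EVENT", 9: "RIP_EVENT"}
EXCEPTION_DEBUG_EVENT, EXIT_THREAD_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT, LOAD_DLL_DEBUG_EVENT = 1, 4, 5, 6

# dwContinueStatus values for ContinueDebugEvent, plus the exception codes a debugger owns itself.
DBG_CONTINUE, DBG_EXCEPTION_NOT_HANDLED = 0x00010002, 0x80010001
EXCEPTION_BREAKPOINT, EXCEPTION_SINGLE_STEP, EXCEPTION_ACCESS_VIOLATION = 0x80000003, 0x80000004, 0xC0000005

class EXCEPTION_RECORD(ctypes.Structure): pass  # fields assigned below: the struct points at its own type
EXCEPTION_RECORD._fields_ = [("ExceptionCode", DWORD), ("ExceptionFlags", DWORD),
                             ("ExceptionRecord", ctypes.POINTER(EXCEPTION_RECORD)), ("ExceptionAddress", LPVOID),
                             ("NumberParameters", DWORD), ("ExceptionInformation", ULONG_PTR * 15)]

# The union members of DEBUG_EVENT, in the order the post lists them.
class EXCEPTION_DEBUG_INFO(ctypes.Structure): _fields_ = [("ExceptionRecord", EXCEPTION_RECORD), ("dwFirstChance", DWORD)]
class CREATE_THREAD_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("hThread", HANDLE), ("lpThreadLocalBase", LPVOID), ("lpStartAddress", LPVOID)]
class CREATE_PROCESS_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("hFile", HANDLE), ("hProcess", HANDLE), ("hThread", HANDLE), ("lpBaseOfImage", LPVOID),
                ("dwDebugInfoFileOffset", DWORD), ("nDebugInfoSize", DWORD), ("lpThreadLocalBase", LPVOID),
                ("lpStartAddress", LPVOID), ("lpImageName", LPVOID), ("fUnicode", WORD)]
class EXIT_THREAD_DEBUG_INFO(ctypes.Structure): _fields_ = [("dwExitCode", DWORD)]
class EXIT_PROCESS_DEBUG_INFO(ctypes.Structure): _fields_ = [("dwExitCode", DWORD)]
class LOAD_DLL_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("hFile", HANDLE), ("lpBaseOfDll", LPVOID), ("dwDebugInfoFileOffset", DWORD),
                ("nDebugInfoSize", DWORD), ("lpImageName", LPVOID), ("fUnicode", WORD)]
class UNLOAD_DLL_DEBUG_INFO(ctypes.Structure): _fields_ = [("lpBaseOfDll", LPVOID)]
class OUTPUT_DEBUG_STRING_INFO(ctypes.Structure):
    _fields_ = [("lpDebugStringData", LPVOID), ("fUnicode", WORD), ("nDebugStringLength", WORD)]
class RIP_INFO(ctypes.Structure): _fields_ = [("dwError", DWORD), ("dwType", DWORD)]

class _DEBUG_EVENT_UNION(ctypes.Union):
    _fields_ = [("Exception", EXCEPTION_DEBUG_INFO), ("CreateThread", CREATE_THREAD_DEBUG_INFO),
                ("CreateProcessInfo", CREATE_PROCESS_DEBUG_INFO), ("ExitThread", EXIT_THREAD_DEBUG_INFO),
                ("ExitProcess", EXIT_PROCESS_DEBUG_INFO), ("LoadDll", LOAD_DLL_DEBUG_INFO),
                ("UnloadDll", UNLOAD_DLL_DEBUG_INFO), ("DebugString", OUTPUT_DEBUG_STRING_INFO),
                ("RipInfo", RIP_INFO)]

class DEBUG_EVENT(ctypes.Structure):
    _fields_ = [("dwDebugEventCode", DWORD), ("dwProcessId", DWORD), ("dwThreadId", DWORD), ("u", _DEBUG_EVENT_UNION)]
DEBUG_EVENT_SIZE = ctypes.sizeof(DEBUG_EVENT)  # 96 bytes with 32-bit pointers, 176 with 64-bit ones

def handle_debug_event(evt):
    """The switch on dwDebugEventCode. Returns (log line, dwContinueStatus for ContinueDebugEvent)."""
    code = evt.dwDebugEventCode
    detail, status = "", DBG_CONTINUE  # DBG_CONTINUE is the right answer for every non-exception event
    if code == EXCEPTION_DEBUG_EVENT:
        rec, first = evt.u.Exception.ExceptionRecord, evt.u.Exception.dwFirstChance
        detail = (f"code=0x{rec.ExceptionCode:08X} at 0x{rec.ExceptionAddress or 0:X} "
                  f"({'first' if first else 'second'} chance)")
        if rec.ExceptionCode not in (EXCEPTION_BREAKPOINT, EXCEPTION_SINGLE_STEP):
            # Not a debugger-owned exception: DBG_CONTINUE would re-run the faulting instruction and fault
            # again forever, so pass it on to the debuggee's SEH chain (second chance: the process dies).
            status = DBG_EXCEPTION_NOT_HANDLED
    elif code == LOAD_DLL_DEBUG_EVENT:
        detail = f"base=0x{evt.u.LoadDll.lpBaseOfDll or 0:X}"
    elif code in (EXIT_THREAD_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT):
        detail = f"exit_code={evt.u.ExitProcess.dwExitCode}"  # ExitThread and ExitProcess share one layout
    name = EVENT_NAMES.get(code, f"UNKNOWN({code})")
    return f"[pid {evt.dwProcessId} tid {evt.dwThreadId}] {name} {detail}".rstrip(), status

def debug_loop(pid):
    """Steps 1-3 of the post: attach, wait for an event, handle it, resume; stops when the debuggee exits."""
    if sys.platform != "win32":
        raise RuntimeError("DebugActiveProcess/WaitForDebugEvent exist only on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.DebugActiveProcess.argtypes, k32.DebugActiveProcess.restype = [DWORD], BOOL
    k32.DebugActiveProcessStop.argtypes, k32.DebugActiveProcessStop.restype = [DWORD], BOOL
    k32.WaitForDebugEvent.argtypes, k32.WaitForDebugEvent.restype = [ctypes.POINTER(DEBUG_EVENT), DWORD], BOOL
    k32.ContinueDebugEvent.argtypes, k32.ContinueDebugEvent.restype = [DWORD, DWORD, DWORD], BOOL
    if not k32.DebugActiveProcess(pid):  # step 1: attach (needs the right to debug that process)
        raise ctypes.WinError(ctypes.get_last_error())
    evt = DEBUG_EVENT()
    try:
        while k32.WaitForDebugEvent(ctypes.byref(evt), INFINITE):  # step 2: debuggee is suspended on return
            line, status = handle_debug_event(evt)
            print(line)
            k32.ContinueDebugEvent(evt.dwProcessId, evt.dwThreadId, status)  # step 3: resume it
            if evt.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT:
                break
    finally:
        k32.DebugActiveProcessStop(pid)  # detach cleanly if we stop before the debuggee exits

if __name__ == "__main__":
    debug_loop(int(sys.argv[1]))  # usage: python debug_loop.py <pid>
```

    On Windows, `python debug_loop.py <pid>` prints one line per event until the debuggee exits. The one design choice worth noticing is in handle_debug_event: DBG_CONTINUE is returned for every non-exception event and for the breakpoint and single-step exceptions the debugger itself caused, but an exception the debugger did not cause (an access violation, for instance) is answered with DBG_EXCEPTION_NOT_HANDLED, because swallowing it with DBG_CONTINUE would resume the thread at the same faulting instruction.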





  • Original URL: https://www.cnblogs.com/freesec/p/6168831.html