軟件調試
軟件斷點
調試的本質是什么?
就是在被調試程序中觸發異常,然后被調試程序就會向_DEBUG_OBJECT結構體添加調試事件,這里我們調試器就接管這個異常了(調試的過程就是異常處理的過程)
軟件斷點
在x64dbg中通過快捷鍵F2能下一個軟件中斷,當程序運行到這里時,程序就會停下來,得到程序的控制權,也被稱之為中斷到調試器
本質上就是在當前指定位置的機器碼(硬編碼)改為了int 3,這里可以用其他內存搜索工具查看這個下斷點的地址,可以發現是被改為了int 3(CC)
執行流程
- 被調試進程
- 當CPU檢測到INT 3指令
- 查IDT表找到對應中斷處理函數
- CommonDispatchException
- KiDispatchException
- DbgkForwardException搜集并發送調試事件 -> DbgkpSendApiMessage(x,x)
- 調試器進程
- 循環判斷調試事件
- 取出調試事件
- 獲取CPU寄存器上下文和內存
- 用戶處理
代碼測試
#include<iostream>
#include<windows.h>
#include <stdint.h>
#include <capstone/capstone.h>
#define DEBUGGR_PROCESS L"C:\\Users\\BananaLi\\Desktop\\HookMe.exe"// 保存原始字節
BYTE originalByte;
BYTE int3 = 0xCC; // INT3 斷點指令HANDLE g_hDebugThread;
BOOL bInitCapstone = TRUE;
CONTEXT context = { 0 };
BOOL bIsSystemInt3 = TRUE; // 第一次為系統斷點 ntdll!LdrInitializeThunk
DWORD dwContinue DBG_CONTINUE;LPVOID lpAddress;
HANDLE hProcess;// 定義 Capstone 函數指針類型
typedef unsigned int (*cs_open_fn)(unsigned int arch, unsigned int mode, void** handle);
typedef unsigned int (*cs_disasm_fn)(void* handle, const uint8_t* code, size_t code_size, uint64_t address, size_t count, cs_insn** insn);
typedef void (*cs_free_fn)(cs_insn* insn, size_t count);
typedef unsigned int (*cs_close_fn)(void** handle);void DisassembleHex(HANDLE hProcess, LPVOID address, size_t size) {// 1. 加載 capstone.dllHMODULE capstone_dll = LoadLibrary(L"C:\\Users\\BananaLi\\Desktop\\capstone_x64.dll");if (!capstone_dll) {printf("Failed to load capstone.dll! Error: %d\n", GetLastError());}// 2. 獲取函數指針cs_open_fn cs_open = (cs_open_fn)GetProcAddress(capstone_dll, "cs_open");cs_disasm_fn cs_disasm = (cs_disasm_fn)GetProcAddress(capstone_dll, "cs_disasm");cs_free_fn cs_free = (cs_free_fn)GetProcAddress(capstone_dll, "cs_free");cs_close_fn cs_close = (cs_close_fn)GetProcAddress(capstone_dll, "cs_close");if (!cs_open || !cs_disasm || !cs_free || !cs_close) {printf("Failed to get Capstone functions!\n");FreeLibrary(capstone_dll);}// 3. 初始化 Capstone(x64 模式)void* handle;if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) {printf("Failed to initialize Capstone!\n");FreeLibrary(capstone_dll);}// 2. 從內存讀取指令字節uint8_t code[32];SIZE_T bytesRead;if (!ReadProcessMemory(hProcess, address, code, size, &bytesRead) || bytesRead != size) {printf("Failed to read memory at 0x%p\n", address);cs_close(&handle);return;}// 3. 反匯編cs_insn* insn;size_t count = cs_disasm(handle, code, bytesRead, (uint64_t)address, 0, &insn);if (count > 0) {printf("Disassembly at 0x%p:\n", address);printf("Address | Bytes | Assembly\n");printf("----------------------------------\n");for (size_t i = 0; i < count; i++) {printf("0x%08llx | ", insn[i].address);for (size_t j = 0; j < insn[i].size; j++) {printf("%02x ", insn[i].bytes[j]);}printf("%*s | %s %s\n",(int)(15 - insn[i].size * 3), "",insn[i].mnemonic,insn[i].op_str);}cs_free(insn, count);}else {printf("Failed to disassemble at 0x%p\n", address);}// 4. 關閉引擎cs_close(&handle);
}BOOL WaitForUserCommand() {// 模擬調試器等待用戶輸入命令printf("請輸入命令:\n");system("pause");return TRUE;
}BOOL Int3ExcptionProc(EXCEPTION_DEBUG_INFO* pExceptionInfo) {BOOL bRet = FALSE;// 第一次為系統斷點if (bIsSystemInt3) {bIsSystemInt3 = FALSE;return TRUE;}else {// 恢復原碼BOOL nnn = WriteProcessMemory(hProcess, pExceptionInfo->ExceptionRecord.ExceptionAddress, &originalByte, 1, NULL);printf("error : %d\n", GetLastError());// 顯示斷點位置printf("Int 3斷點地址:0x%p\n",pExceptionInfo->ExceptionRecord.ExceptionAddress);// 獲取線程上下文context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;GetThreadContext(g_hDebugThread, &context);// 修正ripcontext.Rip--;printf("rip的值:0x%p\n\n", context.Rip);GetThreadContext(g_hDebugThread, &context);FlushInstructionCache(GetCurrentProcess(),(LPCVOID)context.Rip,1);printf("------------還原后的正確匯編指令------------\n");// 從斷點位置解釋反匯編代碼DisassembleHex(hProcess, lpAddress,16);// 等待用戶輸入命令while (bRet == FALSE) {bRet = WaitForUserCommand();}}return bRet;
}void setInt3BreakPoint(DEBUG_EVENT* pDebugEvent) {// 獲取進程入口點地址LPTHREAD_START_ROUTINE lpStartAddress = (LPTHREAD_START_ROUTINE)pDebugEvent->u.CreateProcessInfo.lpStartAddress;hProcess = pDebugEvent->u.CreateProcessInfo.hProcess; lpAddress = pDebugEvent->u.CreateProcessInfo.lpStartAddress;printf("斷點位置:0x%p\n",lpAddress);DWORD64 oldAddressData;ReadProcessMemory(hProcess, lpAddress, &oldAddressData, sizeof(DWORD64), NULL);printf("保存前斷點地址對應的硬編碼:%llx\n" , oldAddressData);// 1. 保存原始字節ReadProcessMemory(hProcess, lpAddress, &originalByte, sizeof(BYTE), NULL);printf("保存的originalByte:%llx\n", originalByte);// 2. 寫入INT3指令WriteProcessMemory(hProcess, lpAddress, &int3, sizeof(BYTE), NULL);ReadProcessMemory(hProcess, lpAddress, &oldAddressData, sizeof(DWORD64), NULL);printf("保存后斷點地址對應的硬編碼:%llx\n\n", oldAddressData);printf("------------設置軟件斷點后的匯編指令------------\n");// 從斷點位置解釋反匯編代碼DisassembleHex(hProcess, lpAddress, 16);// 3. 刷新指令緩存FlushInstructionCache(hProcess, lpAddress, sizeof(BYTE));
}// 異常過濾器
BOOL ExceptionHandler(DEBUG_EVENT* pDebugEvent) {BOOL bRet = TRUE;// 得到異常信息EXCEPTION_DEBUG_INFO exceptionInfo = pDebugEvent->u.Exception;// 得到線程句柄g_hDebugThread = OpenThread(THREAD_ALL_ACCESS, FALSE, pDebugEvent->dwThreadId);// 判斷 異常類型switch (exceptionInfo.ExceptionRecord.ExceptionCode) {// int 3 異常case EXCEPTION_BREAKPOINT: {printf("斷點異常\n");bRet = Int3ExcptionProc(&exceptionInfo);break;}// 還有很多其他的異常類型可以處理。。。}return bRet;}int main() {BOOL nIsContinue = TRUE;DEBUG_EVENT debugEvent = { 0 };BOOL bRet = TRUE;// 1.創建調試進程STARTUPINFO startUpInfo = { 0 };PROCESS_INFORMATION pInfo = { 0 };GetStartupInfo(&startUpInfo);bRet = CreateProcess(DEBUGGR_PROCESS, NULL, NULL, NULL, TRUE, DEBUG_PROCESS || DEBUG_ONLY_THIS_PROCESS, NULL, NULL, &startUpInfo, &pInfo);if (bRet == FALSE) {printf("創建調試進程失敗,錯誤碼:%d\n",GetLastError());return 0;}// 調試循環(主框架)while (nIsContinue) {// 2.等待調試事件bRet = WaitForDebugEvent(&debugEvent, INFINITE);if (bRet == FALSE) {printf("等待調試事件失敗,錯誤碼:%d\n", GetLastError());return 0;}switch (debugEvent.dwDebugEventCode) {case EXCEPTION_DEBUG_EVENT: {// 處理異常bRet = ExceptionHandler(&debugEvent);if (!bRet)dwContinue = DBG_EXCEPTION_NOT_HANDLED;break;}case CREATE_PROCESS_DEBUG_EVENT: {// 在OPE入口設置斷點setInt3BreakPoint(&debugEvent);break;}case EXIT_PROCESS_DEBUG_EVENT: {nIsContinue = FALSE;break;}case CREATE_THREAD_DEBUG_EVENT: {break;}case EXIT_THREAD_DEBUG_EVENT: {break;}case LOAD_DLL_DEBUG_EVENT: {break;}case UNLOAD_DLL_DEBUG_EVENT: {break;}default:break;}// 讓被調試程序繼續運行bRet = ContinueDebugEvent(debugEvent.dwProcessId, debugEvent.dwThreadId, dwContinue);}return 0;
}
效果展示
)
)
)