📄 lion-tutorial29.htm
字号:
<html>
<head>
<link rel="stylesheet" href="../../asm.css">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Iczelion's win32 asm tutorial</title>
</head>
<body bgcolor="#FFFFFF" background="../../images/back01.jpg">
<p align="center">Tutorial 29: Win32 Debug API Part 2</p>
<hr size="1">
We continue with the subject of win32 debug API. In this tutorial, we will learn
how to modify the debuggee process.<br>
Download <b><a href="files/tut29.zip" style="text-decoration:none">the example</a></b>
<h3>Theory:</h3>
<p>In the previous tutorial, we know how to load the debuggee and handle debug
events that occur in its process. In order to be useful, our program must be
able to modify the debuggee process. There are several APIs just for this purpose.</p>
<ul>
<li><b>ReadProcessMemory</b> This function allows you to read memory in the
specified process. The function prototype is as follows:
<p><b>ReadProcessMemory proto hProcess:DWORD, lpBaseAddress:DWORD, lpBuffer:DWORD,
nSize:DWORD, lpNumberOfBytesRead:DWORD</b></p>
<p><b>hProcess</b> is the handle to the process you want to read.<br>
<b>lpBaseAddress</b> is the address in the target process you want to start
reading. For example, if you want to read 4 bytes from the debuggee process
starting at 401000h, the value in this parameter must be 401000h.<br>
<b>lpBuffer</b> is the address of the buffer to receive the bytes read from
the process. <br>
<b>nSize</b> is the number of bytes you want to read<br>
<b>lpNumberOfBytesRead</b> is the address of the variable of dword size
that receives the number of bytes actually read. If you don't care about
it, you can use NULL.</p>
</li>
<li><b>WriteProcessMemory</b> is the counterpart of <b>ReadProcessMemory</b>.
It enables you to write memory of the target process. Its parameters are exactly
the same as those of <b>ReadProcessMemory</b>
<p>The next two API functions need a little background on context. Under a
multitasking OS like Windows, there can be several programs running at the
same time. Windows gives each thread a timeslice. When that timeslice expires,
Windows freezes the present thread and switches to the next thread that
has the highest priority. Just before switching to the other thread, Windows
saves values in registers of the present thread so that when the time comes
to resume the thread, Windows can restore the last *environment* of that
thread. The saved values of the registers are collectively called a context.
<br>
Back to our subject. When a debug event occurs, Windows suspends the debuggee.
The debuggee's context is saved. Since the debuggee is suspended, we can
be sure that the values in the context will remain unchanged . We can get
the values in the context with <b>GetThreadContext</b> and we can change
them with <b>SetThreadContext</b>.<br>
These two APIs are very powerful. With them, you have at your fingertips
the VxD-like power over the debuggee: you can alter the saved register values
and just before the debuggee resumes execution, the values in the context
will be written back into the registers. Any change you made to the context
is reflected back to the debuggee. Think about it: you can even alter the
value of the eip register and divert the flow of execution to anywhere you
like! You won't be able to do that under normal circumstance.</p>
<p><b>GetThreadContext proto hThread:DWORD, lpContext:DWORD </b></p>
<p><b>hThread</b> is the handle to the thread that you want to obtain the
context from<br>
<b>lpContext</b> is the address of the <b>CONTEXT</b> structure that will
be filled when the function returns successfully.</p>
<p><b>SetThreadContext</b> has exactly the same parameters. Let's see what
a CONTEXT structure looks like:</p>
</li>
<li><b>CONTEXT STRUCT <br>
</b></li>
<li><b>ContextFlags dd ? <br>
;----------------------------------------------------------------------------------------------------------<br>
; This section is returned if ContextFlags contains the value CONTEXT_DEBUG_REGISTERS</b></li>
<li><b>;-----------------------------------------------------------------------------------------------------------<br>
iDr0 dd ? <br>
iDr1 dd ? <br>
iDr2 dd ? <br>
iDr3 dd ? <br>
iDr6 dd ? <br>
iDr7 dd ? <br>
</b></li>
<li><b>;----------------------------------------------------------------------------------------------------------<br>
; This section is returned if ContextFlags contains the value CONTEXT_FLOATING_POINT</b></li>
<li><b>;-----------------------------------------------------------------------------------------------------------<br>
</b></li>
<li><b>FloatSave FLOATING_SAVE_AREA <> <br>
</b></li>
<li><b>;----------------------------------------------------------------------------------------------------------<br>
; This section is returned if ContextFlags contains the value CONTEXT_SEGMENTS</b></li>
<li><b>;-----------------------------------------------------------------------------------------------------------</b></li>
<li><b>regGs dd ? <br>
regFs dd ? <br>
regEs dd ? <br>
regDs dd ? <br>
</b></li>
<li><b>;----------------------------------------------------------------------------------------------------------<br>
; This section is returned if ContextFlags contains the value CONTEXT_INTEGER</b></li>
<li><b>;-----------------------------------------------------------------------------------------------------------</b></li>
<li><b>regEdi dd ? <br>
regEsi dd ? <br>
regEbx dd ? <br>
regEdx dd ? <br>
regEcx dd ? <br>
regEax dd ? <br>
</b></li>
<li><b>;----------------------------------------------------------------------------------------------------------<br>
; This section is returned if ContextFlags contains the value CONTEXT_CONTROL</b></li>
<li><b>;-----------------------------------------------------------------------------------------------------------</b></li>
<li><b>regEbp dd ? <br>
regEip dd ? <br>
regCs dd ? <br>
regFlag dd ? <br>
regEsp dd ? <br>
regSs dd ? <br>
</b></li>
<li><b>;----------------------------------------------------------------------------------------------------------<br>
; This section is returned if ContextFlags contains the value CONTEXT_EXTENDED_REGISTERS</b></li>
<li><b>;-----------------------------------------------------------------------------------------------------------</b></li>
<li><b>ExtendedRegisters db MAXIMUM_SUPPORTED_EXTENSION dup(?) CONTEXT ENDS
</b>
<p>As you can observe, the members of this structures are mimics of the real
processor's registers. Before you can use this structure, you need to specify
which groups of registers you want to read/write in <b>ContextFlags</b>
member. For example, if you want to read/write all registers, you must specify
<b>CONTEXT_FULL</b> in <b>ContextFlags</b>. If you want only to read/write
regEbp, regEip, regCs, regFlag, regEsp or regSs, you must specify <b>CONTEXT_CONTROL</b>
in <b>ContextFlags</b>.</p>
<p>One thing you must remember when using the <b>CONTEXT </b>structure: it
must be aligned on dword boundary else you'd get strange results under NT.
You must put "align dword" just above the line that declares it,
like this: </p>
<p><b>align dword<br>
MyContext CONTEXT <></b></p>
</li>
</ul>
<h3>Example:</h3>
<p>The first example demonstrates the use of <b>DebugActiveProcess</b>. First,
you need to run a target named win.exe which goes in an infinite loop just before
the window is shown on the screen. Then you run the example, it will attach
itself to win.exe and modify the code of win.exe such that win.exe exits the
infinite loop and shows its own window.</p>
<p>.386 <br>
.model flat,stdcall <br>
option casemap:none <br>
include \masm32\include\windows.inc <br>
include \masm32\include\kernel32.inc <br>
include \masm32\include\comdlg32.inc <br>
include \masm32\include\user32.inc <br>
includelib \masm32\lib\kernel32.lib <br>
includelib \masm32\lib\comdlg32.lib <br>
includelib \masm32\lib\user32.lib <br>
<br>
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -