📄 lion-tut-c30.htm
字号:
<html>
<head>
<link rel="stylesheet" href="../../asm.css">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Iczelion's win32 asm tutorial</title>
</head>
<body bgcolor="#FFFFFF" background="../../images/back01.jpg">
<p align="center">第30课: Win32调试API 第三部分</p>
<hr size="1">
在本章中,我们将继续探讨win32调试api。特别地,我们将学习如何去跟踪被调试程序.<br>
下载 <b><a href="files/tut30.zip" style="text-decoration:none">例子</a></b>.
<h3>理论:</h3>
<p>如果你以前使用过调试器,那么你应对跟踪比较熟悉。当"跟踪"一个程序时,
程序在每执行一条指令后将会停止,这使你有机会去检查寄存器/内存中的值。这种单步运
行的官方定义为跟踪(tracing)。<br>
单步运行的特色是由CPU本身提供的。标志寄存器的第8位称为<b>陷阱标志trap flag</b>。
如果该位设置,则CPU运行于单步模式。CPU将在每条指令后产生一个debug异常。当debug
异常产生后,陷阱标志自动清除。利用win32调试api,我们也可以单步运行被调试程序。
方法如下:</p>
<ol>
<li>调用<b>GetThreadContext</b>, 指定<b> ContextFlags</b>为<b>CONTEXT_CONTROL</b>,
来获得标志寄存器的值</li>
<li>设置<b>CONTEXT</b>结构成员标志寄存器<b>regFlag</b>中的陷阱标志位</li>
<li>调用<b> SetThreadContext </b></li>
<li>等待调式事件。被调试程序将按单步模式执行,在每执行一条指令后,我们将得到调试
事件,<b>u.Exception.pExceptionRecord.ExceptionCode</b>值为<b>EXCEPTION_SINGLE_STEP</b></li>
<li>如果要跟踪下一条指令,需要再次设置陷阱标志位。</li>
</ol>
<h3>例:</h3>
<p>.386<br>
.model flat,stdcall <br>
option casemap:none <br>
include \masm32\include\windows.inc <br>
include \masm32\include\kernel32.inc <br>
include \masm32\include\comdlg32.inc <br>
include \masm32\include\user32.inc <br>
includelib \masm32\lib\kernel32.lib <br>
includelib \masm32\lib\comdlg32.lib <br>
includelib \masm32\lib\user32.lib <br>
<br>
.data <br>
AppName db "Win32 Debug Example no.4",0 <br>
ofn OPENFILENAME <> <br>
FilterString db "Executable Files",0,"*.exe",0 <br>
db
"All Files",0,"*.*",0,0 <br>
ExitProc db "The debuggee exits",0Dh,0Ah <br>
db "Total Instructions executed
: %lu",0 <br>
TotalInstruction dd 0<br>
<br>
.data? <br>
buffer db 512 dup(?) <br>
startinfo STARTUPINFO <> <br>
pi PROCESS_INFORMATION <> <br>
DBEvent DEBUG_EVENT <> <br>
context CONTEXT <> <br>
<br>
.code <br>
start: <br>
mov ofn.lStructSize,SIZEOF ofn <br>
mov ofn.lpstrFilter, OFFSET FilterString <br>
mov ofn.lpstrFile, OFFSET buffer <br>
mov ofn.nMaxFile,512 <br>
mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER
or OFN_HIDEREADONLY <br>
invoke GetOpenFileName, ADDR ofn <br>
.if eax==TRUE <br>
invoke GetStartupInfo,addr startinfo <br>
invoke CreateProcess, addr buffer, NULL, NULL, NULL, FALSE,
DEBUG_PROCESS+ DEBUG_ONLY_THIS_PROCESS, NULL, NULL, addr startinfo, addr pi
<br>
.while TRUE <br>
invoke WaitForDebugEvent, addr DBEvent,
INFINITE <br>
.if DBEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT
<br>
invoke wsprintf, addr
buffer, addr ExitProc, TotalInstruction <br>
invoke MessageBox, 0,
addr buffer, addr AppName, MB_OK+MB_ICONINFORMATION <br>
.break <br>
.elseif DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
.if DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_BREAKPOINT
<br>
mov
context.ContextFlags, CONTEXT_CONTROL <br>
invoke
GetThreadContext, pi.hThread, addr context <br>
or
context.regFlag,100h <br>
invoke
SetThreadContext,pi.hThread, addr context <br>
invoke
ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE <br>
.continue
<br>
.elseif DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_SINGLE_STEP
<br>
inc
TotalInstruction <br>
invoke
GetThreadContext,pi.hThread,addr context or context.regFlag,100h <br>
invoke
SetThreadContext,pi.hThread, addr context <br>
invoke
ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId,DBG_CONTINUE <br>
.continue
<br>
.endif <br>
.endif <br>
invoke ContinueDebugEvent, DBEvent.dwProcessId,
DBEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED <br>
.endw <br>
.endif <br>
invoke CloseHandle,pi.hProcess <br>
invoke CloseHandle,pi.hThread <br>
invoke ExitProcess, 0 <br>
end start </p>
<h3>分析:</h3>
<p>该程序先显示一个打开文件对话框,当用户选择了一个可执行文件,它将单步执行该程序,
并记录执行的指令数,直到被调试程序退出运行。
</p>
<p> .elseif DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
.if DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_BREAKPOINT
</p>
<p>利用该机会来设置被调试程序为单步运行模式。记住,在执行被调试程序的第一条指令前
windows将发送一个EXCEPTION_BREAKPOINT消息。
</p>
<p> mov
context.ContextFlags, CONTEXT_CONTROL <br>
invoke
GetThreadContext, pi.hThread, addr context </p>
<p>调用<b>GetThreadContext</b>,以被调试程序的当前寄存器内容来填充<b>CONTEXT </b>结构
特别地,我们需要标志寄存器的当前值。</p>
<p> or
context.regFlag,100h </p>
<p>设置标志寄存器映象的陷阱位(第8位)</p>
<p> invoke
SetThreadContext,pi.hThread, addr context <br>
invoke
ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE <br>
.continue
</p>
<p>然后调用<b>SetThreadContext</b>去覆盖<b>CONTEXT</b>的值。再以<b>DBG_CONTINUE</b>调用
<b>ContinueDebugEvent </b>来恢复被调试程序的运行。</p>
<p> .elseif DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_SINGLE_STEP
<br>
inc
TotalInstruction </p>
<p>当调试程序中一条指令执行后,我们将接收到<b>EXCEPTION_DEBUG_EVENT</b>的调试事件,
必须要检查<b>u.Exception.pExceptionRecord.ExceptionCode</b>的值。如果该值为
<b>EXCEPTION_SINGLE_STEP</b>,那么,该调试事件是单步运行模式造成的。在这种情况
下,<b>TotalInstruction</b>加一,因为我们确切地知道此时被调试程序执行了一条指令。</p>
<p> invoke
GetThreadContext,pi.hThread,addr context or context.regFlag,100h <br>
invoke
SetThreadContext,pi.hThread, addr context <br>
invoke
ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId,DBG_CONTINUE <br>
.continue
<br>
</p>
<p>由于陷阱标志在debug异常后自动清除了,如果我们需要继续保持单步运行模式,则
必须设置陷阱标志位。<br>
<b>警告: 不要用本教程中的此例子来调试大程序: 跟踪是很慢的。你或许需要等待10
多分钟才能关闭被调试程序。
</b><strong>
</strong></p>
<HR SIZE=1>
<DIV align=center> <font face="宋体">
<SCRIPT language=JavaScript1.1 src="../lion-tut-c13.files/textclick"></SCRIPT>
<BR>
</font></DIV>
<font face="宋体"><!-- 10:1 文本广告交换 --> </font>
<DIV align=center> <font face="宋体">
<SCRIPT language=JavaScript1.1 src="../lion-tut-c13.files/c21.htm"></SCRIPT>
<!-- 10:1 文本广告交换 --></font></DIV>
<HR SIZE=1>
<div align="center"> This article come from Iczelion's asm page, 翻译 xjg1124@163.net. Welcom to <a href="http://asm.yeah.net">http://asm.yeah.net</a></div>
</body>
</html>
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -