📄 complete_debug_gatecondition.cpp
字号:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <psapi.h>
void main( VOID )
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
MODULEINFO mi;
// ISDEBUGGERPRESENT PATCH INFO:
DWORD DebugPatch[] = {0x00000000};
// Patch byte info:
// Search (read) byte
BYTE scanbytd[] = {0x02};
// Found (write) byte
BYTE replbytd[] = {0x01};
// MAIN PROGRAM PATCH INFO:
// Patch Address info: # elements in following arrays must be synchronized for Address/scan/replace
DWORD AddressOfPatch[] = {0x00D5D769, 0x00D5D76A};
// Patch byte info:
// Search (read) byte
BYTE scanbyte[] = {0x73, 0x07};
// Found (write) byte
BYTE replbyte[] = {0x90, 0x90};
BYTE DataRead[] = {0};
char FileName[] = "C:\\Program Files\\targetPath\\target.exe";
char b[1024];
BOOL contproc;
HMODULE hMods[2048];
DWORD cbNeeded;
DWORD nMods;
DWORD nPatches;
DWORD Pid[2];
DWORD dwPid;
HANDLE hProcess;
HANDLE hSaveFile;
HANDLE hSaveProcess;
HANDLE hSaveThread;
LPVOID lpMsgBuf;
DWORD dwExit;
DWORD dwRead;
DWORD dwWritten;
DWORD dwContinueStatus;
char *dbdll = "KERNEL32.DLL"; //IsDebuggerPresent dll for loaddll event (if required)
char *mydll = "XXX.DLL"; //specific dll for loaddll event (if required)
int *ProcAdd;
unsigned int i;
unsigned int j;
unsigned int k = 0; //count # of processes
unsigned int l = 0; //count # of breakpoints
unsigned int modlist[200];
DEBUG_EVENT DebugEv; // debugging event information
contproc = TRUE; // default; continue processing = TRUE
dwContinueStatus = DBG_CONTINUE;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
// Start the child process.
if(!CreateProcess( FileName, // No module name (use command line).
NULL, // Command line.
NULL, // Process handle not inheritable.
NULL, // Thread handle not inheritable.
TRUE, // Set handle inheritance to FALSE.
DEBUG_PROCESS, // No creation flags (use for more than 1 process
//DEBUG_PROCESS+DEBUG_ONLY_THIS_PROCESS, //(use for only 1 process)
NULL, // Use parent's environment block.
NULL, // Use parent's starting directory.
&si, // Pointer to STARTUPINFO structure.
&pi )) // Pointer to PROCESS_INFORMATION structure.
{
MessageBox(0,"Unexpected load error","Create Process Failed",MB_OK+MB_TASKMODAL+MB_ICONERROR);
return;
}
while (TRUE) {
// Wait for a debugging event to occur. The second parameter indicates
// that the function does not return until a debugging event occurs.
if (WaitForDebugEvent(&DebugEv, 1000)) { // wait 1 second
// Process the debugging event code.
switch (DebugEv.dwDebugEventCode) {
case EXCEPTION_DEBUG_EVENT: {
// Process the exception code. When handling
// exceptions, remember to set the continuation
// status parameter (dwContinueStatus). This value
// is used by the ContinueDebugEvent function.
switch (DebugEv.u.Exception.ExceptionRecord.ExceptionCode) {
case EXCEPTION_ACCESS_VIOLATION: {
// First chance: Pass this on to the kernel.
// Last chance: Display an appropriate error.
if (DebugEv.u.Exception.dwFirstChance) {
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "EXCEPTION_ACCESS_VIOLATION", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
}
else {
contproc = FALSE;
}
}
break;
case EXCEPTION_ARRAY_BOUNDS_EXCEEDED: {
// The thread tried to access an array element that is out of bounds and
// the underlying hardware supports bounds checking.
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Array bounds exceeded", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
break;
case EXCEPTION_BREAKPOINT: {
// First chance: Display the current
// instruction and register values.
l++;
if (DebugEv.u.Exception.dwFirstChance) {
contproc = TRUE;
//l == # of bp's note: (ntdll has debugbreak X 2 open processes)
//note: if ONLY 1 process and want to avoid INT3 debugger trick,
//change to (l > 1) below:
if (l > 2) {
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
else {
dwContinueStatus = DBG_CONTINUE;
}
}
else {
contproc = FALSE;
}
}
break;
case EXCEPTION_SINGLE_STEP: {
// First chance: Update the display of the
// current instruction and register values.
if (DebugEv.u.Exception.dwFirstChance) {
contproc = TRUE;
dwContinueStatus = DBG_CONTINUE;
}
else {
contproc = FALSE;
}
}
break;
case EXCEPTION_DATATYPE_MISALIGNMENT: {
// First chance: Pass this on to the kernel.
// Last chance: Display an appropriate error.
if (DebugEv.u.Exception.dwFirstChance) {
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
sprintf( b, "First Chance\nException address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Datatype misalignment", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
}
else {
contproc = FALSE;
}
}
break;
case EXCEPTION_FLT_DENORMAL_OPERAND: {
// One of the operands in a floating-point operation is denormal.
// A denormal value is one that is too small to represent as a standard floating-point value.
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Floating-Point denormal operand", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
break;
case EXCEPTION_FLT_DIVIDE_BY_ZERO: {
// The thread tried to divide a floating-point value by a floating-point divisor of zero.
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Floating-Point divide by zero", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
break;
case EXCEPTION_FLT_INEXACT_RESULT: {
// The result of a floating-point operation cannot be represented exactly as a decimal fraction.
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Floating-Point inexact result", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
break;
case EXCEPTION_FLT_INVALID_OPERATION: {
// This exception represents any floating-point exception not included in this list.
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Floating-Point invalid operation", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
break;
case EXCEPTION_FLT_OVERFLOW: {
// The exponent of a floating-point operation is greater than the magnitude allowed
// by the corresponding type.
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Floating-Point overflow", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
break;
case EXCEPTION_FLT_STACK_CHECK: {
// The stack overflowed or underflowed as the result of a floating-point operation
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Floating-Point stack check", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
break;
case EXCEPTION_FLT_UNDERFLOW: {
// The exponent of a floating-point operation is less than the magnitude allowed
// by the corresponding type.
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Floating-Point underflow", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
break;
case EXCEPTION_IN_PAGE_ERROR: {
// The thread tried to access a page that was not present, and the system
// was unable to load the page. For example, this exception might occur
// if a network connection is lost while running a program over the network.
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Integer page error", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
break;
case EXCEPTION_INT_DIVIDE_BY_ZERO: {
// The thread tried to divide an integer value by an integer divisor of zero.
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Integer divide by zero", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
break;
case EXCEPTION_INT_OVERFLOW: {
// The result of an integer operation caused a carry out of the most significant
// bit of the result.
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Integer overflow", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
contproc = TRUE;
dwContinueStatus = DBG_EXCEPTION_NOT_HANDLED;
}
break;
case EXCEPTION_INVALID_DISPOSITION: {
// An exception handler returned an invalid disposition to the exception dispatcher.
// Programmers using a high-level language such as C should never encounter this exception.
sprintf( b, "Exception address:%08X", DebugEv.u.Exception.ExceptionRecord.ExceptionAddress);
MessageBox(NULL, b, "Invalid disposition", MB_OK+MB_TASKMODAL+MB_ICONWARNING);
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -