    <font color="#FFCCCC"> <b>DEBUG_ONLY_THIS_PROCESS </b></font>flag).</font></p>
  <p> <font face="MS Sans Serif" size="-1"><b><font color="#CC9900">u</font></b> 
    is a union that contains more information about the debug event. It can be 
    one of the following structures depending on the value of <font color="#CC9900"><b>dwDebugEventCode</b></font> 
    above. </font></p>
  <table border="1" cellspacing="2" cellpadding="2" align="center">
    <tr bgcolor="#009900"> 
      <th><b><font face="MS Sans Serif" size="-1">value in dwDebugEventCode</font></b></th>
      <th><font face="MS Sans Serif" size="-1">Interpretation of u</font></th>
    </tr>
    <tr> 
      <td><b><font face="MS Sans Serif" size="-1">CREATE_PROCESS_DEBUG_EVENT</font></b></td>
      <td><font face="MS Sans Serif" size="-1"> A <font color="#FFCCCC"><b>CREATE_PROCESS_DEBUG_INFO</b></font> 
        structure named <font color="#CCCCFF"><b><font color="#FF6666">CreateProcessInfo</font></b></font></font></td>
    </tr>
    <tr> 
      <td><b><font face="MS Sans Serif" size="-1">EXIT_PROCESS_DEBUG_EVENT</font></b></td>
      <td><font face="MS Sans Serif" size="-1">An <font color="#FFCCCC"><b>EXIT_PROCESS_DEBUG_INFO</b></font> 
        structure named <font color="#FF6666"><b>ExitProcess</b></font></font></td>
    </tr>
    <tr> 
      <td><b><font face="MS Sans Serif" size="-1">CREATE_THREAD_DEBUG_EVENT</font></b></td>
      <td><font face="MS Sans Serif" size="-1">A <font color="#FFCCCC"><b>CREATE_THREAD_DEBUG_INFO</b></font> 
        structure named <font color="#FF6666"><b>CreateThread</b></font></font></td>
    </tr>
    <tr> 
      <td><b><font face="MS Sans Serif" size="-1">EXIT_THREAD_DEBUG_EVENT</font></b></td>
      <td><font face="MS Sans Serif" size="-1">An <font color="#FFCCCC"><b>EXIT_THREAD_DEBUG_INFO 
        </b></font>structure named <font color="#FF6666"><b>ExitThread</b></font></font></td>
    </tr>
    <tr> 
      <td><b><font face="MS Sans Serif" size="-1">LOAD_DLL_DEBUG_EVENT</font></b></td>
      <td><font face="MS Sans Serif" size="-1">A <font color="#FFCCCC"><b>LOAD_DLL_DEBUG_INFO</b></font> 
        structure named<font color="#FF6666"><b> LoadDll</b></font></font></td>
    </tr>
    <tr> 
      <td><b><font face="MS Sans Serif" size="-1">UNLOAD_DLL_DEBUG_EVENT</font></b></td>
      <td><font face="MS Sans Serif" size="-1">An <font color="#FFCCCC"><b>UNLOAD_DLL_DEBUG_INFO</b></font> 
        structure named <font color="#FF6666"><b>UnloadDll</b></font></font></td>
    </tr>
    <tr> 
      <td><b><font face="MS Sans Serif" size="-1">EXCEPTION_DEBUG_EVENT</font></b></td>
      <td><font face="MS Sans Serif" size="-1">An <font color="#FFCCCC"><b>EXCEPTION_DEBUG_INFO</b></font> 
        structure named <font color="#FF6666"><b>Exception</b></font></font></td>
    </tr>
    <tr> 
      <td><b><font face="MS Sans Serif" size="-1">OUTPUT_DEBUG_STRING_EVENT</font></b></td>
      <td><font face="MS Sans Serif" size="-1">An <font color="#FFCCCC"><b>OUTPUT_DEBUG_STRING_INFO 
        </b></font>structure named <font color="#FF6666"><b>DebugString</b></font></font></td>
    </tr>
    <tr> 
      <td><b><font face="MS Sans Serif" size="-1">RIP_EVENT</font></b></td>
      <td><font face="MS Sans Serif" size="-1">A <font color="#FFCCCC"><b>RIP_INFO</b></font> 
        structure named <font color="#FF6666"><b>RipInfo</b></font></font></td>
    </tr>
  </table>
  <p><font face="MS Sans Serif" size="-1">I won't go into detail about all those 
    structures in this tutorial; only the <font color="#FFCCCC"><b>CREATE_PROCESS_DEBUG_INFO 
    </b></font>structure is covered here. <br>
    Assume that our program calls <font color="#FFFFCC"><b>WaitForDebugEvent</b></font> 
    and it returns. The first thing we should do is examine the value in <font color="#CC9900"><b>dwDebugEventCode</b></font> 
    to see which type of debug event occurred in the debuggee process. For example, 
    if the value in <font color="#CC9900"><b>dwDebugEventCode</b></font> is <font color="#FFCCCC"><b>CREATE_PROCESS_DEBUG_EVENT</b></font>, 
    you can interpret the member in <font color="#FFFFCC"><b>u</b></font> as <font color="#FFFFCC"><b>CreateProcessInfo</b></font> 
    and access it with <font color="#CCFFCC"><b>u.CreateProcessInfo</b></font>. 
    </font></p>
  <li><font color="#CCFFCC"><b><font face="MS Sans Serif" size="-1">Do whatever 
    your program wants to do in response to the debug event</font></b></font><font face="MS Sans Serif" size="-1">. 
    When <font color="#FFFFCC"><b>WaitForDebugEvent </b></font>returns, it means 
    that either a debug event just occurred in the debuggee process or the timeout 
    elapsed. Your program needs to examine the value in <font color="#CC9900"><b>dwDebugEventCode</b></font> 
    in order to react to the event appropriately. In this regard, it's like processing 
    Windows messages: you choose to handle some and ignore others. </font></li>
  <li><font face="MS Sans Serif" size="-1"><b><font color="#CCFFCC">Let the debuggee 
    continue execution</font></b>. When a debug event occurs, Windows suspends 
    the debuggee. When you're finished handling the event, you need to set 
    the debuggee running again. You do this by calling the <font color="#FFFFCC"><b>ContinueDebugEvent</b></font> 
    function.</font> 
    <p><font face="MS Sans Serif" size="-1"><b><font color="#33FF33">ContinueDebugEvent 
      proto dwProcessId:DWORD, dwThreadId:DWORD, dwContinueStatus:DWORD</font></b></font></p>
    <p><font face="MS Sans Serif" size="-1">This function resumes the thread that 
      was previously suspended because a debug event occurred.<br>
      <font color="#CC9900"><b>dwProcessId</b></font> and <font color="#CC9900"><b>dwThreadId</b></font> 
      are the process and thread IDs of the thread that will be resumed. You usually 
      take these two values from the <font color="#CCFFCC"><b>dwProcessId</b></font> 
      and <font color="#CCFFCC"><b>dwThreadId</b></font> members of the <font color="#FFCCCC"><b>DEBUG_EVENT</b></font> 
      structure.<br>
      <font color="#CC9900"><b>dwContinueStatus</b></font> specifies how to continue the thread that reported the 
      debug event. There are two possible values:<font color="#CCFFCC"><b> DBG_CONTINUE</b></font> 
      and <font color="#CCFFCC"><b>DBG_EXCEPTION_NOT_HANDLED</b></font>. For every 
      debug event except one, those two values do the same thing: resume the thread. 
      The one exception is <font color="#CCFFCC"><b>EXCEPTION_DEBUG_EVENT</b></font>. 
      If the thread reports an exception debug event, it means an exception occurred 
      in the debuggee thread. If you specify <font color="#CCFFCC"><b>DBG_CONTINUE</b></font>, 
      the thread will ignore its own exception handling and continue with the 
      execution. In this scenario, your program must examine and resolve the exception 
      itself before resuming the thread with <font color="#CCFFCC"><b>DBG_CONTINUE</b></font>, 
      or else the exception will occur again and again. If you specify 
      <font color="#CCFFCC"> <b>DBG_EXCEPTION_NOT_HANDLED</b></font>, your program 
      is telling Windows that it didn't handle the exception: Windows should use 
      the default exception handler of the debuggee to handle the exception. <br>
      In conclusion, if the debug event refers to an exception in the debuggee 
      process, you should call <font color="#FFFFCC"><b>ContinueDebugEvent</b></font> 
      with the <font color="#FFCCCC"><b><font color="#CCFFCC">DBG_CONTINUE</font></b></font> 
      flag if your program has already removed the cause of the exception. Otherwise, 
      your program must call <font color="#FFFFCC"> <b>ContinueDebugEvent</b></font> 
      with the <font color="#CCFFCC"><b>DBG_EXCEPTION_NOT_HANDLED</b></font> flag. 
      There is one case in which you must always use the <font color="#FFCCCC"><b>DBG_CONTINUE</b></font> 
      flag: the first <font color="#FFCCCC"> <b>EXCEPTION_DEBUG_EVENT</b></font>, 
      which has the value <font color="#FFCCCC"><b>EXCEPTION_BREAKPOINT</b></font> 
      in the ExceptionCode member. When the debuggee is about to execute its very 
      first instruction, your program will receive this exception debug event. 
      It's actually a debug break (int 3h). If you respond by calling <font color="#FFFFCC"><b>ContinueDebugEvent 
      </b></font>with the <font color="#FFCCCC"><b>DBG_EXCEPTION_NOT_HANDLED</b></font> 
      flag, Windows NT will refuse to run the debuggee (because no one cares for 
      it). You must always use the <font color="#FFCCCC"><b>DBG_CONTINUE</b></font> 
      flag in this case to tell Windows that you want the thread to go on.</font></p>
  </li>
  <li><font color="#CCFFCC"><b><font face="MS Sans Serif" size="-1">Continue this 
    cycle in an infinite loop until the debuggee process exits</font></b></font><font face="MS Sans Serif" size="-1">. 
    Your program must be in an infinite loop much like a message loop until the 
    debuggee exits. The loop looks like this:</font> 
    <p><font size="-1" face="MS Sans Serif"><b>.while TRUE<br>
      &nbsp;&nbsp;&nbsp; invoke WaitForDebugEvent, addr DebugEvent, INFINITE<br>
      &nbsp;&nbsp;&nbsp;.break .if DebugEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT<br>
      &nbsp;&nbsp;&nbsp;<font color="#CCFFCC">&lt;Handle the debug events&gt;</font><br>
      &nbsp;&nbsp;&nbsp;invoke ContinueDebugEvent, DebugEvent.dwProcessId, DebugEvent.dwThreadId, 
      DBG_EXCEPTION_NOT_HANDLED <br>
      .endw </b></font><br>
    </p>
    <p><font face="MS Sans Serif" size="-1">Here's the catch: Once you start debugging 
      a program, you just can't detach from the debuggee until it exits.</font></p>
  </li>
</ol>
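<p><font face="MS Sans Serif" size="-1">The loop and the continue-status rules described above, combined into one procedure. This is an added example, not part of the original tutorial's listing: <b>DebugLoop</b>, <b>DBEvent</b> and <b>SeenInitBP</b> are hypothetical names, and a single debuggee process is assumed (for example one started with DEBUG_ONLY_THIS_PROCESS).</font></p>

```masm
; Added example, not from the original tutorial. DebugLoop, DBEvent and
; SeenInitBP are hypothetical names. Assumes a single debuggee process.
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data?
DBEvent    DEBUG_EVENT <>
SeenInitBP dd ?                 ; FALSE until the initial int 3h has been seen

.code
; Call after the debuggee has been created or attached to.
DebugLoop proc uses ebx
    mov SeenInitBP, FALSE
    .while TRUE
        invoke WaitForDebugEvent, addr DBEvent, INFINITE
        .break .if eax==0       ; the wait itself failed
        .break .if DBEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT

        ; Default answer: we handled nothing. For non-exception events this
        ; simply resumes the thread, exactly like DBG_CONTINUE would.
        mov ebx, DBG_EXCEPTION_NOT_HANDLED

        .if DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
            .if DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_BREAKPOINT && SeenInitBP==FALSE
                ; The one case that must always be answered with DBG_CONTINUE.
                mov SeenInitBP, TRUE
                mov ebx, DBG_CONTINUE
            .endif
            ; Every other exception goes back to the debuggee's own handlers.
        .elseif DBEvent.dwDebugEventCode==CREATE_PROCESS_DEBUG_EVENT
            ; u may be read as CreateProcessInfo only for this event code.
            ; Close the image file handle so the debugger does not leak it.
            invoke CloseHandle, DBEvent.u.CreateProcessInfo.hFile
        .endif

        invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, ebx
    .endw
    ret
DebugLoop endp
end
```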
<p><font face="MS Sans Serif" size="-1">Let's summarize the steps again:</font></p>
<ol>
  <li><font color="#CCFFCC"><b><font face="MS Sans Serif" size="-1">Create a process 
    or attach your program to a running process</font></b></font><font face="MS Sans Serif" size="-1">.</font></li>
  <li><font color="#CCFFCC"><b><font face="MS Sans Serif" size="-1">Wait for debugging 
    events</font></b></font></li>
  <li><font color="#CCFFCC"><b><font face="MS Sans Serif" size="-1">Do whatever 
    your program wants to do in response to the debug event</font></b></font><font face="MS Sans Serif" size="-1">.</font></li>
  <li><font face="MS Sans Serif" size="-1"><b><font color="#CCFFCC">Let the debuggee 
    continue execution</font></b>.</font></li>
  <li><font color="#CCFFCC"><b><font face="MS Sans Serif" size="-1">Continue this 
    cycle in an infinite loop until the debuggee process exits</font></b></font></li>
</ol>
<h3><font face="MS Sans Serif" size="-1">Example:</font></h3>
<p><font face="MS Sans Serif" size="-1">This example debugs a Win32 program and 
  shows important information such as the process handle, process ID, image base 
  and so on.</font></p>
<p><font face="Fixedsys" size="-1">.386 <br>
  .model flat,stdcall <br>
  option casemap:none <br>
  include \masm32\include\windows.inc <br>
  include \masm32\include\kernel32.inc <br>
  include \masm32\include\comdlg32.inc <br>
  include \masm32\include\user32.inc <br>
  includelib \masm32\lib\kernel32.lib <br>
  includelib \masm32\lib\comdlg32.lib <br>
  includelib \masm32\lib\user32.lib <br>
  .data <br>
  AppName db "Win32 Debug Example no.1",0 <br>
  ofn OPENFILENAME &lt;&gt; <br>
  FilterString db "Executable Files",0,"*.exe",0 <br>
