<html>
<head>
<title>Iczelion's Win32 Assembly Tutorial 29: Win32 Debug API part 2</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#000000" text="#FFFFFF" link="#FFFFCC" vlink="#FFCCCC" alink="#CCFFCC">
<h1 align="center"><font face="Arial, Helvetica, sans-serif" color="#FFFFCC">Tutorial 
  29: Win32 Debug API Part 2</font></h1>
<p><font face="MS Sans Serif" size="-1">We continue with the subject of the Win32 
  debug API. In this tutorial, we will learn how to modify the debuggee process.<br>
  Download <b><a href="files/tut29.zip" style="text-decoration:none">the example</a></b></font></p>
<h3><font face="Arial, Helvetica, sans-serif">Theory:</font></h3>
<p><font face="MS Sans Serif" size="-1">In the previous tutorial, we learned how 
  to load the debuggee and handle the debug events that occur in its process. To 
  be useful, our program must also be able to modify the debuggee process. There 
  are several APIs just for this purpose.</font></p>
<ul>
  <li><font face="MS Sans Serif" size="-1"><b><font color="#FFFFCC">ReadProcessMemory</font></b> 
    This function allows you to read memory in the specified process. The function 
    prototype is as follows:</font> 
    <p><font face="MS Sans Serif" size="-1"><b><font color="#CCFFCC">ReadProcessMemory 
      proto hProcess:DWORD, lpBaseAddress:DWORD, lpBuffer:DWORD, nSize:DWORD, 
      lpNumberOfBytesRead:DWORD</font></b></font></p>
    <p><font face="MS Sans Serif" size="-1"><b><font color="#FF9900">hProcess</font></b> 
      is the handle to the process you want to read.<br>
      <font color="#FF9900"><b>lpBaseAddress</b></font> is the address in the 
      target process you want to start reading. For example, if you want to read 
      4 bytes from the debuggee process starting at 401000h, the value in this 
      parameter must be 401000h.<br>
      <font color="#FF9900"><b>lpBuffer</b></font> is the address of the buffer 
      to receive the bytes read from the process. <br>
      <font color="#FF9900"><b>nSize</b></font> is the number of bytes you want 
      to read.<br>
      <font color="#FF9900"><b>lpNumberOfBytesRead</b></font> is the address of 
      the variable of dword size that receives the number of bytes actually read. 
      If you don't care about it, you can use NULL.</font></p>
  </li>
  <li><font color="#FFFFCC"><b><font face="MS Sans Serif" size="-1">WriteProcessMemory</font></b></font><font face="MS Sans Serif" size="-1"> 
    is the counterpart of <font color="#FFFFCC"><b>ReadProcessMemory</b></font>. 
    It enables you to write to the memory of the target process. Its parameters are exactly 
    the same as those of <font color="#FFFFCC"><b>ReadProcessMemory</b></font>.</font> 
    <p><font face="MS Sans Serif" size="-1">The next two API functions need a 
      little background on context. Under a multitasking OS like Windows, there 
      can be several programs running at the same time. Windows gives each thread 
      a timeslice. When that timeslice expires, Windows freezes the present thread 
      and switches to the next thread that has the highest priority. Just before 
      switching to the other thread, Windows saves values in registers of the 
      present thread so that when the time comes to resume the thread, Windows 
      can restore the last *environment* of that thread. The saved values of the 
      registers are collectively called a context. <br>
      Back to our subject. When a debug event occurs, Windows suspends the debuggee 
      and saves its context. Since the debuggee is suspended, we can 
      be sure that the values in the context will remain unchanged. We can get 
      the values in the context with <font color="#FFFFCC"><b>GetThreadContext</b></font> 
      and we can change them with <font color="#FFFFCC"><b>SetThreadContext</b></font>.<br>
      These two APIs are very powerful. With them, you have at your fingertips 
      VxD-like power over the debuggee: you can alter the saved register values, 
      and just before the debuggee resumes execution, the values in the context 
      are written back into the registers. Any change you make to the context 
      is reflected in the debuggee. Think about it: you can even alter the 
      value of the eip register and divert the flow of execution to anywhere you 
      like! You won't be able to do that under normal circumstances.</font></p>
    <p><b><font face="MS Sans Serif" size="-1" color="#CCFFCC">GetThreadContext 
      proto hThread:DWORD, lpContext:DWORD</font> </b></p>
    <p><font face="MS Sans Serif" size="-1"><b><font color="#FF9900">hThread</font></b> 
      is the handle to the thread that you want to obtain the context from.<br>
      <font color="#FF9900"><b>lpContext</b></font> is the address of the <font color="#CCFFCC"><b>CONTEXT</b></font> 
      structure that will be filled when the function returns successfully.</font></p>
    <p><font face="MS Sans Serif" size="-1"><b><font color="#FFFFCC">SetThreadContext</font></b> 
      has exactly the same parameters. Let's see what a CONTEXT structure looks 
      like:</font></p>
  </li>
  <li>
    <p><font face="Fixedsys" size="-1">CONTEXT STRUCT<br>
      ContextFlags dd ?<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      ; This section is returned if ContextFlags contains the value CONTEXT_DEBUG_REGISTERS<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      iDr0 dd ?<br>
      iDr1 dd ?<br>
      iDr2 dd ?<br>
      iDr3 dd ?<br>
      iDr6 dd ?<br>
      iDr7 dd ?<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      ; This section is returned if ContextFlags contains the value CONTEXT_FLOATING_POINT<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      FloatSave FLOATING_SAVE_AREA &lt;&gt;<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      ; This section is returned if ContextFlags contains the value CONTEXT_SEGMENTS<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      regGs dd ?<br>
      regFs dd ?<br>
      regEs dd ?<br>
      regDs dd ?<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      ; This section is returned if ContextFlags contains the value CONTEXT_INTEGER<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      regEdi dd ?<br>
      regEsi dd ?<br>
      regEbx dd ?<br>
      regEdx dd ?<br>
      regEcx dd ?<br>
      regEax dd ?<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      ; This section is returned if ContextFlags contains the value CONTEXT_CONTROL<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      regEbp dd ?<br>
      regEip dd ?<br>
      regCs dd ?<br>
      regFlag dd ?<br>
      regEsp dd ?<br>
      regSs dd ?<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      ; This section is returned if ContextFlags contains the value CONTEXT_EXTENDED_REGISTERS<br>
      ;----------------------------------------------------------------------------------------------------------<br>
      ExtendedRegisters db MAXIMUM_SUPPORTED_EXTENSION dup(?)<br>
      CONTEXT ENDS</font></p>
    <p><font face="MS Sans Serif" size="-1">As you can see, the members of 
      this structure mirror the real processor's registers. Before you 
      can use this structure, you need to specify which groups of registers you 
      want to read/write in the <font color="#FF9900"><b>ContextFlags</b></font> member. 
      For example, if you want to read/write all registers, you must specify <font color="#CCFFCC"><b>CONTEXT_FULL</b></font> 
      in <font color="#FF9900"><b>ContextFlags</b></font>. If you only want to 
      read/write regEbp, regEip, regCs, regFlag, regEsp or regSs, you must specify 
      <font color="#CCFFCC"><b>CONTEXT_CONTROL</b></font> in <font color="#FF9900"><b>ContextFlags</b></font>.</font></p>
    <p><font face="MS Sans Serif" size="-1">One thing you must remember when using 
      the <font color="#CCFFCC"><b>CONTEXT </b></font>structure: it must be aligned 
      on a dword boundary, or you will get strange results under NT. Put 
      &quot;align dword&quot; just above the line that declares it, like this:</font> 
    </p>
    <p><font face="MS Sans Serif" size="-1"><b><font color="#CCFFCC">align dword<br>
      MyContext CONTEXT &lt;&gt;</font></b></font></p>
  </li>
</ul>
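<p><font face="MS Sans Serif" size="-1">To see these APIs working together before the tutorial's own example, here is an added program (written for this page; it is not Iczelion's code and is not in the tutorial's download). It loads a debuggee the way the previous tutorial did, waits for the initial breakpoint exception, then calls <b>GetThreadContext</b> with <b>CONTEXT_FULL</b> and <b>ReadProcessMemory</b> at the saved <b>regEip</b> to display the register values and the four bytes the debuggee will execute next. The path in <b>TargetPath</b> is a placeholder you must replace with a real executable, and the include paths assume a standard MASM32 installation like the tutorial's.</font></p>

```asm
; Added example (not Iczelion's code): load a debuggee, stop at its initial
; breakpoint, and inspect it with GetThreadContext and ReadProcessMemory.
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
AppName    db "Debug API example",0
TargetPath db "C:\PLACEHOLDER\target.exe",0   ; placeholder, replace with a real path
CtxFail    db "GetThreadContext failed",0
ReadFail   db "ReadProcessMemory failed",0
FmtReport  db "Debuggee stopped at EIP=%08lx",13,10
           db "ESP=%08lx  EFLAGS=%08lx",13,10
           db "EAX=%08lx  EBX=%08lx  ECX=%08lx  EDX=%08lx",13,10
           db "4 bytes at EIP (little-endian dword): %08lx",0

.data?
startinfo   STARTUPINFO <>
pi          PROCESS_INFORMATION <>
DBEvent     DEBUG_EVENT <>
buffer      db 512 dup(?)
dwValue     dd ?
dwBytesRead dd ?
align dword                      ; CONTEXT must sit on a dword boundary (see text)
MyContext   CONTEXT <>

.code
start:
    invoke GetStartupInfo, addr startinfo
    invoke CreateProcess, addr TargetPath, NULL, NULL, NULL, FALSE, \
                          DEBUG_PROCESS+DEBUG_ONLY_THIS_PROCESS, NULL, NULL, \
                          addr startinfo, addr pi
    .if eax != 0
        .while TRUE
            invoke WaitForDebugEvent, addr DBEvent, INFINITE
            .if DBEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT
                .break
            .elseif DBEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
                mov eax, DBEvent.u.Exception.pExceptionRecord.ExceptionCode
                .if eax == EXCEPTION_BREAKPOINT
                    ; The debuggee is suspended here, so its saved context is stable.
                    ; CONTEXT_FULL requests the CONTROL, INTEGER and SEGMENTS groups.
                    mov MyContext.ContextFlags, CONTEXT_FULL
                    invoke GetThreadContext, pi.hThread, addr MyContext
                    .if eax == 0
                        invoke MessageBox, 0, addr CtxFail, addr AppName, MB_ICONERROR
                    .else
                        ; Read the dword at the saved EIP from the debuggee's memory.
                        ; We keep lpNumberOfBytesRead to confirm the full read.
                        invoke ReadProcessMemory, pi.hProcess, MyContext.regEip, \
                                                  addr dwValue, 4, addr dwBytesRead
                        .if eax == 0 || dwBytesRead != 4
                            invoke MessageBox, 0, addr ReadFail, addr AppName, MB_ICONERROR
                        .else
                            invoke wsprintf, addr buffer, addr FmtReport, \
                                   MyContext.regEip, MyContext.regEsp, MyContext.regFlag, \
                                   MyContext.regEax, MyContext.regEbx, MyContext.regEcx, \
                                   MyContext.regEdx, dwValue
                            invoke MessageBox, 0, addr buffer, addr AppName, MB_OK
                        .endif
                    .endif
                .else
                    ; Any other exception belongs to the debuggee: pass it on unchanged.
                    invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, \
                                               DBG_EXCEPTION_NOT_HANDLED
                    .continue
                .endif
            .endif
            ; Breakpoint handled (or a non-exception event): let the debuggee run on.
            invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
        .endw
        invoke CloseHandle, pi.hThread
        invoke CloseHandle, pi.hProcess
    .endif
    invoke ExitProcess, 0
end start
```

<p><font face="MS Sans Serif" size="-1">The program only reads; nothing is written back, so the debuggee runs exactly as it would without a debugger. Note that the context is requested while the debuggee is still suspended by the debug event and only the groups named in <b>ContextFlags</b> are filled, so fields outside <b>CONTEXT_FULL</b> (the debug, floating-point and extended registers) hold no meaningful values here.</font></p>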
<h3><font face="Arial, Helvetica, sans-serif">Example:</font></h3>
<p><font face="MS Sans Serif" size="-1">The first example demonstrates the use 
  of <font color="#FFFFCC"><b>DebugActiveProcess</b></font>. First, you need to 
  run a target named win.exe, which goes into an infinite loop just before its window 
  is shown on the screen. Then run the example: it will attach itself to win.exe 
  and modify the code of win.exe so that win.exe exits the infinite loop and 
  shows its own window.</font></p>
<p><font face="Fixedsys" size="-1">.386 <br>
  .model flat,stdcall <br>
  option casemap:none <br>
  include \masm32\include\windows.inc <br>
  include \masm32\include\kernel32.inc <br>
  include \masm32\include\comdlg32.inc <br>
  include \masm32\include\user32.inc <br>
  includelib \masm32\lib\kernel32.lib <br>
  includelib \masm32\lib\comdlg32.lib <br>
  includelib \masm32\lib\user32.lib <br>
  <br>
