flat assembler
Message board for the users of flat assembler.

Index > Main > Ask about a log/debug system

Author
Thread Post new topic Reply to topic
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
hopcode 09 Feb 2010, 10:44
Hallo Everybody,
some times ago i wrote a log/debug framework that works ok but
i am not fully satisfied with it, because every time for each
single variable or ret value or piece of code to check, i must add an
overhead of code to do the job.
for example:
Code:
 mov [mem],eax
  code_matcher eax > 0 ;if condition then log value
 log value
    

or, as i have seen in other code, the standard way
Code:
 SEH handler bound here
  code/data to be checked
 handler run from here leading to a safe place
    

But... as you probably already imagine, there are lot of standards out there
that i dont like Very Happy
For a few lines app or an "übercrappy" program (i like the definition, who is the author ?)
it could result even ok, but when lines are thousands it is not like
the fastest/useful method.

My idea was to implement a SEH mechanism one time, envelop all
address code/data to be checked in "protected" bounds and then check
in the handler matching instructions or r/w mem accesses. Similiarly
as in a debugger, but not so statically predefined/coded.

The matter is actually :
-1) to have only one SEH in one place, included/excluded and
enabled/disabled at compile time.
-2) avoid single try/catch for each var/piece of code
-3) mark data block /code block to be checked at compile time(f.e. using macros)
hints,abstract general ideas,reference code ?

Cheers,
hopcode
Post 09 Feb 2010, 10:44
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 09 Feb 2010, 10:50
Generally each SEH block will need its own custom error handlers for recovery and/or destruction/release of data. If you have one common SEH handler for everything then you have to provide all of the different variants of recovery and destruction/release code and somehow detect which one to use and where to return to at the right time. Doable I suppose, but seems like more of a programming nightmare than simply putting the SEH code close where it is used.
Post 09 Feb 2010, 10:50
View user's profile Send private message Visit poster's website Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4330
Location: Now
edfed 09 Feb 2010, 11:22
debug the code with a real time analysis will always need a serious overhead.

like bochs, but it will be faster indead.

and with a system of breakpoint interrupt can be good.
or the single step mode.
there is a design in IA32 to debug code with a single step run mode.
i don't remember the way to use it (and never tested ) but at least, i am sure it exists.
like a int3 or something...
Post 09 Feb 2010, 11:22
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 09 Feb 2010, 12:28
edfed: SEH is not for debugging, it is for runtime exception handling and recovery. Not the same thing.
Post 09 Feb 2010, 12:28
View user's profile Send private message Visit poster's website Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 09 Feb 2010, 14:37
revolution,

Are you sure? SEH catches STATUS_BREAKPOINT and STATUS_SINGLE_STEP, you can examine/modify thread context in handler… I didn't check hardware breakpoints yet, but int3 and TF seem to work OK. Here is crude test:
Code:
                format  PE GUI
                include "Win32AX.Inc"

ExceptionContinueExecution = 0
ExceptionContinueSearch = 1
ExceptionNestedException = 2
ExceptionCollidedUnwind = 3

STATUS_BREAKPOINT = 0x80000003
STATUS_SINGLE_STEP = 0x80000004
EXCEPTION_MAXIMUM_PARAMETERS = 15
struct EXCEPTION_RECORD
  ExceptionCode rd      1; DWORD
  ExceptionFlags rd     1; DWORD
  ExceptionRecord rd    1; struct EXCEPTION_RECORD *
  ExceptionAddress rd   1; PVOID
  NumberParameters rd   1; DWORD
  ExceptionInformation rd EXCEPTION_MAXIMUM_PARAMETERS; ULONG_PTR []
ends

SIZE_OF_80387_REGISTERS = 80
struct FLOATING_SAVE_AREA
  ControlWord          dd ?
  StatusWord           dd ?
  TagWord              dd ?
  ErrorOffset          dd ?
  ErrorSelector        dd ?
  DataOffset           dd ?
  DataSelector         dd ?
  RegisterArea         rb SIZE_OF_80387_REGISTERS
  Cr0NpxStatedd        dd ?
ends

MAXIMUM_SUPPORTED_EXTENSION = 512
struct CONTEXT
  ContextFlags         dd ?
  Dr0                  dd ?
  Dr1                  dd ?
  Dr2                  dd ?
  Dr3                  dd ?
  Dr6                  dd ?
  Dr7                  dd ?
  FloatSave            FLOATING_SAVE_AREA
  SegGs                dd ?
  SegFs                dd ?
  SegEs                dd ?
  SegDs                dd ?
  Edi                  dd ?
  Esi                  dd ?
  Ebx                  dd ?
  Edx                  dd ?
  Ecx                  dd ?
  Eax                  dd ?
  Ebp                  dd ?
  Eip                  dd ?
  SegCs                dd ?
  EFlags               dd ?
  Esp                  dd ?
  SegSs                dd ?
  ExtendedRegisters    rb MAXIMUM_SUPPORTED_EXTENSION
ends

                section ".text" executable readable writeable code
SEH_test:       push    SEH_handler
                push    dword [fs:0]
                mov     dword [fs:0], esp
                int3
                mov     eax, 0x12345678
                inc     eax
                inc     eax
                inc     eax
                inc     eax
                inc     eax
                mov     eax, 0xBADF00D
                int3
                mov     eax, 0x87654321
                inc     eax
                inc     eax
                inc     eax
                inc     eax
                inc     eax
                mov     eax, 0xDEADBEEF
                pop     dword [fs:0]
                invoke  MessageBox, HWND_DESKTOP, _done, _title, MB_OK
                invoke  ExitProcess, 0

proc    SEH_handler,\
        pExceptionRecord:DWORD,\        ; struct EXCEPTION_RECORD *
        pvEstablishedFrame:DWORD,\      ; void *
        pContextRecord:DWORD,\          ; struct CONTEXT *
        pvDispatcherContext:DWORD       ; void *

                mov     eax, [pExceptionRecord]
                mov     ecx, [eax+EXCEPTION_RECORD.ExceptionCode]
                cmp     ecx, STATUS_BREAKPOINT
                je      .breakpoint
                cmp     ecx, STATUS_SINGLE_STEP
                je      .single_step
.not_ours:      mov     eax, ExceptionContinueSearch
                ret
.breakpoint:    mov     edx, [eax+EXCEPTION_RECORD.ExceptionAddress]
                cmp     byte[edx], 0xCC
                jne     .not_ours
                mov     byte[edx], 0x90
                mov     eax, [pContextRecord]
                cinvoke wsprintf, _buf, _fmt_int3, edx, [eax+CONTEXT.Eax]
                invoke  MessageBox, HWND_DESKTOP, _buf, _title, MB_YESNO+MB_ICONQUESTION
                cmp     eax, IDYES
                mov     eax, ExceptionContinueExecution
                jne     .done
                mov     edx, [pContextRecord]
                or      [edx+CONTEXT.EFlags], 0x100
.done:          ret
.single_step:   mov     edx, [eax+EXCEPTION_RECORD.ExceptionAddress]
                mov     eax, [pContextRecord]
                cinvoke wsprintf, _buf, _fmt_int1, edx, [eax+CONTEXT.Eax]
                invoke  MessageBox, HWND_DESKTOP, _buf, _title, MB_YESNO+MB_ICONQUESTION
                mov     edx, [pContextRecord]
                cmp     eax, IDYES
                jne     .clear_tf
                or      [edx+CONTEXT.EFlags], 0x100
                jmp     @f
.clear_tf:      and     [edx+CONTEXT.EFlags], not 0x100
@@:             mov     eax, ExceptionContinueExecution
                jmp     .done
endp

                .data
_title          db      "Self-debugger", 0
_fmt_int1       db      "INT 1 exception at %X, eax==%X", 13, 10, "Continue trace step-by-step?", 0
_fmt_int3       db      "INT 3 exception at %X, eax==%X", 13, 10, "Trace step-by-step?", 0
_done           db      "Done with that.", 0
_buf            rb      100; was: db 100
                .end    SEH_test    
EDIT: I've made stupid mistake in _buf declaration.


Last edited by baldr on 09 Mar 2010, 17:13; edited 1 time in total
Post 09 Feb 2010, 14:37
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 09 Feb 2010, 15:15
If you use SEH only for catching breakpoints and single steps then you have completely missed the point of SEH.

I guess that is why you thought that a single SEH handler could do the job? Because if you simplify SEH to just the debugging things then indeed a simple global SEH handler would be much easier to implement.
Post 09 Feb 2010, 15:15
View user's profile Send private message Visit poster's website Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 09 Feb 2010, 15:59
revolution,

Sorry, probably I misinterpret your phrase:
revolution wrote:
SEH is not for debugging, it is for runtime exception handling and recovery. Not the same thing.
"Not for debugging"…

And yes, I do know about SEH usage/implementation. I didn't claim that single handler could do anything (though __except_handler3 and __except_handler4 in C/C++ work pretty much like single parametrized handlers). I emphasize that: the only part I don't agree is "SEH is not for debugging".
Post 09 Feb 2010, 15:59
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 09 Feb 2010, 18:07
SEH can be used for debugging but it is not for that. Use a debugger for that.

It seems weird that one can use SEH to debug oneself. What is the point of an app single stepping itself? I never found a useful purpose for that. But by all means, if you have a useful way to use it for that then go ahead. I would be keen to know where it is genuinely useful.

Kind of like: doctor heal thyself Razz
Post 09 Feb 2010, 18:07
View user's profile Send private message Visit poster's website Reply with quote
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
hopcode 09 Feb 2010, 23:33
Thank you all for your useful opinions. My special thanks to baldr for the code. I am trying it right now, because
I am right now again at my desktop pC
I will take some time to think at large on the whole.But the thread remains open...
revolution wrote:
Kind of like: doctor heal thyself Razz

Yes, ok Very Happy, SEH is not a doctor, SHE is not good for debugging purpouse...
Post 09 Feb 2010, 23:33
View user's profile Send private message Visit poster's website Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 10 Feb 2010, 00:53
hopcode,

Consider sprinkling int3 in critical path of your code, dumping decision variables. It's much better to get meaningful log of path to failure embedded in your program than contrive the same inside debugger.
Post 10 Feb 2010, 00:53
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4020
Location: vpcmpistri
bitRAKE 12 Feb 2010, 07:11
They say imitation is the greatest form of flattery.

Here is the Win64 version of baldr's code (using console/VEH instead of gui/SEH).

Edit: Redirection didn't work due to an error, and having to blindly type input seemed silly. So, I've made redirection not just functional but also more useful (automatic).

1. DEBUG_RAX equ int3
2. pepper code with DEBUG statements
3. complex batch file
4. ...
5. ...
6. Profit?! Laughing


Description: Self tracing with VEH in Win64.
Download
Filename: w64.VEH.zip
Filesize: 3.32 KB
Downloaded: 597 Time(s)


_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 12 Feb 2010, 07:11
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.