flat assembler
Message board for the users of flat assembler.

Coding a fasm debugger to break at a certain EIP?
forsaken (Joined: 29 Sep 2005, Posts: 17), posted 10 Oct 2005, 07:07
OK, I've been trying to code a small debugger in FASM for some time now; this code is to break at a certain EIP and "steal" the value of eax.

I'm trying to do so because you can steal DMA offsets out of the file without the need of calculating them.

Anyway, here's the problem...

When trying to define the DEBUG_EVENT it ALWAYS fails; I don't know if the MASM syntax is incorrect, nor how to define a TYPE in FASM.

If anyone could post a small snippet which would break at an EIP I would be very thankful.

I'm still learning ASM and I'm sure I will for many years to come, but such a source code would be most helpful in my learning.

If anyone knows of a good FASM community besides this one I would really appreciate such a link as well.

Thank you.

Regards, Forsaken.
forsaken (Joined: 29 Sep 2005, Posts: 17), posted 10 Oct 2005, 08:13
I find this coding topic very interesting; sadly, I've not been able to find any such debugger code in any language other than C++ and MASM/NASM...

And as I'm not coding C++ I would really like to see some FASM tutorials on this.

I know there are a lot of people here who have the knowledge; I'm just hoping someone will write an example for me :)

I've looked at Iczelion's debugging tutorials but I can't seem to get them working under FASM as I don't know the syntax differences.

It would be just wonderful if someone could port this to FASM as his tutorials contain great knowledge.

Regards, Forsaken.
comrade (Joined: 16 Jun 2003, Posts: 1150, Location: Russian Federation), posted 10 Oct 2005, 14:45
What is this for? Trainers?
forsaken (Joined: 29 Sep 2005, Posts: 17), posted 10 Oct 2005, 15:40
Yes, trainers would be the main use.

Still, it might also be fun to code some sort of a mini debugger to learn from.
Got any sources? FASM links?
comrade (Joined: 16 Jun 2003, Posts: 1150, Location: Russian Federation), posted 10 Oct 2005, 16:11
In MASM:
Quote:
jumplog ain't a leet coding project...
as it uses the debug api and
it's not worth a shit

i just played around a bit with the debug api and wanted to spread
the sources anyway ;)

this 'code' logs all conditional jumps in a selected file and
writes them into a log-file.
you just run jumplog.exe, then select any executable that
will be traced (that may take several hours with large overbloated code...)
but anyway, give it a try or look at its code.

After you manually killed the debuggee's process somehow,
or it exited itself finally, you'll find a log inside the debuggee's
path (jumplog.log) that contains some stupid information on the target.

RVA of EIP  Opcodes  Disassembly   Flags set:
0040101C:   743C     jz 0040105A   Flags: odItsZaPc

Dunno what to do with this information exactly...
it's just one of my fuckin progs, that don't do anything in fact.

Big greetz to Iczelion, who provided excellent stuff on the debug api.
I just used some of your code, cause i couldn't have done it better...
AND i am dead lazy, ok ;)
so i hope 'tis ok, otherwise i'll completely recode those routines
and they'll differ completely from yours :P

now i'm tired, and i don't want to continue this lame document..
see you on irc

defiler


Attachment: jmplog.zip (6.01 KB, downloaded 304 times)


comrade (comrade64@live.com; http://comrade.ownz.com/)
forsaken (Joined: 29 Sep 2005, Posts: 17), posted 10 Oct 2005, 16:58
Thank you :)
Reverend (Joined: 24 Aug 2004, Posts: 408, Location: Poland), posted 10 Oct 2005, 20:35
forsaken: Debuggers work this way. They inject 0CCh (the int3 opcode) in the place where you want the program to stop executing. When the exception occurs (which the debugger of course catches), it changes the byte back to the original one. The code is then executed only up to that moment, and then you can use GetThreadContext to get all the register values, etc.
vid (Joined: 05 Sep 2003, Posts: 7105, Location: Slovakia), posted 10 Oct 2005, 22:23
using DRs would be nicer... doesn't win allow that?
Feryno (Joined: 23 Mar 2005, Posts: 509, Location: Czech republic, Slovak republic), posted 11 Oct 2005, 05:09
I am working on a debugger for win64. I implemented SW (int03) as well as HW ("hardware" = debug registers) breakpoints successfully. But the code is for win64; you must downgrade it to 32 bit...
Sources and executables here:
1. try my homepage and download link (fasm_amd64_win64_p002.zip file)
part 002 - Flat Assembler FASM win64 sources, executables, system drivers (FASM), debugger for win64 written in FASM
2. try http://board.flatassembler.net/topic.php?t=3437&start=25 but later, after I update the new version dbg10... here

HW_BP is a very big feature; it can break most anti-debug tricks...
SW_BP changes an opcode, so it's easy to detect them and an anti-debug routine can make a mess...
But detecting HW_BP isn't so easy (not easy, but it's possible...)
To set a HW_BP just put the address into one of DR0-DR3 and set some bits in DR7.
After a HW_BP occurs, it reports EXCEPTION_SINGLE_STEP and the code halts on the next instruction.
Refer to
http://www.logix.cz/michal/doc/i386/chp12-02.htm
for how to set DR7 and what is returned in DR6 after EXCEPTION_SINGLE_STEP.
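As an added example (written for this edit, not taken from the thread or from Feryno's dbg10), the DR0/DR7 arming and DR6 check described above, as two win32 procedures in fasm's proc syntax (win32a.inc). The procedure names, the global ctx buffer and the assumption that the debug loop calls hit_exec_bp when it receives EXCEPTION_SINGLE_STEP are all mine.

```asm
; Offsets into a win32 CONTEXT buffer (assumed global 'ctx rb 716' in the data section)
CTX_DR0    = 04h
CTX_DR6    = 14h
CTX_DR7    = 18h
CTX_EIP    = 0B8h
CTX_EFLAGS = 0C0h
CONTEXT_ALL_DBG = 00010017h  ; CONTEXT_FULL or CONTEXT_DEBUG_REGISTERS
EFLAGS_RF       = 00010000h  ; resume flag: execute the faulting instruction once

; Arm DR0 as an execute breakpoint: DR0 = address, DR7.L0 = 1, RW0 = 00 (execute), LEN0 = 00
proc set_exec_bp hThread,address
  mov dword [ctx],CONTEXT_ALL_DBG
  invoke GetThreadContext,[hThread],ctx
  mov eax,[address]
  mov [ctx+CTX_DR0],eax
  and dword [ctx+CTX_DR7],not 000F0003h  ; clear L0, G0, RW0 (bits 16-17), LEN0 (bits 18-19)
  or  dword [ctx+CTX_DR7],1              ; L0 = 1; RW0/LEN0 = 00 means "break on execution"
  invoke SetThreadContext,[hThread],ctx
  ret
endp

; Call this on EXCEPTION_SINGLE_STEP. Returns eax = 1 if DR0 fired (DR6.B0) and leaves the
; debuggee's registers in ctx (its eax is at [ctx+0B0h]); returns 0 if the trap came from elsewhere.
proc hit_exec_bp hThread
  mov dword [ctx],CONTEXT_ALL_DBG
  invoke GetThreadContext,[hThread],ctx
  test dword [ctx+CTX_DR6],1
  jz .other
  ; an execute breakpoint is reported before the instruction runs, so Eip == DR0 here
  or  dword [ctx+CTX_EFLAGS],EFLAGS_RF   ; without RF the same instruction faults again on resume
  and dword [ctx+CTX_DR6],not 0Fh        ; clear B0..B3 so the next hit is unambiguous
  invoke SetThreadContext,[hThread],ctx
  mov eax,1
  ret
.other:
  xor eax,eax
  ret
endp
```

Because the CPU raises an execute breakpoint as a fault, no "EIP - 1" fix-up is needed here, unlike the int3 case; a data breakpoint (RW0 = 01 or 11) is a trap and is reported after the accessing instruction, which is the "halts on the next instruction" behaviour mentioned above.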
forsaken (Joined: 29 Sep 2005, Posts: 17), posted 11 Oct 2005, 07:13
I also found a really nice example at Sulaiman Chang's site, http://sulaiman.netadvant.com/

Sadly, it contains errors and won't compile ;/

It seems that it doesn't want to work with the DEBUG_EVENT type even though it's been defined in the source...

If anyone could post a working source here I would be really grateful :)
The source is in fasm and I don't think there's anything else besides the DEBUG_EVENT which won't compile...

He also used return instead of ret, but I don't know if this would be considered a bug as I don't know if the 'return' instruction can be used in fasm; I couldn't anyway...

EDIT:
If anyone succeeds in compiling this, could they please specify their compiler version, IDE and so on?

It won't get past those MOV instructions which try to work with dbgEvent.dwDebugEvent or whatever the variable is called :(

Regards, forsaken.
Feryno (Joined: 23 Mar 2005, Posts: 509, Location: Czech republic, Slovak republic), posted 11 Oct 2005, 07:49
My code for win64 works perfectly, but win64 structures differ from win32 not only by size (dword-qword); e.g. ThreadContext has a quite different structure too. The APIs are the same.
You can try the masm win32 specific tuts
http://spiff.tripnet.se/~iczelion/tut28.html
http://spiff.tripnet.se/~iczelion/tut29.html
http://spiff.tripnet.se/~iczelion/tut30.html
and compiled examples
http://spiff.tripnet.se/~iczelion/files/icz-tuts.zip
Of course, you can debug and step through the debugger (load the debugger as debuggee) to learn how it works.


this is a typical win32 debug loop:
Code:
; event codes and continue statuses (values from the Win32 SDK)
EXCEPTION_DEBUG_EVENT = 1
CREATE_THREAD_DEBUG_EVENT = 2
CREATE_PROCESS_DEBUG_EVENT = 3
EXIT_THREAD_DEBUG_EVENT = 4
EXIT_PROCESS_DEBUG_EVENT = 5
LOAD_DLL_DEBUG_EVENT = 6
UNLOAD_DLL_DEBUG_EVENT = 7
OUTPUT_DEBUG_STRING_EVENT = 8
RIP_EVENT = 9
EXCEPTION_MAXIMUM_PARAMETERS = 15

DBG_CONTINUE = 00010002h
DBG_TERMINATE_THREAD = 40010003h
DBG_TERMINATE_PROCESS = 40010004h
DBG_CONTROL_C = 40010005h
DBG_CONTROL_BREAK = 40010008h
DBG_EXCEPTION_NOT_HANDLED = 80010001h

STATUS_BREAKPOINT = 80000003h
STATUS_SINGLE_STEP = 80000004h
EXCEPTION_BREAKPOINT = STATUS_BREAKPOINT
EXCEPTION_SINGLE_STEP = STATUS_SINGLE_STEP

; DebugEv is a 96-byte buffer (sizeof DEBUG_EVENT on win32):
; dwDebugEventCode at +0, dwProcessId at +4, dwThreadId at +8, union u at +12
debug_loop:
push -1 ; timeout = INFINITE
lea ebx,[DebugEv]
push ebx
call [WaitForDebugEvent]

mov eax,[ebx] ; dwDebugEventCode
cmp eax,EXCEPTION_DEBUG_EVENT
jz handle_EXCEPTION_DEBUG_EVENT
cmp eax,CREATE_PROCESS_DEBUG_EVENT
jz handle_CREATE_PROCESS_DEBUG_EVENT
cmp eax,EXIT_PROCESS_DEBUG_EVENT
jz exit
; cmp.... (the remaining event codes fall through to ContinueDebug)

ContinueDebug:
push DBG_CONTINUE
lea ebx,[DebugEv]
push dword [ebx + 4*2] ; dwThreadId of the thread that raised the event (not necessarily the main thread)
push dword [ebx + 4*1] ; dwProcessId
call [ContinueDebugEvent]

jmp debug_loop

handle_CREATE_PROCESS_DEBUG_EVENT:
; handler body not shown in the post (this is where a breakpoint can be planted, see note 2)
jmp ContinueDebug

handle_EXCEPTION_DEBUG_EVENT:
mov eax,[ebx + 4*3] ; u.Exception.ExceptionRecord.ExceptionCode (ExceptionRecord is the first member of EXCEPTION_DEBUG_INFO, so u starts at +12)
cmp eax,EXCEPTION_BREAKPOINT
jz handle_breakpoint
cmp eax,EXCEPTION_SINGLE_STEP
jz handle_single_step
; any other exception belongs to the debuggee: continue it with DBG_EXCEPTION_NOT_HANDLED instead
jmp ContinueDebug

handle_breakpoint:
; handler body not shown in the post (remove the 0CCh, fix EIP, read registers)
jmp ContinueDebug

handle_single_step:
; handler body not shown in the post
jmp ContinueDebug

exit:


Note 1: in the source the breakpoint is simply put at the prog.exe startup entry point, 401000. The entry point can differ in another exe. You can grab the entry point from
CREATE_PROCESS_DEBUG_INFO.lpStartAddress
under win64:
Code:
lea rsi,qword [DebugEv + 40h] ; lpStartAddress: union u at +10h, lpStartAddress at +30h inside CREATE_PROCESS_DEBUG_INFO
mov rax,[rsi]

under win32:
Code:
mov eax,[DebugEv + 28h] ; lpStartAddress: union u at +0Ch, then hFile, hProcess, hThread, lpBaseOfImage, dwDebugInfoFileOffset, nDebugInfoSize, lpThreadLocalBase (7 dwords) precede it

Note 2: first the CREATE_PROCESS_DEBUG_EVENT occurs.
After the first EXCEPTION_BREAKPOINT occurs (it's somewhere in the kernel), this is the right time to put the breakpoint on the debuggee startup entry (or another place if you like).
Next a few LOAD_DLL_DEBUG_EVENTs occur.
Next your EXCEPTION_DEBUG_EVENT occurs at the address at which you put the breakpoint.
After you process the breakpoint (remove the db 0CCh from memory), decrease EIP by 1 (decreasing EIP isn't implemented in the win32 source; it's handled by the debuggee instead: prog.exe has at its startup the code inc eax, a 1-byte opcode that is overwritten by db 0CCh, so you can see a different eax if you run prog.exe directly and if you run it under debug00.exe. But it's simple: GetThreadContext, decrease EIP by 1, SetThreadContext). Then (or if you didn't put a breakpoint) the debuggee runs until EXIT_PROCESS_DEBUG_EVENT occurs, which is the right time to escape debug_loop.


Attachment: dbg32.zip (4.35 KB, downloaded 284 times). Description: Yeah, I found some code created by me and compiled by FASM !!!!

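As an added, complete example (written for this edit; it is not the code in dbg32.zip, Iczelion's tutorials or anything else posted in the thread): a win32 fasm debugger that does what the thread asks for, combining Reverend's int3 description with the debug loop and notes above. It needs no DEBUG_EVENT or CONTEXT type at all, only byte buffers and the SDK offsets; the debuggee path prog.exe, the address 401000h and all labels are assumed placeholders, and the breakpoint is assumed to be hit on the debuggee's main thread.

```asm
format PE console
include 'win32ax.inc'        ; invoke/cinvoke macros, .data/.code, imports generated by .end
EXCEPTION_BREAKPOINT      = 80000003h  ; SDK values spelled out: no DEBUG_EVENT type to declare
DBG_CONTINUE              = 00010002h
DBG_EXCEPTION_NOT_HANDLED = 80010001h
CONTEXT_FULL              = 00010007h  ; CONTEXT_CONTROL or CONTEXT_INTEGER or CONTEXT_SEGMENTS
.data
  target  db 'prog.exe',0    ; assumed debuggee path
  bp_addr dd 401000h         ; assumed EIP to stop at
  fmt     db 'eax at %08X = %08X',0
  msg     rb 64
  cc      db 0CCh            ; int3 opcode
  orig    db ?               ; the byte the int3 replaced
  si      rb 68              ; STARTUPINFO, cb filled in below
  pi      rb 16              ; PROCESS_INFORMATION: hProcess @0, hThread @4
  ev      rb 96              ; DEBUG_EVENT: code @0, pid @4, tid @8, union @12
  ctx     rb 716             ; CONTEXT: ContextFlags @0, Eax @0B0h, Eip @0B8h
.code
start:
  mov dword [si],68
  invoke CreateProcess,target,0,0,0,0,2,0,0,si,pi  ; 2 = DEBUG_ONLY_THIS_PROCESS
.loop: invoke WaitForDebugEvent,ev,-1
  cmp dword [ev],3           ; CREATE_PROCESS_DEBUG_EVENT: image is mapped, plant the int3
  je .plant
  cmp dword [ev],1           ; EXCEPTION_DEBUG_EVENT
  je .exception
  cmp dword [ev],5           ; EXIT_PROCESS_DEBUG_EVENT
  je .done
.continue: invoke ContinueDebugEvent,[ev+4],[ev+8],DBG_CONTINUE  ; pid/tid from the event itself
  jmp .loop
.plant: invoke ReadProcessMemory,[pi],[bp_addr],orig,1,0   ; save the original byte
  invoke WriteProcessMemory,[pi],[bp_addr],cc,1,0          ; overwrite it with 0CCh
  jmp .continue
.exception: cmp dword [ev+12],EXCEPTION_BREAKPOINT  ; u.Exception.ExceptionRecord.ExceptionCode
  jne .notmine
  mov eax,[bp_addr]
  cmp [ev+24],eax                         ; ExceptionRecord.ExceptionAddress == ours?
  jne .continue                           ; no: the loader's initial breakpoint, just resume
  mov dword [ctx],CONTEXT_FULL            ; assumes the hit is on the main thread (pi.hThread)
  invoke GetThreadContext,[pi+4],ctx
  cinvoke wsprintf,msg,fmt,[bp_addr],dword [ctx+0B0h]
  invoke MessageBox,0,msg,target,0        ; show the stolen eax
  dec dword [ctx+0B8h]                    ; EIP is one past the int3: back it up
  invoke SetThreadContext,[pi+4],ctx
  invoke WriteProcessMemory,[pi],[bp_addr],orig,1,0       ; restore the original opcode
  jmp .continue
.notmine: invoke ContinueDebugEvent,[ev+4],[ev+8],DBG_EXCEPTION_NOT_HANDLED  ; not our int3
  jmp .loop
.done: invoke ExitProcess,0
.end start
```

The loader's own initial breakpoint is continued with DBG_CONTINUE because it is a breakpoint, while every other exception goes back to the debuggee with DBG_EXCEPTION_NOT_HANDLED so its SEH handlers still run; if the target can create threads before reaching bp_addr, replace the pi.hThread assumption with OpenThread on the event's dwThreadId.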
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.