I recently became interested in how debuggers work and wrote a simple demo.
Starting the debuggee process:
To debug a process, create it with CreateProcess and pass DEBUG_PROCESS as the sixth parameter (dwCreationFlags).
BOOL WINAPI CreateProcess(
    _In_opt_    LPCTSTR               lpApplicationName,
    _Inout_opt_ LPTSTR                lpCommandLine,
    _In_opt_    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    _In_opt_    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    _In_        BOOL                  bInheritHandles,
    _In_        DWORD                 dwCreationFlags,      // set to DEBUG_PROCESS
    _In_opt_    LPVOID                lpEnvironment,
    _In_opt_    LPCTSTR               lpCurrentDirectory,
    _In_        LPSTARTUPINFO         lpStartupInfo,
    _Out_       LPPROCESS_INFORMATION lpProcessInformation
);
For example:
STARTUPINFO sInfo;
PROCESS_INFORMATION pInfo;
DEBUG_EVENT debugEv;

ZeroMemory(&sInfo, sizeof(sInfo));
sInfo.cb = sizeof(sInfo);
sInfo.dwFlags = STARTF_USESHOWWINDOW;
sInfo.wShowWindow = SW_SHOWNORMAL;
ZeroMemory(&pInfo, sizeof(pInfo));

// DEBUG_PROCESS: the new process (and any child process it creates) reports its
// debug events to us; DEBUG_ONLY_THIS_PROCESS would limit that to the target alone
if (!CreateProcess(szProcessPath, NULL, NULL, NULL, FALSE, DEBUG_PROCESS,
                   NULL, NULL, &sInfo, &pInfo))
{
    return; // creation failed; GetLastError() tells why
}
g_hProcess = pInfo.hProcess; // record the process handle
g_hThread  = pInfo.hThread;  // record the main thread handle

EnterDebugLoop(&debugEv);    // enter the debug loop
The debug loop:
MSDN already has a very clear explanation of the debug loop:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms681675(v=vs.85).aspx
The more important events are listed below.
// Per-event handlers implemented by the debugger; each returns the continue status
DWORD OnCreateThreadDebugEvent(const LPDEBUG_EVENT DebugEv);
DWORD OnCreateProcessDebugEvent(const LPDEBUG_EVENT DebugEv);
DWORD OnExitThreadDebugEvent(const LPDEBUG_EVENT DebugEv);
DWORD OnExitProcessDebugEvent(const LPDEBUG_EVENT DebugEv);
DWORD OnLoadDllDebugEvent(const LPDEBUG_EVENT DebugEv);
DWORD OnUnloadDllDebugEvent(const LPDEBUG_EVENT DebugEv);
DWORD OnOutputDebugStringEvent(const LPDEBUG_EVENT DebugEv);
DWORD OnRipEvent(const LPDEBUG_EVENT DebugEv);

void EnterDebugLoop(const LPDEBUG_EVENT DebugEv)
{
    DWORD dwContinueStatus = DBG_CONTINUE; // exception continuation status

    for (;;)
    {
        // Wait for a debugging event to occur. The second parameter indicates
        // that the function does not return until a debugging event occurs.
        WaitForDebugEvent(DebugEv, INFINITE);

        switch (DebugEv->dwDebugEventCode)
        {
        case EXCEPTION_DEBUG_EVENT:
            // Exception event: breakpoints and faults in the debuggee arrive here.
            // Remember to set dwContinueStatus: DBG_CONTINUE tells the system the
            // debugger handled the exception, DBG_EXCEPTION_NOT_HANDLED passes it
            // on to the debuggee's own handlers.
            switch (DebugEv->u.Exception.ExceptionRecord.ExceptionCode)
            {
            case EXCEPTION_ACCESS_VIOLATION:   // STATUS_ACCESS_VIOLATION ((DWORD)0xC0000005L)
                // First chance: pass this on to the system.
                // Last chance: display an appropriate error.
                break;
            case EXCEPTION_BREAKPOINT:         // ((DWORD)0x80000003L) INT3 breakpoint
                // First chance: display the current instruction and register values.
                break;
            case EXCEPTION_DATATYPE_MISALIGNMENT:
                // First chance: pass this on to the system.
                // Last chance: display an appropriate error.
                break;
            case EXCEPTION_SINGLE_STEP:
                // First chance: update the display of the current instruction and register values.
                break;
            case DBG_CONTROL_C:
                // First chance: pass this on to the system.
                // Last chance: display an appropriate error.
                break;
            default:
                // Handle other exceptions.
                break;
            }
            break;

        case CREATE_THREAD_DEBUG_EVENT:        // thread created
            dwContinueStatus = OnCreateThreadDebugEvent(DebugEv);
            break;
        case CREATE_PROCESS_DEBUG_EVENT:       // debuggee process created
            dwContinueStatus = OnCreateProcessDebugEvent(DebugEv);
            break;
        case EXIT_THREAD_DEBUG_EVENT:          // thread exited; display the thread's exit code
            dwContinueStatus = OnExitThreadDebugEvent(DebugEv);
            break;
        case EXIT_PROCESS_DEBUG_EVENT:         // debuggee process exited; display the process's exit code
            dwContinueStatus = OnExitProcessDebugEvent(DebugEv);
            break;
        case LOAD_DLL_DEBUG_EVENT:             // DLL loaded
            dwContinueStatus = OnLoadDllDebugEvent(DebugEv);
            break;
        case UNLOAD_DLL_DEBUG_EVENT:           // DLL unloaded
            dwContinueStatus = OnUnloadDllDebugEvent(DebugEv);
            break;
        case OUTPUT_DEBUG_STRING_EVENT:        // debuggee called OutputDebugString or a similar API
            dwContinueStatus = OnOutputDebugStringEvent(DebugEv);
            break;
        case RIP_EVENT:
            dwContinueStatus = OnRipEvent(DebugEv);
            break;
        }

        // Resume executing the thread that reported the debugging event.
        ContinueDebugEvent(DebugEv->dwProcessId, DebugEv->dwThreadId, dwContinueStatus);
    }
}
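As an added example (not code from the post or from MSDN), here is the continue-status decision that the exception branch above leaves empty: which exceptions the debugger keeps for itself and which it must pass back to the debuggee. The names dbg_state, exception_action and handle_exception are assumed; the block compiles without windows.h by defining the SDK constants locally.

```c
#include <stdbool.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else   /* not on Windows: the SDK constants the debug loop compares against */
#define EXCEPTION_ACCESS_VIOLATION      0xC0000005u
#define EXCEPTION_DATATYPE_MISALIGNMENT 0x80000002u
#define EXCEPTION_BREAKPOINT            0x80000003u
#define EXCEPTION_SINGLE_STEP           0x80000004u
#define DBG_CONTROL_C                   0x40010005u
#define DBG_CONTINUE                    0x00010002u
#define DBG_EXCEPTION_NOT_HANDLED       0x80010001u
#endif
/* Debugger state carried across events (hypothetical name). ntdll raises one INT3
 * when the debuggee starts; a debugger continues that one without stopping. */
typedef struct { bool seen_initial_breakpoint; } dbg_state;
/* What the loop should do with one EXCEPTION_DEBUG_EVENT (hypothetical name). */
typedef struct {
    uint32_t continue_status; /* value to hand to ContinueDebugEvent */
    bool     show_state;      /* show instruction/registers or an error to the user */
} exception_action;

/* code = ExceptionRecord.ExceptionCode, first_chance = u.Exception.dwFirstChance != 0 */
exception_action handle_exception(dbg_state *st, uint32_t code, bool first_chance)
{
    exception_action a = { DBG_EXCEPTION_NOT_HANDLED, false };
    switch (code) {
    case EXCEPTION_BREAKPOINT:
        /* The debugger owns INT3: DBG_CONTINUE so the debuggee's handlers never see it.
         * The startup breakpoint is continued silently; later ones stop the UI. */
        a.continue_status = DBG_CONTINUE;
        a.show_state = st->seen_initial_breakpoint;
        st->seen_initial_breakpoint = true;
        break;
    case EXCEPTION_SINGLE_STEP:
        /* Trap-flag step requested by the debugger: also ours. */
        a.continue_status = DBG_CONTINUE;
        a.show_state = true;
        break;
    case EXCEPTION_ACCESS_VIOLATION:
    case EXCEPTION_DATATYPE_MISALIGNMENT:
    case DBG_CONTROL_C:
    default:
        /* Not ours. First chance: decline, so the debuggee's SEH runs (DBG_CONTINUE
         * here would re-execute the faulting instruction and fault forever).
         * Last chance: no handler took it; report the error and still decline. */
        a.show_state = !first_chance;
        break;
    }
    return a;
}
```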
Disassembly engine:
The disassembly engine is one of the core parts of a debugger: it translates the machine code read from the target into assembly language.
Here I still use OllyDbg's disassembly engine. It only handles x86 code; to debug 64-bit programs you need a disassembly engine with x64 support.
Download and documentation: http://www.ollydbg.de/srcdescr.htm#_Toc531975954
The next part describes how to use it and how to put together a basic debugger.
Implementing a Simple Debugger (a): Debug Loop and Disassembly Engine