Int3 Breakpoint Principle:
Setting a breakpoint on an instruction takes two steps: 1. save the first byte of the instruction, 2. replace that byte with 0xCC.
We can take a look at the debugger I wrote:
The u command disassembles the instruction at address 14e1bbb as E8 3eac000, i.e. Call 14ec7fe.
Then inspect the contents of this address.
Next, set a breakpoint at 14E1BBB with BP 14e1bbb.
Looking at the contents of 14E1BBB again, the first byte has clearly been replaced with 0xCC.
Breakpoint implementation process:
The following is the implementation code that sets an INT3 breakpoint.
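/*
 * Plant an INT 3 (0xCC) software breakpoint at `Address` in the debuggee
 * (the process handle in g_process).
 *
 * Steps: read the original first byte, refuse if it is already 0xCC,
 * record (Address, original byte) in the breakpoint list, then overwrite
 * the byte with 0xCC.
 *
 * Returns 0 on success, 1 if a breakpoint is already set at Address,
 * 2 if ReadProcessMemory fails, 3 if WriteProcessMemory fails,
 * 5 if Record_breakpoint_list fails.
 */
DWORD Setbreakpoint(DWORD Address) /* address at which to set the breakpoint */
{
    BYTE original = 0;
    const BYTE int3 = 0xCC;
    SIZE_T bytes = 0; /* SIZE_T matches the ReadProcessMemory/WriteProcessMemory prototype */

    /* 1. Save the first byte of the instruction so it can be restored later. */
    if (ReadProcessMemory(g_process, (LPCVOID)Address, &original, sizeof original, &bytes) == 0) {
        /* GetLastError() returns a DWORD, so %lu rather than %d. */
        printf("\nerror in the Setbreakpoint->readprocessmemory, lasterror:%lu", GetLastError());
        return 2;
    }

    /* 2. A byte that is already 0xCC is treated as an existing breakpoint.
     * NOTE(review): an instruction that is genuinely INT 3 in the target
     * looks the same from here; only the breakpoint list can tell them apart. */
    if (original == int3) {
        printf("This Address had set breakpoint\n");
        return 1;
    }

    /* 3. Record the address and its original byte before patching, so the
     * breakpoint can be removed (and the byte restored) later. */
    if (FALSE == Record_breakpoint_list(Address, original)) {
        return 5;
    }

    /* 4. Patch the byte to INT 3.  The base address is written to, so the
     * cast is LPVOID (the parameter type), not LPCVOID. */
    if (0 == WriteProcessMemory(g_process, (LPVOID)Address, &int3, sizeof int3, &bytes)) {
        printf("\nerror in the Setbreakpoint->writeprocessmemory, lasterror:%lu", GetLastError());
        /* Roll back step 3: otherwise the list claims a breakpoint that was
         * never written, and a later Deletebreakpoint would not remove it
         * (it finds no 0xCC at Address).  The byte is unchanged, so any
         * restore Delete_breakpoint_list performs is harmless. */
        (void)Delete_breakpoint_list(Address);
        return 3;
    }
    return 0;
}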
Next is the implementation code that removes the breakpoint.
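/*
 * Remove the INT 3 breakpoint at `Address` in the debuggee (g_process).
 *
 * Reads the byte at Address; if it is not 0xCC there is nothing to remove.
 * Otherwise the list node is deleted via Delete_breakpoint_list.  The
 * original byte is not written back here — Delete_breakpoint_list is
 * expected to do that from the saved copy (confirm in its implementation).
 *
 * Returns 0 on success, 1 if no breakpoint is set at Address,
 * 2 if ReadProcessMemory fails, 3 if Delete_breakpoint_list fails.
 */
DWORD Deletebreakpoint(DWORD Address)
{
    BYTE current = 0;
    const BYTE int3 = 0xCC;
    SIZE_T bytes = 0; /* SIZE_T matches the ReadProcessMemory prototype */

    /* Fetch the byte currently at Address. */
    if (ReadProcessMemory(g_process, (LPCVOID)Address, &current, sizeof current, &bytes) == 0) {
        /* The message named Setbreakpoint (copy-paste); it now names this
         * function.  GetLastError() is a DWORD, so %lu. */
        printf("\nerror in the Deletebreakpoint->readprocessmemory, lasterror:%lu", GetLastError());
        return 2;
    }

    /* Only a byte equal to 0xCC can be one of our breakpoints. */
    if (current != int3) {
        printf("This Address don't have breakpoint\n");
        return 1;
    }

    /* Remove the node; its saved original byte is what the restore needs. */
    if (FALSE == Delete_breakpoint_list(Address)) {
        return 3;
    }
    return 0;
}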
Implementation of the Simple Debugger (d): Breakpoints