Methods and processes for collecting debugging events in the debugging subsystem (1 ).

Source: Internet
Author: User


The application scenarios of software debugging are generally:

This article is my note on reading "Software Debugging" by Mr. Zhang Yinkui.

This article mainly describes how to collect the debugging events obtained by the debugger.


Reading directory

  • Collection Process of Process Creation and thread Creation events
  • Collection of process and thread exit events
  • Module mapping and unmapping event recording
  • Exception event collection


Debugging events (messages) that can be collected include:


    typedef enum _DBGKM_APINUMBER
    {
        DbgKmExceptionApi = 0,   // exception event
        DbgKmCreateThreadApi,    // thread creation event
        DbgKmCreateProcessApi,   // process creation event
        DbgKmExitThreadApi,      // thread exit event
        DbgKmExitProcessApi,     // process exit event
        DbgKmLoadDllApi,         // DLL load event
        DbgKmUnloadDllApi,       // DLL unload event
        DbgKmErrorReportApi,     // internal error event
        DbgKmMaxApiNumber        // upper bound of this set of constants
    } DBGKM_APINUMBER;

PS: DbgKmErrorReportApi is used to report internal errors of the debugging subsystem and is no longer used.


-Process creation and thread creation event collection

The Process Manager is the series of kernel functions whose names start with Ps or Psp; it is responsible for creating processes and threads. When the Process Manager creates a new user-mode Windows thread, it performs the following work:
-Create the necessary kernel objects and data structures for the thread
-Allocate stack space
-Suspend the thread
-Notify the environment subsystem (the subsystem makes the necessary settings and registration)
-Call PspUserThreadStartup to prepare the thread for startup (this function always calls the debugging subsystem's kernel function DbgkCreateThread)
-DbgkCreateThread() checks whether the process that owns the newly created thread is being debugged, based on whether its DebugPort is NULL. If it is NULL, the function returns immediately to PspUserThreadStartup(). If it is not NULL, it goes on to check whether the user-mode time (UserTime) of the process is 0, which tells it whether this thread is the first thread in the process. If it is the first thread, DbgkpQueueMessage() is used to send the DbgKmCreateProcessApi message to the debug port (DebugPort); if it is not the first thread, the DbgKmCreateThreadApi message is sent instead.

The specific process is as follows:

Create the kernel objects and data structures
|
\/
Allocate stack space
|
\/
Suspend the thread
|
\/
Notify the environment subsystem  --> necessary settings and registration
|
\/
PspUserThreadStartup()
|
\/
DbgkCreateThread()   /* called from within PspUserThreadStartup() */
|
\/
[DebugPort == NULL] -- Yes --> return to the caller (PspUserThreadStartup())
|
No
|
\/
[UserTime == 0] -- Yes --> DbgkpQueueMessage(): send the DbgKmCreateProcessApi message
|
No
|
\/
DbgkpQueueMessage(): send the DbgKmCreateThreadApi message

-Process and thread exit event collection process

The PspExitThread function of the Process Manager is responsible for exiting and cleaning up threads. Before it destroys the thread's structures and resources, it calls into the debugging subsystem to give the debugger (if any) a chance to handle the event. If the exiting thread is the last thread in the process, PspExitThread calls the DbgkExitProcess function; otherwise it calls the DbgkExitThread function. DbgkExitThread first checks whether the process's DebugPort is 0. If it is not 0, it suspends the process and sends the DbgKmExitThreadApi message to the DebugPort through the DbgkpQueueMessage function; the suspension is lifted only after the DbgKmExitThreadApi call returns. The execution process of DbgkExitProcess is similar to that of DbgkExitThread, except that the DbgKmExitProcessApi message is sent and there is no need to perform the suspend and resume actions, because the Process Manager has already marked the thread for deletion (??)

-Module mapping and unmapping event recording
When the system needs to load a DLL, it first determines whether the DLL has already been loaded (what are the conditions?). If it has, the DLL is not loaded again; the memory pages corresponding to the DLL are simply mapped into the memory space of the target process (how does it know the location and size of the DLL already in memory?) and the DLL's reference count is incremented by 1. When a process exits or calls the FreeLibrary function to unload a DLL, the system removes the DLL mapping from the process's virtual memory space (how does it know the address mapped into the process's virtual memory space?) and decrements the DLL's reference count; if the reference count reaches 0, the DLL is completely removed from memory (from where?). The Memory Manager in the system kernel is responsible for mapping and unmapping DLLs. The Memory Manager uses a Section object to represent a memory area that can be shared by multiple processes, and a series of kernel services and functions implement the various mapping and unmapping tasks. NtMapViewOfSection is the kernel service used to map a module; NtUnmapViewOfSection is used to unmap it. When NtMapViewOfSection successfully maps a module image into the specified process's address space (mainly by means of MmMapViewOfSection), it calls the DbgkMapViewOfSection function of the debugging subsystem to notify the debugging subsystem.
The module mapping process is as follows:
-Recursively walk the module's import table (LdrpWalkImportDescriptor)
-Load each imported module (LdrpLoadImportModule)
-Map the module into the process's virtual address space (user-mode function: ZwMapViewOfSection)
-Map the module into the process's virtual address space (kernel function: NtMapViewOfSection)
-Notify the debugging subsystem (DbgkMapViewOfSection)
-Check whether the DebugPort field is empty
-If it is not empty, send the debugging message to the debug port (DbgkpQueueMessage)

The execution process of the NtUnmapViewOfSection function is similar: it calls the DbgkUnmapViewOfSection function of the debugging subsystem, and after DbgkUnmapViewOfSection detects that DebugPort is not empty, it sends the DbgKmUnloadDllApi message.

-Exception event collection
The KiDispatchException function is the hub of exception dispatching. It schedules up to two rounds of handling opportunities for each exception, and in each round it calls the DbgkForwardException function of the debugging subsystem to notify it. DbgkForwardException can send the message either to the process's exception port or to its debug port; which one it sends to is determined by a Boolean parameter that KiDispatchException passes when calling it. If DbgkForwardException decides to send the message to the debug port, it checks whether the process's DebugPort field is NULL; if it is not NULL, the DbgKmExceptionApi message is sent through the DbgkpQueueMessage function.
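To tie the four collection paths above together (thread/process creation, thread/process exit, module mapping/unmapping, and exception forwarding), here is an added C model of the decision logic the text describes; it is example code written for this note, not code from the book or from Windows. The MODEL_EPROCESS struct, the Model* function names, NO_MESSAGE and the MODEL_TARGET enum are constructed stand-ins for the kernel's EPROCESS fields, the Dbgk* functions and DbgkpQueueMessage.

```c
#include <stddef.h>

typedef enum _DBGKM_APINUMBER {            /* same values as the enum above */
    DbgKmExceptionApi = 0, DbgKmCreateThreadApi, DbgKmCreateProcessApi,
    DbgKmExitThreadApi, DbgKmExitProcessApi, DbgKmLoadDllApi,
    DbgKmUnloadDllApi, DbgKmErrorReportApi, DbgKmMaxApiNumber
} DBGKM_APINUMBER;

#define NO_MESSAGE (-1)   /* model: DbgkpQueueMessage was not called */

typedef struct {                /* constructed stand-in for the EPROCESS fields used */
    void *DebugPort;            /* NULL until a debugger attaches */
    unsigned long UserTime;     /* 0 until the first thread has run in user mode */
    int SuspendResumeCalls;     /* counts DbgkpSuspendProcess + DbgkpResumeProcess */
} MODEL_EPROCESS;

/* DbgkCreateThread: the first thread of a debugged process reports process creation. */
int ModelDbgkCreateThread(const MODEL_EPROCESS *p) {
    if (p->DebugPort == NULL) return NO_MESSAGE;   /* not being debugged */
    return p->UserTime == 0 ? DbgKmCreateProcessApi : DbgKmCreateThreadApi;
}

/* DbgkExitThread: suspend the process, send the message, resume afterwards. */
int ModelDbgkExitThread(MODEL_EPROCESS *p) {
    if (p->DebugPort == NULL) return NO_MESSAGE;
    p->SuspendResumeCalls++;   /* DbgkpSuspendProcess */
    /* DbgkpQueueMessage(DbgKmExitThreadApi) would block here until the debugger replies */
    p->SuspendResumeCalls++;   /* DbgkpResumeProcess */
    return DbgKmExitThreadApi;
}

/* DbgkExitProcess: same message path, but no suspend/resume (already marked for deletion). */
int ModelDbgkExitProcess(const MODEL_EPROCESS *p) {
    return p->DebugPort == NULL ? NO_MESSAGE : DbgKmExitProcessApi;
}

/* DbgkMapViewOfSection (unmap == 0) and DbgkUnmapViewOfSection (unmap == 1). */
int ModelDbgkMapViewOfSection(const MODEL_EPROCESS *p, int unmap) {
    if (p->DebugPort == NULL) return NO_MESSAGE;
    return unmap ? DbgKmUnloadDllApi : DbgKmLoadDllApi;
}

/* DbgkForwardException: KiDispatchException's Boolean picks the port; the DebugPort
 * NULL check only applies on the debug-port path. */
typedef enum { TO_NOBODY, TO_DEBUG_PORT, TO_EXCEPTION_PORT } MODEL_TARGET;
MODEL_TARGET ModelDbgkForwardException(const MODEL_EPROCESS *p, int debugException) {
    if (!debugException) return TO_EXCEPTION_PORT;
    return p->DebugPort == NULL ? TO_NOBODY : TO_DEBUG_PORT;
}
```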
