I. Constructing C data types
| C type | Python type | ctypes type |
|---|---|---|
| char | 1-character string | c_char |
| wchar_t | 1-character Unicode string | c_wchar |
| char | int/long | c_byte |
| unsigned char | int/long | c_ubyte |
| short | int/long | c_short |
| unsigned short | int/long | c_ushort |
| int | int/long | c_int |
| unsigned int | int/long | c_uint |
| long | int/long | c_long |
| unsigned long | int/long | c_ulong |
| long long | int/long | c_longlong |
| unsigned long long | int/long | c_ulonglong |
| float | float | c_float |
| double | float | c_double |
| char * (NULL terminated) | string or None | c_char_p |
| wchar_t * (NULL terminated) | Unicode string or None | c_wchar_p |
| void * | int/long or None | c_void_p |
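The table above, exercised in code. This is an added example written for these notes, not code from the book or from the ctypes documentation; the `RegisterSet` structure and its field names are an assumption chosen to look like the CPU state a debugger reads back, not any operating system's real API, and the sample bytes are constructed.

```python
import ctypes
import struct

# Added example (not from the notes): the type table above exercised with
# ctypes. Everything here is constructed for illustration.

FIXED_WIDTH = [
    ("c_char", ctypes.c_char), ("c_byte", ctypes.c_byte),
    ("c_ubyte", ctypes.c_ubyte), ("c_short", ctypes.c_short),
    ("c_ushort", ctypes.c_ushort), ("c_int", ctypes.c_int),
    ("c_uint", ctypes.c_uint), ("c_longlong", ctypes.c_longlong),
    ("c_ulonglong", ctypes.c_ulonglong), ("c_float", ctypes.c_float),
    ("c_double", ctypes.c_double),
]

def c_sizes():
    """Byte width of each fixed-width type (c_long is omitted on purpose: it
    is 4 bytes on Windows and 8 on 64-bit Linux, so never hard-code it)."""
    return {name: ctypes.sizeof(t) for name, t in FIXED_WIDTH}

def wraparound():
    """ctypes integers silently truncate to their C width; a debugger that
    stores an address or a length in too small a type loses data this way."""
    return (ctypes.c_ubyte(300).value,   # 300 & 0xFF
            ctypes.c_byte(200).value,    # 200 reinterpreted as signed
            ctypes.c_ushort(-1).value)   # -1 reinterpreted as unsigned

def pointer_types():
    """The *_p types accept None, which becomes a NULL pointer."""
    return (ctypes.c_char_p(None).value,
            ctypes.c_char_p(b"debugger").value,
            ctypes.c_void_p(None).value)

class RegisterSet(ctypes.Structure):
    """A C struct described field by field, the way a debugger describes the
    CPU state it reads from the OS (field names assumed, not an OS API)."""
    _fields_ = [(name, ctypes.c_uint) for name in
                ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp", "eip")]

def regs_from_bytes(raw):
    """Overlay the struct on raw bytes such as a debugging API would return."""
    return RegisterSet.from_buffer_copy(raw)

if __name__ == "__main__":
    print(c_sizes())
    print(wraparound(), pointer_types())
    # constructed sample: nine little-endian 32-bit register values
    sample = struct.pack("<9I", 1, 2, 3, 4, 5, 6, 0x12FF80, 0x12FF70, 0x401000)
    r = regs_from_bytes(sample)
    print(hex(r.eip), hex(r.esp))
```

The wraparound values are the point to remember: ctypes never raises when a Python integer does not fit the C type, so choose the pointer-sized types (c_void_p, c_ulong on the platform's convention) for addresses rather than c_uint.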
II. General-purpose CPU registers
- CPU registers provide fast access to a small amount of data. In the x86 instruction set, a CPU has eight general-purpose registers: EAX, EDX, ECX, ESI, EDI, EBP, ESP and EBX. There are many other registers; they will be explained where they come up. These eight general-purpose registers each have different uses, and understanding their roles is critical for designing our debugger. Let's start with a brief look at each register and its function, and finish with a simple real-world example of how they are used.
- The EAX register, also called the accumulator register, is used to perform calculations and to store a function's return value. Many optimized instructions in the x86 instruction set are designed specifically to read from, write to and compute with EAX; from the most basic addition, subtraction and comparison to the specialized multiplication and division operations, there are EAX-optimized instructions. As mentioned, a function's return value is also stored in EAX. This matters because, by examining the value returned in EAX, we can determine whether the function succeeded, or obtain the exact return value.
- The EDX register, also called the data register, is essentially an extension of EAX: it assists EAX with more complex arithmetic such as multiplication and division. Although it can be used as a general-purpose register, it is used most often in calculations combined with EAX.
- The ECX register, also called the count register, is used for looping operations, such as repeatedly storing a character or counting items. Note that ECX counts downward rather than upward (put simply, the loop counter decreases from large to small).
- x86 assembly relies on the ESI and EDI registers to efficiently process data in loops. ESI is the source index: it holds the location of the input data stream. EDI is the destination index: it holds the location where computed results are stored. In short, ESI (source index) is used for reading and EDI (destination index) for writing. Using the source and destination pointers greatly improves the efficiency of data processing.
- ESP and EBP are the stack pointer and base pointer, respectively. Both registers are responsible for function calls and stack operations. When a function is called, the parameters it requires are pushed onto the stack, and the return address of the calling function is pushed as well. ESP points to the top of the stack, which is the return address. EBP points to the bottom of the stack. Sometimes the compiler applies an optimization that frees EBP from stack operations so that it can be used as an ordinary register.
- EBX is the only register with no special purpose; it can be used as additional data storage.
- One more register that must be mentioned is EIP. This register always points to the instruction that is about to be executed. As the CPU executes the thousands of instructions in a program, EIP points in real time to where the CPU will execute next.
- A debugger must be able to read and modify the contents of these registers easily. Each operating system provides an interface that lets the debugger interact with the CPU so that these values can be read and modified. This is explained separately in the later operating-system section.
III. The stack
The stack is a very important structure when developing a debugger. The stack stores a variety of information related to function calls, including the function's parameters and the way to return after the function has finished executing. ESP tracks the top of the stack and EBP tracks the bottom. The stack grows from high memory addresses toward low addresses. Let's use the previously written function my_socks() as an example to explain how the stack works.
Function call in C
_____________________________________________________________________
int my_socks(color_one, color_two, color_three);
_____________________________________________________________________
Function call in x86 assembly
_____________________________________________________________________
push color_three
push color_two
push color_one
call my_socks
_____________________________________________________________________
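The register and stack behaviour described in the two sections above, as an added example that is not part of the notes or the book: a tiny 32-bit stack model that replays the four assembly lines for my_socks(). The starting ESP, the call site, the target address and the argument values are constructed; the 5-byte CALL size and the [EBP+8+4n] argument layout are the standard 32-bit cdecl convention.

```python
# Added example, not part of the notes: a small model of the 32-bit x86 stack
# for the my_socks() call above. Addresses and argument values are constructed.

class Stack32:
    """Downward-growing stack with a tiny memory model. PUSH subtracts 4 from
    ESP and stores the dword there; POP does the reverse."""

    def __init__(self, esp=0x0012FF80):
        self.mem = {}          # address -> 32-bit value
        self.esp = esp         # stack pointer: top of stack
        self.ebp = esp         # base pointer: bottom of the current frame
        self.eip = 0           # next instruction to execute

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem[self.esp]
        self.esp += 4
        return value

    def call(self, call_site, target):
        """CALL pushes the return address (the instruction after the CALL; a
        near CALL with a rel32 operand is 5 bytes) and transfers control."""
        self.push(call_site + 5)
        self.eip = target

    def prologue(self):
        """Standard frame setup inside the callee: PUSH EBP / MOV EBP, ESP."""
        self.push(self.ebp)
        self.ebp = self.esp

    def arg(self, n):
        """After the prologue, [EBP] is the saved EBP, [EBP+4] the return
        address, and argument n lives at [EBP+8+4n]."""
        return self.mem[self.ebp + 8 + 4 * n]

    def return_address(self):
        return self.mem[self.ebp + 4]

    def epilogue_and_ret(self):
        """MOV ESP, EBP / POP EBP / RET: tear the frame down and resume at the
        return address. The three arguments stay on the stack; in cdecl the
        caller removes them (ADD ESP, 12)."""
        self.esp = self.ebp
        self.ebp = self.pop()
        self.eip = self.pop()

def call_my_socks(color_one, color_two, color_three,
                  call_site=0x00401000, target=0x00401234):
    """Reproduce the four assembly lines above: arguments are pushed right to
    left, then CALL pushes the return address."""
    s = Stack32()
    s.push(color_three)
    s.push(color_two)
    s.push(color_one)
    s.call(call_site, target)
    return s

def dump(s):
    """Stack view from ESP upward (lowest address first), as a debugger shows it."""
    return [(hex(addr), hex(s.mem[addr])) for addr in sorted(s.mem) if addr >= s.esp]

if __name__ == "__main__":
    s = call_my_socks(1, 2, 3)
    for row in dump(s):
        print(*row)
    s.prologue()
    print("arg0 =", s.arg(0), "return to", hex(s.return_address()))
```

Running it shows why a debugger's stack view is read from ESP upward: the return address sits at the lowest address (the top), followed by color_one, color_two and color_three in the order they will be read by the callee, even though they were pushed in reverse.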
IV. Breakpoints
Breakpoints are needed when we want the debugger to pause the process. By pausing the process, we can observe variables, stack parameters and memory data, and record them. Breakpoints bring many benefits when debugging a process, and these features will feel refreshing. Breakpoints are divided into three main types: software breakpoints, hardware breakpoints and memory breakpoints. They work in very similar ways, but are implemented by different means.
1. Software breakpoints
If the instruction we explained earlier is located at address 0x44332211, it is generally shown as follows:
_______________________________________________________________________________
0x44332211: 8BC3 MOV EAX, EBX
_______________________________________________________________________________
The address, the opcode and the high-level assembly instruction are shown here. To set a breakpoint at this address and make the CPU pause, we swap a single-byte opcode in for the first byte of the 2-byte opcode 8BC3. That single-byte opcode is the interrupt 3 instruction (INT 3), an instruction that makes the CPU pause; INT 3 is encoded as the opcode 0xCC. Here is the comparison before and after the breakpoint is set:
The opcode before the breakpoint is set
_______________________________________________________________________________
0x44332211: 8BC3 MOV EAX, EBX
_______________________________________________________________________________
The opcode after the breakpoint is set
_______________________________________________________________________________
0x44332211: CCC3 MOV EAX, EBX
_______________________________________________________________________________
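The byte swap above, as an added example that is not part of the notes or the book. A bytearray stands in for the debuggee's code (the bytes 8B C3 90 C3 at 0x44332211 are constructed); in a real debugger the reads and writes go through the operating system's process-memory API. The example also covers the two things a debugger must do after the swap: hide the 0xCC from memory reads, and rewind EIP by one byte when the INT 3 fires.

```python
# Added example, not from the notes: INT 3 breakpoints on a byte image of
# process memory. The image contents and base address are constructed.

INT3 = 0xCC   # one-byte INT 3 opcode

class SoftwareBreakpoints:
    """Manage INT 3 breakpoints in `image`, a bytearray standing in for the
    debuggee's code; `base` is the address of image[0]."""

    def __init__(self, image, base):
        self.image = image
        self.base = base
        self.saved = {}     # address -> original byte, so it can be restored

    def _offset(self, address):
        off = address - self.base
        if not 0 <= off < len(self.image):
            raise ValueError(f"address {address:#x} outside the image")
        return off

    def set(self, address):
        """Save the first byte of the instruction and overwrite it with 0xCC."""
        if address in self.saved:
            return False
        off = self._offset(address)
        self.saved[address] = self.image[off]
        self.image[off] = INT3
        return True

    def remove(self, address):
        off = self._offset(address)
        self.image[off] = self.saved.pop(address)

    def read_clean(self, address, length):
        """Read memory as the debuggee originally had it, hiding the 0xCC bytes.
        A debugger has to present memory this way; otherwise the user sees
        INT 3 everywhere, and code that checksums itself notices the change."""
        off = self._offset(address)
        data = bytearray(self.image[off:off + length])
        for bp_addr, orig in self.saved.items():
            if address <= bp_addr < address + length:
                data[bp_addr - address] = orig
        return bytes(data)

    def on_hit(self, eip):
        """When INT 3 executes, EIP already points one byte past the 0xCC.
        Restore the original byte and return the address to rewind EIP to,
        so the real instruction executes when the process resumes."""
        bp_addr = eip - 1
        if bp_addr not in self.saved:
            return None      # not ours, e.g. an INT 3 compiled into the program
        self.remove(bp_addr)
        return bp_addr

def listing(bps, address, length):
    """Format one line the way the listings above do, straight from memory."""
    off = bps._offset(address)
    return f"{address:#010x}: {bps.image[off:off + length].hex().upper()}"

if __name__ == "__main__":
    image = bytearray(bytes.fromhex("8BC390C3"))   # MOV EAX,EBX ; NOP ; RET
    bps = SoftwareBreakpoints(image, 0x44332211)
    print(listing(bps, 0x44332211, 2))
    bps.set(0x44332211)
    print(listing(bps, 0x44332211, 2), "clean:", bps.read_clean(0x44332211, 2).hex().upper())
    print("resume at", hex(bps.on_hit(0x44332212)))
```

The `on_hit` adjustment is the classic software-breakpoint pitfall: if the debugger resumes without rewinding EIP, execution continues from the second byte of the original instruction (C3 here, a RET) and the program runs off the rails.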
2. Hardware breakpoints
Hardware breakpoints are useful when you want to set a breakpoint in a small region of code or data that you cannot modify. This type of breakpoint is set at the CPU level, using special registers: the debug registers. A CPU typically has 8 debug registers (DR0 to DR7), which are used to manage hardware breakpoints. DR0 to DR3 store hardware breakpoint addresses, which means you can have up to 4 hardware breakpoints at a time. DR4 and DR5 are reserved. DR6 is a status register that describes the type of debug event triggered by a breakpoint. DR7 is essentially the on/off switch for hardware breakpoints, and it also stores the type of each breakpoint. By setting different flags in DR7 you can create the following breakpoints:
· Break when an instruction at a specific address is executed
· Break when data is written to a specific address
· Break when data at a specific address is read or written, but not executed
This is useful when you want to set a small number of specific breakpoints (up to 4) and cannot modify the running process.
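How a debugger would encode the DR7 flags for the three breakpoint kinds listed above, as an added example that is not code from the notes or the book. The bit positions (enable bit L<i> at bit 2i, the R/W<i> condition at bits 16+4i, the LEN<i> size at bits 18+4i) are the Intel DR7 layout; the alignment rule and the "execution breakpoints use length 1" rule are Intel's too. The addresses are constructed, and writing these values into the real registers is left to the operating-system interface the notes mention.

```python
# Added example, not part of the notes: DR0-DR3/DR6/DR7 bookkeeping for
# hardware breakpoints. Bit layout follows the Intel DR7 definition.

HW_EXECUTE = 0x0   # R/W field: break on instruction execution
HW_WRITE   = 0x1   # R/W field: break on data write
HW_ACCESS  = 0x3   # R/W field: break on data read or write, not execute

LEN_1, LEN_2, LEN_4 = 0x0, 0x1, 0x3   # LEN field encodings (bytes watched)

class DebugRegisters:
    """Models DR0-DR3 (addresses) and DR7 (control); DR6 (status) is decoded."""

    def __init__(self):
        self.dr = [0, 0, 0, 0]
        self.dr7 = 0

    def free_slot(self):
        # Local-enable bit L<i> sits at bit 2*i of DR7
        for i in range(4):
            if not (self.dr7 >> (2 * i)) & 1:
                return i
        return None

    def set(self, address, condition, length):
        byte_len = {LEN_1: 1, LEN_2: 2, LEN_4: 4}[length]
        if condition == HW_EXECUTE and length != LEN_1:
            raise ValueError("execution breakpoints must use length 1")
        if address % byte_len:
            raise ValueError(f"address {address:#x} must be {byte_len}-byte aligned")
        slot = self.free_slot()
        if slot is None:
            raise RuntimeError("all four hardware breakpoints are in use")
        self.dr[slot] = address
        self.dr7 |= 1 << (2 * slot)                 # L<i>: enable this slot
        self.dr7 |= condition << (16 + 4 * slot)    # R/W<i> at bits 16+4i..17+4i
        self.dr7 |= length << (18 + 4 * slot)       # LEN<i> at bits 18+4i..19+4i
        return slot

    def clear(self, slot):
        self.dr[slot] = 0
        self.dr7 &= ~(1 << (2 * slot))
        self.dr7 &= ~(0xF << (16 + 4 * slot))

    @staticmethod
    def fired(dr6):
        """DR6 bits B0..B3 record which breakpoint condition was met."""
        return [i for i in range(4) if (dr6 >> i) & 1]

def describe(regs):
    """Decode DR7 back into (slot, address, kind, bytes) for a debugger listing."""
    kinds = {HW_EXECUTE: "execute", HW_WRITE: "write", HW_ACCESS: "read/write"}
    sizes = {LEN_1: 1, LEN_2: 2, LEN_4: 4}
    out = []
    for i in range(4):
        if (regs.dr7 >> (2 * i)) & 1:
            cond = (regs.dr7 >> (16 + 4 * i)) & 0x3
            length = (regs.dr7 >> (18 + 4 * i)) & 0x3
            out.append((i, regs.dr[i], kinds[cond], sizes.get(length)))
    return out

if __name__ == "__main__":
    r = DebugRegisters()
    r.set(0x00401000, HW_EXECUTE, LEN_1)    # break when this instruction runs
    r.set(0x00403000, HW_WRITE, LEN_4)      # break when this dword is written
    r.set(0x00405002, HW_ACCESS, LEN_2)     # break when this word is read or written
    print(hex(r.dr7), describe(r))
    print("fired:", DebugRegisters.fired(0b0101))
```

Because DR6 is sticky, a debugger clears it after reading which slot fired; otherwise the next debug event reports stale B<i> bits.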
3. Memory breakpoints
A memory breakpoint is not actually a real breakpoint. When a debugger sets a memory breakpoint, it actually changes the permissions of a block or page of memory. A memory page is the smallest unit of memory that the operating system handles. When a memory page is allocated, it has a set of permissions that determine how the memory may be accessed. Here are some examples of memory page access permissions:
· An executable page allows execution but does not allow reads or writes; anything else throws an access exception
· A readable page only allows data to be read from the page; anything else throws an access exception
· A writable page allows data to be written to the page
· Any access to a guard page throws an exception, after which the page returns to the state it had before the access
Most systems allow you to combine these permissions. For example, you can create a page that is readable and writable, while another page is readable and executable. Each operating system has built-in functions that let you query the current permissions of memory pages (not all of them) and modify them.
What interests us here is the guard page. This type of page is often used to isolate the heap from the stack, or to ensure that a region of memory does not grow out of bounds. Another use is to suspend the process whenever it touches (accesses) a particular block of memory. For example, if we are reversing a network service that receives network packets, we can set a guard page on the memory that stores a packet and then run the program; as soon as there is any access to the guard page, the CPU pauses and throws a guard-page debugging exception. At that point we can determine when, and in what way, the program accesses the received data, then follow the instructions that touch that memory and determine what the program does with the data. This type of breakpoint also avoids the software breakpoint's problem of altering the debuggee, because we have not modified any running code.
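The guard-page workflow above, modelled in code. This is an added example, not part of the notes or the book, and it does not touch real process memory: a page-granular model with a one-shot guard flag plays the role of the operating system's page permissions (on Windows this would be a PAGE_GUARD protection set through the process-memory API; the notes leave that to the operating-system section). The packet bytes, addresses and the list of accesses standing in for the debuggee are constructed.

```python
# Added example, not from the notes: a page-level memory model with guard
# pages, and the debugger loop that re-arms the guard after every hit.

PAGE_SIZE = 0x1000

class AccessViolation(Exception):
    pass

class GuardPageHit(Exception):
    """Raised on the first touch of a guard page; records where and how."""
    def __init__(self, address, kind):
        super().__init__(f"{kind} at {address:#x}")
        self.address, self.kind = address, kind

class PagedMemory:
    """Each page carries a permission set and a one-shot guard flag, which is
    how a memory breakpoint is implemented underneath."""

    def __init__(self):
        self.pages = {}   # page base -> {"perms", "guard", "data"}

    @staticmethod
    def page_of(address):
        return address & ~(PAGE_SIZE - 1)

    def allocate(self, base, size, perms):
        for page in range(self.page_of(base), base + size, PAGE_SIZE):
            self.pages[page] = {"perms": set(perms), "guard": False,
                                "data": bytearray(PAGE_SIZE)}

    def set_guard(self, address):
        """The debugger's memory breakpoint: arm the page containing address."""
        page = self.page_of(address)
        self.pages[page]["guard"] = True
        return page

    def _check(self, address, kind):
        page = self.pages.get(self.page_of(address))
        if page is None:
            raise AccessViolation(f"{kind} of unmapped address {address:#x}")
        if page["guard"]:
            page["guard"] = False   # the guard is consumed by the first access
            raise GuardPageHit(address, kind)
        if kind not in page["perms"]:
            raise AccessViolation(f"{kind} not permitted at {address:#x}")
        return page

    def read(self, address, length):
        page = self._check(address, "read")
        off = address - self.page_of(address)
        return bytes(page["data"][off:off + length])

    def write(self, address, data):
        page = self._check(address, "write")
        off = address - self.page_of(address)
        page["data"][off:off + len(data)] = data

def trace_packet_accesses(mem, packet_addr, program):
    """Run `program`, a list of ("read"|"write", address, length_or_bytes)
    steps standing in for the debuggee, with a guard page on the packet
    buffer. After each hit the debugger lets the faulting access complete
    (in a real debugger: single-step it), re-arms the page, and goes on."""
    hits = []
    page = mem.set_guard(packet_addr)
    for kind, address, arg in program:
        try:
            mem.read(address, arg) if kind == "read" else mem.write(address, arg)
        except GuardPageHit as hit:
            hits.append((hit.kind, hit.address))
            mem.read(address, arg) if kind == "read" else mem.write(address, arg)
            mem.set_guard(page)
    return hits

if __name__ == "__main__":
    mem = PagedMemory()
    mem.allocate(0x10000, 0x2000, {"read", "write"})
    mem.write(0x10010, b"GET / HTTP/1.0")   # constructed packet bytes
    steps = [("read", 0x11000, 4), ("read", 0x10010, 4),
             ("write", 0x10020, b"\x00"), ("read", 0x10014, 2)]
    for kind, address in trace_packet_accesses(mem, 0x10010, steps):
        print(f"debuggee {kind} at {address:#x}")
```

Two caveats the model makes visible: the guard is page-granular, so accesses to unrelated data on the same page also trip it and must be filtered by address; and it is one-shot, so a debugger that forgets to re-arm after the first exception silently stops watching.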
Python Grey Hat Learning Note: Debugger settings