Read chapter 9 of Software Debugging

Today, I read Software Debugging by Mr. Zhang Yinkui. The CPU- and hardware-related parts are rather far from me, so I started reading from the operating system in Chapter 9. Today's reading notes:

9.2 Collecting debugging messages
There are eight types of debugging events:

typedef enum _DBGKM_APINUMBER
{
    DbgkmExceptionApi = 0,      // exception
    DbgkmCreateThreadApi = 1,   // thread created
    DbgkmCreateProcessApi = 2,  // process created
    DbgkmExitThreadApi = 3,     // thread exited
    DbgkmExitProcessApi = 4,    // process exited
    DbgkmLoadDllApi = 5,        // DLL mapped
    DbgkmUnloadDllApi = 6,      // DLL unmapped
    DbgkmErrorReportApi = 7,    // internal error
    DbgkmMaxApiNumber = 8,      // upper bound of this set of constants
} DBGKM_APINUMBER;


9.2.2 Process and thread creation messages
The operating system supports sending messages to the debugging system, which I did not expect. The specific process is as follows:
When a user-mode Windows thread is created, the system first builds the kernel objects and data structures the thread needs and allocates its stack space; the thread is in the suspended state (CREATE_SUSPENDED).
The process manager then notifies the environment subsystem, which performs the necessary setup and registration. Finally,
the process manager calls the PspUserThreadStartup routine to start the thread.
To support debugging, PspUserThreadStartup always calls the kernel function DbgkCreateThread of the debugging subsystem, giving the debugging subsystem a chance to process the event.


DbgkCreateThread checks whether the process that owns the new thread is being debugged (by testing whether its DebugPort is NULL). If not, it returns immediately.
If it is, DbgkCreateThread checks whether the process's user-mode running time (UserTime) is 0 to decide whether this is the first thread of the process. If it is,
the DbgkSendApiMessage() function is used to send a DbgkmCreateProcessApi message to the DebugPort; if not,
a DbgkmCreateThreadApi message is sent instead.
The process creation (CREATE_PROCESS_DEBUG_EVENT, value 3) and thread creation (CREATE_THREAD_DEBUG_EVENT, value 2) events received by the debugger are derived from these two messages.


9.2.3 Process and thread exit messages: similar to the above.


9.2.4 Module mapping and unmapping messages
DLLs (dynamic-link libraries) are one of the most widely used technologies in Windows. For example:
Although the Windows kernel file NTOSKRNL.EXE has an EXE suffix, it is essentially a DLL;
NTDLL.DLL is the bridge between user mode and the operating system kernel, and user-mode code accesses kernel services through it;
The Windows subsystem DLLs (KERNEL32.DLL, ADVAPI32.DLL, USER32.DLL, GDI32.DLL) are the carriers of the Windows API.


To observe the DLLs in a process:
1. Run notepad.exe.
2. Start VC6, use Build > Start Debug > Attach to Process... to bring up the Attach to Process dialog, and select notepad.
3. Click Debug > Modules... to view the DLLs in the notepad process.
The second column is the address of each module in the process's address space (virtual addresses, all below 0x80000000), which shows that these modules are located in user space.


Does a DLL that is present in several process spaces occupy memory more than once?
No. When the LoadLibrary() and LoadLibraryEx() APIs load a DLL, they first determine whether the DLL has already been loaded. If it has, it is not loaded again:
the memory pages of the DLL are merely mapped into the address space of the target process, and the DLL's reference count is incremented by 1.
When a process exits or calls the FreeLibrary() API to unload a DLL, Windows unmaps the DLL from the process's virtual address space
and decrements the DLL's reference count. When the reference count reaches 0, the DLL is completely removed from memory.
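The sharing rule above (one physical copy, one mapping per process, release at zero references) as a constructed C model. This is an added example, not the book's or Windows' loader code: the table, PROCESS struct, load_library/free_library/process_exit functions and the "KERNEL32.DLL" scenario are assumptions chosen to make the reference counting visible.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the DLL sharing rule in 9.2.4: one physical copy per
 * DLL system-wide, a mapping per process, and a reference count that decides
 * when the copy is finally released. Names and structs are assumptions, not
 * the loader's real data structures. */

#define MAX_DLLS 8

typedef struct {
    char name[32];   /* empty string marks a free slot */
    int refcount;    /* number of processes currently mapping this DLL */
} LOADED_DLL;

typedef struct {
    LOADED_DLL dlls[MAX_DLLS];
} DLL_TABLE;

typedef struct {
    int mapcount[MAX_DLLS];  /* per-process load count for each table slot */
} PROCESS;

static int find_dll(const DLL_TABLE *t, const char *name) {
    for (int i = 0; i < MAX_DLLS; i++)
        if (t->dlls[i].name[0] != '\0' && strcmp(t->dlls[i].name, name) == 0)
            return i;
    return -1;
}

/* Number of DLL images that physically occupy memory right now. */
int loaded_dll_count(const DLL_TABLE *t) {
    int n = 0;
    for (int i = 0; i < MAX_DLLS; i++)
        if (t->dlls[i].name[0] != '\0') n++;
    return n;
}

/* LoadLibrary model: load the image only if no process has it; otherwise just
 * map the existing pages into this process and bump the system-wide count.
 * Returns the system-wide reference count after the call, or -1 on failure. */
int load_library(DLL_TABLE *t, PROCESS *p, const char *name) {
    int i = find_dll(t, name);
    if (i < 0) {                       /* first load anywhere: take a free slot */
        for (i = 0; i < MAX_DLLS && t->dlls[i].name[0] != '\0'; i++) { }
        if (i == MAX_DLLS || strlen(name) >= sizeof t->dlls[i].name) return -1;
        strcpy(t->dlls[i].name, name);
        t->dlls[i].refcount = 0;
    }
    if (p->mapcount[i]++ == 0)         /* first mapping in this process */
        t->dlls[i].refcount++;
    return t->dlls[i].refcount;
}

/* Unmap one table slot from a process; releases the image at zero references. */
static void unmap_slot(DLL_TABLE *t, PROCESS *p, int i) {
    if (p->mapcount[i] == 0) return;
    if (--p->mapcount[i] == 0 && --t->dlls[i].refcount == 0)
        t->dlls[i].name[0] = '\0';     /* no process maps it: remove from memory */
}

/* FreeLibrary model. Returns the remaining system-wide reference count, or -1
 * if this process never loaded that DLL. */
int free_library(DLL_TABLE *t, PROCESS *p, const char *name) {
    int i = find_dll(t, name);
    if (i < 0 || p->mapcount[i] == 0) return -1;
    unmap_slot(t, p, i);
    return t->dlls[i].refcount;
}

/* Process exit: Windows unmaps every DLL the process still has mapped. */
void process_exit(DLL_TABLE *t, PROCESS *p) {
    for (int i = 0; i < MAX_DLLS; i++)
        while (p->mapcount[i] > 0) unmap_slot(t, p, i);
}

/* Constructed scenario: two processes share one DLL. Returns the number of
 * images still in memory at the end (0), or -1 if any step misbehaves. */
int run_scenario(void) {
    DLL_TABLE table;
    PROCESS a, b;
    memset(&table, 0, sizeof table);
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);

    if (load_library(&table, &a, "KERNEL32.DLL") != 1) return -1;  /* loaded once */
    if (load_library(&table, &b, "KERNEL32.DLL") != 2) return -1;  /* only mapped */
    if (load_library(&table, &b, "KERNEL32.DLL") != 2) return -1;  /* same process again */
    if (loaded_dll_count(&table) != 1) return -1;                  /* one physical copy */
    process_exit(&table, &a);
    if (free_library(&table, &b, "KERNEL32.DLL") != 1) return -1;  /* b still maps it once */
    if (free_library(&table, &b, "KERNEL32.DLL") != 0) return -1;  /* last reference gone */
    return loaded_dll_count(&table);
}

int main(void) {
    printf("images left in memory after the scenario: %d\n", run_scenario());
    return 0;
}
```

The per-process mapcount is what makes a second LoadLibrary in the same process leave the system-wide count alone, and process_exit is why a crashed or killed process never leaks a shared image: its mappings are torn down regardless of whether it ever called FreeLibrary.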


9.2.5 Exception messages
To support debugging, the system sends all exceptions in a program to the debugger.
In the kernel, the KiDispatchException function is the hub of exception dispatching. It arranges up to two rounds of handling opportunities for each exception,
and in each round it calls the DbgkForwardException function of the debugging subsystem to notify it.


Summary:
The system's process manager, memory manager and exception dispatch function call the Dbgk collection routines of the debugging subsystem to deliver debugging messages to it.
Once called, these routines use the DebugPort field of the current process to determine whether the process is being debugged.
If not, the call is ignored and the routine returns directly;
If so, a DBGKM_APIMSG structure is built, and the DbgkSendApiMessage function described in the next section is called to send the debugging message.
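The collection pattern in the summary, together with the DbgkCreateThread decision from 9.2.2 and the two-round exception forwarding from 9.2.5, as a constructed C model. This is an added example, not code from the book or from Windows: the reduced EPROCESS, DEBUG_PORT and DBGKM_APIMSG structs, the function names dbgk_create_thread, dbgk_forward_exception and run_scenario, and the scenario values are assumptions; the DBGKM_APINUMBER enumerators come from the notes, and the Win32 event codes 2 and 3 are the ones the notes give.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the Dbgk collection path: the DebugPort check, the
 * first-thread test in DbgkCreateThread, the per-round exception forwarding,
 * and the DBGKM_APIMSG handed to DbgkSendApiMessage. The structs are reduced
 * stand-ins, not the real NT definitions. */

typedef enum _DBGKM_APINUMBER {
    DbgkmExceptionApi = 0,
    DbgkmCreateThreadApi = 1,
    DbgkmCreateProcessApi = 2,
    DbgkmExitThreadApi = 3,
    DbgkmExitProcessApi = 4,
    DbgkmLoadDllApi = 5,
    DbgkmUnloadDllApi = 6,
    DbgkmErrorReportApi = 7,
    DbgkmMaxApiNumber = 8
} DBGKM_APINUMBER;

/* Reduced DBGKM_APIMSG: only the fields this model needs (assumption). */
typedef struct {
    DBGKM_APINUMBER ApiNumber;
    unsigned long ExceptionCode;  /* used for DbgkmExceptionApi only */
    bool FirstChance;             /* which round of KiDispatchException sent it */
} DBGKM_APIMSG;

/* DebugPort stand-in: a bounded queue the debugger side would drain. */
typedef struct {
    DBGKM_APIMSG queue[16];
    size_t count;
} DEBUG_PORT;

/* Reduced EPROCESS: just the two fields the dispatch logic reads. */
typedef struct {
    DEBUG_PORT *DebugPort;   /* NULL means the process is not being debugged */
    unsigned long UserTime;  /* stays 0 until a thread has run in user mode */
} EPROCESS;

/* DbgkSendApiMessage model: enqueue and report delivery. The real routine also
 * waits for the debugger's reply, which is omitted here. */
static bool dbgk_send_api_message(EPROCESS *proc, const DBGKM_APIMSG *msg) {
    DEBUG_PORT *port = proc->DebugPort;
    if (port == NULL || port->count >= sizeof port->queue / sizeof port->queue[0])
        return false;
    port->queue[port->count++] = *msg;
    return true;
}

/* DbgkCreateThread (9.2.2): returns the API number sent, or -1 when the process
 * has no DebugPort and the call is ignored. */
int dbgk_create_thread(EPROCESS *proc) {
    if (proc->DebugPort == NULL)
        return -1;
    DBGKM_APIMSG msg;
    memset(&msg, 0, sizeof msg);
    /* UserTime == 0: no thread has run yet, so this is the first thread and the
     * debugger must see process creation instead of thread creation. */
    msg.ApiNumber = (proc->UserTime == 0) ? DbgkmCreateProcessApi : DbgkmCreateThreadApi;
    return dbgk_send_api_message(proc, &msg) ? (int)msg.ApiNumber : -1;
}

/* DbgkForwardException (9.2.5): called once per round of KiDispatchException. */
int dbgk_forward_exception(EPROCESS *proc, unsigned long code, bool first_chance) {
    if (proc->DebugPort == NULL)
        return -1;
    DBGKM_APIMSG msg;
    memset(&msg, 0, sizeof msg);
    msg.ApiNumber = DbgkmExceptionApi;
    msg.ExceptionCode = code;
    msg.FirstChance = first_chance;
    return dbgk_send_api_message(proc, &msg) ? (int)msg.ApiNumber : -1;
}

/* Win32 debug event code a WaitForDebugEvent loop receives for each message
 * (2 and 3 are given in the notes; the others are the winbase.h values). */
int win32_debug_event_code(DBGKM_APINUMBER api) {
    switch (api) {
    case DbgkmExceptionApi:     return 1;  /* EXCEPTION_DEBUG_EVENT */
    case DbgkmCreateThreadApi:  return 2;  /* CREATE_THREAD_DEBUG_EVENT */
    case DbgkmCreateProcessApi: return 3;  /* CREATE_PROCESS_DEBUG_EVENT */
    case DbgkmExitThreadApi:    return 4;  /* EXIT_THREAD_DEBUG_EVENT */
    case DbgkmExitProcessApi:   return 5;  /* EXIT_PROCESS_DEBUG_EVENT */
    case DbgkmLoadDllApi:       return 6;  /* LOAD_DLL_DEBUG_EVENT */
    case DbgkmUnloadDllApi:     return 7;  /* UNLOAD_DLL_DEBUG_EVENT */
    default:                    return 0;  /* not mapped in this model */
    }
}

/* Constructed scenario: a debugged process starts two threads, then raises an
 * access violation nobody handles, so both rounds reach the debugger.
 * Returns the number of messages queued (4), or -1 if any step misbehaves. */
int run_scenario(void) {
    DEBUG_PORT port;
    memset(&port, 0, sizeof port);
    EPROCESS undebugged = { NULL, 0 };
    EPROCESS debugged = { &port, 0 };

    if (dbgk_create_thread(&undebugged) != -1) return -1;  /* no DebugPort: ignored */
    if (dbgk_create_thread(&debugged) != DbgkmCreateProcessApi) return -1;
    debugged.UserTime = 15;  /* constructed: the first thread has consumed user time */
    if (dbgk_create_thread(&debugged) != DbgkmCreateThreadApi) return -1;
    if (dbgk_forward_exception(&debugged, 0xC0000005UL, true) != DbgkmExceptionApi) return -1;
    if (dbgk_forward_exception(&debugged, 0xC0000005UL, false) != DbgkmExceptionApi) return -1;
    if (!port.queue[2].FirstChance || port.queue[3].FirstChance) return -1;
    return (int)port.count;
}

int main(void) {
    printf("messages delivered to the debug port: %d\n", run_scenario());
    return 0;
}
```

The single DebugPort test at the top of each routine is the whole reason an undebugged process pays almost nothing for this machinery, and the UserTime test is why a debugger never receives a CREATE_THREAD event for the initial thread: that thread arrives folded into the CREATE_PROCESS event.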
