{"id":614,"date":"2013-12-09T00:12:48","date_gmt":"2013-12-09T00:12:48","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=614"},"modified":"2013-12-09T00:14:27","modified_gmt":"2013-12-09T00:14:27","slug":"writing-your-own-debugger-windows-in-c","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2013\/12\/writing-your-own-debugger-windows-in-c\/","title":{"rendered":"Writing your own windows debugger in C"},"content":{"rendered":"Hello all!<\/p>\n
I’m cracking away on various projects and trying to keep focus. As I was going through my old notes, I came across a talk I wanted to give but could not due to my car accident and the subsequent down time caused me to forget. I wanted to cover making your own debugger in windows, but I never completed the project. I had dumping, I had a disassembler, etc, but it never panned out. It was more of a learning experience.<\/p>\n
None the less, I will share with you all some snippets I was able to piece together. We’ll go over the basics of “Break & Enter”. There are a few steps involved, but its pretty easy. By break and enter, I mean open a process \/ thread and break-point on the current instruction, sort of like how you would do when you attach to a process in Immunity \/ Olly \/ WinDBG \/ IDA. Luckily for me, windows provides the means to do so internally and we need only invoke these functions to do our own low level debugging. Disassebmly and dumping however is not supported internally on windows, so we would have to use a 3rd party library or write our own functionality if we wanted to do this. Debugging on the other hand is easy. Perhaps in the future I’ll finish my debugger when time is more permissive and I have more interest. <\/p>\n
These are the steps:<\/p>\n
Step 1 – get process id – can be done programatically with win32 snapshots \/ psapi or with task manager<\/p>\n
Step 2 – get handle to said process id – OpenProcess() win32 api<\/p>\n
Step 3 – getthreadcontenxt and store in structure- Windows api which stores the registers (eax, esi, etc)<\/p>\n
Step 4 – Enable debug privileges and suspend the thread so we can mess with it. <\/p>\n
Step 5 – call the DebugBreakProcess() function which writes an int3 call into the EIP for the process. <\/p>\n
Step 6 – Handle the debug loop. The debug loop is responsible for handling debug events such as single step interrupts, access violations, thread \/ process creation and the like. <\/p>\n
The code is below and I’ve tried my best to comment it and add the appropriate links to MSDN. <\/p>\n
<\/p>\n
\n
DWORD pid =<\/span> 2182<\/span>; \/\/ PID grabbed from task manager<\/span>\r\n\r\nHANDLE myproc =<\/span> OpenProcess(PROCESS_VM_READ |<\/span> PROCESS_QUERY_INFORMATION ,TRUE,pid); \/\/ open it, may have to do debug for the main loop<\/span>\r\n\r\n\r\nvoid<\/span> BreakAndEnter<\/span>(HANDLE proc)\r\n{\r\n CONTEXT tcx;\r\n \/\/ http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms679297%28v=vs.85%29.aspx<\/span>\r\n \/\/ there are 2 ways to do this<\/span>\r\n \/\/ 1) WriteProcessMemory() and pass he int3 opcode to the stack of the currently executing process<\/span>\r\n \/\/ 2) DebugBreakProcess() function which does the same thing essentially<\/span>\r\n \/\/ but first, you NEED to set the debug privilege<\/span>\r\n EnableDebugPriv(proc);\r\n SuspendThread(proc);\r\n \/\/ You need to suspend the thread b4 calling getthreadcontext<\/span>\r\n GetThreadContext(proc,&<\/span>tcx);\r\n printf("Register info for debugged process: <\/span>\\r\\n<\/span>"<\/span>);\r\n printf("EAX: %d<\/span>\\r\\n<\/span>"<\/span>,tcx.Eax);\r\n printf("EBX: %d<\/span>\\r\\n<\/span>"<\/span>,tcx.Ebx);\r\n printf("ECX: %d<\/span>\\r\\n<\/span>"<\/span>,tcx.Ecx);\r\n printf("EDX: %d<\/span>\\r\\n<\/span>"<\/span>,tcx.Edx);\r\n printf("ESI: %d<\/span>\\r\\n<\/span>"<\/span>,tcx.Esi);\r\n printf("ESP: %d<\/span>\\r\\n<\/span>"<\/span>,tcx.Esp);\r\n printf("EIP: %d<\/span>\\r\\n<\/span>"<\/span>,tcx.Eip);\r\n DebugBreakProcess(proc);\r\n \/\/ after calling into this, we need to tell our remote thread to continue<\/span>\r\n ContinueDebugEvent();\r\n \/\/ Our debug debug loop will handle any and all exceptions<\/span>\r\n system("pause"<\/span>);\r\n EnterDebugLoop();\r\n \/\/Applications should call FlushInstructionCache if they generate or modify code in memory. The CPU cannot detect the change, and may execute the old code it cached.<\/span>\r\n \/\/ FlushInstructionCache(proc,baseaddr,sizeofregion);<\/span>\r\n \/\/ After all this is called, we can handle our debug events<\/span>\r\n \/\/ http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms679302%28v=vs.85%29.aspx<\/span>\r\n\r\n\r\n}\r\n\r\nBOOL EnableDebugPriv<\/span>(HANDLE proc)\r\n{\r\n\t HANDLE hToken;\r\n\t LUID sedebugnameValue;\r\n\t TOKEN_PRIVILEGES tkp;\r\n\t \/\/ pass our opened process handle<\/span>\r\n\t OpenProcessToken(proc, TOKEN_ADJUST_PRIVILEGES |<\/span> TOKEN_QUERY, &<\/span>hToken);\r\n LookupPrivilegeValue(NULL<\/span>, SE_DEBUG_NAME, &<\/span>sedebugnameValue);\r\n\t tkp.PrivilegeCount =<\/span> 1<\/span>;\r\n\t tkp.Privileges[0<\/span>].Luid =<\/span> sedebugnameValue;\r\n\t tkp.Privileges[0<\/span>].Attributes =<\/span> SE_PRIVILEGE_ENABLED;\r\n\t if<\/span>(AdjustTokenPrivileges(hToken, FALSE, &<\/span>tkp, sizeof<\/span> tkp, NULL<\/span>, NULL<\/span>))\r\n\t {\r\n CloseHandle(hToken);\r\n\t return<\/span> TRUE;\r\n\t }\r\n\t else<\/span>\r\n\t {\r\n\t MessageBox(NULL<\/span>,"Bro, you gotta be an admin to set privs like this"<\/span>, "Shit"<\/span>, MB_OK);\r\n\t CloseHandle(hToken);\r\n\t return<\/span> FALSE;\r\n\t }\r\n\r\n\r\n}\r\n\r\nvoid<\/span> EnterDebugLoop<\/span>(const<\/span> LPDEBUG_EVENT DebugEv)\r\n{\r\n DWORD dwContinueStatus =<\/span> DBG_CONTINUE; \/\/ exception continuation<\/span>\r\n\r\n for<\/span>(;;)\r\n {\r\n \/\/ Wait for a debugging event to occur. The second parameter indicates<\/span>\r\n \/\/ that the function does not return until a debugging event occurs.<\/span>\r\n\r\n WaitForDebugEvent(DebugEv, INFINITE);\r\n\r\n \/\/ Process the debugging event code.<\/span>\r\n\r\n switch<\/span> (DebugEv-><\/span>dwDebugEventCode)\r\n {\r\n case<\/span> EXCEPTION_DEBUG_EVENT:\r\n \/\/ Process the exception code. When handling<\/span>\r\n \/\/ exceptions, remember to set the continuation<\/span>\r\n \/\/ status parameter (dwContinueStatus). This value<\/span>\r\n \/\/ is used by the ContinueDebugEvent function.<\/span>\r\n\r\n switch<\/span>(DebugEv-><\/span>u.Exception.ExceptionRecord.ExceptionCode)\r\n {\r\n case<\/span> EXCEPTION_ACCESS_VIOLATION:\r\n \/\/ First chance: Pass this on to the system.<\/span>\r\n \/\/ Last chance: Display an appropriate error.<\/span>\r\n break<\/span>;\r\n\r\n case<\/span> EXCEPTION_BREAKPOINT:\r\n \/\/ First chance: Display the current<\/span>\r\n \/\/ instruction and register values.<\/span>\r\n break<\/span>;\r\n\r\n case<\/span> EXCEPTION_DATATYPE_MISALIGNMENT:\r\n \/\/ First chance: Pass this on to the system.<\/span>\r\n \/\/ Last chance: Display an appropriate error.<\/span>\r\n break<\/span>;\r\n\r\n case<\/span> EXCEPTION_SINGLE_STEP:\r\n \/\/ First chance: Update the display of the<\/span>\r\n \/\/ current instruction and register values.<\/span>\r\n break<\/span>;\r\n\r\n case<\/span> DBG_CONTROL_C:\r\n \/\/ First chance: Pass this on to the system.<\/span>\r\n \/\/ Last chance: Display an appropriate error.<\/span>\r\n break<\/span>;\r\n\r\n default:<\/span>\r\n \/\/ Handle other exceptions.<\/span>\r\n break<\/span>;\r\n }\r\n\r\n break<\/span>;\r\n\r\n case<\/span> CREATE_THREAD_DEBUG_EVENT:\r\n \/\/ As needed, examine or change the thread's registers<\/span>\r\n \/\/ with the GetThreadContext and SetThreadContext functions;<\/span>\r\n \/\/ and suspend and resume thread execution with the<\/span>\r\n \/\/ SuspendThread and ResumeThread functions.<\/span>\r\n\r\n dwContinueStatus =<\/span> OnCreateThreadDebugEvent(DebugEv);\r\n\r\n break<\/span>;\r\n\r\n case<\/span> CREATE_PROCESS_DEBUG_EVENT:\r\n \/\/ As needed, examine or change the registers of the<\/span>\r\n \/\/ process's initial thread with the GetThreadContext and<\/span>\r\n \/\/ SetThreadContext functions; read from and write to the<\/span>\r\n \/\/ process's virtual memory with the ReadProcessMemory and<\/span>\r\n \/\/ WriteProcessMemory functions; and suspend and resume<\/span>\r\n \/\/ thread execution with the SuspendThread and ResumeThread<\/span>\r\n \/\/ functions. Be sure to close the handle to the process image<\/span>\r\n \/\/ file with CloseHandle.<\/span>\r\n\r\n dwContinueStatus =<\/span> OnCreateProcessDebugEvent(DebugEv);\r\n break<\/span>;\r\n\r\n case<\/span> EXIT_THREAD_DEBUG_EVENT:\r\n \/\/ Display the thread's exit code.<\/span>\r\n\r\n dwContinueStatus =<\/span> OnExitThreadDebugEvent(DebugEv);\r\n break<\/span>;\r\n\r\n case<\/span> EXIT_PROCESS_DEBUG_EVENT:\r\n \/\/ Display the process's exit code.<\/span>\r\n\r\n dwContinueStatus =<\/span> OnExitProcessDebugEvent(DebugEv);\r\n break<\/span>;\r\n\r\n case<\/span> LOAD_DLL_DEBUG_EVENT:\r\n \/\/ Read the debugging information included in the newly<\/span>\r\n \/\/ loaded DLL. Be sure to close the handle to the loaded DLL<\/span>\r\n \/\/ with CloseHandle.<\/span>\r\n\r\n \/\/ dwContinueStatus = OnLoadDllDebugEvent(DebugEv); busted<\/span>\r\n break<\/span>;\r\n\r\n case<\/span> UNLOAD_DLL_DEBUG_EVENT:\r\n \/\/ Display a message that the DLL has been unloaded.<\/span>\r\n\r\n\/\/ dwContinueStatus = OnUnloadDllDebugEvent(DebugEv); busted<\/span>\r\n break<\/span>;\r\n\r\n case<\/span> OUTPUT_DEBUG_STRING_EVENT:\r\n \/\/ Display the output debugging string. doesnt fucking work<\/span>\r\n\r\n\/\/ dwContinueStatus = OnOutputDebugStringEvent(DebugEv);<\/span>\r\n break<\/span>;\r\n\r\n case<\/span> RIP_EVENT:\r\n\/\/ dwContinueStatus = OnRipEvent(DebugEv); doesnt fucking work<\/span>\r\n\r\n \/\/ http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms681675%28v=vs.85%29.aspx<\/span>\r\n \/\/ http:\/\/support.microsoft.com\/kb\/121093<\/span>\r\n break<\/span>;\r\n }\r\n\r\n \/\/ Resume executing the thread that reported the debugging event.<\/span>\r\n\r\n ContinueDebugEvent(DebugEv-><\/span>dwProcessId,DebugEv-><\/span>dwThreadId,dwContinueStatus);\r\n }\r\n}\r\n<\/pre>\n<\/div>\nHappy hacking!
\n![\"k9AnYwF\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2013\/12\/k9AnYwF.jpg\")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Hello all! I’m cracking away on various projects and trying to keep focus. As I was going through my old notes, I came across a talk I wanted to give but could not due to my car accident and the subsequent down time caused me to forget. I wanted to cover making your own debugger […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,7],"tags":[105,74,106,75],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/614"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=614"}],"version-history":[{"count":3,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/614\/revisions"}],"predecessor-version":[{"id":616,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/614\/revisions\/616"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}