如何在使用 LoadLibrary 加载的 DLL 中设置真实断点
以下代码显示了如何在使用 LoadLibrary 加载的 DLL 中使用 x86 断点指令 INT 3 设置真正的断点。它处理 LOAD_DLL_DEBUG_EVENT 并将断点指令写入加载的 DLL。该命令有两个参数,一个 DLL 的名称和该 DLL 中导出函数的名称,以在开头设置断点。 DLL 的名称必须包含扩展名,但不能包含目录或驱动器号。如果程序运行,它将打印BREAKPOINT REACHED。
#include <stdio.h>
#include <windows.h>
int
winperror(char const *prefix) {
DWORD errid = GetLastError();
PVOID *buf;
fprintf(stderr, "%s: ", prefix);
if (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM
| FORMAT_MESSAGE_IGNORE_INSERTS
| FORMAT_MESSAGE_ALLOCATE_BUFFER,
NULL, errid, 0, (LPTSTR) &buf, 0, NULL) != 0) {
fprintf(stderr, "%s\n", (TCHAR *) buf);
} else {
fprintf(stderr, "unknown windows error %08lx\n", errid);
}
return -1;
}
static int
install_breakpoint(HANDLE process, DWORD_PTR addr) {
static char const int3 = 0xcc;
if (WriteProcessMemory(process, (LPVOID) addr, &int3, 1, NULL) == 0) {
return winperror("WriteProcessMemory");
}
printf("breakpoint set at address %p\n", (void *) addr);
return 0;
}
static int
install_dll_breakpoint(HANDLE process, HMODULE module,
char const *dll, char const *function) {
HMODULE lmodule = LoadLibrary(dll);
if (lmodule == NULL) {
return winperror("LoadLibrary");
}
void *lproc = GetProcAddress(lmodule, function);
if (lproc == NULL) {
return winperror("GetProcAddress");
}
FreeLibrary(lmodule);
/* The debugged process might load the DLL at a different
address than the DLL in this process, but the offset of the
function from base of the DLL remains the same in both
processes.
*/
DWORD_PTR offset = (DWORD_PTR) lproc - (DWORD_PTR) lmodule;
DWORD_PTR proc = (DWORD_PTR) module + offset;
return install_breakpoint(process, proc);
}
static int
get_file_name_from_handle(HANDLE file, char *buf, size_t len) {
DWORD tmp[1 + 1024 / 2];
if (GetFileInformationByHandleEx(file, FileNameInfo,
tmp, sizeof tmp) == 0) {
return winperror("GetFileInformationByHandleEx");
}
FILE_NAME_INFO *info = (FILE_NAME_INFO *) tmp;
int n = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS,
info->FileName, info->FileNameLength / 2,
buf, len - 1, NULL, NULL);
if (n == 0) {
return winperror("WideCharToMultiByte");
}
buf[n] = '\0';
return 0;
}
int
main(int argc, char **argv) {
if (argc != 3) {
fprintf(stderr, "usage: %s dll function\n", argv[0]);
return 1;
}
static STARTUPINFO startup;
PROCESS_INFORMATION process_info;
startup.cb = sizeof startup;
startup.lpReserved = NULL;
startup.lpDesktop = NULL;
startup.lpTitle = NULL;
startup.dwFlags = 0;
startup.cbReserved2 = 0;
startup.lpReserved2 = NULL;
static char const rundll32[] = "rundll32";
char buf[1024];
if (sizeof rundll32 + 1 + strlen(argv[1]) + 1 + strlen(argv[2])
> sizeof buf) {
fprintf(stderr, "DLL and/or function name too long\n");
return 1;
}
strcpy(buf, rundll32);
strcat(buf, " ");
strcat(buf, argv[1]);
strcat(buf, ",");
strcat(buf, argv[2]);
if (CreateProcess(NULL, buf, NULL, NULL, TRUE,
DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS, 0, NULL,
&startup, &process_info) == 0) {
winperror("CreateProcess");
return 1;
}
HANDLE process = process_info.hProcess;
int first_breakpoint = 1;
while(1) {
DWORD continue_flag = DBG_EXCEPTION_NOT_HANDLED;
DEBUG_EVENT event;
if (WaitForDebugEvent(&event, INFINITE) == 0) {
winperror("WaitForDebugEvent");
return 1;
}
continue_flag = DBG_EXCEPTION_NOT_HANDLED;
switch(event.dwDebugEventCode) {
case EXCEPTION_DEBUG_EVENT:
EXCEPTION_DEBUG_INFO *info = &event.u.Exception;
EXCEPTION_RECORD *exp = &info->ExceptionRecord;
if (exp->ExceptionCode == EXCEPTION_BREAKPOINT) {
if (first_breakpoint) {
printf("PROCESS STARTED\n");
first_breakpoint = 0;
continue_flag = DBG_CONTINUE;
} else {
printf("BREAKPOINT REACHED %p\n",
exp->ExceptionAddress);
TerminateProcess(process, 0);
return 0;
}
}
break;
case CREATE_PROCESS_DEBUG_EVENT:
CloseHandle(event.u.CreateProcessInfo.hFile);
break;
case EXIT_PROCESS_DEBUG_EVENT:
printf("process exited without encoutering breakpoint"
" exit code = %d\n",
(int) event.u.ExitProcess.dwExitCode);
return 0;
case LOAD_DLL_DEBUG_EVENT:
HMODULE module = (HMODULE) event.u.LoadDll.lpBaseOfDll;
HANDLE file = event.u.LoadDll.hFile;
if (get_file_name_from_handle(file,
buf, sizeof buf) == -1) {
return 1;
}
printf("LOAD_DLL %p %s\n", module, buf);
char *s = strrchr(buf, '\\');
if (s == NULL) {
s = buf;
} else {
s++;
}
if (stricmp(s, argv[1]) == 0
&& install_dll_breakpoint(process, module, argv[1],
argv[2]) == -1) {
return 1;
}
CloseHandle(file);
break;
case UNLOAD_DLL_DEBUG_EVENT:
printf("UNLOAD_DLL %p\n",
event.u.UnloadDll.lpBaseOfDll);
break;
}
if (ContinueDebugEvent(event.dwProcessId, event.dwThreadId,
continue_flag) == 0) {
winperror("ContinueDebugEvent");
return 1;
}
}
}
要编译程序,您只需cl test.c。如果您使用test d3d9.dll CreateDirect3D9 调用它,您将看到如下输出:
LOAD_DLL 76EE0000 \Windows\SysWOW64\ntdll.dll
UNLOAD_DLL 76AE0000
UNLOAD_DLL 766B0000
UNLOAD_DLL 76AE0000
UNLOAD_DLL 76C00000
LOAD_DLL 766B0000 \Windows\SysWOW64\kernel32.dll
LOAD_DLL 76A50000 \Windows\SysWOW64\KernelBase.dll
LOAD_DLL 75DD0000 \Windows\SysWOW64\user32.dll
LOAD_DLL 76890000 \Windows\SysWOW64\gdi32.dll
LOAD_DLL 76EB0000 \Windows\SysWOW64\lpk.dll
LOAD_DLL 767F0000 \Windows\SysWOW64\usp10.dll
LOAD_DLL 75FD0000 \Windows\SysWOW64\msvcrt.dll
LOAD_DLL 75D20000 \Windows\SysWOW64\advapi32.dll
LOAD_DLL 76420000 \Windows\SysWOW64\sechost.dll
LOAD_DLL 758B0000 \Windows\SysWOW64\rpcrt4.dll
LOAD_DLL 749D0000 \Windows\SysWOW64\sspicli.dll
LOAD_DLL 749C0000 \Windows\SysWOW64\cryptbase.dll
LOAD_DLL 767C0000 \Windows\SysWOW64\imagehlp.dll
PROCESS STARTED
LOAD_DLL 74960000 \Windows\SysWOW64\apphelp.dll
LOAD_DLL 6E070000 \Windows\AppPatch\AcLayers.dll
LOAD_DLL 74C60000 \Windows\SysWOW64\shell32.dll
LOAD_DLL 765E0000 \Windows\SysWOW64\shlwapi.dll
LOAD_DLL 74B00000 \Windows\SysWOW64\ole32.dll
LOAD_DLL 76380000 \Windows\SysWOW64\oleaut32.dll
LOAD_DLL 748B0000 \Windows\SysWOW64\userenv.dll
LOAD_DLL 748A0000 \Windows\SysWOW64\profapi.dll
LOAD_DLL 73540000 \Windows\SysWOW64\winspool.drv
LOAD_DLL 73510000 \Windows\SysWOW64\mpr.dll
LOAD_DLL 58B50000 \Windows\AppPatch\acwow64.dll
LOAD_DLL 72EC0000 \Windows\SysWOW64\version.dll
LOAD_DLL 75F60000 \Windows\SysWOW64\imm32.dll
LOAD_DLL 74A30000 \Windows\SysWOW64\msctf.dll
LOAD_DLL 6EF10000 \Windows\SysWOW64\d3d9.dll
breakpoint set at address 6EF70A62
UNLOAD_DLL 6EF10000
LOAD_DLL 6EF10000 \Windows\SysWOW64\d3d9.dll
breakpoint set at address 6EF70A62
UNLOAD_DLL 6EF10000
LOAD_DLL 6EF10000 \Windows\SysWOW64\d3d9.dll
breakpoint set at address 6EF70A62
UNLOAD_DLL 6EF10000
LOAD_DLL 6EF10000 \Windows\SysWOW64\d3d9.dll
breakpoint set at address 6EF70A62
LOAD_DLL 6FF20000 \Windows\SysWOW64\d3d8thk.dll
LOAD_DLL 736F0000 \Windows\SysWOW64\dwmapi.dll
BREAKPOINT REACHED 6EF70A62
该程序仅实现了最低限度,以演示如何在加载了 LoadLibrary 的 DLL 中设置断点。值得注意的是,真正的调试器需要能够移除断点并恢复原始指令,以便在到达断点后程序可以继续运行。相反,这个程序只是终止被调试的程序并退出。