From 0a2696b3812f09654d3ed46a25151fb6c6cf1ce6 Mon Sep 17 00:00:00 2001
From: "Mr. eXoDia"
Date: Fri, 11 Mar 2016 21:43:00 +0100
Subject: [PATCH] fixed Detach and DetachAndBreak functions
---
 GleeBug/Debugger.Loop.cpp | 36 ++++++++++++++++++++++--------------
 GleeBug/Debugger.cpp | 21 ++++++--------------
 capstone_wrapper | 2 +-
 3 files changed, 29 insertions(+), 30 deletions(-)
diff --git a/GleeBug/Debugger.Loop.cpp b/GleeBug/Debugger.Loop.cpp
index 4c0037f..f9e3c67 100644
--- a/GleeBug/Debugger.Loop.cpp
+++ b/GleeBug/Debugger.Loop.cpp
@@ -25,20 +25,6 @@ namespace GleeBug
 while (!mBreakDebugger)
 {
- //execute the delayed-detach
- if (mDetach)
- {
- if (!UnsafeDetach())
- cbInternalError("Debugger::Detach failed!");
- break;
- }
- if (mDetachAndBreak)
- {
- if (!UnsafeDetachAndBreak())
- cbInternalError("Debugger::DetachAndBreak failed!");
- break;
- }
-
 //wait for a debug event
 mIsRunning = true;
 if (!MyWaitForDebugEvent(&mDebugEvent, INFINITE))
@@ -119,6 +105,21 @@ namespace GleeBug
 //call the post debug event callback
 cbPostDebugEvent(mDebugEvent);
+ //execute the delayed-detach
+ if (mDetachAndBreak)
+ {
+ if (!UnsafeDetachAndBreak())
+ cbInternalError("Debugger::DetachAndBreak failed!");
+ break;
+ }
+
+ //clear trap flag when set by GleeBug (to prevent an EXCEPTION_SINGLE_STEP after detach
+ if (mDetach && mThread)
+ {
+ if (mThread->isInternalStepping || mThread->isSingleStepping)
+ mThread->registers.TrapFlag = false;
+ }
+
 //write the register context
 if (mThread)
 {
@@ -129,6 +130,13 @@ namespace GleeBug
 //continue the debug event
 if (!ContinueDebugEvent(mDebugEvent.dwProcessId, mDebugEvent.dwThreadId, mContinueStatus))
 break;
+
+ if (mDetach || mDetachAndBreak)
+ {
+ if (!UnsafeDetach())
+ cbInternalError("Debugger::Detach failed!");
+ break;
+ }
 }
 //cleanup
diff --git a/GleeBug/Debugger.cpp b/GleeBug/Debugger.cpp
index fe0c703..2efcff1 100644
--- a/GleeBug/Debugger.cpp
+++ b/GleeBug/Debugger.cpp
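Review bot: In the second hunk the mDetachAndBreak branch leaves the loop right after cbPostDebugEvent, so the outstanding debug event is never handed to ContinueDebugEvent before UnsafeDetachAndBreak() reaches DebugActiveProcessStop, whereas the mDetach path in the third hunk detaches only after the continue; the two paths should agree. Whether the kernel implicitly continues a pending event on detach, and with which status, cannot be confirmed from this page, so continuing first and detaching afterwards is the order that does not depend on it. The new trap-flag clearing writes `mThread->registers.TrapFlag`, while Debugger.cpp in this same patch writes `mRegisters->TrapFlag`; if those are not the same object the write here never reaches the context that is written out below, which is worth confirming. The comment above it also has an unbalanced parenthesis: `//clear trap flag when set by GleeBug (to prevent an EXCEPTION_SINGLE_STEP after detach)`. The enclosing while loop begins before the hunk.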
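Review bot: The `UnsafeDetach()` call added in the third hunk has no null guard, while the second hunk guards the same path with `mDetach && mThread` and the new body of UnsafeDetach() in Debugger.cpp (same patch) dereferences `mRegisters` and `mThread` unconditionally, so a detach requested while no thread is current would crash the debugger instead of failing. Either guard the call here, `if ((mDetach || mDetachAndBreak) && mThread && mRegisters)`, or have UnsafeDetach() return false when either pointer is null so the failure still surfaces through cbInternalError. The `|| mDetachAndBreak` half looks unreachable, because the second hunk already breaks out of the loop when that flag is set before control gets here, unless the flag can be set from another thread in between; if that is possible, the plain bool reads and writes are a data race and the flags should be std::atomic<bool>. The loop body continues outside the hunk.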
@@ -57,6 +57,8 @@ namespace GleeBug
 bool Debugger::UnsafeDetach()
 {
+ mRegisters->TrapFlag = false;
+ mThread->RegWriteContext();
 return !!DebugActiveProcessStop(mMainProcess.dwProcessId);
 }
@@ -66,22 +68,15 @@ namespace GleeBug
 mDetachAndBreak = false;
 }
- bool Debugger::UnsafeDetachAndBreak() //TODO check with child processes
+ bool Debugger::UnsafeDetachAndBreak()
 {
 if (!mProcess || !mThread || !mRegisters) //fail when there is no process or thread currently specified
 return false;
-
- //set the trap flag to trigger an exception
- auto gip = mRegisters->Gip();
- auto codePtr = ptr(VirtualAllocEx(mProcess->hProcess, nullptr, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE));
- unsigned char code[2] = { 0xCC, 0xC3 };
- mProcess->MemWriteUnsafe(codePtr, code, sizeof(code));
- mRegisters->Gsp -= sizeof(ptr);
- mProcess->MemWriteUnsafe(mRegisters->Gsp(), &gip, sizeof(gip));
- mRegisters->Gip = codePtr;
+ //trigger an EXCEPTION_SINGLE_STEP in the debuggee
+ mRegisters->TrapFlag = true;
 mThread->RegWriteContext();
-
+
 //detach from the process
 return UnsafeDetach();
 }
@@ -90,9 +85,5 @@ namespace GleeBug
 {
 mDetachAndBreak = true;
 mDetach = false;
-
- //unset the trap flag when set by GleeBug
- if (mThread->isInternalStepping || mThread->isSingleStepping)
- mRegisters->TrapFlag = false;
 }
 };
\ No newline at end of file
diff --git a/capstone_wrapper b/capstone_wrapper
index 5a37f7c..28919b6 160000
--- a/capstone_wrapper
+++ b/capstone_wrapper
@@ -1 +1 @@
-Subproject commit 5a37f7cfaf4a1b1050890c244348fa6f7cfd109b
+Subproject commit 28919b6b84f2e1b162365ae3699833097fc64864
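Review bot: UnsafeDetach() now clears `mRegisters->TrapFlag` and rewrites the context unconditionally, and UnsafeDetachAndBreak() in the next hunk calls it immediately after setting `mRegisters->TrapFlag = true`, so the flag meant to raise EXCEPTION_SINGLE_STEP in the debuggee is cleared again before DebugActiveProcessStop runs and the "break" half of DetachAndBreak cannot happen. The clear does not belong in the shared routine: the debug loop in Debugger.Loop.cpp (same patch) already clears the trap flag for the mDetach case, only when GleeBug set it, and writes the context before it reaches UnsafeDetach(), so the two added lines can be dropped here, provided `mThread->registers` and `mRegisters` really alias, which this page does not show. If the clear is kept for callers outside the loop, it must be guarded, since UnsafeDetach() dereferences `mRegisters` and `mThread` without the `!mProcess || !mThread || !mRegisters` check that UnsafeDetachAndBreak() keeps, and it should not run when the caller asked for a break; `if (!mThread || !mRegisters) return false;` at the top would at least turn a null-thread detach into the cbInternalError the loop reports instead of a crash. Clearing TF unconditionally would also discard a trap flag the debuggee set itself, which the conditional `isInternalStepping || isSingleStepping` check in the loop avoids.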