Duncan Ogilvie
41978f961c
DBG: show full command line near 'Process Started' log entry
2019-04-06 12:40:51 +02:00
Duncan Ogilvie
ee411b0c30
DBG: some more improvements to safely reading the PE info
2019-04-06 12:40:50 +02:00
Mattiwatti
6e18613e37
DBG: ReadExportDirectory: put upper bound on the number of imports
2019-03-17 19:46:33 +01:00
Mattiwatti
e38adf1265
DBG: AddressOfNameOrdinals is WORD[], not DWORD[]
2019-03-17 19:46:33 +01:00
Mattiwatti
c54c96816e
DBG: ReadExportDirectory: do bounds checks on all export dir entries before indexing into arrays
...
Fixes #2105 (second case/malware sample)
2019-03-17 19:46:33 +01:00
Mattiwatti
e36779d7a4
DBG: more robust validation of PE directory sizes
2019-03-17 19:46:33 +01:00
Duncan Ogilvie
7d53b1ae08
DBG: fix potential crashes in GetModuleInfo
2019-01-20 22:41:26 +01:00
Duncan Ogilvie
9f5ce5041d
DBG: fix a mistake in MemUpdateMap
...
closes #2101
2019-01-20 20:45:47 +01:00
Duncan Ogilvie
85e96353cb
DBG+BRIDGE+GUI: put in the title whether x64dbg is elevated or not
2019-01-20 20:43:39 +01:00
Duncan Ogilvie
223ea586bb
DBG: add some more helpful format functions
...
ascii, ansi, utf8, utf16, disasm, modname
2019-01-10 23:54:31 +01:00
Duncan Ogilvie
d04288cbc1
DBG: improve performance of MemoryMapUpdate
2019-01-10 23:45:24 +01:00
Duncan Ogilvie
e5e96f7cbb
DBG: analyze all xrefs in the module with XrefsAnalysis
2019-01-10 23:44:51 +01:00
Duncan Ogilvie
cc15cdec9f
DBG: correctly handle executables with entry points inside the MZ header
...
closes #1994
2019-01-10 23:44:07 +01:00
Duncan Ogilvie
f1fbfd98b3
DBG: don't use CreateProcessInfo->lpStartAddress because it is broken
...
closes #2099
2019-01-10 23:43:05 +01:00
Duncan Ogilvie
688e2ccc04
DBG+GUI: AStyle
2018-11-18 15:50:13 +01:00
Duncan Ogilvie
418541e46e
DBG: improve the skipInt3Stepping feature to work for long int3 instructions
2018-11-18 15:49:43 +01:00
Bálint Faragó
1e9bf1ab7c
DBG: Fix mapped area overrun in ReadDebugDirectory for bogus debugDirSize
2018-11-18 15:20:38 +01:00
Alexander Miloslavskiy
0adb663a91
Fixed Symbol::GetList() for symbols without undecorated name
...
* Such symbols have "" instead of nullptr in SYMBOLINFO.undecoratedSymbol
* This fix greatly improves Snowman's decompiled results, example: comctl32!ListBox_SetCurSelHandler
2018-11-13 12:10:36 +01:00
torusrxxx
836a544287
Run "AStyleWhore"
2018-11-13 10:01:22 +08:00
Bálint Faragó
5162450ff3
Fix yara crash when used with a single argument
2018-11-04 23:14:31 +01:00
Bálint Faragó
c7107374d2
DBG: remove capstone references
2018-11-04 23:14:04 +01:00
Alexander Miloslavskiy
de678aec21
Fixed incorrect error message when memory could not be allocated
2018-11-02 15:31:14 +00:00
Bálint Faragó
0c87d87fe6
DBG: fix getting raw int value for float typed watch points
2018-10-31 12:39:00 +01:00
Bálint Faragó
e0052d6b2b
ZYDIS: Use ZydisOperandAction as an enum instead of a flag
2018-10-31 12:38:40 +01:00
Bálint Faragó
0065f204a3
Add DLL ordinal to symbol table and fix symbol table comparator
2018-10-31 12:38:00 +01:00
Bálint Faragó
5a4f15e9f5
DBG: add OptionalHeader.AddressOfEntryPoint to the displayed symbols
2018-10-31 12:37:48 +01:00
Duncan Ogilvie
fba7af6bcd
Merge branch 'torusrxxx-patch00000092' into development
2018-10-29 13:38:56 +01:00
torusrxxx
5669e13485
temporary
2018-10-16 18:15:01 +02:00
torusrxxx
ae9bf8c49e
st(X) can be edited
2018-10-16 18:15:01 +02:00
torusrxxx
cf1498786c
Merge branch 'development' into patch00000092
2018-10-12 20:50:28 +08:00
Mattiwatti
d149f6d794
Do not leave empty or corrupt PDBs in the store if a download failed. Fixes a crash in LoadDataFromIStream in MS DIA 14.15
2018-10-10 15:50:40 +02:00
Duncan Ogilvie
da69e828ea
DBG: improve memory usage and performance with line numbers
2018-10-10 15:45:32 +02:00
Duncan Ogilvie
25a67b778e
DBG: fix buffer overflow and assert when tracing fxsave or invalid instructions
2018-10-10 15:44:37 +02:00
Duncan Ogilvie
22861d69e5
Add some analysis for exceptions containing FACILITY_VISUALCPP in exinfo
2018-10-10 15:44:37 +02:00
Duncan Ogilvie
b1188c3c04
DBG: fix crash in stackgetsuspectedcallstack when CSP is not pointing to valid memory
2018-10-10 15:44:37 +02:00
Duncan Ogilvie
521195eea9
DBG: small refactor for SymAutoComplete
2018-10-10 15:44:37 +02:00
Duncan Ogilvie
d7f1dadb52
DBG: exclude some invalid imports + give ordinal imports a name
2018-10-10 15:44:37 +02:00
Duncan Ogilvie
70cfec4094
DBG: add (undocumented) option to force load PDB
2018-10-10 15:44:37 +02:00
torusrxxx
03f596c162
Stricter ordinal name check
2018-10-09 11:20:55 +08:00
Duncan Ogilvie
da913f7cdc
DBG: fix a possible crash in disasmget
2018-09-13 12:56:10 +02:00
Duncan Ogilvie
7aab39f8e1
Revert "DBG: do not step if there is an enable breakpoint at CIP"
...
This reverts commit 9804400df6 .
2018-09-02 00:53:05 +02:00
torusrxxx
d4ec06f6de
Fixed a crash when tracing into far jump
2018-08-21 17:04:36 +02:00
Duncan Ogilvie
7526b7e482
DBG: update TitanEngine
2018-07-19 16:44:44 +02:00
Duncan Ogilvie
62b6be97e0
DBG: allow the "-p PID -e EVENT" command line for JIT debugging
2018-07-15 19:11:52 +02:00
Duncan Ogilvie
fa82c80c51
DBG: temporary fix for AutoPatchExporter
2018-07-05 02:41:18 +02:00
Duncan Ogilvie
bcb1df389c
DBG: include DIA in deps
2018-07-05 02:41:09 +02:00
Duncan Ogilvie
d7eac4598d
DBG: better error messages in PDBDiaFile::open
2018-07-05 02:39:58 +02:00
Duncan Ogilvie
144dbd4c2f
DBG: undecorate import/export names
2018-07-04 17:12:37 +02:00
Duncan Ogilvie
9804400df6
DBG: do not step if there is an enable breakpoint at CIP
...
closes #1721
2018-07-01 19:28:08 +02:00
Duncan Ogilvie
e5467cf966
DBG: correctly update module list when changing module type
2018-07-01 19:28:07 +02:00
Duncan Ogilvie
0c8956f480
DBG+GUI: disable source debugging per default
2018-07-01 19:28:07 +02:00
Duncan Ogilvie
8c169ae2ed
DBG+BRIDGE+GUI: fix source loading
2018-07-01 19:28:06 +02:00
Duncan Ogilvie
b63402066b
DBG: implement findSourceLineInfo by fileName + line in symbol source
2018-07-01 19:28:06 +02:00
Duncan Ogilvie
47d6efb59e
DBG: do not fully escape debug strings
2018-07-01 19:28:06 +02:00
Duncan Ogilvie
b8ae4b1496
DBG: invalidate symbol source when MODINFO is destroyed
2018-07-01 19:28:06 +02:00
Duncan Ogilvie
d70ed83a72
DBG: fix a bug in getLabel where jmp [MessageBoxA] would not be recognized correctly
2018-07-01 19:28:06 +02:00
Duncan Ogilvie
df31f0da45
DBG: change symbol load order + add debuggee.pdb to the search list
2018-07-01 19:28:05 +02:00
Duncan Ogilvie
4098dc8fb2
DBG: finally fix the handle leak in PDBDiaFile
2018-07-01 19:28:05 +02:00
Duncan Ogilvie
8af904fad6
DBG: fix assert in debug mode on pluginunloadall
2018-07-01 19:28:04 +02:00
Duncan Ogilvie
9e68ea3900
DBG: only store file hash in database if there is other data as well
2018-07-01 19:28:03 +02:00
Duncan Ogilvie
7d1afa0940
DBG+GUI: change layout of window title to be more helpful in the task bar
2018-07-01 19:28:03 +02:00
Duncan Ogilvie
2665df4eb3
DBG: added mod.headerva expression function
2018-07-01 19:28:03 +02:00
Duncan Ogilvie
87c3238de8
DBG (WIP): set up DIA file stream for profiling of a handle leak
2018-07-01 19:28:03 +02:00
Duncan Ogilvie
d79586d02b
DBG: fix a crash in the Cleanup in downslib
2018-07-01 19:28:02 +02:00
Duncan Ogilvie
70b3149599
WIP: new symbol gui mostly working
2018-07-01 19:28:02 +02:00
Mattiwatti
0bb2efcb2c
Improve performance and crash resistance when loading PE files containing 1000 or more sections. Tested on https://github.com/corkami/pocs/blob/master/PE/bin/65535sects.exe . Technically performance was already very good, but that was only due to crashing instantly
2018-07-01 19:28:01 +02:00
Mattiwatti
f515484790
ReadBaseRelocationTable() refactor. Is it better now? Dunno really. This method may be slightly easier to use with both SEC_COMMIT and SEC_IMAGE mappings in the future if needed, but in the end they pretty much do the same thing. At least some more TitanEngine calls were killed off so that's something I suppose
...
Replaced dark and brooding "..."s in error messages with exclamation marks to better emphasise that this stuff is serious
2018-07-01 19:28:01 +02:00
Mattiwatti
1f485f313e
DBG: more robust debug directory parsing. Validate the RVA, type and size bounds for each debug directory entry, and do not stop after the one unrecognised (non-CV) entry
...
Protect against PDB paths that do not have a null terminator in the PE codeview info
2018-07-01 19:28:01 +02:00
Duncan Ogilvie
14da6c4448
DBG: clean up downslib
2018-07-01 19:28:00 +02:00
Mattiwatti
6df9535ba4
Rewrite ReadTlsCallbacks() to use RtlImageDirectoryEntryToData and remove all TitanEngine calls. Also fix an anti-debug trick I found by accident: it is possible to have working TLS callbacks with a TLS directory size of 0. The loader does not check this field and always executes callbacks if they exist
2018-07-01 19:28:00 +02:00
Mattiwatti
28c03967c7
RvaToVa(): use SizeOfRawData instead of VirtualSize as the upper bound on section RVAs. This matches the behaviour of RtlImageRvaToSection for SEC_COMMIT mappings
2018-07-01 19:28:00 +02:00
Mattiwatti
a4638d2ea9
DBG: misc. changes and fixes in SymbolSourceDIA:
...
- Rename SetThreadDescription to SetWin10ThreadDescription, to clarify that this function isn't actually useful to anyone. (ha ha, OK... but seriously, the same name is also used by the Windows SDK which apparently takes precedence and gets added as a static import, making it impossible to start the debugger on OSes other than Windows 10)
- Thread names are a good idea and they even kind of work on older Windows versions with NtQueryInformationThread(ThreadQuerySetWin32StartAddress), which is what e.g. Process Explorer and Process Hacker use. What *doesn't* work so well is lambdas. Added static functions SymbolsThread() and SourceLinesThread() to replace these. (before: x64dbg.dll!<lambda_fc00d3fb731b14a9b4857ac068d657c4>::<lambda_invoker_cdecl>. after: x64dbg.dll!SymbolSourceDIA::SymbolsThread). These should probably be file statics instead of class members, but they need access to private class functions
- GetModuleHandleA -> GetModuleHandleW. The former just calls the latter but with an extra string allocation and pointless unicode conversion
- Fix pedantic Clang warnings about member initialization order in ctor
- Qualify type name in call to virtual function in destructor, as this will be statically resolved and won't call any potential future implementations in derived classes (this can be further 'fixed' by making either the function or the class final so you'll get a compile time error if you try to do this later)
2018-07-01 19:28:00 +02:00
Mattiwatti
9b0f9b5c59
Add clarifying comment/TODO re: invalid RVAs to ReadExportDirectory(). Don't feed your .avi collection to this function just yet
2018-07-01 19:28:00 +02:00
Mattiwatti
a94c250c5d
[DBG] Rewrite ReadImportDirectory()
...
- Obtain the directory directly using RtlImageDirectoryEntryToData and ditch TitanEngine conversion helpers
- Use OFTs instead of FTs if possible, with FTs only as fallback
- Answer the pop quiz questions in comments re: ntdll loader behaviour and handle these cases appropriately
- Use THUNK_VAL() to obtain OFT/FT values independent of process and file bitness
- Always use ULONG64 for AddressOfData to be able to test for IMAGE_ORDINAL_FLAG64. Also return ULONG64 from RvaToVa(), and rva2offset too as a result of this. This makes these functions compatible with both 32 and 64 bit files regardless of process bitness. There shouldn't be any functional changes due to this, otherwise will revert/fix
- Require an import by name to have a non-null name in addition to not having the ordinal flag set. Otherwise treat it as an import by ordinal
- The ordinal value of an import by ordinal is obtained by (val & 0xffff), not (val &= ~ordinalFlag). The ordinal flag is now always removed to ensure the RVA is valid
- Give imports by ordinal a 'name' the same way dbghelp does, e.g. Ordinal57. Previously imports by ordinal were not being shown in the Symbols tab due to having no name. TODO: if we have the PDB for the file being imported from, we can overwrite or append the real function name later using the importee's export directory
- RvaToVa(): assert that RVA 0 always returns VA 0, because if this isn't the case something is seriously messed up
2018-07-01 19:27:59 +02:00
Mattiwatti
5ad21c69ee
- ReadDebugDirectory(): add about 20 years' worth of missing debug directory type names
...
- symbolsourcedia.h: Add _global.h #include to prevent various macros like WINVER and _WIN32_WINNT from being redefined because Windows.h was indirectly included first
2018-07-01 19:27:59 +02:00
Mattiwatti
fc9285ed2e
[DBG] Work on modinfo improvements:
...
- Add ImageNtHeaders() (clone of RtlImageNtHeaderEx which doesn't exist on XP) to obtain PE headers given a VA
- Add HEADER_FIELD() and THUNK_VAL() macros to module.h to allow accessing header fields independent of process and file bitness
- Add IMAGE_NT_HEADERS pointer to MODINFO, since anything related to parsing PEs needs this struct
- Read PE headers in GetModuleInfo(). Currently the headers are being parsed every time a TitanEngine helper function is called, the goal is to reduce this to once per module load
- GetModuleInfo(): eliminate all TitanEngine calls now that we have the headers
- Add RvaToVa() for SEC_COMMIT mappings. This can simultaneously serve as replacement for rva2offset helpers (pass base = 0). Preferably SEC_IMAGE should be used though as that way neither of these would be needed
- ReadExportDirectory(): use RtlImageDirectoryEntryToData() to obtain a PIMAGE_EXPORT_DIRECTORY and its size in one go to eliminate TitanEngine helper calls and RVA to offset conversions
- Answer burning questions re: Windows loader behaviour when parsing exports in comments
- (Minor) fix '>= 0' comparison against unsigned as this will always evaluate to true
- Add comment re: PDB search path order since it's wrong atm but I'm too scared of breaking something if I change this code myself
2018-07-01 19:27:59 +02:00
Duncan Ogilvie
013cd1e5f7
DBG: don't copy MODINFO and MODIMPORT/MODEXPORT structures
2018-07-01 19:27:59 +02:00
Duncan Ogilvie
4e88b399fe
Update DIA to 14.13.26128.0 + XP support
2018-07-01 19:27:58 +02:00
Duncan Ogilvie
aa8a215895
DBG: use win32 threads instead of std::thread
2018-07-01 19:27:58 +02:00
ZehMatt
72ccf42298
Fix too early stream deletion.
2018-07-01 19:27:58 +02:00
ZehMatt
cad8aed97d
Refactor PDB data loading via IStream, explicit file access.
2018-07-01 19:27:58 +02:00
ZehMatt
c8af1f9144
Use correct PDBDiaFile instance.
2018-07-01 19:27:57 +02:00
Duncan Ogilvie
45b49995f3
DBG: fall back to resolving modules exports when no symbol is found
2018-07-01 19:27:57 +02:00
Duncan Ogilvie
73a5ffebd9
DBG: use export/import data from modules instead of from memory
2018-07-01 19:27:57 +02:00
Duncan Ogilvie
476bc093bc
DBG: add export and import parsing routines in module.cpp
...
#580
2018-07-01 19:27:57 +02:00
Duncan Ogilvie
bee62fbbf0
DBG: add missing locks for ModInfoFromAddr
2018-07-01 19:27:56 +02:00
Duncan Ogilvie
a2c52260f7
DBG: remove unused imports field from MODINFO
2018-07-01 19:27:56 +02:00
Duncan Ogilvie
4fa1b9a2a1
DBG: fix a buffer overflow in the symbol autocomplete function
2018-07-01 19:27:56 +02:00
ZehMatt
0cbf519e66
Fix undecorated name being uninitialized.
2018-07-01 19:27:56 +02:00
Duncan Ogilvie
d5ae04dce4
DBG: fully implement symdownload command without dbghelp usage
2018-07-01 19:27:56 +02:00
Duncan Ogilvie
ff11a39533
DBG: attempt to load symbols from multiple locations
2018-07-01 19:27:55 +02:00
Duncan Ogilvie
637815b63d
DBG: symdownload now works without dbghelp
2018-07-01 19:27:55 +02:00
Duncan Ogilvie
ba6ad4cefc
DBG: initial version of Wininet download library
2018-07-01 19:27:55 +02:00
Duncan Ogilvie
3ab836225f
DBG: remove some useless dbghelp calls
2018-07-01 19:27:55 +02:00
Duncan Ogilvie
66017a7442
DBG: refactor SymbolInfo to use VA instead of RVA
2018-07-01 19:27:54 +02:00
Duncan Ogilvie
ffc168f44d
DBG: rename SymbolSourcePDB to SymbolSourceDIA
2018-07-01 19:27:54 +02:00
Duncan Ogilvie
73b30ed49b
DBG: actually use findSymbolsByPrefix
2018-07-01 19:27:54 +02:00
Duncan Ogilvie
876abcdf10
DBG: change findSymbolsByPrefix to take a callback
2018-07-01 19:27:53 +02:00
Duncan Ogilvie
a6ccf69e5b
DBG: implement SymAddrFromName (untested on large symbols, working on small)
2018-07-01 19:27:53 +02:00
Duncan Ogilvie
550a1ff45a
DBG: correct PDB signature format
2018-07-01 19:27:53 +02:00
Duncan Ogilvie
2ce2470ea1
DBG: implement a much nicer data structure for SymbolSourcePDB
2018-07-01 19:27:53 +02:00
Duncan Ogilvie
c7d0f50207
DBG: initial implementation of name-sorted symbol storage
2018-07-01 19:27:52 +02:00
Duncan Ogilvie
eb9d55ac61
DBG: read debug directory on ModLoad
2018-07-01 19:27:52 +02:00
Duncan Ogilvie
caa5b6273f
DBG: implement DiaLoadCallback for loadDataForExe
2018-07-01 19:27:52 +02:00
Duncan Ogilvie
4fadd01ad4
DBG: move files in 'Symbols' folder
2018-07-01 19:27:52 +02:00
ZehMatt
4a1327a896
Only print on load failure if it's not missing.
2018-07-01 19:27:52 +02:00
Duncan Ogilvie
b07611387f
GUI: implement initial version of ZehSymbolTable
...
beware of race conditions, but it appears to kinda work
2018-07-01 19:27:51 +02:00
ZehMatt
ae5bb70203
Fix resolving symbol size always returning true.
2018-07-01 19:27:50 +02:00
ZehMatt
80ad0e7df1
Minor cleanup.
2018-07-01 19:27:50 +02:00
ZehMatt
59d166ecf4
Refactor PDBDiaFile query.
2018-07-01 19:27:50 +02:00
Duncan Ogilvie
82774e2445
DBG: use undocumented __unDNameEx function to significantly speed up symbol loading
...
Before:
Loaded 313534 line infos in 47.406
Loaded 140366 symbols in 171.640
After:
Loaded 313534 line infos in 4.187
Loaded 140366 symbols in 9.391
2018-07-01 19:27:50 +02:00
Duncan Ogilvie
a9782ac6c6
DBG: Don't show pointless module size in ModLoad
2018-07-01 19:27:49 +02:00
Duncan Ogilvie
995153cfc0
DBG: fix some truncation issues
2018-07-01 19:27:49 +02:00
ZehMatt
058c14d8bf
Make source file strings unique, reduces a lot of memory.
2018-07-01 19:27:49 +02:00
ZehMatt
bd08f67f47
Load symbols and source line in parallel.
2018-07-01 19:27:49 +02:00
ZehMatt
7c6bfcd2c6
Use enumerators Next instead of index, slight performance improvement.
2018-07-01 19:27:48 +02:00
ZehMatt
97fa3c1408
Lock when trying to read source lines.
2018-07-01 19:27:48 +02:00
ZehMatt
ae050ea4a1
Fix source lines displayed with disp.
2018-07-01 19:27:48 +02:00
ZehMatt
cad369f7a5
Refactor DbgHelp source line query references to new symbol interface.
2018-07-01 19:27:48 +02:00
ZehMatt
ac6ee608e4
Add source line queries into new symbol interface.
2018-07-01 19:27:48 +02:00
ZehMatt
2604384853
Refactor source line queries in DIA interface.
2018-07-01 19:27:47 +02:00
ZehMatt
b68c89a12e
Hide undecorated name if identical to decorated.
2018-07-01 19:27:47 +02:00
ZehMatt
d6fd79346e
Prioritize private symbols over public.
2018-07-01 19:27:47 +02:00
ZehMatt
e648e27346
Use spinlock instead of critical section.
...
Use proper thread termination on destructor.
2018-07-01 19:27:47 +02:00
ZehMatt
a0c94caaf6
Cleanup DIA interface some more.
2018-07-01 19:27:46 +02:00
ZehMatt
d35996883e
Implement unloading.
2018-07-01 19:27:46 +02:00
ZehMatt
0ea92f26eb
Remove unused functions from DIA interface.
2018-07-01 19:27:46 +02:00
Duncan Ogilvie
1b94728118
DBG: buggy implementation of symbol enum
2018-07-01 19:27:46 +02:00
Duncan Ogilvie
03a609c954
lf to crlf
2018-07-01 19:27:45 +02:00
ZehMatt
4e2f307052
Tabs to spaces
2018-07-01 19:27:45 +02:00
ZehMatt
626695f233
Add PDB load cancellation.
2018-07-01 19:27:45 +02:00
ZehMatt
01f0a824ab
Fix marking symbol with wrong type.
2018-07-01 19:27:45 +02:00
ZehMatt
b176fb7e46
Initial for async symbol loading.
2018-07-01 19:27:44 +02:00
ZehMatt
3a3afa3744
Remove unused DbgHelp loading.
2018-07-01 19:27:44 +02:00
ZehMatt
bd173bf01e
Refactor symbol loading/query to use a common interface.
2018-07-01 19:27:44 +02:00
ZehMatt
121486a137
Initial implementation of LRU.
...
Initial implementation of MSDIA.
2018-07-01 19:27:44 +02:00
Duncan Ogilvie
95cacb3732
DBG: add information to Zydis command
2018-07-01 19:04:38 +02:00
torusrxxx
380df7ba2e
minor parsing bug
2018-06-19 18:51:36 +02:00
torusrxxx
ddbeeefab4
Special format to find an inactive breakpoint to edit it.
2018-06-19 18:51:36 +02:00
torusrxxx
b59798db6f
minor enhancements about SymbolView&breakpointcpp&SearchListView
2018-06-19 18:51:36 +02:00
Duncan Ogilvie
12e9127799
DBG: support for an edge case in HandlesGetName where the process itself doesn't have query access
2018-06-19 18:30:13 +02:00
torusrxxx
f8c67ef2ab
show PID or TID in handles view
2018-06-19 18:30:13 +02:00
Duncan Ogilvie
f5fa7de918
DBG: better message in _dbg_animatecommand
2018-06-11 03:13:25 +02:00
torusrxxx
0ab417f5b4
Animation help; Restore empty graph help
2018-06-11 03:12:50 +02:00
Duncan Ogilvie
db17e323fe
DBG: more message fixes
2018-06-03 17:47:01 +02:00
Duncan Ogilvie
01960c556b
fix some whitespace in strings
2018-06-03 17:43:30 +02:00
torusrxxx
1cd3cfc469
fix mistakes
2018-06-03 17:43:30 +02:00
torusrxxx
4cf5508b5f
add error descriptions to x64dbg failure messages
2018-06-03 17:43:30 +02:00
Duncan Ogilvie
3f33ad44cc
DBG+GUI: update zydis and fix some issues related to formatting
...
closes #1904
closes #1898
2018-04-05 00:20:31 +02:00
Duncan Ogilvie
3f754c0bfc
DBG: fix an out of bounds access on expression "([esp])"
2018-03-26 02:14:49 +02:00
Duncan Ogilvie
1c1a48bcee
DBG: fix heuristic string detection near the end of a page
...
related to #1906
2018-03-05 23:52:07 +01:00
Duncan Ogilvie
f8e4ed4f1f
DBG: fix bug with operand size in TraceRecord
2018-03-04 23:00:13 +01:00
Duncan Ogilvie
8da82cf569
PROJECT: remove keystone
2018-03-04 22:41:00 +01:00
Duncan Ogilvie
e5f950308a
PROJECT: remove capstone
2018-03-04 22:35:01 +01:00
Duncan Ogilvie
55d99b5647
DBG+GUI: replace Capstone with Zydis in trace record
2018-03-04 22:32:08 +01:00
Duncan Ogilvie
49167e92c6
DBG+GUI: fix many application verifier issues
2018-03-04 22:04:37 +01:00
Duncan Ogilvie
53e621c175
DBG: replace WAITID_STOP with a more reliable method
...
closes #1852
2018-03-04 22:04:04 +01:00
Duncan Ogilvie
16fdf57f41
DBG: move call to CB_STOPDEBUG to the very end of the debug loop
...
close issue #1899
2018-02-14 22:19:00 +01:00
Duncan Ogilvie
2c284cd210
DBG: remove std::thread usage from TaskThread
2018-02-14 20:38:49 +01:00
Duncan Ogilvie
1fa1c3d705
DBG: remove limitation of placing "&" in labels
2018-01-30 20:54:45 +01:00
Duncan Ogilvie
ddc97f2a74
DBG: show PEB in memory map
...
#1882
2018-01-28 11:51:15 +01:00
Duncan Ogilvie
39f78b1c33
DBG: remove weak acquire in dbghelp_safe
...
possibly fixes #1863
2018-01-12 14:15:06 +01:00
Duncan Ogilvie
2d6004da9b
DBG: remove TitanEngine for parsing TLS callbacks
2017-12-28 23:25:42 +01:00
Duncan Ogilvie
7c0d122ee4
DBG: add breakpointexceptionaddress variable
2017-12-28 20:27:23 +01:00
Duncan Ogilvie
761e2f67c0
DBG: fix a rare bug with module resolving by name (thanks to chessgod101!)
...
if you had:
blub.exe
blub.exe.dll
And tried to resolve 'blub.exe' it could return the base of 'blub.exe.dll'
2017-12-24 13:21:06 +01:00
Duncan Ogilvie
0e2ff40443
DBG: remove unused parameter from RecursiveAnalysis class
2017-12-17 02:05:53 +01:00
torusrxxx
f29d660b6e
Search for function pointer
2017-12-17 02:05:39 +01:00
Duncan Ogilvie
37e83c9436
DBG+GUI: trim error descriptions in RegisterView and format functions
2017-12-03 22:27:47 +01:00
Duncan Ogilvie
e11701d7c3
GUI: improve InfoBox for bigger memory sizes
2017-12-03 22:27:47 +01:00
Mattiwatti
70a836b17a
Move SafeSymCleanup() call to cbExitProcess so it isn't called when the process may have already terminated
...
debugLoopFunction: set fdProcessInfo->hProcess and fdProcessInfo->hThread to NULL as these shouldn't be used after this point. The actual CloseHandle calls on these two handles are done by kernel32!ContinueDebugEvent immediately after cbExitProcess
2017-11-28 17:29:50 +01:00
Mattiwatti
2f3f28746d
Remove 2 occurrences of 'varset("$hp", fdProcessInfo->hProcess)', one of which was being called with the initial handle from CreateProcess(). cbCreateProcess is now the only place where this variable is set, for both types of debug sessions (attaching or creating)
2017-11-28 17:29:50 +01:00
Mattiwatti
629a6022e4
Fix duplicate debuggee process and initial thread handles being kept around in the case that x64dbg is not attaching:
...
- CloseHandle() the fdProcessInfo->hProcess and fdProcessInfo->hThread handles and set them to NULL if CreateProcess was called (i.e. we are not attaching) just before entering the debug loop
- cbCreateProcess(): set fdProcessInfo->hProcess, fdProcessInfo->hThread and varset("$hp") to the correct handles prior to doing anything else
2017-11-28 17:29:50 +01:00
Mattiwatti
c8e8b692f0
Remove static global handle 'hProcess' in debugger.cpp; it is only used in one place as argument to SafeSymCleanup(). Use fdProcessInfo->hProcess instead
2017-11-28 17:29:50 +01:00
Torusrxxx
200c861761
fixed winerror & ntstatus fmt funcs
...
Thanks @Mattiwatti
2017-11-17 12:54:30 +01:00
Duncan Ogilvie
1c79384a06
DBG: remove the ordinal flag before printing the value
...
#1795
2017-11-15 13:44:36 +01:00
Duncan Ogilvie
d1edce0872
DBG: small improvement to Handle class
...
By @torusrxxx
2017-11-14 16:00:55 +01:00
Duncan Ogilvie
4db8d02cf4
DBG: show operand visibility in Zydis command
2017-11-14 16:00:54 +01:00
Torusrxxx
4cf0844255
Browse dialog and goto dialog support auto-complete ( #1738 )
...
* Browse dialog and goto dialog supports auto-complete
* don't use unicode string size
* Auto complete only when expression is valid symbol name
* use dbgfunctions for better flexibility and performance
* buffer last auto complete
* disable auto completion
2017-11-07 20:24:51 +01:00
torusrxxx
3116b3dde0
fixed NTSTATUS name
2017-11-07 20:24:01 +01:00
torusrxxx
01e5caf75b
removed upper part check in NTSTATUS
2017-11-07 20:24:01 +01:00
torusrxxx
79e335277e
lazy load mnemonic data and save 3MB memory
2017-11-07 20:24:01 +01:00
torusrxxx
990bccfffc
add mem.isstring()
2017-11-07 20:24:01 +01:00
torusrxxx
e6297423f9
Add NTSTATUS fmt; show str in locals tab; fix div by 0 in data copy dlg.
2017-11-07 20:24:01 +01:00
Mack Stump
d67031a089
DBG: remove \\n replacement in string formatting
2017-11-07 20:23:25 +01:00
Joel Höner
15b0e73ba0
DBG: fix disp+imm printing in “zydis” command
2017-11-07 20:22:15 +01:00
Duncan Ogilvie
ae20041edb
DBG: proper workaround for 0x prefix in GUI
...
also closes #1792
2017-11-04 18:08:44 +01:00
Duncan Ogilvie
4870eebd87
DBG: correctly handle imports by ordinal
...
closes #1795
2017-11-04 16:34:52 +01:00
Duncan Ogilvie
9c639ddc5f
DBG: small improvements to winerror format function
2017-10-30 00:35:54 +01:00
Duncan Ogilvie
2f26a80b78
DBG+BRIDGE+GUI: deprecate DbgGetRegDump
2017-10-29 02:18:06 +02:00
torusrxxx
ec0555dc0d
Added winerror format function and show help message for last error in reg view
2017-10-28 02:52:13 +02:00
Mattiwatti
d5582c6a1f
- DbgGetRegDumpEx(): copy lastStatus NTSTATUS name if requested struct size is >= sizeof(REGDUMP_V2)
...
- RegistersView: replace usages of REGDUMP with REGDUMP_V2 to access LastStatus register
2017-10-28 02:47:49 +02:00
Mattiwatti
8c9b11ecc9
Remove LastStatus from THREADALLINFO to preserve plugin compatibility
2017-10-28 02:47:49 +02:00
Mattiwatti
6f1b6b77bb
dbg changes for TEB->LastStatusValue:
...
- Add LASTSTATUS struct
- Add LastStatus members to REGDUMP and THREADALLINFO
- Add ThreadGetLastStatus()/ThreadGetLastStatusTEB()
- Make "laststatus" a supported pseudo-register in isregister() / getregister() / setregister() similar to "lasterror"
- _dbg_getregdump(): copy the full name of the last NTSTATUS value
- ThreadGetList(): add the last status value to the thread list for each thread
- TraceRecordManager: account for the size change of REGDUMP to keep REGDUMPWORD the same size
2017-10-28 02:47:49 +02:00
Mattiwatti
8f0f83bdf3
ntdll.h: Update PEB and TEB structs for Windows 10 RS3, and correct offset of TEB->LastStatusValue on x86
2017-10-28 02:47:49 +02:00
Mattiwatti
787b86cd1f
Add DbgGetRegDumpEx to bridge API
...
Public SDK changes:
- Add LASTSTATUS struct
- Add REGDUMP_V2 struct with LASTSTATUS member
- Add DbgGetRegDumpEx(REGDUMP* regdump, size_t size);
Internal changes:
- Change typedef of _dbg_getregdump to add a size parameter
- Make DbgGetRegDump() pass sizeof(REGDUMP) to _dbg_getregdump to preserve existing behaviour. DbgGetRegDumpEx() forwards the size that was passed to it
2017-10-27 00:02:39 +02:00
torusrxxx
0fbb1aa056
Don't add autocomments on "mov edi,edi"( #1775 )
2017-10-26 00:43:54 +02:00
Duncan Ogilvie
0762182973
DBG: implement DLL breakpoints directly in x64dbg
2017-10-25 21:58:01 +02:00
Torusrxxx
466d5e9173
Update cmd-misc.cpp
2017-10-25 11:21:44 +00:00
Torusrxxx
db5c3e23af
Update cmd-misc.cpp
2017-10-25 11:16:01 +00:00
Duncan Ogilvie
ecbea6d9d8
GUI: fix Sonar issues
2017-10-22 17:07:45 +02:00
torusrxxx
9a2cb20682
enhancement to run until return
2017-10-18 22:49:06 +02:00
Torusrxxx
390bf4c5ca
Trace recording ( #1736 )
...
* run trace file format
* record opcode
* Successfully recorded sample run trace
* fixed order of thread id and opcode
* use capstone in run trace
* Revised format; Stop tracing when stop debug; Changed ext name
* trace browser(draft)
* Lower bound
* Lower bound
* implemented more functions in trace file reader
* Initial trace browser
* trace browser works for single-page traces
* fixed page fault
* Multi-selection, fixed page faults
* copy disassembly
* resize columns
* address label;follow in disassembly
* highlight
* history,comment,breakpoint in trace view
* stricter validation to prevent buffer overflow
* MAX_MEMORY_OPERANDS=32
* fixing bug in memory access count
* Temporary info menu to view registers & memory
* assumed to fix thread id bug
* live update trace view
* Fixed a bug with registers recording (similar to thread id bug)
* Search for constant in trace file
* Fixed bugs with memory operands recording
* File header for trace file; Auto update trace viewer
* fix x64dbg_translations.pro
* Default filename for trace; Start trace from trace view
* Switch to Qt JSON
* Copy selection, file offset and RVA; recent files
* Properly implement MRU menu
* shortcut for tracing
* Fix file names with comma
* added interaction with tab closing
* change default directory for trace file
* fix minor issue
2017-10-16 20:00:26 +02:00
Torusrxxx
9959278863
Properly exit x64dbg
2017-10-15 16:18:48 +02:00
Duncan Ogilvie
f6590e6465
DBG: fixed a typo
2017-10-14 17:31:11 +02:00
Duncan Ogilvie
d6ca58efd1
DBG: fixed another problem with Zydis
2017-10-14 15:42:02 +02:00
Duncan Ogilvie
6f7af9b8da
DBG: fixed various small issues with Zydis
...
ping @athre0z
2017-10-14 00:32:34 +02:00
Duncan Ogilvie
c9e17df1c0
DBG+LAUNCHER: correctly handle mixed mode executables
...
fixes #1758
2017-10-13 23:38:53 +02:00
torusrxxx
8cf9f63bac
Fixing #1752
2017-10-13 19:43:33 +02:00
Joel Höner
c5c3358c52
Add range checks for operand access ( fixes #1750 ) ( #1751 )
...
* DBG: added range checks to operand access
- previously, some instructions could trigger the `DebugBreak` path in `Zydis::operator[]`
* GUI: removed redundant semicolon
2017-10-10 21:01:59 +02:00
Joel Höner
5b1cf81f55
zydis_wrapper: Fixed x32 build
2017-10-09 10:02:13 +02:00
Joel Höner
3fca5c9191
Ported & renamed `cbInstrCapstone`
2017-10-09 10:02:13 +02:00
Joel Höner
af0ff55df3
zydis_wrapper: Better compliance with style-guide
...
- Removed underscores
- Removed redundant “zy” prefix
- Executed `AStyleWhore` (sorreh, I use git on my macOS host, can’t put it into pre-commit-hook)
2017-10-09 10:02:13 +02:00
Joel Höner
ca9401fdb7
Moved “zydis_wrapper” into root repo
...
- Instead, we directly use Zydis as a submodule now
2017-10-09 10:02:13 +02:00
Joel Höner
4c841d85c6
Renamed `Capstone` -> `Zydis`
...
- Prevents name clashes with actual capstone disassembler implementation
2017-10-09 10:02:13 +02:00
Joel Höner
5338a0a85b
Replace Capstone with Zydis
...
- While at it, added branch info logic to disassembler class
- Thus reduce direct checks by mnemonic in GUI and analysis code
- Replaced direct disassembler struct access with disassembler class calls where trivially possible
- Removed workarounds for empty segment registers
- Temp. disabled `cbInstrCapstone` command
- Temp. disabled flag stuff in `QBeaEngine`
2017-10-09 10:02:13 +02:00
Duncan Ogilvie
103866eafe
DBG+EXE+GUI: fixed some more sonar warnings
2017-10-08 20:19:32 +02:00
Duncan Ogilvie
57235b2f24
DBG+EXE+LAUNCHER+BRIDGE: remove _CRT_SECURE_NO_WARNINGS
2017-10-08 16:16:20 +02:00
Duncan Ogilvie
d121cd9dc2
DBG+LAUNCHER: fix exception handling in GetPeArch.h
Thanks to digitalboy for the report!
2017-10-05 17:08:34 +02:00
Duncan Ogilvie
ba6e6dea63
DBG: full unicode support in ResolveShortcut
2017-09-30 14:30:40 +02:00
Duncan Ogilvie
1143621eb1
DBG: make sure the debugger is signaled as initialized before loading plugins
Fixes #1734
2017-09-30 13:01:24 +02:00
Duncan Ogilvie
fcda76a470
DBG: fixed LibrarianEnableBreakpoint
2017-09-30 12:52:07 +02:00
roL
7627fce15c
Tripleslash for scriptapi_misc functions
2017-09-11 15:00:30 +02:00
mrexodia
ef6bf04fb0
DBG: find the plugin name for the currently-loading plugin name (thanks to testuser!)
2017-09-07 23:04:48 +02:00
mrexodia
2d7c929c64
DBG: fixed a deadlock while unloading plugins
closes #1710
2017-09-06 03:50:46 +02:00
mrexodia
7c93a0ef48
DBG: QueryWorkingSetEx with GetProcAddress (restored XP support)
2017-09-04 22:57:49 +02:00
mrexodia
9cc8e779e9
DBG: some small improvements to plugin functions and added idle detection for time wasted
2017-09-04 22:57:48 +02:00
mrexodia
082bcc0937
Merge remote-tracking branch 'origin/PLMDebug' into development
2017-09-01 22:54:53 +02:00
mrexodia
037504643b
DBG+GUI: option to query the working set before attempting to read a memory page
workaround for http://www.triplefault.io/2017/08/detecting-debuggers-by-abusing-bad.html
2017-09-01 22:53:50 +02:00
mrexodia
4104c0a004
GUI: formatting + fixed a warning
2017-09-01 18:52:06 +02:00
torusrxxx
fa92a9c474
Add Xref for switch cases; Follow switch cases in CPU.
2017-09-01 13:58:33 +02:00
torusrxxx
bf43f7eb97
graph for switch statements
2017-09-01 13:58:33 +02:00
Torusrxxx
690b048c7f
breakpoint, memory and threads view support multi-select (#1697)
* breakpoint, memory and threads view support multi-select
* fixed
* use older breakpointsview
* fixed
* revert deps change
* command in reference view
* to-do
* fixed deps
2017-09-01 13:57:41 +02:00
Rajarshi Vaidya aka gmastergreatee
2b4a9bc9dc
Fixes #1699 Arch-Indep-Registers (#1700)
* Arch-Indep-Registers Fix 1
* Run format.bat
2017-08-31 20:55:11 +02:00
mrexodia
80210eb9b0
LAUNCHER+DBG: add support for PID attaching + PLMDebug in the command line
closes #1698
2017-08-28 11:41:37 +02:00
mrexodia
d678ad1e82
DBG: fixed a warning on x64 about the cookie
2017-08-26 15:54:52 +02:00
mrexodia
88fec2a1d3
DBG: correctly remove librarian breakpoints on exit + remove hwbp on detach
2017-08-25 13:18:13 +02:00
mrexodia
fa2784792c
DBG+GUI: query the process cookie on startup (#489 #1418 #1412)
2017-08-25 13:17:14 +02:00
mrexodia
da77f37c4f
DBG: moved tracing code out of debugger.cpp
2017-08-25 13:14:46 +02:00
mrexodia
010a3bbf7e
DBG: better behaviour for "exhandlers" on XP
2017-08-25 13:02:37 +02:00
mrexodia
652c61f7f7
DBG+BRIDGE+GUI: warn when trying to render a graph with more than 5000 nodes
(closes #1321)
2017-08-21 15:13:02 +02:00
mrexodia
1c4607e25b
DBG: change ReadBaseRelocationTable to read the relocation directory from disk instead of memory
2017-08-21 00:44:21 +02:00
mrexodia
838b03e9d9
DBG: add ModEnum to remove various bottlenecks with module loading
2017-08-21 00:41:04 +02:00
mrexodia
2bd32aee32
DBG: fixed typo in pluginreload command
2017-08-18 00:08:37 +02:00
mrexodia
ca296699b0
DBG: added plugreload command
2017-08-17 23:54:43 +02:00
Georgeto
8c797ef42d
Fix "requires a narrowing conversion" error when compiling with vs2015 (#1687)
2017-08-17 13:06:58 +02:00
mrexodia
a404f63960
DBG: fixed Script::Flags implementation
2017-08-14 16:24:29 +02:00
Georgeto
6587cbc564
underline relocated bytes in disassembly view (#1683)
* DBG: add relocation info to module
* GUI: underline relocated bytes
* DBG: remove unnecessary wrapper function
* DBG: store relocations in sorted vector instead of set
* GUI: warn about patches in relocation regions (closes #263)
2017-08-14 00:17:47 +02:00
mrexodia
a64bdef223
DBG+GUI: minor fixes
2017-08-13 18:10:59 +02:00
mrexodia
f484108fd7
DBG: added MemBpSize function
2017-08-13 17:17:37 +02:00
mrexodia
1b27b951ee
DBG+BRIDGE: added more detail in the BRIDGEBP structure (in the padding so backwards-compatible)
2017-08-13 17:17:15 +02:00