Windows下的"ptrace"-父进程监视子进程Debugging API

最新推荐文章于 2023-01-30 17:59:22 发布

ariesjzj

最新推荐文章于 2023-01-30 17:59:22 发布

阅读量5.5k

点赞数

文章标签： debugging windows exception command api null

本文链接：https://blog.csdn.net/jinzhuojun/article/details/7226443

版权

Develop 同时被 2 个专栏收录

41 篇文章 0 订阅

订阅专栏

Windows

22 篇文章 0 订阅

订阅专栏

原文地址： http://blog.csdn.net/ariesjzj/article/details/7226443

Linux下有功能强大ptrace，用于让父进程监视/修改/控制子进程的状态。Windows也提供了类似的接口，那就是Debuging API，用它可以编写用户级的调试器。

下面是一个例子，用以实现父进程创建并监视子进程运行状态。

#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <assert.h>
#include <windows.h>

#define MAX_PARAM_LEN		4096

int main( int argc, char ** argv )
{
	int i, j = 0, len;
	char command_buf[MAX_PARAM_LEN];

	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	DEBUG_EVENT de;
	BOOL stop = FALSE;

	ZeroMemory( &si, sizeof(si) );
	si.cb = sizeof(si);
	ZeroMemory( &pi, sizeof(pi) );

	if (argc<2) {
		printf("Usage: %s <app_name> [arguments ...]\n", argv[0]);
		return 0;
	}

	// Combine the module name and params into one string.
	for (i = 1; i < argc; ++i) {
		len = strlen(argv[i]);
		if (len >= MAX_PARAM_LEN - j - 1) {
			printf("buffer overflow\n");
			exit(-1);
		}
		j += _snprintf(command_buf + j, MAX_PARAM_LEN - j, "%s ", argv[i]);
		command_buf[j] = '\0';	// just for sure
	}

	if( !CreateProcess(NULL, command_buf, NULL, NULL, FALSE,          
		DEBUG_ONLY_THIS_PROCESS, NULL, NULL, &si, &pi ) ) {
			printf( "CreateProcess failed (%d).\n", GetLastError() );
			exit(-1);
	}

	while (TRUE) {
		WaitForDebugEvent (&de, INFINITE);

		switch (de.dwDebugEventCode) {
		case EXCEPTION_DEBUG_EVENT:			/* exception */
			switch (de.u.Exception.ExceptionRecord.ExceptionCode) { 
			case   EXCEPTION_INT_DIVIDE_BY_ZERO:	/* #DE */
				// Do what the parent process want to do when the child process gets #DE interrupt.
				TerminateProcess(pi.hProcess,1); 
				break; 
			case   EXCEPTION_BREAKPOINT:			/* #BP */
				// Do what the parent process want to do when the child process gets #BP interrupt.
				break;

			default: 
				printf("Unknown Exception\n"); 
				break;
			}    

			ContinueDebugEvent(de.dwProcessId,de.dwThreadId,DBG_EXCEPTION_HANDLED);
			continue;

		case CREATE_PROCESS_DEBUG_EVENT:		/* child process created */

			// Do what the parent process want to do when the child process was created.
			break;

		case EXIT_PROCESS_DEBUG_EVENT:			/* child process exits */
			stop = TRUE;

			// Do what the parent process want to do when the child process exits.
			break;

		default:
			printf("Unknown Event!\n");
			break;
		}

		if (TRUE == stop) {
			//printf("Process exit\n");
			break;
		}

		ContinueDebugEvent (de.dwProcessId,	de.dwThreadId, DBG_CONTINUE);

	} // end of loop

	assert(stop);

	CloseHandle( pi.hProcess );
	CloseHandle( pi.hThread );

	return 0;
}

程序参数为要监视的子进程及子进程的参数。注意一个正常的进程被创建出来后会先后收到CREATE_PROCESS_DEBUG_EVENT, EXCEPTION_DEBUG_EVENT中的EXCEPTION_BREAKPOINT和EXIT_PROCESS_DEBUG_EVENT。所以如果你不想子进程创建起来就出错，那就让处理断点的分支跳去执行ContinueDebugEvent(..., DBG_EXCEPTION_HANDLED)。

例子仅含框架，如要attach到已有进程请参见DebugActiveProcess，要修改子进程状态请参见RriteProcessMemory和WriteProcessMemory等函数。

一些参考资料：

Debugging API examples: http://www.debuginfo.com/examples/dbgexamples.html

Writing the Debugger's Main Loop: http://msdn.microsoft.com/en-us/library/windows/desktop/ms681675(v=vs.85).aspx

Using the Windows Debugging API: http://www.howzatt.demon.co.uk/articles/SimpleDebugger.html

Debugging Functions: http://msdn.microsoft.com/en-us/library/ms679303

Win32调试API:http://hi.baidu.com/combojiang/blog/item/efb56e8ff0ebbfebf11f3654.html

利用Win32 Debug API打造自己的Debugger: http://hi.baidu.com/olhack/blog/item/c1e896508250e86284352407.html

The Debugging Application Programming Interface: http://msdn.microsoft.com/en-us/library/ms809754.aspx

在主进程中捕获子进程的异常:http://blog.csdn.net/simbi/article/details/3705719

Windows Debugging API: http://my.safaribooksonline.com/book/networking/intrusion-detection/9780321446114/in-memory-fuzzing-automation/ch20lev1sec3