Microsoft为Windows提供了一套相对容易使用的调试API。
这套API允许用户态程序通过一个简单的循环来访问调试事件。下面是一个简单的结构：
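// Attach to process mPID and run the debug-event loop until the debugger is
// disabled (mDebugActive == FALSE) or an API call fails. Sets m_hProcess as a
// side effect; HandleDebugEvent and RemoveAllBreakPoints are project-defined.
DEBUG_EVENT dbg_evt{};  // zero-initialised so no field is read before it is filled in
// NOTE(review): PROCESS_ALL_ACCESS is far more than a debugger needs; this
// handle appears to exist for memory access (breakpoint patching), so a
// narrower mask (PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION |
// PROCESS_QUERY_INFORMATION) would follow least privilege. Left unchanged
// because other members may rely on the broad handle - confirm before narrowing.
// bInheritHandle is FALSE so the handle is not passed on to any child process.
m_hProcess = OpenProcess(PROCESS_ALL_ACCESS | PROCESS_VM_OPERATION, FALSE, mPID);
if (m_hProcess == NULL)
{
    _error_out("[!] OpenProcess Failed !\n");
    return;
}
// ok, we have the process opened; time to start debugging
if (!DebugActiveProcess(mPID))
{
    _error_out("[!] DebugActiveProcess failed !\n");
    // do not leak the process handle opened above on this failure path
    CloseHandle(m_hProcess);
    m_hProcess = NULL;
    return;
}
// don't kill the debuggee when the debugger thread exits
// note: available on Windows XP and later
DebugSetProcessKillOnExit(FALSE);
while (true)
{
    if (WaitForDebugEvent(&dbg_evt, DEBUGLOOP_WAIT_TIME))
    {
        // handle the debug event (project-defined function)
        HandleDebugEvent(dbg_evt);
        // Resume the thread that reported the event. Both ids must come from the
        // event itself; the original read a mistyped field (dwThreadIDd).
        // NOTE(review): DBG_CONTINUE is passed unconditionally, which marks every
        // exception as handled by the debugger; if HandleDebugEvent does not deal
        // with some exceptions, DBG_EXCEPTION_NOT_HANDLED would be the right
        // status for those - confirm against HandleDebugEvent.
        if (!ContinueDebugEvent(dbg_evt.dwProcessId, dbg_evt.dwThreadId, DBG_CONTINUE))
        {
            _error_out("[!] ContinueDebugEvent failed !");
            break;
        }
    }
    else
    {
        // A timeout (ERROR_SEM_TIMEOUT, 121) only means no event arrived within
        // DEBUGLOOP_WAIT_TIME ms; any other error is a real failure.
        const DWORD err = GetLastError();
        if (err != ERROR_SEM_TIMEOUT)
        {
            _error_out("[!] WaitForDebugEvent failed !\n");
            break;
        }
    }
    // exit if the debugger has been disabled from elsewhere
    // (presumably HandleDebugEvent clears mDebugActive when the debuggee exits - verify)
    if (mDebugActive == FALSE) break;
}
RemoveAllBreakPoints();  // project-defined; implemented in another file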