experiment : hook on idapython

An example from the idapython distribution, showing how to use a debug hook callback.

After entering the breakpoint callback, the script:

* prints the name of the function the breakpoint lies in, and

* issues a continue request so the program keeps running. This lets you observe the function's execution flow from the breakpoints it hits.


#---------------------------------------------------------------------
# Debug notification hook test
#
# This script starts the executable and steps through the first five
# instructions. Each instruction is disassembled after execution.
#
# Original Author: Gergely Erdelyi <gergely.erdelyi@d-dome.net>
#
# Maintained By: IDAPython Team
#
#---------------------------------------------------------------------
import idaapi                 # needed for the idaapi.continue_process() calls below
from idaapi import *          # DBG_Hooks, BADADDR
from idc import *             # GetFunctionName, GetRegValue, GetDisasm, GetLongPrm, request_* helpers

class MyDbgHook(DBG_Hooks):
    """ Own debug hook class that implements the callback functions """

    def __init__(self):
        DBG_Hooks.__init__(self)
        self.steps = 0        # number of single-steps taken so far

    def dbg_process_start(self, pid, tid, ea, name, base, size):
        print("MyDbgHook : Process started, pid=%d tid=%d name=%s" % (pid, tid, name))

    def dbg_process_exit(self, pid, tid, ea, code):
        print("MyDbgHook : Process exited pid=%d tid=%d ea=0x%x code=%d" % (pid, tid, ea, code))

    def dbg_library_unload(self, pid, tid, ea, info):
        print("MyDbgHook : Library unloaded: pid=%d tid=%d ea=0x%x info=%s" % (pid, tid, ea, info))
        return 0

    def dbg_process_attach(self, pid, tid, ea, name, base, size):
        print("MyDbgHook : Process attach pid=%d tid=%d ea=0x%x name=%s base=%x size=%x" % (pid, tid, ea, name, base, size))

    def dbg_process_detach(self, pid, tid, ea):
        print("MyDbgHook : Process detached, pid=%d tid=%d ea=0x%x" % (pid, tid, ea))
        return 0

    def dbg_library_load(self, pid, tid, ea, name, base, size):
        print("MyDbgHook : Library loaded: pid=%d tid=%d name=%s base=%x" % (pid, tid, name, base))

    def dbg_bpt(self, tid, ea):
        # The second argument is the thread id of the thread that hit the breakpoint.
        print("MyDbgHook : Break point at %s[0x%x] tid=%d" % (GetFunctionName(ea), ea, tid))

        # Resume immediately: the breakpoints are only used to log where execution went,
        # not to stop the debuggee.
        idaapi.continue_process()

        # return values:
        #   -1 - to display a breakpoint warning dialog
        #        if the process is suspended.
        #    0 - to never display a breakpoint warning dialog.
        #    1 - to always display a breakpoint warning dialog.
        return 0

    def dbg_suspend_process(self):
        print("MyDbgHook : Process suspended")

    def dbg_exception(self, pid, tid, ea, exc_code, exc_can_cont, exc_ea, exc_info):
        print("MyDbgHook : Exception: pid=%d tid=%d ea=0x%x exc_code=0x%x can_continue=%d exc_ea=0x%x exc_info=%s" % (
            pid, tid, ea, exc_code & idaapi.BADADDR, exc_can_cont, exc_ea, exc_info))
        # return values:
        #   -1 - to display an exception warning dialog
        #        if the process is suspended.
        #   0  - to never display an exception warning dialog.
        #   1  - to always display an exception warning dialog.
        return 0

    def dbg_trace(self, tid, ea):
        print("MyDbgHook : Trace tid=%d ea=0x%x" % (tid, ea))
        # return values:
        #   1  - do not log this trace event;
        #   0  - log it
        return 0

    def dbg_step_into(self):
        print("MyDbgHook : Step into")
        self.dbg_step_over()

    def dbg_run_to(self, pid, tid=0, ea=0):
        print("MyDbgHook : Runto: tid=%d" % tid)
        idaapi.continue_process()

    def dbg_step_over(self):
        eip = GetRegValue("EIP")
        print("MyDbgHook : 0x%x %s" % (eip, GetDisasm(eip)))

        self.steps += 1
        if self.steps >= 5:
            request_exit_process()
        else:
            request_step_over()


# Remove an existing debug hook (debughook is undefined the first time the script runs)
try:
    if debughook:
        print("MyDbgHook : Removing previous hook")
        debughook.unhook()
except NameError:
    pass

# Install the debug hook
debughook = MyDbgHook()
debughook.hook()

# Stop at the entry point
ep = GetLongPrm(INF_START_IP)
print("GetLongPrm(INF_START_IP) = 0x%X" % (ep))
request_run_to(ep)

# Step one instruction
request_step_over()

# Start debugging
run_requests()



Script output (load the script, set breakpoints in IDA, then run the debuggee under IDA):

MyDbgHook : Removing previous hook
GetLongPrm(INF_START_IP) = 0x133133C
Windbg: using debugging tools from 'C:\Program Files (x86)\Debugging Tools for Windows (x86)\'
1330000: process D:\LsWorkDir\Demo\TestConsole\Release\TestConsole.exe has started (pid=5652)
MyDbgHook : Process started, pid=5652 tid=6996 name=D:\LsWorkDir\Demo\TestConsole\Release\TestConsole.exe
77020000: loaded ntdll.dll
MyDbgHook : Library loaded: pid=5652 tid=6996 name=ntdll.dll base=77020000
Unloaded 
MyDbgHook : Library unloaded: pid=5652 tid=6996 ea=0x770301b4 info=
Unloaded 
MyDbgHook : Library unloaded: pid=5652 tid=6996 ea=0x770301b4 info=
Unloaded 
MyDbgHook : Library unloaded: pid=5652 tid=6996 ea=0x770301b4 info=
Unloaded 
MyDbgHook : Library unloaded: pid=5652 tid=6996 ea=0x770301b4 info=
75560000: loaded C:\Windows\syswow64\kernel32.dll
MyDbgHook : Library loaded: pid=5652 tid=6996 name=C:\Windows\syswow64\kernel32.dll base=75560000
74B90000: loaded C:\Windows\syswow64\KERNELBASE.dll
MyDbgHook : Library loaded: pid=5652 tid=6996 name=C:\Windows\syswow64\KERNELBASE.dll base=74b90000
71B70000: loaded C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dll
MyDbgHook : Library loaded: pid=5652 tid=6996 name=C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dll base=71b70000
MyDbgHook : Runto: tid=0
MyDbgHook : Break point at _wmain[0x1331000] pid=6996
MyDbgHook : Break point at _wmain[0x1331006] pid=6996
MyDbgHook : Break point at _wmain[0x1331051] pid=6996
MyDbgHook : Break point at _wmain[0x133102a] pid=6996
MyDbgHook : Break point at _wmain[0x1331051] pid=6996
MyDbgHook : Break point at _wmain[0x133102a] pid=6996
MyDbgHook : Break point at _wmain[0x1331051] pid=6996
MyDbgHook : Break point at _wmain[0x133102a] pid=6996
MyDbgHook : Break point at _wmain[0x1331051] pid=6996
MyDbgHook : Break point at _wmain[0x133102a] pid=6996
MyDbgHook : Break point at _wmain[0x1331051] pid=6996
MyDbgHook : Break point at _wmain[0x133102a] pid=6996
MyDbgHook : Break point at _wmain[0x1331051] pid=6996
MyDbgHook : Break point at _wmain[0x133102a] pid=6996
MyDbgHook : Break point at _wmain[0x1331060] pid=6996
Debugger: process has exited (exit code 0)
MyDbgHook : Process exited pid=5652 tid=6996 ea=0x7703fca2 code=0
Windbg: using debugging tools from 'C:\Program Files (x86)\Debugging Tools for Windows (x86)\'
1330000: process D:\LsWorkDir\Demo\TestConsole\Release\TestConsole.exe has started (pid=6812)
MyDbgHook : Process started, pid=6812 tid=6240 name=D:\LsWorkDir\Demo\TestConsole\Release\TestConsole.exe
77020000: loaded ntdll.dll
MyDbgHook : Library loaded: pid=6812 tid=6240 name=ntdll.dll base=77020000
Unloaded 
MyDbgHook : Library unloaded: pid=6812 tid=6240 ea=0x770301b4 info=
Unloaded 
MyDbgHook : Library unloaded: pid=6812 tid=6240 ea=0x770301b4 info=
Unloaded 
MyDbgHook : Library unloaded: pid=6812 tid=6240 ea=0x770301b4 info=
Unloaded 
MyDbgHook : Library unloaded: pid=6812 tid=6240 ea=0x770301b4 info=
75560000: loaded C:\Windows\syswow64\kernel32.dll
MyDbgHook : Library loaded: pid=6812 tid=6240 name=C:\Windows\syswow64\kernel32.dll base=75560000
74B90000: loaded C:\Windows\syswow64\KERNELBASE.dll
MyDbgHook : Library loaded: pid=6812 tid=6240 name=C:\Windows\syswow64\KERNELBASE.dll base=74b90000
71B70000: loaded C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dll
MyDbgHook : Library loaded: pid=6812 tid=6240 name=C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dll base=71b70000
MyDbgHook : Break point at _wmain[0x1331000] pid=6240
MyDbgHook : Break point at _wmain[0x1331006] pid=6240
MyDbgHook : Break point at _wmain[0x1331051] pid=6240
MyDbgHook : Break point at _wmain[0x133102a] pid=6240
MyDbgHook : Break point at _wmain[0x1331051] pid=6240
MyDbgHook : Break point at _wmain[0x133102a] pid=6240
MyDbgHook : Break point at _wmain[0x1331051] pid=6240
MyDbgHook : Break point at _wmain[0x133102a] pid=6240
MyDbgHook : Break point at _wmain[0x1331051] pid=6240
MyDbgHook : Break point at _wmain[0x133102a] pid=6240
MyDbgHook : Break point at _wmain[0x1331051] pid=6240
MyDbgHook : Break point at _wmain[0x133102a] pid=6240
MyDbgHook : Break point at _wmain[0x1331051] pid=6240
MyDbgHook : Break point at _wmain[0x133102a] pid=6240
MyDbgHook : Break point at _wmain[0x1331060] pid=6240
Debugger: process has exited (exit code 0)
MyDbgHook : Process exited pid=6812 tid=6240 ea=0x7703fca2 code=0
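The hook above only prints one line per breakpoint hit, so the execution flow has to be read off a long log by eye. The following is an added example, not part of the original script or the IDAPython distribution: it runs outside IDA and post-processes that output. The `SAMPLE_TRACE` string is a constructed excerpt in the shape of the log above, and the function names (`parse_breakpoints`, `hit_counts`, `transitions`, `summarize`) are this example's own. It counts hits per address and counts consecutive address pairs, which exposes the loop between `0x1331051` and `0x133102a` that the raw log only shows as repetition.

```python
import re
from collections import Counter

# Constructed sample trace, shaped like the dbg_bpt output of the hook script.
SAMPLE_TRACE = """\
MyDbgHook : Runto: tid=0
MyDbgHook : Break point at _wmain[0x1331000] pid=6996
MyDbgHook : Break point at _wmain[0x1331006] pid=6996
MyDbgHook : Break point at _wmain[0x1331051] pid=6996
MyDbgHook : Break point at _wmain[0x133102a] pid=6996
MyDbgHook : Break point at _wmain[0x1331051] pid=6996
MyDbgHook : Break point at _wmain[0x133102a] pid=6996
MyDbgHook : Break point at _wmain[0x1331060] pid=6996
Debugger: process has exited (exit code 0)
"""

# Matches "Break point at <func>[0x<ea>] pid=<tid>" (the script labels the thread id "pid").
BPT_RE = re.compile(
    r"Break point at (?P<func>\S+)\[0x(?P<ea>[0-9a-fA-F]+)\] (?:pid|tid)=(?P<tid>\d+)"
)


def parse_breakpoints(text):
    """Return the breakpoint hits as (function, address, thread id) tuples, in hit order."""
    hits = []
    for line in text.splitlines():
        m = BPT_RE.search(line)
        if m:
            hits.append((m.group("func"), int(m.group("ea"), 16), int(m.group("tid"))))
    return hits


def hit_counts(hits):
    """Number of times each (function, address) breakpoint was hit."""
    return Counter((func, ea) for func, ea, _ in hits)


def transitions(hits):
    """Number of times execution went directly from one breakpoint address to the next."""
    pairs = Counter()
    for (_, src, _), (_, dst, _) in zip(hits, hits[1:]):
        pairs[(src, dst)] += 1
    return pairs


def summarize(text):
    """Parse a trace and report totals, per-address counts and repeated transitions (loops)."""
    hits = parse_breakpoints(text)
    loops = {pair: n for pair, n in transitions(hits).items() if n > 1}
    return {"total": len(hits), "counts": hit_counts(hits), "loops": loops}


def format_report(text):
    """Human-readable version of summarize(), one line per address and per repeated edge."""
    report = summarize(text)
    lines = ["%d breakpoint hits" % report["total"]]
    for (func, ea), n in sorted(report["counts"].items(), key=lambda kv: kv[0][1]):
        lines.append("  %s[0x%x] x%d" % (func, ea, n))
    for (src, dst), n in sorted(report["loops"].items()):
        lines.append("  loop edge 0x%x -> 0x%x repeated %d times" % (src, dst, n))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_TRACE))
```

To use it on a real run, paste the IDA output window contents into a file and pass the file's text to `format_report`. The regex accepts both the `pid=` label the original script prints and a corrected `tid=` label.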