Linux下有功能强大ptrace,用于让父进程监视/修改/控制子进程的状态。Windows也提供了类似的接口,那就是Debuging API,用它可以编写用户级的调试器。
下面是一个例子,用以实现父进程创建并监视子进程运行状态。
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <assert.h>
#include <windows.h>
#define MAX_PARAM_LEN 4096
int main( int argc, char ** argv )
{
int i, j = 0, len;
char command_buf[MAX_PARAM_LEN];
STARTUPINFO si;
PROCESS_INFORMATION pi;
DEBUG_EVENT de;
BOOL stop = FALSE;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
if (argc<2) {
printf("Usage: %s <app_name> [arguments ...]\n", argv[0]);
return 0;
}
// Combine the module name and params into one string.
for (i = 1; i < argc; ++i) {
len = strlen(argv[i]);
if (len >= MAX_PARAM_LEN - j - 1) {
printf("buffer overflow\n");
exit(-1);
}
j += _snprintf(command_buf + j, MAX_PARAM_LEN - j, "%s ", argv[i]);
command_buf[j] = '\0'; // just for sure
}
if( !CreateProcess(NULL, command_buf, NULL, NULL, FALSE,
DEBUG_ONLY_THIS_PROCESS, NULL, NULL, &si, &pi ) ) {
printf( "CreateProcess failed (%d).\n", GetLastError() );
exit(-1);
}
while (TRUE) {
WaitForDebugEvent (&de, INFINITE);
switch (de.dwDebugEventCode) {
case EXCEPTION_DEBUG_EVENT: /* exception */
switch (de.u.Exception.ExceptionRecord.ExceptionCode) {
case EXCEPTION_INT_DIVIDE_BY_ZERO: /* #DE */
// Do what the parent process want to do when the child process gets #DE interrupt.
TerminateProcess(pi.hProcess,1);
break;
case EXCEPTION_BREAKPOINT: /* #BP */
// Do what the parent process want to do when the child process gets #BP interrupt.
break;
default:
printf("Unknown Exception\n");
break;
}
ContinueDebugEvent(de.dwProcessId,de.dwThreadId,DBG_EXCEPTION_HANDLED);
continue;
case CREATE_PROCESS_DEBUG_EVENT: /* child process created */
// Do what the parent process want to do when the child process was created.
break;
case EXIT_PROCESS_DEBUG_EVENT: /* child process exits */
stop = TRUE;
// Do what the parent process want to do when the child process exits.
break;
default:
printf("Unknown Event!\n");
break;
}
if (TRUE == stop) {
//printf("Process exit\n");
break;
}
ContinueDebugEvent (de.dwProcessId, de.dwThreadId, DBG_CONTINUE);
} // end of loop
assert(stop);
CloseHandle( pi.hProcess );
CloseHandle( pi.hThread );
return 0;
}
程序参数为要监视的子进程及子进程的参数。注意一个正常的进程被创建出来后会先后收到CREATE_PROCESS_DEBUG_EVENT, EXCEPTION_DEBUG_EVENT中的EXCEPTION_BREAKPOINT和EXIT_PROCESS_DEBUG_EVENT。所以如果你不想子进程创建起来就出错,那就让处理断点的分支跳去执行ContinueDebugEvent(..., DBG_EXCEPTION_HANDLED)。
例子仅含框架,如要attach到已有进程请参见
DebugActiveProcess
,要修改子进程状态请参见RriteProcessMemory
和WriteProcessMemory等函数。
一些参考资料:
Debugging API examples: http://www.debuginfo.com/examples/dbgexamples.html
Writing the Debugger's Main Loop: http://msdn.microsoft.com/en-us/library/windows/desktop/ms681675(v=vs.85).aspx
Using the Windows Debugging API: http://www.howzatt.demon.co.uk/articles/SimpleDebugger.html
Debugging Functions: http://msdn.microsoft.com/en-us/library/ms679303
Win32调试API:http://hi.baidu.com/combojiang/blog/item/efb56e8ff0ebbfebf11f3654.html
利用Win32 Debug API打造自己的Debugger: http://hi.baidu.com/olhack/blog/item/c1e896508250e86284352407.html
The Debugging Application Programming Interface: http://msdn.microsoft.com/en-us/library/ms809754.aspx
在主进程中捕获子进程的异常:http://blog.csdn.net/simbi/article/details/3705719
Windows Debugging API: http://my.safaribooksonline.com/book/networking/intrusion-detection/9780321446114/in-memory-fuzzing-automation/ch20lev1sec3