内核层将DEBUG_EVENT(未公开结构)转换到DBGUI_WAIT_STATE_CHANGE (未公开结构),在ntdll中再次将DBGUI_WAIT_STATE_CHANGE转换成用户层DEBUG_EVENT(公开结构)
//@qq1490900437使用转载请标明出处
//将DBGUI_WAIT_STATE_CHANGE 转换成debug_event结构
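/*
 * Query the TEB base address of a thread via ThreadBasicInformation.
 *
 * ThreadHandle: a thread handle owned by the debugger (handed over by the
 *               kernel inside the wait-state-change record).
 *
 * Returns the TebBaseAddress on success, NULL when the query fails, so the
 * caller can store the result straight into lpThreadLocalBase.
 */
static PVOID DbgpQueryThreadTebBase(HANDLE ThreadHandle)
{
    THREAD_BASIC_INFORMATION BasicInfo = { 0 };
    ULONG ReturnLength = 0;

    if (!NT_SUCCESS(NtQueryInformationThread(ThreadHandle,
                                             ThreadBasicInformation,
                                             &BasicInfo,
                                             sizeof(BasicInfo),
                                             &ReturnLength)))
    {
        return NULL;
    }
    return BasicInfo.TebBaseAddress;
}

/*
 * Convert one DBGUI_WAIT_STATE_CHANGE (the record the kernel hands to the
 * debugger side of ntdll) into the public Win32 DEBUG_EVENT structure.
 *
 * WaitStateChange: input record; only the StateInfo union member selected
 *                  by NewState is read.
 * DebugEvent:      output; dwProcessId and dwThreadId are always filled,
 *                  the rest depends on NewState.
 * UseUnicode:      for DBG_PRINTEXCEPTION_WIDE_C, pick the wide form of the
 *                  debug string (ExceptionInformation[0..1]) instead of the
 *                  ANSI form (ExceptionInformation[2..3]).
 *
 * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL for a NewState value this
 * function cannot translate (the caller must not trust DebugEvent then).
 *
 * Every pointer copied into DebugEvent (start addresses, TEB base, debug
 * string data, image name) is, per the DEBUG_EVENT contract, an address in
 * the debuggee's address space: read it with ReadProcessMemory /
 * NtReadVirtualMemory, never dereference it in the debugger.
 */
NTSTATUS __stdcall DbgUiConvertStateChangeStructureWorker(PDBGUI_WAIT_STATE_CHANGE WaitStateChange, LPDEBUG_EVENT DebugEvent, BOOLEAN UseUnicode)
{
    NTSTATUS Status = STATUS_SUCCESS;

    /* CLIENT_ID carries the ids as HANDLE-sized values; truncate explicitly
     * rather than relying on an implicit pointer-to-DWORD conversion. */
    DebugEvent->dwProcessId = HandleToUlong(WaitStateChange->AppClientId.UniqueProcess);
    DebugEvent->dwThreadId = HandleToUlong(WaitStateChange->AppClientId.UniqueThread);

    switch (WaitStateChange->NewState)
    {
    case DbgCreateThreadStateChange:
    {
        DebugEvent->dwDebugEventCode = CREATE_THREAD_DEBUG_EVENT;
        DebugEvent->u.CreateThread.hThread = WaitStateChange->StateInfo.CreateThread.HandleToThread;
        /* Assignment, not comparison: the earlier '==' left lpStartAddress
         * uninitialised. */
        DebugEvent->u.CreateThread.lpStartAddress =
            (LPTHREAD_START_ROUTINE)WaitStateChange->StateInfo.CreateThread.NewThread.StartAddress;
        DebugEvent->u.CreateThread.lpThreadLocalBase =
            DbgpQueryThreadTebBase(WaitStateChange->StateInfo.CreateThread.HandleToThread);
        break;
    }

    case DbgCreateProcessStateChange:
    {
        DebugEvent->dwDebugEventCode = CREATE_PROCESS_DEBUG_EVENT;
        DebugEvent->u.CreateProcessInfo.hProcess = WaitStateChange->StateInfo.CreateProcessInfo.HandleToProcess;
        DebugEvent->u.CreateProcessInfo.hThread = WaitStateChange->StateInfo.CreateProcessInfo.HandleToThread;
        DebugEvent->u.CreateProcessInfo.hFile = WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.FileHandle;
        DebugEvent->u.CreateProcessInfo.lpBaseOfImage = WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.BaseOfImage;
        DebugEvent->u.CreateProcessInfo.dwDebugInfoFileOffset = WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.DebugInfoFileOffset;
        DebugEvent->u.CreateProcessInfo.nDebugInfoSize = WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.DebugInfoSize;
        DebugEvent->u.CreateProcessInfo.lpStartAddress =
            (LPTHREAD_START_ROUTINE)WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.InitialThread.StartAddress;
        /* No image name is carried for the initial process; the debugger
         * resolves it from hFile. */
        DebugEvent->u.CreateProcessInfo.lpImageName = NULL;
        DebugEvent->u.CreateProcessInfo.fUnicode = TRUE;
        /* Must use the CreateProcessInfo member of the union: CreateThread
         * .HandleToThread sits at a different offset and would query the
         * process handle as a thread, which always fails. */
        DebugEvent->u.CreateProcessInfo.lpThreadLocalBase =
            DbgpQueryThreadTebBase(WaitStateChange->StateInfo.CreateProcessInfo.HandleToThread);
        break;
    }

    case DbgExitThreadStateChange:
        DebugEvent->dwDebugEventCode = EXIT_THREAD_DEBUG_EVENT;
        DebugEvent->u.ExitThread.dwExitCode = (DWORD)WaitStateChange->StateInfo.ExitThread.ExitStatus;
        break;

    case DbgExitProcessStateChange:
        DebugEvent->dwDebugEventCode = EXIT_PROCESS_DEBUG_EVENT;
        DebugEvent->u.ExitProcess.dwExitCode = (DWORD)WaitStateChange->StateInfo.ExitProcess.ExitStatus;
        break;

    case DbgExceptionStateChange:
    case DbgBreakpointStateChange:
    case DbgSingleStepStateChange:
    {
        PEXCEPTION_RECORD Record = &WaitStateChange->StateInfo.Exception.ExceptionRecord;

        switch (Record->ExceptionCode)
        {
        case DBG_PRINTEXCEPTION_WIDE_C:
            /* OutputDebugStringW: [0]/[1] = wide length and pointer,
             * [2]/[3] = ANSI length and pointer. nDebugStringLength is a
             * WORD, so the ULONG_PTR parameter is truncated on purpose. */
            DebugEvent->dwDebugEventCode = OUTPUT_DEBUG_STRING_EVENT;
            if (UseUnicode)
            {
                DebugEvent->u.DebugString.nDebugStringLength = (WORD)Record->ExceptionInformation[0];
                DebugEvent->u.DebugString.lpDebugStringData = (LPSTR)Record->ExceptionInformation[1];
                DebugEvent->u.DebugString.fUnicode = TRUE;
            }
            else
            {
                DebugEvent->u.DebugString.nDebugStringLength = (WORD)Record->ExceptionInformation[2];
                DebugEvent->u.DebugString.lpDebugStringData = (LPSTR)Record->ExceptionInformation[3];
                DebugEvent->u.DebugString.fUnicode = FALSE;
            }
            break;

        case DBG_PRINTEXCEPTION_C:
            /* OutputDebugStringA raises this with only two parameters:
             * [0] = length, [1] = ANSI pointer. Reading [2]/[3] here (as the
             * earlier version did) picks up unrelated data. */
            DebugEvent->dwDebugEventCode = OUTPUT_DEBUG_STRING_EVENT;
            DebugEvent->u.DebugString.nDebugStringLength = (WORD)Record->ExceptionInformation[0];
            DebugEvent->u.DebugString.lpDebugStringData = (LPSTR)Record->ExceptionInformation[1];
            DebugEvent->u.DebugString.fUnicode = FALSE;
            break;

        case DBG_RIPEXCEPTION:
            DebugEvent->dwDebugEventCode = RIP_EVENT;
            DebugEvent->u.RipInfo.dwError = (DWORD)Record->ExceptionInformation[0];
            DebugEvent->u.RipInfo.dwType = (DWORD)Record->ExceptionInformation[1];
            break;

        default:
            /* Any other code is a genuine exception in the debuggee. The
             * earlier version fell through to the DLL cases here and never
             * produced an EXCEPTION_DEBUG_EVENT. */
            DebugEvent->dwDebugEventCode = EXCEPTION_DEBUG_EVENT;
            DebugEvent->u.Exception.ExceptionRecord = *Record;
            DebugEvent->u.Exception.dwFirstChance = WaitStateChange->StateInfo.Exception.FirstChance;
            break;
        }
        break;
    }

    case DbgLoadDllStateChange:
        DebugEvent->dwDebugEventCode = LOAD_DLL_DEBUG_EVENT;
        DebugEvent->u.LoadDll.hFile = WaitStateChange->StateInfo.LoadDll.FileHandle;
        DebugEvent->u.LoadDll.lpBaseOfDll = WaitStateChange->StateInfo.LoadDll.BaseOfDll;
        DebugEvent->u.LoadDll.dwDebugInfoFileOffset = WaitStateChange->StateInfo.LoadDll.DebugInfoFileOffset;
        DebugEvent->u.LoadDll.nDebugInfoSize = WaitStateChange->StateInfo.LoadDll.DebugInfoSize;
        /* NamePointer is a debuggee-side pointer to the name pointer (may be
         * NULL); the debugger dereferences it via ReadProcessMemory. */
        DebugEvent->u.LoadDll.lpImageName = WaitStateChange->StateInfo.LoadDll.NamePointer;
        DebugEvent->u.LoadDll.fUnicode = TRUE;
        break;

    case DbgUnloadDllStateChange:
        DebugEvent->dwDebugEventCode = UNLOAD_DLL_DEBUG_EVENT;
        DebugEvent->u.UnloadDll.lpBaseOfDll = WaitStateChange->StateInfo.UnloadDll.BaseAddress;
        break;

    default:
        /* Unknown state: report failure instead of handing back a
         * DebugEvent whose union was never written. */
        Status = STATUS_UNSUCCESSFUL;
        break;
    }

    /* The earlier version had no return statement at all; the caller's
     * NT_SUCCESS check then read an indeterminate value. */
    return Status;
}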