Debugging Events

原文链接：http://msdn.microsoft.com/en-us/library/windows/desktop/ms679302%28v=vs.85%29.aspx

本文链接：http://blog.csdn.net/wlsgzl/article/details/18629635

typedef struct _DEBUG_EVENT {
  DWORD dwDebugEventCode;
  DWORD dwProcessId;
  DWORD dwThreadId;
  union {
    EXCEPTION_DEBUG_INFO      Exception;
    CREATE_THREAD_DEBUG_INFO  CreateThread;
    CREATE_PROCESS_DEBUG_INFO CreateProcessInfo;
    EXIT_THREAD_DEBUG_INFO    ExitThread;
    EXIT_PROCESS_DEBUG_INFO   ExitProcess;
    LOAD_DLL_DEBUG_INFO       LoadDll;
    UNLOAD_DLL_DEBUG_INFO     UnloadDll;
    OUTPUT_DEBUG_STRING_INFO  DebugString;
    RIP_INFO                  RipInfo;
  } u;
} DEBUG_EVENT, *LPDEBUG_EVENT;

A debugging event is an incident in the process being debugged that causes the system to notify the debugger. 调试事件是被调试进程让系统通知调试器的事件。Debugging events include creating a process, creating a thread, loading a dynamic-link library (DLL), unloading a DLL, sending an output string, and generating an exception.调试事件包含了创建进程、创建线程、加载DLL、卸载DLL、发送输出字符串、发生异常。

If a debugging event occurs while a debugger is waiting for one, the system fills the DEBUG_EVENT structure specified by WaitForDebugEvent with information describing the event.当调试器等待调试事件时刚好发生了一个，系统会填写WaitForDebugEvent函数的DEBUG_EVENT结构体的相关调试信息。

When the system notifies the debugger of a debugging event, it also suspends all threads in the affected process. 当系统通知调试器调试事件时，同时挂起了相关进程的所有线程。The threads do not resume execution until the debugger continues the debugging event by using ContinueDebugEvent. 直到调试器使用ContinueDebugEvent继续调试事件时，被挂起的线程才继续执行。The following debugging events may occur while a process is being debugged.当进程被调试时，后续的调试事件也可能发生。

Debugging event 调试事件	Description 描述
CREATE_PROCESS_DEBUG_EVENT	Generated whenever a new process is created in a process being debugged or whenever the debugger begins debugging an already active process. 当一个新进程在一个被调试的进程中创建时产生，或者调试器开始调试一个已经存在的进程时产生。The system generates this debugging event before the process begins to execute in user mode and before the system generates any other debugging events for the new process.系统在用户模式下开始执行这个程序和系统开始产生其他调试事件之前，产生这个调试事件。 The DEBUG_EVENT structure contains a CREATE_PROCESS_DEBUG_INFO structure. DEBUG_EVENT结构体包含了CREATE_PROCESS_DEBUG_INFO结构体。This structure includes a handle to the new process, a handle to the process's image file, a handle to the process's initial thread, and other information that describes the new process.这个结构体包含了新进程的句柄、进程映像文件的句柄、进程初始线程的句柄，以及其他描述新进程的信息。 The handle to the process has PROCESS_VM_READ and PROCESS_VM_WRITE access. 进程的句柄有PROCESS_VM_READ和PROCESS_VM_WRITE访问权限。If a debugger has these types of access to a thread, it can read and write to the process's memory by using the ReadProcessMemory and WriteProcessMemory functions.如果调试器对一个线程有这些权限，那么它就可以通过ReadProcessMemory和WriteProcessMemory函数读写进程的内存。 If the system previously reported an EXIT_PROCESS_DEBUG_EVENT event, the system closes this handle when the debugger calls the ContinueDebugEvent function.如果系统之前报告了一个EXIT_PROCESS_DEBUG_EVENT事件，系统会在调试器调用ContinueDebugEvent函数之后关闭这个句柄。 The handle to the process's image file has GENERIC_READ access and is opened for read-sharing. 进程映像文件的句柄有GENERIC_READ访问权限，并且是以读共享方式打开的。The debugger should close this handle while processing CREATE_PROCESS_DEBUG_EVENT.调试器应该在处理CREATE_PROCESS_DEBUG_EVENT时关闭这个句柄。 The handle to the process's initial thread has THREAD_GET_CONTEXT, THREAD_SET_CONTEXT, and THREAD_SUSPEND_RESUME access to the thread.函数初始线程的句柄拥有对线程的THREAD_GET_CONTEXT, THREAD_SET_CONTEXT和THREAD_SUSPEND_RESUME访问权限。 If a debugger has these types of access to a thread, it can read from and write to the thread's registers by using the GetThreadContext and SetThreadContext functions and can suspend and resume the thread by using the SuspendThread and ResumeThread functions. 如果一个调试器拥有一个线程的这三种访问权限，它可以通过GetThreadContext和SetThreadContext函数读写线程的寄存器，通过SuspendThread和ResumeThread函数挂起、恢复线程。If the system previously reported an EXIT_PROCESS_DEBUG_EVENT event, the system closes this handle when the debugger calls the ContinueDebugEvent function.如果系统之前报告了一个EXIT_PROCESS_DEBUG_EVENT事件，系统会在调试器调用ContinueDebugEvent函数后关闭这个句柄。
CREATE_THREAD_DEBUG_EVENT	Generated whenever a new thread is created in a process being debugged or whenever the debugger begins debugging an already active process. 当一个被调试的进程创建一个新线程或者调试器开始调试一个已经存在的进程时产生。This debugging event is generated before the new thread begins to execute in user mode.这个调试事件在新线程在用户模式下开始执行前产生。 The DEBUG_EVENT structure contains a CREATE_THREAD_DEBUG_INFO structure.DEBUG_EVENT结构体包含了一个CREATE_THREAD_DEBUG_INFO结构体。 This structure includes a handle to the new thread and the thread's starting address.这个结构体包含了新线程的句柄和线程的开始地址。 The handle has THREAD_GET_CONTEXT, THREAD_SET_CONTEXT, and THREAD_SUSPEND_RESUME access to the thread.这个句柄对线程有THREAD_GET_CONTEXT、THREAD_SET_CONTEXT和THREAD_SUSPEND_RESUME访问权限。 If a debugger has these types of access to a thread, it can read from and write to the thread's registers by using the GetThreadContext and SetThreadContext functions and can suspend and resume the thread by using the SuspendThread and ResumeThread functions.如果调试器有对线程的这三种访问权限，它就可以用GetThreadContext和SetThreadContext函数读写线程的寄存器，用SuspendThread和ResumeThread函数挂起和恢复线程。 If the system previously reported an EXIT_THREAD_DEBUG_EVENT event, the system closes the handle to the new thread when the debugger calls the ContinueDebugEvent function.如果系统之前报告了EXIT_THREAD_DEBUG_EVENT事件，系统会在调试器调用ContinueDebugEvent函数时关闭新线程的句柄。
EXCEPTION_DEBUG_EVENT	Generated whenever an exception occurs in the process being debugged. 当被调试进程发生异常时生成。Possible exceptions include attempting to access inaccessible memory, executing breakpoint instructions, attempting to divide by zero, or any other exception noted in Structured Exception Handling.可能发生的异常包括试图访问无访问权限的内存、执行断点指令、试图除以零，以及其他在结构化异常处理中提到的异常。 The DEBUG_EVENT structure contains an EXCEPTION_DEBUG_INFO structure. DEBUG_EVENT结构体包含了EXCEPTION_DEBUG_INFO结构体。This structure describes the exception that caused the debugging event.这个结构体描述了引起调试事件的异常。 Besides the standard exception conditions, an additional exception code can occur during console process debugging. 除了标准异常的情况，额外的异常代码在控制台进程的调试时也能够发生。The system generates a DBG_CONTROL_C exception code when CTRL+C is input to a console process that handles CTRL+C signals and is being debugged. 当一个控制台程序在被调试的时候处理CTRL+C信号时，系统会产生一个DBG_CONTROL_C异常代码。This exception code is not meant to be handled by applications. 这种异常代码不指望被应用程序处理。An application should never use an exception handler to deal with it.应用程序永远都不该使用异常处理函数处理它。 It is raised only for the benefit of the debugger and is only used when a debugger is attached to the console process.这种异常代码只对调试器来说有用，而且只在调试器附加到控制台程序时使用。 If a process is not being debugged or if the debugger passes on the DBG_CONTROL_C exception unhandled (through the gn command), the application's list of handler functions is searched, as documented for the SetConsoleCtrlHandler function.如果程序不是正在调试，或者调试器掠过了DBG_CONTROL_C异常而未作处理(通过gn命令)，应用程序会像SetConsoleCtrlHandler函数的文档中说的那样搜索异常处理函数列表。 If the debugger handles the DBG_CONTROL_C exception (through the gh command), an application will not notice the CTRL+C except in code like this while ((inputChar = getchar()) != EOF) ... .如果调试处理了DBG_CONTROL_C异常（通过gn命令），应用程序不会注意到类似while ((inputChar = getchar()) != EOF)的CTRL+C异常。 Thus, the debugger cannot be used to stop the read wait in such code from terminating.因此，调试器不能在这些代码中停止读取等待的终止。
EXIT_PROCESS_DEBUG_EVENT	Generated whenever the last thread in a process being debugged exits.当被调试进程的最后一个线程退出时产生。 This debugging event occurs immediately after the system unloads the process's DLLs and updates the process's exit code.这种调试事件在系统卸载进程的DLL、更新进程退出码后立即发生。 The DEBUG_EVENT structure contains an EXIT_PROCESS_DEBUG_INFO structure that specifies the exit code.DEBUG_EVENT结构体包含了指明了退出码的EXIT_PROCESS_DEBUG_INFO结构体 The debugger deallocates any internal structures associated with the process on receipt of this debugging event.调试器在收到这个调试事件后释放所有与这个程序相关的调试事件的中间结构体。 The system closes the debugger's handle to the exiting process and all of the process's threads.系统关闭调试器中存在的正在退出程序的句柄以及进程的所有的线程。 The debugger should not close these handles.调试器不应该自己关闭这些句柄。 The kernel-mode portion of process shutdown cannot be completed until the debugger that receives this event calls ContinueDebugEvent.直到调试器收到这个事件调用ContinueDebugEvent函数后，程序内核模式的部分才会终止。 Until then, the process handles are open and the virtual address space is not released, so the debugger can examine the child process. 在那之前，进程的句柄是打开的，虚拟地址空间也没有释放，所以调试器可以检测该进程的子进程。To receive notification when the kernel-mode portion of process shutdown is complete, duplicate the handle returned with CREATE_PROCESS_DEBUG_EVENT, call ContinueDebugEvent, and then wait for the duplicated process handle to be signaled.如果想要在进程内核模式关闭完成的时候收到通知，可以复制用CREATE_PROCESS_DEBUG_EVENT返回的句柄，调用ContinueDebugEvent函数，然后等待复制的进程句柄变为有信号状态。
EXIT_THREAD_DEBUG_EVENT	Generated whenever a thread that is part of a process being debugged exits. 当被调试进程的线程退出的时候产生。The system generates this debugging event immediately after it updates the thread's exit code.当系统更新线程的退出码后立即生成这个调试事件。 The DEBUG_EVENT structure contains an EXIT_THREAD_DEBUG_INFO structure that specifies the exit code.DEBUG_EVENT结构体包含了一个指定了线程退出码的EXIT_THREAD_DEBUG_INFO结构体。 This debugging event does not occur if the exiting thread is the last thread of a process. 当退出的线程是进程的最后一个线程时，这个调试异常不会发生。In this case, the EXIT_PROCESS_DEBUG_EVENT debugging event occurs instead.在这种情况下，取而代之的是发生了EXIT_PROCESS_DEBUG_EVENT异常。 The debugger deallocates any internal structures associated with the thread on receipt of this debugging event.调试器在收到这个调试事件后释放所有与这个线程相关的调试事件的中间结构体。 The system closes the debugger's handle to the exiting thread.系统关闭调试器中存在的退出线程的句柄。 The debugger should not close this handle.调试器不能自己关闭这个句柄。
LOAD_DLL_DEBUG_EVENT	Generated whenever a process being debugged loads a DLL.当被调试进程加载DLL的时候产生。 This debugging event occurs when the system loader resolves links to a DLL or when the debugged process uses the LoadLibrary function.当系统加载器解析DLL的链接或者被调试程序使用LoadLibrary函数的时候产生这个调试事件。 This debugging event only occurs the first time the system attaches a DLL to the virtual address space of a process.这个调试事件仅在系统第一次把一个DLL附加到进程的虚拟地址空间的时候产生。 The DEBUG_EVENT structure contains a LOAD_DLL_DEBUG_INFO structure.DEBUG_EVENT结构体包含了一个LOAD_DLL_DEBUG_INFO结构体。 This structure includes a handle to the newly loaded DLL, the base address of the DLL, and other information that describes the DLL.这个结构体包含了新加载DLL的句柄以及关于这个DLL的其他信息。 The debugger should close the handle to the DLL handle while processing LOAD_DLL_DEBUG_EVENT.调试器应该在处理LOAD_DLL_DEBUG_EVENT的时候关闭这个DLL句柄。 Typically, a debugger loads a symbol table associated with the DLL on receipt of this debugging event.通常，调试器在收到这个调试事件之后加载与这个DLL相关的符号表。
OUTPUT_DEBUG_STRING_EVENT	Generated when a process being debugged uses the OutputDebugString function.当被调试进程调用OutputDebugString函数时产生。 The DEBUG_EVENT structure contains an OUTPUT_DEBUG_STRING_INFO structure. DEBUG_EVENT结构体包含了OUTPUT_DEBUG_STRING_INFO结构体This structure specifies the address, length, and format of the debugging string.这个结构体指定了调试字符串的地址、长度、格式。
UNLOAD_DLL_DEBUG_EVENT	Generated whenever a process being debugged unloads a DLL by using the FreeLibrary function.当被调试进程使用FreeLibrary函数卸载DLL的时候产生。 This debugging event only occurs the last time a DLL is unloaded from a process's address space (that is, when the DLL's usage count is zero).仅当DLL最后一次从一个进程的地址空间卸载（DLL的使用计数为0）时，调试事件发生。 The DEBUG_EVENT structure contains an UNLOAD_DLL_DEBUG_INFO structure. This structure specifies the base address of the DLL in the address space of the process that unloads the DLL.DEBUG_EVENT结构体包含了一个UNLOAD_DLL_DEBUG_INFO结构体。 Typically, a debugger unloads a symbol table associated with the DLL upon receiving this debugging event.通常，调试器在收到这个调试事件之后卸载与这个DLL相关的符号表。 When a process exits, the system automatically unloads the process's DLLs, but does not generate an UNLOAD_DLL_DEBUG_EVENT debugging event.当进程退出的时候，系统自动的卸载进程的DLL，但是不产生UNLOAD_DLL_DEBUG_EVENT事件。
RIP_EVENT	Generated whenever a process being debugged dies outside of the control of the system debugger.当被调试进程在系统调试器的控制范围外和谐掉之后产生。 The DEBUG_EVENT structure contains a RIP_INFO structure. DEBUG_EVENT结构体包含了RIP_INFO结构体。This structure specifies the error and type of error.这个结构体指明了错误以及错误的类型。

相关的结构体：

EXCEPTION_DEBUG_INFO