1. Preparation
Attach to the target process:
BOOL DebugActiveProcess( DWORD dwProcessId );
Once the attach succeeds, the target's debug events, including every exception raised inside it, are delivered to the calling process before the target's own handlers see them. Two caveats before calling it: the caller needs debug access to the target (attaching to a process running under another account, such as a service, requires SeDebugPrivilege, otherwise the call fails), and by default the target is terminated when the debugger process exits; call DebugSetProcessKillOnExit(FALSE) or detach with DebugActiveProcessStop if the target must survive. Immediately after attaching, the system replays one CREATE_PROCESS_DEBUG_EVENT, one CREATE_THREAD_DEBUG_EVENT per existing thread and one LOAD_DLL_DEBUG_EVENT per loaded module, then injects a thread that raises an EXCEPTION_BREAKPOINT so the debugger gets control.
2. Wait for a debug event:
BOOL WaitForDebugEvent( LPDEBUG_EVENT lpDebugEvent, DWORD dwMilliseconds );
The first parameter receives the debug event; the structure carries what the debuggee reported: which process and thread it came from, the event type, and the event-specific details (for an exception, the exception record). dwMilliseconds is a timeout, INFINITE to block; if it elapses the call returns FALSE with GetLastError() == ERROR_SEM_TIMEOUT. WaitForDebugEvent and ContinueDebugEvent must be called from the same thread that called DebugActiveProcess.
The debug event structure:
typedef struct _DEBUG_EVENT {
    DWORD dwDebugEventCode;   // event code; identifies which kind of event this is
    DWORD dwProcessId;        // id of the debuggee process in which the event occurred
    DWORD dwThreadId;         // id of the debuggee thread that raised the event
    union {
        EXCEPTION_DEBUG_INFO      Exception;
        CREATE_THREAD_DEBUG_INFO  CreateThread;
        CREATE_PROCESS_DEBUG_INFO CreateProcessInfo;
        EXIT_THREAD_DEBUG_INFO    ExitThread;
        EXIT_PROCESS_DEBUG_INFO   ExitProcess;
        LOAD_DLL_DEBUG_INFO       LoadDll;
        UNLOAD_DLL_DEBUG_INFO     UnloadDll;
        OUTPUT_DEBUG_STRING_INFO  DebugString;
        RIP_INFO                  RipInfo;
    } u;
} DEBUG_EVENT, *LPDEBUG_EVENT;
dwDebugEventCode takes one of the following values (each selects one member of u):

  Value  Code                        Union member          Meaning
  1      EXCEPTION_DEBUG_EVENT       u.Exception           An exception occurred in the debuggee (EXCEPTION_DEBUG_INFO).
  2      CREATE_THREAD_DEBUG_EVENT   u.CreateThread        A thread was created (CREATE_THREAD_DEBUG_INFO).
  3      CREATE_PROCESS_DEBUG_EVENT  u.CreateProcessInfo   The process was created or attached (CREATE_PROCESS_DEBUG_INFO).
  4      EXIT_THREAD_DEBUG_EVENT     u.ExitThread          A thread exited (EXIT_THREAD_DEBUG_INFO).
  5      EXIT_PROCESS_DEBUG_EVENT    u.ExitProcess         The process exited (EXIT_PROCESS_DEBUG_INFO).
  6      LOAD_DLL_DEBUG_EVENT        u.LoadDll             A DLL was loaded (LOAD_DLL_DEBUG_INFO).
  7      UNLOAD_DLL_DEBUG_EVENT      u.UnloadDll           A DLL was unloaded (UNLOAD_DLL_DEBUG_INFO).
  8      OUTPUT_DEBUG_STRING_EVENT   u.DebugString         The debuggee called OutputDebugString (OUTPUT_DEBUG_STRING_INFO).
  9      RIP_EVENT                   u.RipInfo             A RIP event, i.e. a system debugging error (RIP_INFO).
Each value corresponds one-to-one with a member of the union; a debugger normally dispatches on dwDebugEventCode with a switch and reads the details of the event from the matching member of u. Handle ownership matters here: the hFile handles delivered in CreateProcessInfo and LoadDll belong to the debugger and must be closed with CloseHandle, while hProcess and hThread in CreateProcessInfo are closed by the system when the debuggee exits.
3. After the event has been handled, the debuggee must be resumed. From the moment WaitForDebugEvent returns an event, all threads of the debuggee stay suspended until the debugger answers it, so every event has to be followed by:
BOOL ContinueDebugEvent( DWORD dwProcessId, DWORD dwThreadId, DWORD dwContinueStatus );
The first two parameters must be the dwProcessId and dwThreadId taken from the DEBUG_EVENT being answered. For the third parameter:
If the DBG_CONTINUE flag is specified for this parameter and the thread specified by the dwThreadId parameter previously reported an EXCEPTION_DEBUG_EVENT debugging event, the function stops all exception processing and continues the thread.
For any other debugging event, this flag continues the thread.
If the DBG_EXCEPTION_NOT_HANDLED flag is specified for this parameter and the thread specified by dwThreadId previously reported an EXCEPTION_DEBUG_EVENT debugging event, the function continues exception processing.
If this is a first-chance exception event, the search and dispatch logic of the structured exception handler is used; otherwise, the process is terminated.
For any other debugging event, this flag continues the thread.
So the usual policy is DBG_CONTINUE for every non-exception event and for the exceptions the debugger itself provoked (its own breakpoints, including the initial attach breakpoint, and single-step traps), and DBG_EXCEPTION_NOT_HANDLED for any other exception so that the debuggee's own handlers get to run. Answering DBG_CONTINUE to an exception the debugger did not cause silently cancels the debuggee's exception handling, which hides crashes and changes the target's behaviour.
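The three steps above put together as a minimal attach-and-trace tool. This is an added example and not code from the original note: it assumes a Windows build with windows.h, the PID is passed on the command line, and continue_status is a helper name chosen here (not a Win32 API). The constants repeated under #ifndef _WIN32 are the real Win32 values, included only so the continue-status policy compiles on other platforms.

```c
/* Added example: attach to a running process by PID and trace its debug
 * events with DebugActiveProcess / WaitForDebugEvent / ContinueDebugEvent.
 * continue_status() is a helper name chosen for this example, not a Win32
 * API. Build on Windows with:  cl trace.c   (or gcc trace.c) */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Real Win32 values, repeated so the policy helper compiles without windows.h. */
#define EXCEPTION_DEBUG_EVENT      1
#define EXCEPTION_BREAKPOINT       0x80000003u
#define EXCEPTION_SINGLE_STEP      0x80000004u
#define DBG_CONTINUE               0x00010002u
#define DBG_EXCEPTION_NOT_HANDLED  0x80010001u
#endif

/* dwContinueStatus policy for ContinueDebugEvent. Only traps the debugger is
 * responsible for (breakpoints, including the one the system injects right
 * after attach, and single-step) are swallowed with DBG_CONTINUE. Every other
 * exception is passed back with DBG_EXCEPTION_NOT_HANDLED so the debuggee's
 * own SEH handlers still run; answering DBG_CONTINUE to all of them would
 * cancel the target's exception handling. Non-exception events just resume. */
uint32_t continue_status(uint32_t event_code, uint32_t exception_code) {
    if (event_code != EXCEPTION_DEBUG_EVENT)
        return DBG_CONTINUE;
    if (exception_code == EXCEPTION_BREAKPOINT || exception_code == EXCEPTION_SINGLE_STEP)
        return DBG_CONTINUE;
    return DBG_EXCEPTION_NOT_HANDLED;
}

#ifdef _WIN32
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    DWORD pid = (DWORD)strtoul(argv[1], NULL, 10);

    /* Needs debug access to the target; for a process under another account
     * that means SeDebugPrivilege, otherwise the attach fails. */
    if (!DebugActiveProcess(pid)) {
        fprintf(stderr, "DebugActiveProcess(%lu) failed: %lu\n", pid, GetLastError());
        return 1;
    }
    DebugSetProcessKillOnExit(FALSE);   /* detach on exit instead of killing the target */

    HANDLE hProc = NULL;                /* debuggee handle, delivered with CREATE_PROCESS */
    DEBUG_EVENT ev;
    BOOL running = TRUE;
    while (running && WaitForDebugEvent(&ev, INFINITE)) {
        DWORD status = DBG_CONTINUE;
        switch (ev.dwDebugEventCode) {
        case CREATE_PROCESS_DEBUG_EVENT:
            hProc = ev.u.CreateProcessInfo.hProcess;   /* closed by the system at exit */
            printf("process %lu attached, image base %p\n", ev.dwProcessId,
                   ev.u.CreateProcessInfo.lpBaseOfImage);
            if (ev.u.CreateProcessInfo.hFile) CloseHandle(ev.u.CreateProcessInfo.hFile);
            break;
        case LOAD_DLL_DEBUG_EVENT:
            printf("dll loaded at %p\n", ev.u.LoadDll.lpBaseOfDll);
            if (ev.u.LoadDll.hFile) CloseHandle(ev.u.LoadDll.hFile);   /* debugger owns hFile */
            break;
        case EXCEPTION_DEBUG_EVENT: {
            const EXCEPTION_RECORD *r = &ev.u.Exception.ExceptionRecord;
            printf("exception 0x%08lx at %p, thread %lu, %s chance\n", r->ExceptionCode,
                   r->ExceptionAddress, ev.dwThreadId,
                   ev.u.Exception.dwFirstChance ? "first" : "second");
            status = continue_status(ev.dwDebugEventCode, r->ExceptionCode);
            break;
        }
        case OUTPUT_DEBUG_STRING_EVENT: {
            char buf[256] = {0};
            SIZE_T n = ev.u.DebugString.nDebugStringLength;
            if (n > sizeof buf - 1) n = sizeof buf - 1;
            /* The string lives in the debuggee's address space; ANSI strings only here. */
            if (hProc && !ev.u.DebugString.fUnicode &&
                ReadProcessMemory(hProc, ev.u.DebugString.lpDebugStringData, buf, n, NULL))
                printf("OutputDebugString: %s\n", buf);
            break;
        }
        case EXIT_PROCESS_DEBUG_EVENT:
            printf("process exited, code %lu\n", ev.u.ExitProcess.dwExitCode);
            running = FALSE;
            break;
        default:
            printf("event %lu (thread %lu)\n", ev.dwDebugEventCode, ev.dwThreadId);
            break;
        }
        /* The debuggee stays frozen until we answer with the event's own pid/tid. */
        if (!ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status)) break;
    }
    DebugActiveProcessStop(pid);
    return 0;
}
#endif
```

Run it as trace.exe <pid> from an elevated prompt if the target belongs to another account. The first exception printed after attach is the injected EXCEPTION_BREAKPOINT (0x80000003), which continue_status answers with DBG_CONTINUE; an access violation raised by the target itself is answered with DBG_EXCEPTION_NOT_HANDLED and shows up a second time as a second-chance event only if no handler in the target takes it.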