EnableTracing() enables debugger step tracing according to the trace_level value passed as the first argument. The possible levels are TRACE_STEP (the lowest level of trace, which records every executed instruction), TRACE_INSN (instruction-level trace) and TRACE_FUNC (function-level trace, which records calls and rets). The second argument, enable, takes one of two values: 0 turns tracing off, 1 turns it on.
```c
// Enable step tracing
//      trace_level - what kind of trace to modify
//      enable      - 0: turn off, 1: turn on
// Returns: success
success EnableTracing(long trace_level, long enable);

TRACE_STEP 0x0 // lowest level trace. trace buffers are not maintained
TRACE_INSN 0x1 // instruction level trace
TRACE_FUNC 0x2 // function level trace (calls & rets)
```
GetDebuggerEvent() takes two arguments: a combination of WFNE_* constants and a timeout value. A timeout of -1 means wait forever; any other value is the number of seconds to wait. It is crucial to understand that GetDebuggerEvent() must be called after every execution break. The full list of WFNE_* constants can be found in the IDA help file. The flags we are using, WFNE_ANY | WFNE_CONT, mean that the first debugging event of any kind is returned to our script (even if it does not suspend the debugged process) and that execution is resumed from the suspended state before waiting. WFNE_SUSP means that the script should wait until the process is suspended.
```c
// Wait for the next event
// This function (optionally) resumes the process execution
// and waits for a debugger event until timeout
//      wfne    - combination of WFNE_... constants
//      timeout - number of seconds to wait, -1 - infinity
// returns: debugger event codes, see below
long GetDebuggerEvent(long wfne, long timeout);

// wfne flag is combination of the following:
WFNE_ANY    // return the first event (even if it doesn't suspend the process)
            // if the process is still running, the database does not reflect
            // the memory state. you might want to call RefreshDebuggerMemory()
            // in this case
WFNE_SUSP   // wait until the process gets suspended
WFNE_SILENT // set: be silent, clear: display modal boxes if necessary
WFNE_CONT   // continue from the suspended state

// debugger event codes
NOTASK          // process does not exist
DBG_ERROR       // error (e.g. network problems)
DBG_TIMEOUT     // timeout
PROCESS_START   // New process started
PROCESS_EXIT    // Process stopped
THREAD_START    // New thread started
THREAD_EXIT     // Thread stopped
BREAKPOINT      // Breakpoint reached
STEP            // One instruction executed
EXCEPTION       // Exception
LIBRARY_LOAD    // New library loaded
LIBRARY_UNLOAD  // Library unloaded
INFORMATION     // User-defined information
SYSCALL         // Syscall (not used yet)
WINMESSAGE      // Window message (not used yet)
PROCESS_ATTACH  // Attached to running process
PROCESS_DETACH  // Detached from process
```
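The two functions above are meant to be used together: EnableTracing() switches the trace on, and a loop around GetDebuggerEvent(WFNE_ANY | WFNE_CONT, -1) drains the resulting STEP events until the process ends. The IDC script below is an added example and is not code from the original post or from the IDA distribution. It assumes a debugger is already configured for the loaded database and that a label named START_EA exists (a placeholder; substitute any address you want to start counting from). Only the event codes and flags listed on this page plus the standard IDC helpers RunTo(), LocByName() and Message() are used.

```idc
#include <idc.idc>

// Added example: count how many instructions execute between a chosen
// address and process exit, using TRACE_STEP and the GetDebuggerEvent() loop.
static main()
{
  auto start_ea, code, steps;

  // START_EA is a hypothetical label; replace it with your own address.
  start_ea = LocByName("START_EA");
  if (start_ea == BADADDR)
  {
    Message("label START_EA not found in the database\n");
    return;
  }

  // Run until the address of interest and wait until the process is suspended.
  RunTo(start_ea);
  code = GetDebuggerEvent(WFNE_SUSP, -1);
  if (code == NOTASK || code == DBG_ERROR || code == DBG_TIMEOUT)
  {
    Message("could not reach %a (event code %d)\n", start_ea, code);
    return;
  }

  // Lowest-level trace: every executed instruction now produces a STEP event.
  EnableTracing(TRACE_STEP, 1);

  steps = 0;
  while (1)
  {
    // Required after every suspension: resume the process and wait for the
    // next event of any kind (WFNE_ANY) from the suspended state (WFNE_CONT).
    code = GetDebuggerEvent(WFNE_ANY | WFNE_CONT, -1);

    if (code == STEP)
      steps++;
    else if (code == PROCESS_EXIT || code == NOTASK
          || code == DBG_ERROR    || code == DBG_TIMEOUT)
      break;
    // LIBRARY_LOAD, THREAD_START, BREAKPOINT etc. are passed through untouched.
  }

  EnableTracing(TRACE_STEP, 0);
  Message("%d instructions executed after %a, last event code %d\n",
          steps, start_ea, code);
}
```

Because WFNE_ANY returns events that do not suspend the process, the database may not reflect current memory while the loop runs; if the script needs to read memory inside the loop, call RefreshDebuggerMemory() first, as the comment on WFNE_ANY above notes.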