open source Windows debugger core

(dum(b)ug)


Introduction

(dum(b)ug) is a full open source Windows debugger core, implemented as a C++ class architecture for instant debugger creation in the Win32 environment. It supports a number of features, including:
  • Full encapsulation of the Win32 debug API
  • PE file format parsing (.exe, .dll files)
  • Codeview, COFF and FPO debug symbol support (no PDB yet)
  • Single-shot soft breakpoints and automatic restore of original code
  • Single stepping
  • Disassembly using a libdisasm Windows port, including jump prediction
  • Handling of exceptions, breakpoints and other important stuff either by specification of call-back functions or by overloading virtual prototypes provided in the class in case you prefer to inherit the functionality.


ltrace for Windows

ltrace for Windows - here named "(dum(b)ug) tracer" - is a library call tracer that logs calls to library or program functions and automatically identifies function arguments and results, thereby aiding quick auditing of closed source code for the use of insecure functions. It is an example implementation built on the (dum(b)ug) core.

How it works

The (dum(b)ug) tracer works by specifying the function prototypes that are supposed to be traced and then attaching the tracer to the process in question or loading the process. The function prototypes are specified in a trace definition file. Example:
int printf( char *, char *);
"haxor" == int sprintf( [out] char *buffer, [in] fmtchar *format);
This example illustrates a number of concepts (dum(b)ug) tracer uses:
  • You can specify plain C notation function prototypes
  • You can name arguments for more readable output
  • It supports argument directions. Specifying [in] causes the argument to be inspected in depth only when the function is entered, [out] only when the function returns, and [both] or no direction information causes inspection in both cases. This allows you to ignore uninitialized buffers, for example the output buffer of a sprintf() call.
  • You can perform output matching on the returned buffer (or the first [out] char buffer, in case the return value is not a char* or wchar* buffer). This way, you will only see functions whose result contains this string
  • Variable number of arguments such as with sprintf(char *, char *, ...) is not supported and you have to rely on the actual output
  • wchar type is supported and the output is tailored to be ASCII again
The following types are supported:
  • char - a single character
  • char* - a char buffer
  • fmtchar* - a char string being a format string
  • int - a 32bit integer
  • int* - a pointer to a 32bit integer
  • void - nothing
  • void* - arbitrary 32bit pointer
  • wchar - a single wide character
  • wchar* - a wchar buffer
  • fmtwchar* - a wchar string being a format string
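The following is an added example, not code from the (dum(b)ug) project: a small parser for the trace definition syntax described above (plain C prototypes, optional argument names, [in]/[out]/[both] directions, an optional "string" == output match, the supported type list, and rejection of variadic prototypes), plus a helper that renders a captured wchar buffer as ASCII. It is constructed from the syntax as the text describes it; the tracer's own parser is not reproduced and may differ in details such as which buffer types qualify for output matching (assumed here: char* and wchar*). The two sample definition lines are the ones from the text.

```python
"""Parser for the (dum(b)ug) tracer trace definition syntax (added example).

Constructed from the syntax described on the page; the tracer's own parser is
not reproduced here and its behaviour may differ in details.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Argument/return types the page lists as supported. Types are normalised by
# removing whitespace, so "char *" and "char*" are the same type.
SUPPORTED_TYPES = {
    "char", "char*", "fmtchar*", "int", "int*", "void", "void*",
    "wchar", "wchar*", "fmtwchar*",
}
# Buffer types whose contents are searched when an output match is requested
# (assumption: plain char*/wchar* buffers, as the text names them).
STRING_BUFFERS = {"char*", "wchar*"}


@dataclass
class Arg:
    type: str
    name: Optional[str]      # None when the prototype leaves the argument unnamed
    direction: str           # "in", "out" or "both"; no annotation means "both"

    def inspected_on_entry(self) -> bool:
        return self.direction in ("in", "both")

    def inspected_on_return(self) -> bool:
        return self.direction in ("out", "both")


@dataclass
class TraceDef:
    ret_type: str
    name: str
    args: List[Arg]
    match: Optional[str] = None   # substring the result must contain, if given

    def args_to_inspect(self, phase: str) -> List[str]:
        """Labels (name or positional arg<N>) of arguments inspected at
        phase 'entry' or 'return', following the [in]/[out]/[both] rules."""
        labels = []
        for i, a in enumerate(self.args):
            hit = a.inspected_on_entry() if phase == "entry" else a.inspected_on_return()
            if hit:
                labels.append(a.name or f"arg{i}")
        return labels

    def match_target(self) -> Optional[str]:
        """Where the output match is applied: the return value when it is a
        char*/wchar* buffer, otherwise the first [out] string buffer."""
        if self.match is None:
            return None
        if self.ret_type in STRING_BUFFERS:
            return "return"
        for i, a in enumerate(self.args):
            if a.direction == "out" and a.type in STRING_BUFFERS:
                return a.name or f"arg{i}"
        return None


_TYPE = r"[A-Za-z_]\w*(?:\s*\*)?"
_LINE = re.compile(
    r'^\s*(?:"(?P<match>[^"]*)"\s*==\s*)?'
    rf"(?P<ret>{_TYPE})\s*(?P<name>[A-Za-z_]\w*)\s*\((?P<args>[^)]*)\)\s*;\s*$"
)
_ARG = re.compile(
    rf"^(?:\[(?P<dir>in|out|both)\]\s*)?(?P<type>{_TYPE})(?:\s*(?P<name>[A-Za-z_]\w*))?$"
)


def _normalise(type_text: str) -> str:
    t = re.sub(r"\s+", "", type_text)
    if t not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported type {type_text.strip()!r}")
    return t


def parse_arg(text: str) -> Arg:
    text = text.strip()
    if text == "...":
        # Variadic prototypes are not supported by the tracer; reject them
        # instead of silently tracing a truncated argument list.
        raise ValueError("variadic argument lists ('...') are not supported")
    m = _ARG.match(text)
    if not m:
        raise ValueError(f"cannot parse argument {text!r}")
    return Arg(_normalise(m.group("type")), m.group("name"), m.group("dir") or "both")


def parse_line(line: str) -> TraceDef:
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"cannot parse trace definition {line.strip()!r}")
    args_text = m.group("args").strip()
    args = [] if args_text in ("", "void") else [parse_arg(a) for a in args_text.split(",")]
    return TraceDef(_normalise(m.group("ret")), m.group("name"), args, m.group("match"))


def parse_definitions(text: str) -> List[TraceDef]:
    """Parse a whole trace definition file; blank lines are skipped."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def wide_to_ascii(buf: bytes) -> str:
    """Render a captured wchar (UTF-16LE) buffer up to its terminator as
    printable ASCII; code points outside ASCII become '?'."""
    text = buf.decode("utf-16-le", errors="replace").split("\0", 1)[0]
    return text.encode("ascii", errors="replace").decode("ascii")


# Constructed sample: the two definition lines shown in the text.
SAMPLE_DEFS = """\
int printf( char *, char *);
"haxor" == int sprintf( [out] char *buffer, [in] fmtchar *format);
"""

if __name__ == "__main__":
    for d in parse_definitions(SAMPLE_DEFS):
        print(d.name, "entry:", d.args_to_inspect("entry"),
              "return:", d.args_to_inspect("return"),
              "match on:", d.match_target())
```

For the sprintf line the parser reports that only `format` is inspected on entry and only `buffer` on return, and that the "haxor" match is applied to `buffer` because the int return value is not a string buffer; an unannotated argument, as in the printf line, is inspected in both phases.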


Getting the stuff
