Yes, I'm trying to track DBEvents as they happen. I want to move the uninitialized character string to the display buffer in a MSG Box. I'm using Win2k and my program keeps getting shut down by the operating system.
Posted on 2003-02-10 01:20:46 by mrgone
:confused: Can you post some code?
Posted on 2003-02-10 01:50:33 by BubbaFate
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\user32.lib

.data
AppName db "Win32 Debug Example no.4",0
ofn OPENFILENAME <>
FilterString db "Executable Files",0,"*.exe",0
db "All Files",0,"*.*",0,0
ExitProc db "The debuggee exits",0Dh,0Ah
db "regEBX= : %lx",0Dh,0Ah
db "thread : %lx",0
ProcessInfo db "File Handle: %lx ",0dh,0Ah
db "Process Handle: %lx",0Dh,0Ah
db "Thread Handle: %lx",0Dh,0Ah
db "Image Base: %lx",0Dh,0Ah
db "Start Address: %lx",0

regEBX dd 0
thread dd 0
Identify db "Event: %lx",0

.data?

buffer db 2048 dup(?)                 ; shared by GetOpenFileName and wsprintf
startinfo STARTUPINFO <>
pi PROCESS_INFORMATION <>             ; handles returned by CreateProcess
DBEvent DEBUG_EVENT <>                ; filled in by WaitForDebugEvent
align dword                           ; CONTEXT must be dword aligned
context CONTEXT <>

.code
start:
mov ofn.lStructSize,SIZEOF ofn
mov ofn.lpstrFilter, OFFSET FilterString
mov ofn.lpstrFile, OFFSET buffer
mov ofn.nMaxFile,512
mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
invoke GetOpenFileName, ADDR ofn
.if eax==TRUE
invoke GetStartupInfo,addr startinfo
; run the chosen file as a debuggee of this process
invoke CreateProcess, addr buffer, NULL, NULL, NULL, FALSE,
DEBUG_PROCESS+ DEBUG_ONLY_THIS_PROCESS, NULL, NULL, addr startinfo, addr pi
invoke SetDebugErrorLevel,SLE_MINORERROR
.while TRUE
invoke WaitForDebugEvent, addr DBEvent, INFINITE ;*****

; uses u.CreateProcessInfo for every event, whatever dwDebugEventCode says
invoke wsprintf, addr buffer, addr ProcessInfo, DBEvent.u.CreateProcessInfo.hFile, DBEvent.u.CreateProcessInfo.hProcess, DBEvent.u.CreateProcessInfo.hThread, DBEvent.u.CreateProcessInfo.lpBaseOfImage, DBEvent.u.CreateProcessInfo.lpStartAddress
invoke MessageBox,0, addr buffer, addr AppName, MB_OK+MB_ICONINFORMATION

; let the debuggee run again and leave the loop when it exits
.if DBEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT
.break
.endif
invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
.endw
.endif
invoke ExitProcess,0
end start
Just a modification of Hutch's code. But at WaitForDebugEvent I want to pass the variable from DBEvent to a string that will be displayed in a Message Box.
Posted on 2003-02-10 02:10:46 by mrgone
Possibly you should initialize some of the structures used, startinfo for example. It has a "structure size" member, AFAIK. Just a guess, though.

Japheth
Posted on 2003-02-10 02:21:30 by japheth
... I still don't understand the problem... I copy/pasted your code and everything seemed to work alright..?
Posted on 2003-02-10 02:34:18 by BubbaFate
A text variable. The structure DBEvent receives the text string from Windows after a debug event. I want to display that "text string" in a message box. But thanks for the reply. If you know, then hit me back.
Posted on 2003-02-10 12:52:14 by mrgone
What you need to do is allocate a sufficient amount of memory for your string and place it in there, then pass the address to the MessageBox; or alternatively, if possible, just give the string pointer from the error directly to the MessageBox function.
Posted on 2003-02-10 13:04:00 by Hiroshimator
DBEvent.u.DebugString is only valid when DBEvent.dwDebugEventCode == OUTPUT_DEBUG_STRING_EVENT. So if you treat the union as string data when the code is not string_event, then your app will crash. BTW, the string pointer that that structure refers to is only valid in the target's address space... therefore you need to use ReadProcessMemory to read it.
Posted on 2003-02-10 17:53:03 by BubbaFate
I use these macros:
showfmt MACRO fmtstr, values:VARARG

LOCAL @@over, @@fmt
jmp @@over                      ; the format string is stored inline in the code, skip over it
@@fmt db fmtstr, 0
@@over: pushad                  ; preserve every register for the caller
invoke GlobalAlloc, GMEM_MOVEABLE OR GMEM_ZEROINIT, 1000h   ; 4 KB buffer for the formatted text
push eax                        ; handle: argument for GlobalFree below
push eax                        ; handle: argument for GlobalUnlock below
invoke GlobalLock, eax
push eax                        ; pointer to the locked buffer
invoke wsprintf, eax, ADDR @@fmt, values   ; eax is already clobbered here, so pass values in other registers
pop eax
invoke MessageBox, 0, eax, 0, MB_OK OR MB_ICONASTERISK OR MB_APPLMODAL
call GlobalUnlock               ; consumes the handle pushed above
call GlobalFree                 ; consumes the other copy of the handle
popad
ENDM
showint MACRO caption, value
LOCAL @@over, @@fmt
jmp @@over
@@fmt db caption, " = %u", 0
@@over: pushad
mov ebx, value
invoke GlobalAlloc, GMEM_MOVEABLE OR GMEM_ZEROINIT, 1000h
push eax
push eax
invoke GlobalLock, eax
push eax
invoke wsprintf, eax, ADDR @@fmt, ebx
pop eax
invoke MessageBox, 0, eax, 0, MB_OK OR MB_ICONASTERISK OR MB_APPLMODAL
call GlobalUnlock
call GlobalFree
popad
ENDM
showhex MACRO caption, value
LOCAL @@over, @@fmt
jmp @@over
@@fmt db caption, " = %08Xh", 0
@@over: pushad
mov ebx, value
invoke GlobalAlloc, GMEM_MOVEABLE OR GMEM_ZEROINIT, 1000h
push eax
push eax
invoke GlobalLock, eax
push eax
invoke wsprintf, eax, ADDR @@fmt, ebx
pop eax
invoke MessageBox, 0, eax, 0, MB_OK OR MB_ICONASTERISK OR MB_APPLMODAL
call GlobalUnlock
call GlobalFree
popad
ENDM
showstr MACRO caption, value
LOCAL @@over, @@fmt
jmp @@over
@@fmt db caption, " = %s", 0
@@over: pushad
mov ebx, value
invoke GlobalAlloc, GMEM_MOVEABLE OR GMEM_ZEROINIT, 1000h
push eax
push eax
invoke GlobalLock, eax
push eax
invoke wsprintf, eax, ADDR @@fmt, ebx
pop eax
invoke MessageBox, 0, eax, 0, MB_OK OR MB_ICONASTERISK OR MB_APPLMODAL
call GlobalUnlock
call GlobalFree
popad
ENDM

.code
...
push ebx                        ; showfmt allocates before formatting, so eax cannot be passed directly
mov ebx, eax
showfmt "The value of eax is: %04u", ebx
pop ebx
...
showint "result", eax           ; showint/showhex/showstr copy the value into ebx first, so eax is fine here
...
showhex "result (in hexadecimal)", eax
...
showstr "mystring", esi
Posted on 2003-02-10 19:04:57 by comrade
Ok, working on it. I pasted your code, comrade, and will study that. Sure appreciate everyone's input. The overall objective here is to read the general purpose registers, or what Windows refers to as CONTEXT_INTEGER, from a debuggee. With slight modification of Hutch's original code (tut30) I was able to do this easily in Windows 98. It appears that in Windows 2000 I lose the original thread handle and end up retrieving values from a DLL, and of course I don't have CONTEXT_FULL access due to NT security hooks. But the original debuggee gets lost in never never land, and with Hutch's original code where he counts EXCEPTION_BREAK_POINTS after setting the trap flag I can bring in a process that has only 8 instructions and in WIN2K it will tell me there are approx. 57,000 instructions.
Posted on 2003-02-10 20:42:40 by mrgone
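Added example, not code from anyone in this thread or from the tutorial it is based on: a replacement for the .while loop in the first post that checks dwDebugEventCode before reading DBEvent.u (BubbaFate's point), copies an OUTPUT_DEBUG_STRING_EVENT string out of the debuggee with ReadProcessMemory, and reads CONTEXT_INTEGER through the primary thread handle that CreateProcess returned (the objective described above). It assumes the includes and the pi, DBEvent, context, buffer and AppName definitions from the first post; fmtCreate, fmtDbgStr, fmtRegs, strbuf, bytesRead, dwStatus and DebugLoop are names chosen here.

```masm
.data
fmtCreate db "Image base %08lXh, entry point %08lXh",0
fmtDbgStr db "Debuggee says: %s",0
fmtRegs   db "Exception %08lXh: EAX=%08lXh EBX=%08lXh ECX=%08lXh EDX=%08lXh",0
.data?
strbuf    db 512 dup(?)      ; our own copy of the debuggee's string
bytesRead dd ?
dwStatus  dd ?               ; continue status handed to ContinueDebugEvent
.code
DebugLoop proc uses ebx
    .while TRUE
        invoke WaitForDebugEvent, addr DBEvent, INFINITE
        mov dwStatus, DBG_CONTINUE
        mov eax, DBEvent.dwDebugEventCode
        .if eax == CREATE_PROCESS_DEBUG_EVENT
            ; u.CreateProcessInfo only holds meaningful data during THIS event
            invoke wsprintf, addr buffer, addr fmtCreate, DBEvent.u.CreateProcessInfo.lpBaseOfImage, DBEvent.u.CreateProcessInfo.lpStartAddress
            invoke MessageBox, 0, addr buffer, addr AppName, MB_OK
            invoke CloseHandle, DBEvent.u.CreateProcessInfo.hFile   ; the debugger owns hFile
        .elseif eax == OUTPUT_DEBUG_STRING_EVENT
            ; lpDebugStringData points into the DEBUGGEE's address space, so copy it
            ; across before using it (fUnicode assumed 0, i.e. ANSI text)
            movzx ecx, DBEvent.u.DebugString.nDebugStringLength   ; includes the NUL
            .if ecx > sizeof strbuf
                mov ecx, sizeof strbuf
            .endif
            invoke ReadProcessMemory, pi.hProcess, DBEvent.u.DebugString.lpDebugStringData, addr strbuf, ecx, addr bytesRead
            mov byte ptr strbuf[sizeof strbuf-1], 0   ; terminate even if truncated
            invoke wsprintf, addr buffer, addr fmtDbgStr, addr strbuf
            invoke MessageBox, 0, addr buffer, addr AppName, MB_OK
        .elseif eax == EXCEPTION_DEBUG_EVENT
            mov ebx, DBEvent.u.Exception.pExceptionRecord.ExceptionCode
            .if ebx != EXCEPTION_BREAKPOINT && ebx != EXCEPTION_SINGLE_STEP
                mov dwStatus, DBG_EXCEPTION_NOT_HANDLED   ; give the debuggee's own SEH a chance
            .endif
            ; pi.hThread is the primary thread only: skip events raised by other threads
            mov ecx, DBEvent.dwThreadId
            .if ecx == pi.dwThreadId
                mov context.ContextFlags, CONTEXT_INTEGER
                invoke GetThreadContext, pi.hThread, addr context
                invoke wsprintf, addr buffer, addr fmtRegs, ebx, context.regEax, context.regEbx, context.regEcx, context.regEdx
                invoke MessageBox, 0, addr buffer, addr AppName, MB_OK
            .endif
        .elseif eax == EXIT_PROCESS_DEBUG_EVENT
            .break
        .endif
        invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, dwStatus
    .endw
    ret
DebugLoop endp
```

On NT-based systems the initial breakpoint fires inside ntdll before the loader has finished, so single-stepping from there also counts loader and DLL-initialisation instructions, which is why the count is far larger than the program's own instruction count.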
Thanks comrade. I inched forward thanks to your code sample. It looks like the return values for DebugEvents are numerical values. If these values are listed in the order they are documented in the Win32 API, then the debugger is repeating a debug exception over and over with a union code of 80000004. Thanks again :)
Posted on 2003-02-11 18:05:26 by mrgone