At this moment I would like to do it for the Win32 platform, including XP.
Hello, I'm not a noob, but I'm also not an expert on this matter. I've done some debugging with the conventional API (DebugActiveProcess, GetThreadContext, etc.); I guess you know how limited this is...
I've read somewhere that one might write a VxD with a custom interrupt handler because you want to trap INT 3 or any other interrupt, or even an exception; tell me if I'm wrong.
So let's start with the basics.
1_ Tracing
2_ Breakpoints (INT 3)
3_ Binary debug formats (exes compiled with debug options, like LCC-Win32): the ability to debug this type of exe, or any other exe, either by loading it or attaching to a running app (like VC++)
4_ How to do this on Win32 safely.

I think this is a nice topic to talk about; crackers are welcome.
Benjamin
Posted on 2005-05-26 06:49:45 by benjaminmaggi
Hey benjaminmaggi,
To start off, VxDs are only for Win 9x; for NT+ you'd have to write a driver (.sys). I have some nice tuts on writing drivers in MASM and C++ if you want them; however, I wouldn't recommend trying to write one unless it was absolutely essential, because coding in kernel mode can be difficult and dangerous. For custom interrupt handling I do have source in asm to a driver that does this; I can give you that if you want as well. However, coding a debugger in ring 3 (application layer) like Olly is a lot easier.

First off, Microsoft provides various debug APIs you can use ( http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/isdebuggerpresent.asp ), as you know, and you can find small examples of how to use some of these APIs in Iczelion's tuts (28-30). There are also hex dump examples in the MASM32 package, and I recommend looking for x86 disassembler source. You can find sources to memory patchers and the like at protools.cjb.net and exetools.com.

Basically, the steps I would take to code a debugger are: open the target process in memory; read the data and display it in asm and hex; to do tracing, have the debugger be able to interpret "jump 004030A9" or anything similar and jump (or do whatever needs to be done) to that address when you want it to; write changes if need be; and just go from there. Read/WriteProcessMemory are good for this.

Detecting what language a PE file was written in by looking for debug info is a method PEiD uses. I've talked to the author a lot on IRC various times, and he seems like a pretty nice guy, so maybe if you asked him nicely he'd give you some signatures. Anyway, I hope I was of some help.

Posted on 2005-05-26 16:45:22 by Webring
Hi benjaminmaggi,

Why would you like to create your own debugger when very useful tools such as OllyDbg are available on the net?

http://home.t-online.de/home/Ollydbg
Posted on 2005-05-27 05:02:32 by Vortex
Thanks Webring, your post has brought some light to my disturbed head. In fact I'm using the ring 3 API for debugging: first I find the image entry point and then go tracing from there.
And yes, messing with ring 0 is a task not to take lightly; I'm myself a dirty programmer. The main idea of this "debugger" thing I'm writing is to trap interrupts from certain code being debugged (INT 3 would be nice!). I thought custom interrupt handlers would work like the old-days TSR programs. No, I'm not crying at this moment :sad: .
Dear Vortex, to be honest with you, yes, there is always better software out there. I'm not writing a complete debugger, and yes, programmers have to avoid reinventing the wheel, but sometimes you just want to find the path and experience a little, don't you think?
Anyway, I know some source for a symbolic debugger must be online; I just hate to take 20 MB of code just to make a breakpoint in a certain routine.
Webring, I would appreciate the sources you have mentioned in your post.
Posted on 2005-05-27 16:17:24 by benjaminmaggi
Benjamin, sorry to say this, but if you have to ask how to do a ring 0 debugger, you shouldn't do it.

You will need intimate knowledge not only of how IA-32 functions (Intel manuals volume 3: System Programming, about all of it), but also of how the operating system you're working under works (9x VxDs, as well as NT kernel-mode drivers, plus of course the whole NT system). Furthermore, a good knowledge of PC hardware as well (at least keyboard input, but video and network drivers would be nice too).
Posted on 2005-05-27 19:51:55 by f0dder
First, I am not asking how to do a ring 0 debugger; ring 0 tasks are not the edge of programming as far as I know. Under the 386 architecture a ring 0 task could be a super-kernel like the ones we know, or a hello-world printer with no more than 10k of code. I've coded microkernels for real-time OSes; I'm going to be honest with you, of course they were minimal and very simple, but I know the basics. My application just needs to trap a soft interrupt; a driver seems the right decision at this particular moment. If the Win API could do it, let me know! BTW, what makes you think I needed to know about hardware (besides the processor)? I only want to write a soft interrupt handler.

Benjamin, sorry to say this, but if you have to ask how to do a ring0 debugger, you shouldn't do it.

You will need intimate knowledge not only of how IA-32 functions (Intel manuals volume 3: System Programming, about all of it), but also of how the operating system you're working under works (9x VxDs, as well as NT kernel-mode drivers, plus of course the whole NT system). Furthermore, a good knowledge of PC hardware as well (at least keyboard input, but video and network drivers would be nice too).


A final comment: like I said before posting this article, answers like this one are welcome; that's why I take the time to read it and to answer. Programmers mainly fall into reinventing the wheel, or something even worse, coding something they don't fully understand. It happens to all of us, and the results are a waste of time and money. Hopefully we learn two things: a bit of coding, and the "don't do this any more". We humans have the tendency to make the same mistake over and over....

Benjamin
Posted on 2005-05-28 16:57:48 by benjaminmaggi
You can do tracing and break-on-int3 without any ring0 code, simply by using WaitForDebugEvent(), and examining the DEBUG_EVENT output structure.

Binary debug formats - use the Debug Help Library: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/dbghelp_functions.asp


BTW, what makes you think I needed to know about hardware (besides the processor)? I only want to write a soft interrupt handler.

I thought you wanted to write a full-blown kernel-mode debugger :) - for that you do need some hardware support, since you can't rely on calling drivers.
Posted on 2005-05-29 19:39:41 by f0dder

Hi benjaminmaggi,

Why would you like to create your own debugger when very useful tools such as OllyDbg are available on the net?

http://home.t-online.de/home/Ollydbg


Maybe skill improvement?
Posted on 2005-08-07 01:42:48 by realvampire
As I mostly trust my own sources :) I simply have an INC with some macros that open a console on each to-be-debugged program, printing out the stuff I'm interested in.

Dominik

Posted on 2005-08-10 00:45:13 by Dom