Problems with Yoda's ForceLib - Forums

Home » Forums » MAIN » Problems with Yoda's ForceLib

I'm trying to use Yoda's ForceLib. I looked at his source code and as far as I can see, I am doing everything exactly the same, yet his code works and mine fails.





ProcessInfo		PROCESS_INFORMATION	<>

iBPCount	BYTE	?

StartAddress	DWORD	?



	mov	iBPCount, 0

	invoke	CreateProcess, 0, Parameter, 0, 0, 0, DEBUG_PROCESS or NORMAL_PRIORITY_CLASS,

			       0, 0, ADDR StartupInfo, ADDR ProcessInfo

	.IF	eax == 0

		invoke	ExitThread, 0		

		ret

	.ENDIF

DebugLoop:

	invoke	WaitForDebugEvent, ADDR DebugEvent, INFINITE

	mov	eax, DebugEvent.dwDebugEventCode

	.IF	eax == CREATE_PROCESS_DEBUG_EVENT

		mov	eax, DebugEvent.u.CreateThread.lpStartAddress

		mov	StartAddress, eax

		jmp	ContinueProcess

	.ELSEIF	eax == EXIT_PROCESS_DEBUG_EVENT

		invoke	ContinueDebugEvent, DebugEvent.dwProcessId, DebugEvent.dwThreadId, DBG_CONTINUE

		mov	edx, OFFSET ToReadOrNot

		mov	dword ptr [edx], 0

		invoke	ExitThread, 0

	.ELSEIF	eax == EXCEPTION_DEBUG_EVENT

		mov	eax, DebugEvent.u.Exception.pExceptionRecord.ExceptionCode

		.IF	eax == EXCEPTION_BREAKPOINT

			mov	al, iBPCount

			.IF	iBPCount == 0

				invoke	TrapEntry, StartAddress, ADDR ProcessInfo

				inc	iBPCount

			.ELSEIF	al == 1

				invoke	ForceLibraryDBG, ADDR DllToLoad, StartAddress, ADDR ProcessInfo

				inc	iBPCount

			.ELSEIF	eax == 2

				invoke	PerformCleanup, StartAddress, ADDR ProcessInfo

			.ENDIF

			

		.ENDIF

	.ENDIF

ContinueProcess:

	invoke	ContinueDebugEvent, DebugEvent.dwProcessId, DebugEvent.dwThreadId, DBG_CONTINUE

	jmp 	DebugLoop

	ret

The following is the C++ code from his example:



VOID DebugIt()

{

	BOOL           STOP = FALSE;

	DEBUG_EVENT    DE;

	int            iBPCount = 0;

	DWORD          dwContFlags,dwEntryPoint;



		while(WaitForDebugEvent(&DE,INFINITE))

		{

			dwContFlags = DBG_EXCEPTION_NOT_HANDLED;

			switch(DE.dwDebugEventCode)

			{

			    case CREATE_PROCESS_DEBUG_EVENT:

					dwEntryPoint = (DWORD)DE.u.CreateProcessInfo.lpStartAddress;

					break;



				case EXCEPTION_DEBUG_EVENT:

					switch(DE.u.Exception.ExceptionRecord.ExceptionCode)

					{

						case EXCEPTION_BREAKPOINT: // an int3 (0xCC) was found

							++iBPCount;

							switch(iBPCount)

							{

							case 1:

								if (!TrapEntry(dwEntryPoint,&PI))

									ShowError("fatal ERROR (1)");

								break;

							case 2:

								if (!ForceLibraryDBG(szTargetLibrary,dwEntryPoint,&PI))

									ShowError("fatal ERROR (2)");

								break;

							case 3:

								dwLibBase = PerformCleanup(dwEntryPoint,&PI);

								wsprintf(buff,"The dll's base address is: 0x%X",dwLibBase);

								MessageBox(0,buff,"dll loaded successfully",

									MB_ICONINFORMATION | MB_SYSTEMMODAL);

								break;

							}

							dwContFlags = DBG_CONTINUE;

							break;

					}

					break;



				case EXIT_PROCESS_DEBUG_EVENT:

					STOP = TRUE;

					break;

			}

			if (!STOP)

				ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,dwContFlags);

			else

				break;

		}

	return;

}

Posted on 2002-01-05 13:16:33 by Hel

ASM Community