Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
[C++]Debugging a process

Author Message
Deltron Z
Expert Cheater
Reputation: 1

Joined: 14 Jun 2009
Posts: 164

PostPosted: Fri May 14, 2010 1:23 pm    Post subject: [C++]Debugging a process

I'm creating a process using CreateProcess with the DEBUG_PROCESS parameter to debug it. I'm not sure what I'm doing wrong, but I have a few problems.
One of them is that I can't set INT 3 at an address, let's say CreateEventA; however, I can write memory to an address within the module address range. Why, when I'm trying to VirtualProtect a Win32 API from kernel32, does it fail with error INVALID_ADDRESS (487)?
And the other problem is when I use ImageLoad - I can get the information, but the image isn't really loaded into memory, because the addresses don't exist. If I load notepad.exe, then when I'm trying to access the IAT for instance, I get an error since the memory is empty there (something like 0x0100XXXX). And when I'm trying to load anything else with image base 0x00400000, then obviously something is wrong since the addresses cross, and if I use LoadLibrary I get 0x00520000 or so.

I guess I'm using ImageLoad wrong, but the debugging problem is more important because ImageLoad is useless without it.

Thanks.
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Fri May 14, 2010 1:30 pm

You have to wait till you get the LoadLibrary event of the executable (or DLL that you want to place the BP at).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
Deltron Z
Expert Cheater
Reputation: 1

Joined: 14 Jun 2009
Posts: 164

PostPosted: Fri May 14, 2010 1:55 pm

So when I create a process with DEBUG_PROCESS it doesn't break at the entry point? So that brings me back to the ImageLoad question - there won't be any problems getting the RVA of the entry point using ImageLoad, right? But I'm still not sure I'm getting it right - what does ImageLoad do exactly if it doesn't load the library into memory? I mean, how can I access the IAT then? Reading with ReadProcessMemory and the RVAs the VAs, and then reading from these VAs once again?

And I have another question now - when I resume the thread I get an error since I overwrote the instruction with 0xCC - INT 3. What should I do to "step" in code? EIP - 1 + re-write the original code, would that work?

Thanks a lot for the very quick answer!
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Fri May 14, 2010 2:59 pm

Yes, it'll break somewhere at the image loader of windows.

I recommend getting the base address from the LoadLibrary debug event and from there getting the entry point and exports.
Deltron Z
Expert Cheater
Reputation: 1

Joined: 14 Jun 2009
Posts: 164

PostPosted: Fri May 14, 2010 3:32 pm

I tried something out - but I get an error when breaking at the entry point for a second and then resuming the process.
I've set a breakpoint, 0xCC, at the entry point, restored it once the breakpoint occurred, and after resuming the thread I got the same error that I'm getting when I set EIP to EIP - 1.
What am I doing wrong?

Oh and, about the LoadLibrary event - how am I supposed to break there if kernel32.dll isn't loaded? And how would I get the entry point from that? I've already gotten it by using ImageLoad.
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Fri May 14, 2010 3:41 pm

To continue from an int3 breakpoint:
EIP - 1
restore the original byte
set the trap flag in the EFLAGS register
resume, and wait till it breaks again (next instruction)
set 0xCC back

Also, keep in mind that some breaks are not caused by your debugger, but they are there by default in Windows. You need to let them continue normally (handled or not).

As for kernel32.dll, it will eventually be loaded, and when that event happens, you can set a breakpoint in there. (And that's the time you call ImageLoad as well, NOT before.)

Actually, I don't think ImageLoad is useful for a debugger; I suggest SymLoadModule.
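The int3/trap-flag sequence listed in the reply above, and the "arm the breakpoint only after the module's load event" point from the first reply, as an added example that is not code from this thread or from Cheat Engine. The Win32 calls cannot run outside Windows, so the debuggee is a constructed in-memory stand-in: FakeDebuggee, BreakpointManager, runScenario and the 0x7C800000 module base are all assumptions. In a real debugger, read()/write() map to ReadProcessMemory/WriteProcessMemory, eip/eflags to GetThreadContext/SetThreadContext, and the status each handler returns is the value passed to ContinueDebugEvent (which must be called before the thread is resumed, as the last post in the thread found).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <stdexcept>

// Continue statuses with the same numeric values as DBG_CONTINUE and
// DBG_EXCEPTION_NOT_HANDLED in <winbase.h>, so a handler's return value can be
// passed straight to ContinueDebugEvent().
constexpr uint32_t kDbgContinue            = 0x00010002;
constexpr uint32_t kDbgExceptionNotHandled = 0x80010001;
constexpr uint8_t  kInt3     = 0xCC;
constexpr uint32_t kTrapFlag = 0x100;   // TF bit in EFLAGS

// Constructed stand-in for the debuggee (assumption, not a Win32 type).  Memory is
// a sparse map so that touching an address whose module has not been mapped yet
// fails, like the ERROR_INVALID_ADDRESS (487) case at the top of the thread.
struct FakeDebuggee {
    std::map<uint64_t, uint8_t> mem;
    uint64_t eip = 0;
    uint32_t eflags = 0x202;

    uint8_t read(uint64_t addr) const {            // ReadProcessMemory stand-in
        auto it = mem.find(addr);
        if (it == mem.end()) throw std::runtime_error("address not mapped");
        return it->second;
    }
    void write(uint64_t addr, uint8_t v) {         // WriteProcessMemory stand-in
        if (!mem.count(addr)) throw std::runtime_error("address not mapped");
        mem[addr] = v;
    }
    // What LOAD_DLL_DEBUG_EVENT means for us: the module's pages now exist.
    void mapModule(uint64_t base, size_t size) {
        for (size_t i = 0; i < size; ++i) mem[base + i] = 0x90;   // NOP filler
    }
};

// Software-breakpoint bookkeeping following the recipe in the reply:
//   breakpoint hit  -> EIP-1, restore original byte, set TF, continue
//   single-step hit -> put 0xCC back, clear TF, continue
class BreakpointManager {
public:
    void set(FakeDebuggee& p, uint64_t addr) {
        if (saved_.count(addr)) return;             // already armed
        saved_[addr] = p.read(addr);                // throws if the module is not loaded yet
        p.write(addr, kInt3);
    }
    // EXCEPTION_BREAKPOINT: the int3 has executed, so EIP is one past it.
    uint32_t onBreakpoint(FakeDebuggee& p) {
        uint64_t addr = p.eip - 1;
        auto it = saved_.find(addr);
        if (it == saved_.end()) return kDbgExceptionNotHandled;  // not ours (e.g. Windows' own break)
        p.write(addr, it->second);   // restore the original opcode
        p.eip = addr;                // re-execute it from the start
        p.eflags |= kTrapFlag;       // ask for a single-step trap after it runs
        pending_ = addr;
        hasPending_ = true;
        return kDbgContinue;
    }
    // EXCEPTION_SINGLE_STEP: the original instruction ran; re-arm and clear TF.
    uint32_t onSingleStep(FakeDebuggee& p) {
        if (!hasPending_) return kDbgExceptionNotHandled;
        p.write(pending_, kInt3);
        p.eflags &= ~kTrapFlag;
        hasPending_ = false;
        return kDbgContinue;
    }
    bool isArmed(const FakeDebuggee& p, uint64_t addr) const {
        return saved_.count(addr) && p.read(addr) == kInt3;
    }
private:
    std::map<uint64_t, uint8_t> saved_;   // address -> original byte
    uint64_t pending_ = 0;
    bool hasPending_ = false;
};

struct Trace {
    bool armBeforeLoadFailed, armedAfterLoad, byteRestoredOnHit, eipRewound,
         trapSetOnHit, rearmedAfterStep, trapClearedAfterStep;
    uint32_t hitStatus, stepStatus;
};

// Walks the whole sequence against the constructed debuggee (constructed module
// base 0x7C800000, target at +0x1000 standing in for an exported API).
Trace runScenario() {
    const uint64_t kBase = 0x7C800000, kTarget = kBase + 0x1000;
    FakeDebuggee p;
    BreakpointManager bm;
    Trace t{};
    // 1. Arming before the load event: the page is not mapped, so it fails.
    try { bm.set(p, kTarget); } catch (const std::runtime_error&) { t.armBeforeLoadFailed = true; }
    // 2. LOAD_DLL_DEBUG_EVENT arrives: now the address exists and the breakpoint sticks.
    p.mapModule(kBase, 0x2000);
    bm.set(p, kTarget);
    t.armedAfterLoad = bm.isArmed(p, kTarget);
    // 3. The thread executes the int3: EXCEPTION_BREAKPOINT with EIP == target + 1.
    p.eip = kTarget + 1;
    t.hitStatus = bm.onBreakpoint(p);
    t.byteRestoredOnHit = (p.read(kTarget) == 0x90);
    t.eipRewound = (p.eip == kTarget);
    t.trapSetOnHit = (p.eflags & kTrapFlag) != 0;
    // 4. After ContinueDebugEvent the one-byte NOP runs under TF: EXCEPTION_SINGLE_STEP.
    p.eip = kTarget + 1;
    t.stepStatus = bm.onSingleStep(p);
    t.rearmedAfterStep = bm.isArmed(p, kTarget);
    t.trapClearedAfterStep = (p.eflags & kTrapFlag) == 0;
    return t;
}

int main() {
    Trace t = runScenario();
    std::printf("arm before load failed: %d, re-armed after step: %d\n",
                t.armBeforeLoadFailed, t.rearmedAfterStep);
    return 0;
}
```

The handler returns DBG_EXCEPTION_NOT_HANDLED for any breakpoint it did not plant, which is the "let them continue normally" rule from the reply for the breaks Windows raises on its own; only breakpoints found in the manager's own table are swallowed with DBG_CONTINUE.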
Deltron Z
Expert Cheater
Reputation: 1

Joined: 14 Jun 2009
Posts: 164

PostPosted: Fri May 14, 2010 4:42 pm

That's what I did before, but the problem was because I resumed the thread before calling ContinueDebugEvent.
I called it before resuming and it works perfectly fine now.

It sounds pretty complicated, maybe a little too complicated for what I want... I guess if I used the DLL injection method instead it'd be a lot easier and much shorter code.
However, a debugger is interesting; I might even try and do some stuff to experience it. SymLoadModule seems even more complicated than ImageLoad, which seems pretty simple and very useful.

Anyway - thanks a lot for your help.