Rizin
unix-like reverse engineering framework and cli tools
windows_debug.h
Go to the documentation of this file.
1 // SPDX-FileCopyrightText: 2015 Álvaro Felipe Melchor <alvaro.felipe91@gmail.com>
2 // SPDX-License-Identifier: LGPL-3.0-only
3 
4 #ifndef WINDOWS_DEBUG_H
5 #define WINDOWS_DEBUG_H
6 /*_______
7  | | |
8  |___|___|
9  | | |
10  |___|___|
11 */
12 
13 #include <rz_types.h>
14 #include <rz_debug.h>
15 #include <rz_windows.h>
16 #include <tlhelp32.h> // CreateToolhelp32Snapshot
17 #include <psapi.h> // GetModuleFileNameEx, GetProcessImageFileName
18 #include <winternl.h>
19 #include <tchar.h>
20 #include <w32dbg_wrap.h>
21 
22 #ifndef XSTATE_GSSE
23 #define XSTATE_GSSE 2
24 #endif
25 
26 #ifndef XSTATE_LEGACY_SSE
27 #define XSTATE_LEGACY_SSE 1
28 #endif
29 
30 #if !defined(XSTATE_MASK_GSSE)
31 #define XSTATE_MASK_GSSE (1LLU << (XSTATE_GSSE))
32 #endif
33 
34 #undef CONTEXT_XSTATE
35 #if defined(_M_X64)
36 #define CONTEXT_XSTATE (0x00100040)
37 #else
38 #define CONTEXT_XSTATE (0x00010040)
39 #endif
40 #define XSTATE_AVX (XSTATE_GSSE)
41 #define XSTATE_MASK_AVX (XSTATE_MASK_GSSE)
42 #ifndef CONTEXT_ALL
43 #define CONTEXT_ALL 1048607
44 #endif
45 
46 typedef struct _SYSTEM_HANDLE {
47  ULONG ProcessId;
48  BYTE ObjectTypeNumber;
49  BYTE Flags;
50  USHORT Handle;
51  PVOID Object;
52  ACCESS_MASK GrantedAccess;
53 } SYSTEM_HANDLE, *PSYSTEM_HANDLE;
54 
55 typedef struct _SYSTEM_HANDLE_INFORMATION {
56  ULONG HandleCount;
57  SYSTEM_HANDLE Handles[1];
58 } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
59 
60 typedef enum _POOL_TYPE {
61  NonPagedPool,
62  PagedPool,
63  NonPagedPoolMustSucceed,
64  DontUseThisType,
65  NonPagedPoolCacheAligned,
66  PagedPoolCacheAligned,
67  NonPagedPoolCacheAlignedMustS
68 } POOL_TYPE,
69  *PPOOL_TYPE;
70 
71 typedef struct _OBJECT_TYPE_INFORMATION {
72  UNICODE_STRING Name;
73  ULONG TotalNumberOfObjects;
74  ULONG TotalNumberOfHandles;
75  ULONG TotalPagedPoolUsage;
76  ULONG TotalNonPagedPoolUsage;
77  ULONG TotalNamePoolUsage;
78  ULONG TotalHandleTableUsage;
79  ULONG HighWaterNumberOfObjects;
80  ULONG HighWaterNumberOfHandles;
81  ULONG HighWaterPagedPoolUsage;
82  ULONG HighWaterNonPagedPoolUsage;
83  ULONG HighWaterNamePoolUsage;
84  ULONG HighWaterHandleTableUsage;
85  ULONG InvalidAttributes;
86  GENERIC_MAPPING GenericMapping;
87  ULONG ValidAccess;
88  BOOLEAN SecurityRequired;
89  BOOLEAN MaintainHandleCount;
90  USHORT MaintainTypeList;
91  POOL_TYPE PoolType;
92  ULONG PagedPoolUsage;
93  ULONG NonPagedPoolUsage;
94 } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
95 
96 // thread list
97 typedef struct {
98  int pid;
99  int tid;
100  bool bFinished;
101  bool bSuspended;
102  HANDLE hThread;
103  LPVOID lpThreadLocalBase;
104  LPVOID lpStartAddress;
105  PVOID lpThreadEntryPoint;
106  DWORD dwExitCode;
107 } THREAD_ITEM, *PTHREAD_ITEM;
108 
109 typedef struct {
110  int pid;
111  HANDLE hFile;
112  void *BaseOfDll;
113  char *Path;
114  char *Name;
115 } LIB_ITEM, *PLIB_ITEM;
116 
117 // Vista
118 BOOL(WINAPI *w32_ProcessIdToSessionId)
119 (DWORD, DWORD *);
120 BOOL(WINAPI *w32_QueryFullProcessImageNameW)
121 (HANDLE, DWORD, LPWSTR, PDWORD);
122 // Internal NT functions (winternl.h)
123 NTSTATUS(WINAPI *w32_NtQuerySystemInformation)
124 (ULONG, PVOID, ULONG, PULONG);
125 NTSTATUS(WINAPI *w32_NtQueryInformationThread)
126 (HANDLE, ULONG, PVOID, ULONG, PULONG);
127 NTSTATUS(WINAPI *w32_NtDuplicateObject)
128 (HANDLE, HANDLE, HANDLE, PHANDLE, ACCESS_MASK, ULONG, ULONG);
129 NTSTATUS(WINAPI *w32_NtQueryObject)
130 (HANDLE, ULONG, PVOID, ULONG, PULONG);
131 // fpu access API (Windows 7)
132 ut64(WINAPI *w32_GetEnabledXStateFeatures)();
133 BOOL(WINAPI *w32_InitializeContext)
134 (PVOID, DWORD, PCONTEXT *, PDWORD);
135 BOOL(WINAPI *w32_GetXStateFeaturesMask)
136 (PCONTEXT Context, PDWORD64);
137 PVOID(WINAPI *w32_LocateXStateFeature)
138 (PCONTEXT Context, DWORD, PDWORD);
139 BOOL(WINAPI *w32_SetXStateFeaturesMask)
140 (PCONTEXT Context, DWORD64);
141 
142 // APIs
143 int w32_init(RzDebug *dbg);
144 
145 int w32_reg_read(RzDebug *dbg, int type, ut8 *buf, int size);
146 int w32_reg_write(RzDebug *dbg, int type, const ut8 *buf, int size);
147 
148 int w32_attach(RzDebug *dbg, int pid);
149 int w32_detach(RzDebug *dbg, int pid);
150 int w32_attach_new_process(RzDebug *dbg, int pid);
151 int w32_select(RzDebug *dbg, int pid, int tid);
152 int w32_kill(RzDebug *dbg, int pid, int tid, int sig);
153 void w32_break_process(void *user);
154 int w32_dbg_wait(RzDebug *dbg, int pid);
155 
156 int w32_step(RzDebug *dbg);
157 int w32_continue(RzDebug *dbg, int pid, int tid, int sig);
158 RzDebugMap *w32_map_alloc(RzDebug *dbg, ut64 addr, int size);
159 int w32_map_dealloc(RzDebug *dbg, ut64 addr, int size);
160 int w32_map_protect(RzDebug *dbg, ut64 addr, int size, int perms);
161 
162 RzList *w32_thread_list(RzDebug *dbg, int pid, RzList *list);
163 RzDebugInfo *w32_info(RzDebug *dbg, const char *arg);
164 
165 RzList *w32_pid_list(RzDebug *dbg, int pid, RzList *list);
166 
167 RzList *w32_desc_list(int pid);
168 
169 #if __arm64__
170 int w32_hwbp_arm_add(RzDebug *dbg, RzBreakpoint *bp, RzBreakpointItem *b);
171 int w32_hwbp_arm_del(RzDebug *dbg, RzBreakpoint *bp, RzBreakpointItem *b);
172 #endif
173 
174 #endif
dbg
RzDebug * dbg
Definition: desil.c:30
size
voidpf void uLong size
Definition: ioapi.h:138
buf
voidpf void * buf
Definition: ioapi.h:138
ut8
uint8_t ut8
Definition: lh5801.h:11
list
static void list(RzEgg *egg)
Definition: rz-gg.c:52
pid
static static fork const void static count static fd const char const char static newpath char char char static envp time_t static t const char static mode static whence const char static dir time_t static t unsigned static seconds const char struct utimbuf static buf static inc pid
Definition: sflib.h:64
BYTE
unsigned char BYTE
Definition: lz4.c:286
type
int type
Definition: mipsasm.c:17
rz_debug.h
rz_types.h
rz_windows.h
b
#define b(i)
Definition: sha256.c:42
LIB_ITEM
Definition: windows_debug.h:109
LIB_ITEM::BaseOfDll
void * BaseOfDll
Definition: windows_debug.h:112
LIB_ITEM::Path
char * Path
Definition: windows_debug.h:113
LIB_ITEM::pid
int pid
Definition: windows_debug.h:110
LIB_ITEM::Name
char * Name
Definition: windows_debug.h:114
LIB_ITEM::hFile
HANDLE hFile
Definition: windows_debug.h:111
THREAD_ITEM
Definition: windows_debug.h:97
THREAD_ITEM::lpThreadEntryPoint
PVOID lpThreadEntryPoint
Definition: windows_debug.h:105
THREAD_ITEM::bSuspended
bool bSuspended
Definition: windows_debug.h:101
THREAD_ITEM::pid
int pid
Definition: windows_debug.h:98
THREAD_ITEM::dwExitCode
DWORD dwExitCode
Definition: windows_debug.h:106
THREAD_ITEM::lpThreadLocalBase
LPVOID lpThreadLocalBase
Definition: windows_debug.h:103
THREAD_ITEM::tid
int tid
Definition: windows_debug.h:99
THREAD_ITEM::bFinished
bool bFinished
Definition: windows_debug.h:100
THREAD_ITEM::hThread
HANDLE hThread
Definition: windows_debug.h:102
THREAD_ITEM::lpStartAddress
LPVOID lpStartAddress
Definition: windows_debug.h:104
_OBJECT_TYPE_INFORMATION
Definition: windows_debug.h:71
_OBJECT_TYPE_INFORMATION::PoolType
POOL_TYPE PoolType
Definition: windows_debug.h:91
_OBJECT_TYPE_INFORMATION::TotalNamePoolUsage
ULONG TotalNamePoolUsage
Definition: windows_debug.h:77
_OBJECT_TYPE_INFORMATION::SecurityRequired
BOOLEAN SecurityRequired
Definition: windows_debug.h:88
_OBJECT_TYPE_INFORMATION::Name
UNICODE_STRING Name
Definition: windows_debug.h:72
_OBJECT_TYPE_INFORMATION::TotalNumberOfObjects
ULONG TotalNumberOfObjects
Definition: windows_debug.h:73
_OBJECT_TYPE_INFORMATION::ValidAccess
ULONG ValidAccess
Definition: windows_debug.h:87
_OBJECT_TYPE_INFORMATION::HighWaterNumberOfHandles
ULONG HighWaterNumberOfHandles
Definition: windows_debug.h:80
_OBJECT_TYPE_INFORMATION::TotalHandleTableUsage
ULONG TotalHandleTableUsage
Definition: windows_debug.h:78
_OBJECT_TYPE_INFORMATION::HighWaterNonPagedPoolUsage
ULONG HighWaterNonPagedPoolUsage
Definition: windows_debug.h:82
_OBJECT_TYPE_INFORMATION::HighWaterNumberOfObjects
ULONG HighWaterNumberOfObjects
Definition: windows_debug.h:79
_OBJECT_TYPE_INFORMATION::InvalidAttributes
ULONG InvalidAttributes
Definition: windows_debug.h:85
_OBJECT_TYPE_INFORMATION::MaintainTypeList
USHORT MaintainTypeList
Definition: windows_debug.h:90
_OBJECT_TYPE_INFORMATION::HighWaterHandleTableUsage
ULONG HighWaterHandleTableUsage
Definition: windows_debug.h:84
_OBJECT_TYPE_INFORMATION::TotalPagedPoolUsage
ULONG TotalPagedPoolUsage
Definition: windows_debug.h:75
_OBJECT_TYPE_INFORMATION::TotalNumberOfHandles
ULONG TotalNumberOfHandles
Definition: windows_debug.h:74
_OBJECT_TYPE_INFORMATION::MaintainHandleCount
BOOLEAN MaintainHandleCount
Definition: windows_debug.h:89
_OBJECT_TYPE_INFORMATION::HighWaterPagedPoolUsage
ULONG HighWaterPagedPoolUsage
Definition: windows_debug.h:81
_OBJECT_TYPE_INFORMATION::TotalNonPagedPoolUsage
ULONG TotalNonPagedPoolUsage
Definition: windows_debug.h:76
_OBJECT_TYPE_INFORMATION::HighWaterNamePoolUsage
ULONG HighWaterNamePoolUsage
Definition: windows_debug.h:83
_OBJECT_TYPE_INFORMATION::GenericMapping
GENERIC_MAPPING GenericMapping
Definition: windows_debug.h:86
_OBJECT_TYPE_INFORMATION::NonPagedPoolUsage
ULONG NonPagedPoolUsage
Definition: windows_debug.h:93
_OBJECT_TYPE_INFORMATION::PagedPoolUsage
ULONG PagedPoolUsage
Definition: windows_debug.h:92
_SYSTEM_HANDLE_INFORMATION
Definition: windows_debug.h:55
_SYSTEM_HANDLE_INFORMATION::HandleCount
ULONG HandleCount
Definition: windows_debug.h:56
_SYSTEM_HANDLE_INFORMATION::Handles
SYSTEM_HANDLE Handles[1]
Definition: windows_debug.h:57
_SYSTEM_HANDLE
Definition: windows_debug.h:46
_SYSTEM_HANDLE::ProcessId
ULONG ProcessId
Definition: windows_debug.h:47
_SYSTEM_HANDLE::Object
PVOID Object
Definition: windows_debug.h:51
_SYSTEM_HANDLE::Handle
USHORT Handle
Definition: windows_debug.h:50
_SYSTEM_HANDLE::GrantedAccess
ACCESS_MASK GrantedAccess
Definition: windows_debug.h:52
_SYSTEM_HANDLE::ObjectTypeNumber
BYTE ObjectTypeNumber
Definition: windows_debug.h:48
_SYSTEM_HANDLE::Flags
BYTE Flags
Definition: windows_debug.h:49
_UNICODE_STRING
Definition: winapi.h:4115
rz_bp_item_t
Definition: rz_bp.h:41
rz_bp_t
Definition: rz_bp.h:78
rz_debug_info_t
Definition: rz_debug.h:336
rz_debug_map_t
Definition: rz_debug.h:136
rz_debug_t
Definition: rz_debug.h:241
rz_list_t
Definition: rz_list.h:18
w32dbg_wrap.h
NTSTATUS
LONG NTSTATUS
Definition: win.h:198
w32_hwbp_arm_del
int w32_hwbp_arm_del(RzDebug *dbg, RzBreakpoint *bp, RzBreakpointItem *b)
Definition: windows_debug.c:485
w32_hwbp_arm_add
int w32_hwbp_arm_add(RzDebug *dbg, RzBreakpoint *bp, RzBreakpointItem *b)
Definition: windows_debug.c:438
LPWSTR
DWORD LPWSTR
Definition: windows_debug.h:121
ACCESS_MASK
ACCESS_MASK
Definition: windows_debug.h:128
PDWORD
DWORD PDWORD
Definition: windows_debug.h:121
w32_info
RzDebugInfo * w32_info(RzDebug *dbg, const char *arg)
Definition: windows_debug.c:1404
w32_attach_new_process
int w32_attach_new_process(RzDebug *dbg, int pid)
Definition: windows_debug.c:817
w32_attach
int w32_attach(RzDebug *dbg, int pid)
Definition: windows_debug.c:598
_POOL_TYPE
_POOL_TYPE
Definition: windows_debug.h:60
PagedPoolCacheAligned
@ PagedPoolCacheAligned
Definition: windows_debug.h:66
NonPagedPoolCacheAligned
@ NonPagedPoolCacheAligned
Definition: windows_debug.h:65
NonPagedPoolCacheAlignedMustS
@ NonPagedPoolCacheAlignedMustS
Definition: windows_debug.h:67
NonPagedPool
@ NonPagedPool
Definition: windows_debug.h:61
DontUseThisType
@ DontUseThisType
Definition: windows_debug.h:64
NonPagedPoolMustSucceed
@ NonPagedPoolMustSucceed
Definition: windows_debug.h:63
PagedPool
@ PagedPool
Definition: windows_debug.h:62
PLIB_ITEM
struct LIB_ITEM * PLIB_ITEM
Context
PCONTEXT Context
Definition: windows_debug.h:136
PSYSTEM_HANDLE_INFORMATION
struct _SYSTEM_HANDLE_INFORMATION * PSYSTEM_HANDLE_INFORMATION
HANDLE
DWORD * HANDLE
Definition: windows_debug.h:119
ut64
ut64(WINAPI *w32_GetEnabledXStateFeatures)()
PTHREAD_ITEM
struct THREAD_ITEM * PTHREAD_ITEM
POOL_TYPE
enum _POOL_TYPE POOL_TYPE
SYSTEM_HANDLE_INFORMATION
struct _SYSTEM_HANDLE_INFORMATION SYSTEM_HANDLE_INFORMATION
w32_step
int w32_step(RzDebug *dbg)
Definition: windows_debug.c:395
PHANDLE
PHANDLE
Definition: windows_debug.h:128
PPOOL_TYPE
enum _POOL_TYPE * PPOOL_TYPE
PDWORD64
PCONTEXT PDWORD64
Definition: windows_debug.h:136
ULONG
ULONG
Definition: windows_debug.h:124
w32_map_protect
int w32_map_protect(RzDebug *dbg, ut64 addr, int size, int perms)
Definition: windows_debug.c:1229
w32_thread_list
RzList * w32_thread_list(RzDebug *dbg, int pid, RzList *list)
Definition: windows_debug.c:1280
w32_break_process
void w32_break_process(void *user)
Definition: windows_debug.c:912
w32_map_dealloc
int w32_map_dealloc(RzDebug *dbg, ut64 addr, int size)
Definition: windows_debug.c:1197
POBJECT_TYPE_INFORMATION
struct _OBJECT_TYPE_INFORMATION * POBJECT_TYPE_INFORMATION
w32_init
int w32_init(RzDebug *dbg)
Definition: windows_debug.c:37
w32_dbg_wait
int w32_dbg_wait(RzDebug *dbg, int pid)
Definition: windows_debug.c:927
w32_pid_list
RzList * w32_pid_list(RzDebug *dbg, int pid, RzList *list)
Definition: windows_debug.c:1443
PVOID
PVOID
Definition: windows_debug.h:124
w32_kill
int w32_kill(RzDebug *dbg, int pid, int tid, int sig)
Definition: windows_debug.c:890
DWORD64
PCONTEXT DWORD64
Definition: windows_debug.h:140
w32_reg_read
int w32_reg_read(RzDebug *dbg, int type, ut8 *buf, int size)
Definition: windows_debug.c:544
w32_continue
int w32_continue(RzDebug *dbg, int pid, int tid, int sig)
Definition: windows_debug.c:1144
PSYSTEM_HANDLE
struct _SYSTEM_HANDLE * PSYSTEM_HANDLE
OBJECT_TYPE_INFORMATION
struct _OBJECT_TYPE_INFORMATION OBJECT_TYPE_INFORMATION
DWORD
DWORD
Definition: windows_debug.h:119
SYSTEM_HANDLE
struct _SYSTEM_HANDLE SYSTEM_HANDLE
w32_detach
int w32_detach(RzDebug *dbg, int pid)
Definition: windows_debug.c:622
w32_select
int w32_select(RzDebug *dbg, int pid, int tid)
Definition: windows_debug.c:837
w32_reg_write
int w32_reg_write(RzDebug *dbg, int type, const ut8 *buf, int size)
Definition: windows_debug.c:570
PULONG
PULONG
Definition: windows_debug.h:124
w32_desc_list
RzList * w32_desc_list(int pid)
Definition: windows_debug.c:1471
w32_map_alloc
RzDebugMap * w32_map_alloc(RzDebug *dbg, ut64 addr, int size)
Definition: windows_debug.c:1186
addr
static int addr
Definition: z80asm.c:58