metasm 1.0.1 → 1.0.2

data/metasm/os/main.rb

@@ -0,0 +1,330 @@
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+require 'metasm/main'
+
+module Metasm
+# this module regroups OS-related functions
+# (eg. find_process, inject_shellcode)
+# a 'class' just to be able to inherit from it...
+class OS
+	# represents a running process with a few information, and defines methods to get more interaction (#memory, #debugger)
+	class Process
+		attr_accessor :pid, :path, :modules
+		class Module
+			attr_accessor :path, :addr, :size
+		end
+
+		def initialize(pid=nil)
+			@pid = pid
+		end
+
+		def to_s
+			mod = File.basename(path) rescue nil
+			"#{pid}: ".ljust(6) << (mod || '<unknown>')
+		end
+		def inspect
+			'<Process:' + ["pid: #@pid", modules.to_a.map { |m| " #{'%X' % m.addr} #{m.path}" }].join("\n") + '>'
+		end
+	end
+
+	# returns the Process whose pid is name (if name is an Integer) or first module path includes name (string)
+	def self.find_process(name)
+		case name
+		when nil
+		when Integer
+			list_processes.find { |pr| pr.pid == name }
+		else
+			list_processes.find { |pr| pr.path.to_s.include? name.to_s } or
+				(find_process(Integer(name)) if name =~ /^(0x[0-9a-f]+|[0-9]+)$/i)
+		end
+	end
+
+	# create a new debuggee process stopped at start
+	def self.create_process(path)
+		dbg = create_debugger(path)
+		pr = open_process(dbg.pid)
+		pr.debugger = dbg
+		pr.memory = dbg.memory
+		pr
+	end
+
+	# return 'winos' or 'linos' depending on the underlying OS
+	def self.shortname
+		case RUBY_PLATFORM
+		when /mswin|mingw|cygwin/i; 'winos'
+		when /linux/i; 'linos'
+		end
+	end
+
+	# return the platform-specific version
+	def self.current
+		case shortname
+		when 'winos'; WinOS
+		when 'linos'; LinOS
+		end
+	end
+end
+
+# This class implements an objects that behaves like a regular string, but
+# whose real data is dynamically fetched or generated on demand
+# its size is immutable
+# implements a page cache
+# substrings are Strings (small substring) or another VirtualString
+# (a kind of 'window' on the original VString, when the substring length is > 4096)
+class VirtualString
+	# formats parameters for reading
+	def [](from, len=nil)
+		if not len and from.kind_of? Range
+			b = from.begin
+			e = from.end
+			b = b + length if b < 0
+			e = e + length if e < 0
+			len = e - b
+			len += 1 if not from.exclude_end?
+			from = b
+		end
+		from = from + length if from < 0
+
+		return nil if from > length or (from == length and not len)
+		len = length - from if len and from + len > length
+		return '' if len == 0
+
+		read_range(from, len)
+	end
+
+	# formats parameters for overwriting portion of the string
+	def []=(from, len, val=nil)
+		raise TypeError, 'cannot modify frozen virtualstring' if frozen?
+
+		if not val
+			val = len
+			len = nil
+		end
+		if not len and from.kind_of? Range
+			b = from.begin
+			e = from.end
+			b = b + length if b < 0
+			e = e + length if e < 0
+			len = e - b
+			len += 1 if not from.exclude_end?
+			from = b
+		elsif not len
+			len = 1
+			val = val.chr
+		end
+		from = from + length if from < 0
+
+		raise IndexError, 'Index out of string' if from > length
+		raise IndexError, 'Cannot modify virtualstring length' if val.length != len or from + len > length
+
+		write_range(from, val)
+	end
+
+	# returns the full raw data
+	def realstring
+		ret = ''
+		addr = 0
+		len = length
+		while len > @pagelength
+			ret << self[addr, @pagelength]
+			addr += @pagelength
+			len -= @pagelength
+		end
+		ret << self[addr, len]
+	end
+
+	# alias to realstring
+	# for bad people checking respond_to? :to_str (like String#<<)
+	# XXX alias does not work (not virtual (a la C++))
+	def to_str
+		realstring
+	end
+
+	# forwards unhandled messages to a frozen realstring
+	def method_missing(m, *args, &b)
+		if ''.respond_to? m
+			puts "Using VirtualString.realstring for #{m} from:", caller if $DEBUG
+			realstring.freeze.send(m, *args, &b)
+		else
+			super(m, *args, &b)
+		end
+	end
+
+	# avoid triggering realstring from method_missing if possible
+	def empty?
+		length == 0
+	end
+
+	# avoid triggering realstring from method_missing if possible
+	# heavily used in to find 0-terminated strings in ExeFormats
+	def index(chr, base=0)
+		return if base >= length or base <= -length
+		if i = self[base, 64].index(chr) or i = self[base, @pagelength].index(chr)
+			base + i
+		else
+			realstring.index(chr, base)
+		end
+	end
+
+	def rindex(chr, max=length)
+		return if max > length
+		if max > 64 and i = self[max-64, 64].rindex(chr)
+			max - 64 + i
+		elsif max > @pagelength and i = self[max-@pagelength, @pagelength].rindex(chr)
+			max - @pagelength + i
+		else
+			realstring.rindex(chr, max)
+		end
+	end
+
+	# '=~' does not go through method_missing
+	def =~(o)
+		realstring =~ o
+	end
+
+	# implements a read page cache
+
+	# the real address of our first byte
+	attr_accessor :addr_start
+	# our length
+	attr_accessor :length
+	# array of [addr, raw data], sorted by first == last accessed
+	attr_accessor :pagecache
+	# maximum length of self.pagecache (number of cached pages)
+	attr_accessor :pagecache_len
+	def initialize(addr_start, length)
+		@addr_start = addr_start
+		@length = length
+		@pagecache = []
+		@pagecache_len = 4
+		@pagelength ||= 4096	# must be (1 << x)
+	end
+
+	# returns wether a page is valid or not
+	def page_invalid?(addr)
+		cache_get_page(@addr_start+addr)[2]
+	end
+
+	# invalidates the page cache
+	def invalidate
+		@pagecache.clear
+	end
+
+	# returns the @pagelength-bytes page starting at addr
+	# return nil if the page is invalid/inaccessible
+	# addr is page-aligned by the caller
+	# addr is absolute
+	#def get_page(addr, len=@pagelength)
+	#end
+
+	# searches the cache for a page containing addr, updates if not found
+	def cache_get_page(addr)
+		addr &= ~(@pagelength-1)
+		i = 0
+		@pagecache.each { |c|
+			if addr == c[0]
+				# most recently used first
+				@pagecache.unshift @pagecache.delete_at(i) if i != 0
+				return c
+			end
+			i += 1
+		}
+		@pagecache.pop if @pagecache.length >= @pagecache_len
+		c = [addr]
+		p = get_page(addr)
+		c << p.to_s.ljust(@pagelength, "\0")
+		c << true if not p
+		@pagecache.unshift c
+		c
+	end
+
+	# reads a range from the page cache
+	# returns a new VirtualString (using dup) if the request is bigger than @pagelength bytes
+	def read_range(from, len)
+		from += @addr_start
+		if not len
+			base, page = cache_get_page(from)
+			page[from - base]
+		elsif len <= @pagelength
+			base, page = cache_get_page(from)
+			s = page[from - base, len]
+			if from+len-base > @pagelength		# request crosses a page boundary
+				base, page = cache_get_page(from+len)
+				s << page[0, from+len-base]
+			end
+			s
+		else
+			# big request: return a new virtual page
+			dup(from, len)
+		end
+	end
+
+	# rewrites a segment of data
+	# the length written is the length of the content (a VirtualString cannot grow/shrink)
+	def write_range(from, content)
+		invalidate
+		rewrite_at(from + @addr_start, content)
+	end
+
+	# overwrites a section of the original data
+	#def rewrite_at(addr, content)
+	#end
+end
+
+# on-demand reading of a file
+class VirtualFile < VirtualString
+	# returns a new VirtualFile of the whole file content (defaults readonly)
+	# returns a String if the file is small (<4096o) and readonly access
+	def self.read(path, mode='rb')
+		raise 'no filename specified' if not path
+		if sz = File.size(path) <= 4096 and (mode == 'rb' or mode == 'r')
+			File.open(path, mode) { |fd| fd.read }
+		else
+			File.open(path, mode) { |fd| new fd.dup, 0, sz }
+		end
+	end
+
+	# the underlying file descriptor
+	attr_accessor :fd
+
+	# creates a new virtual mapping of a section of the file
+	# the file descriptor must be seekable
+	def initialize(fd, addr_start = 0, length = nil)
+		@fd = fd
+		if not length
+			@fd.seek(0, File::SEEK_END)
+			length = @fd.tell - addr_start
+		end
+		super(addr_start, length)
+	end
+
+	def dup(addr = @addr_start, len = @length)
+		self.class.new(@fd, addr, len)
+	end
+
+	# reads an aligned page from the file, at file offset addr
+	def get_page(addr, len=@pagelength)
+		@fd.pos = addr
+		@fd.read len
+	end
+
+	def page_invalid?(addr)
+		false
+	end
+
+	# overwrite a section of the file
+	def rewrite_at(addr, data)
+		@fd.pos = addr
+		@fd.write data
+	end
+
+	# returns the full content of the file
+	def realstring
+		@fd.pos = @addr_start
+		@fd.read(@length)
+	end
+end
+end

data/{lib/metasm → metasm}/os/windows.rb

@@ -4,6 +4,7 @@
 #    Licence is LGPL, see LICENCE in the top-level directory
 
 require 'metasm/os/main'
+require 'metasm/debug'
 require 'metasm/dynldr'
 
 module Metasm
@@ -125,6 +126,12 @@ typedef void *HMODULE;
 #define DBG_CONTROL_C                    ((DWORD   )0x40010005L)
 #define DBG_CONTROL_BREAK                ((DWORD   )0x40010008L)
 #define DBG_COMMAND_EXCEPTION            ((DWORD   )0x40010009L)
+#define STATUS_WX86_CONTINUE             ((DWORD   )0x4000001DL)
+#define STATUS_WX86_SINGLE_STEP          ((DWORD   )0x4000001EL)
+#define STATUS_WX86_BREAKPOINT           ((DWORD   )0x4000001FL)
+#define STATUS_WX86_EXCEPTION_CONTINUE   ((DWORD   )0x40000020L)
+#define STATUS_WX86_EXCEPTION_LASTCHANCE ((DWORD   )0x40000021L)
+#define STATUS_WX86_EXCEPTION_CHAIN      ((DWORD   )0x40000022L)
 #define STATUS_GUARD_PAGE_VIOLATION      ((DWORD   )0x80000001L)
 #define STATUS_DATATYPE_MISALIGNMENT     ((DWORD   )0x80000002L)
 #define STATUS_BREAKPOINT                ((DWORD   )0x80000003L)
@@ -416,7 +423,7 @@ typedef struct _CONTEXT_AMD64 {
 
 	XMMREG Vector[26];
 	DWORD64 VectorControl;
-	
+
 	DWORD64 DebugControl;
 	DWORD64 LastBranchToRip;
 	DWORD64 LastBranchFromRip;
@@ -490,6 +497,10 @@ typedef struct _PROCESS_INFORMATION {
 } PROCESS_INFORMATION, *PPROCESS_INFORMATION, *LPPROCESS_INFORMATION;
 
 
+WINAPI
+DWORD
+GetVersion(VOID);
+
 WINBASEAPI
 HANDLE
 WINAPI
@@ -1033,7 +1044,7 @@ OpenThreadToken (
 	__out HANDLE *TokenHandle);
 EOS
 	SE_DEBUG_NAME = 'SeDebugPrivilege'
-	
+
 	new_api_c <<EOS, 'ntdll'
 #line #{__LINE__}
 
@@ -1170,11 +1181,12 @@ EOS
 	# convert a native function return value
 	# if the native does not have the zero_not_fail attribute, convert 0
 	#  to nil, and print a message on stdout
-        def self.convert_ret_c2rb(fproto, ret)
+	def self.convert_ret_c2rb(fproto, ret)
 		@last_err_msg = nil
 		if ret == 0 and not fproto.has_attribute 'zero_not_fail'
 			# save error msg so that last_error_msg returns the same thing if called again
 			puts "WinAPI: error in #{fproto.name}: #{@last_err_msg = last_error_msg}" if $VERBOSE
+			puts caller if $DEBUG
 			nil
 		else super(fproto, ret)
 		end
@@ -1254,12 +1266,12 @@ class WinOS < OS
 		def mappings
 			addr = 0
 			list = []
-			info = WinAPI.alloc_c_struct("MEMORY_BASIC_INFORMATION#{addrsz}")
+			info = WinAPI.alloc_c_struct("MEMORY_BASIC_INFORMATION#{WinAPI.host_cpu.size}")
 			path = [0xff].pack('C') * 512
 
 			hcache = heaps
 
-			while WinAPI.virtualqueryex(handle, addr, info, info.length) != 0
+			while WinAPI.virtualqueryex(handle, addr, info, info.sizeof) != 0
 				addr += info.regionsize
 				next unless info.state & WinAPI::MEM_COMMIT > 0
 
@@ -1273,7 +1285,7 @@ class WinOS < OS
 					WinAPI::PAGE_EXECUTE_READWRITE => 'rwx',
 					WinAPI::PAGE_EXECUTE_WRITECOPY => 'rwx'
 				}[info[:protect] & 0xff]
-				prot << 'g' if info[:protect] & WinAPI::PAGE_GUARD > 0
+				prot = prot.sub('r', '-') + 'g' if info[:protect] & WinAPI::PAGE_GUARD > 0
 				prot << 'p' if info[:type]    & WinAPI::MEM_PRIVATE > 0
 
 				if h = hcache[info.baseaddress]
@@ -1301,7 +1313,7 @@ class WinOS < OS
 			@peb_base ||=
 			if WinAPI.respond_to?(:ntqueryinformationprocess)
 				pinfo = WinAPI.alloc_c_struct('PROCESS_BASIC_INFORMATION')
-				if WinAPI.ntqueryinformationprocess(handle, WinAPI::PROCESSBASICINFORMATION, pinfo, pinfo.length, 0) == 0
+				if WinAPI.ntqueryinformationprocess(handle, WinAPI::PROCESSBASICINFORMATION, pinfo, pinfo.sizeof, 0) == 0
 					pinfo.pebbaseaddress
 				end
 			else
@@ -1336,7 +1348,7 @@ class WinOS < OS
 			@teb_base ||=
 			if WinAPI.respond_to?(:ntqueryinformationthread)
 				tinfo = WinAPI.alloc_c_struct('THREAD_BASIC_INFORMATION')
-				if WinAPI.ntqueryinformationthread(handle, WinAPI::THREADBASICINFORMATION, tinfo, tinfo.length, 0) == 0
+				if WinAPI.ntqueryinformationthread(handle, WinAPI::THREADBASICINFORMATION, tinfo, tinfo.sizeof, 0) == 0
 					tinfo.tebbaseaddress
 				end
 			else
@@ -1373,10 +1385,12 @@ class WinOS < OS
 			@context ||= Context.new(self, :all)
 			if block_given?
 				suspend
-				@context.update
-				ret = yield @context
-				resume
-				ret
+				begin
+					@context.update
+					yield @context
+				ensure
+					resume
+				end
 			else
 				@context
 			end
@@ -1386,28 +1400,34 @@ class WinOS < OS
 		class Context
 			def initialize(thread, kind=:all)
 				@handle = thread.handle
-				tg = thread.process ? thread.process.addrsz : 32
-				case WinAPI.host_cpu.shortname
-				when 'ia32', 'x64'; tg = ((tg == 32) ? 'ia32' : 'x64')
+				tg = (thread.process ? thread.process.addrsz : 32)
+				hcpu = WinAPI.host_cpu.shortname
+				case hcpu
+				when 'ia32', 'x64'
 				else raise "unsupported architecture #{tg}"
 				end
 
 				@getcontext = :getthreadcontext
 				@setcontext = :setthreadcontext
 				case tg
-				when 'ia32'
+				when 32
 					@context = WinAPI.alloc_c_struct('_CONTEXT_I386')
 					@context.contextflags = WinAPI::CONTEXT_I386_ALL
-					if WinAPI.host_cpu.shortname == 'x64'
+					if hcpu == 'x64'
 						@getcontext = :wow64getthreadcontext
 						@setcontext = :wow64setthreadcontext
 					end
-				when 'x64'
+				when 64
 					@context = WinAPI.alloc_c_struct('_CONTEXT_AMD64')
 					@context.contextflags = WinAPI::CONTEXT_AMD64_ALL
 				end
 			end
 
+			# retrieve the actual context structure (so we can pass to API's like StackWalk64)
+			def c_struct
+				@context
+			end
+			
 			# update the context to reflect the current thread reg values
 			# call only when the thread is suspended
 			def update
@@ -1418,15 +1438,17 @@ class WinOS < OS
 				case k.to_s
 				when /^[cdefgs]s$/i
 					@context["seg#{k}"]
-				when /^st(\d*)/i
+				when /^st(\d?)$/i
 					v = @context['st'][$1.to_i]
-					buf = v.str[v.str_off, 10]
+					buf = v.str[v.stroff, 10]
 					# TODO check this, 'D' is 8byte wide
 					buf.unpack('D')[0]
-				when /^xmm(\d+)/i
+				# TODO when /^ymm(\d+)$/i
+				when /^xmm(\d+)$/i
 					v = @context['xmm'][$1.to_i]
 					(v.hi << 64) | v.lo
-				when /^mmx?(\d+)/i
+				when /^mmx?(\d)$/i
+					# XXX probably in st(0/7)
 					@context['xmm'][$1.to_i].lo
 				else
 					@context[k]
@@ -1437,15 +1459,17 @@ class WinOS < OS
 				case k.to_s
 				when /^[cdefgs]s$/i
 					@context["seg#{k}"] = v
-				when /^st(\d*)/i
+				when /^st(\d?)$/i
 					# TODO check this, 'D' is 8byte wide
 					buf = [v, 0, 0].pack('DCC')
 					@context['st'][$1.to_i][0, 10] = buf
-				when /^xmm(\d+)/i
+				# TODO when /^ymm(\d+)$/i
+				when /^xmm(\d+)$/i
 					kk = @context['xmm'][$1.to_i]
 					kk.lo = v & ((1<<64)-1)
 					kk.hi = (v>>64) & ((1<<64)-1)
-				when /^mmx?(\d+)/i
+				when /^mmx?(\d)$/i
+					# XXX st(7-$1) ?
 					@context['xmm'][$1.to_i].lo = v
 				else
 					@context[k] = v
@@ -1455,10 +1479,10 @@ class WinOS < OS
 
 			def method_missing(m, *a)
 				if m.to_s[-1] == ?=
-					super(m, *a) if a.length != 1
+					return super(m, *a) if a.length != 1
 					send '[]=', m.to_s[0...-1], a[0]
 				else
-					super(m, *a) if a.length != 0
+					return super(m, *a) if a.length != 0
 					send '[]', m
 				end
 			end
@@ -1649,6 +1673,11 @@ class << self
 		end
 	end
 
+	# returns the [major, minor] version of the windows os
+	def version
+		v = WinAPI.getversion
+		[v & 0xff, (v>>8) & 0xff]
+	end
 end	# class << self
 end
 
@@ -1699,6 +1728,8 @@ class WinDebugger < Debugger
 	attr_accessor :os_process, :os_thread,
 		:auto_fix_fs_bug,
 		# is current exception handled? (arg to pass to continuedbgevt)
+		# if it has the special value :suspended, it means that the thread
+		# is to be restarted through resume and not continuedbgevt
 		:continuecode
 
 	attr_accessor :callback_unloadlibrary, :callback_debugstring, :callback_ripevent
@@ -1747,6 +1778,7 @@ class WinDebugger < Debugger
 		@os_process = WinOS::Process.new(processinfo.dwprocessid, processinfo.hprocess)
 		@os_thread  = WinOS::Thread.new(processinfo.dwthreadid, processinfo.hthread, @os_process)
 		initialize_osprocess
+		check_target
 	end
 
 	# called whenever we receive a handle to a new process being debugged, after initialisation of @os_process
@@ -1830,17 +1862,46 @@ class WinDebugger < Debugger
 	end
 
 	def set_reg_value(r, v)
-		ctx[r] = v
+		if @state == :running
+			suspend
+			ctx[r] = v
+			resume
+		else
+			ctx[r] = v
+		end
 	end
 
 	def do_continue(*a)
 		@cpu.dbg_disable_singlestep(self)
-		WinAPI.continuedebugevent(@pid, @tid, @continuecode)
+		if @continuecode == :suspended
+			resume
+		else
+			@state = :running
+			WinAPI.continuedebugevent(@pid, @tid, @continuecode)
+		end
 	end
 
 	def do_singlestep(*a)
 		@cpu.dbg_enable_singlestep(self)
-		WinAPI.continuedebugevent(@pid, @tid, @continuecode)
+		if @continuecode == :suspended
+			resume
+		else
+			@state = :running
+			WinAPI.continuedebugevent(@pid, @tid, @continuecode)
+		end
+	end
+
+	def do_enable_bpm(bp)
+		@bpm_info ||= WinAPI.alloc_c_struct("MEMORY_BASIC_INFORMATION#{WinAPI.host_cpu.size}")
+		WinAPI.virtualqueryex(os_process.handle, bp.address, @bpm_info, @bpm_info.sizeof)
+		# TODO save original page perms, check bpm type (:w -> vprotect(PAGE_READONLY)), handle multiple bpm on same page
+		WinAPI.virtualprotectex(os_process.handle, bp.address, bp.internal[:len], @bpm_info[:protect] | WinAPI::PAGE_GUARD, @bpm_info)
+	end
+
+	def do_disable_bpm(bp)
+		@bpm_info ||= WinAPI.alloc_c_struct("MEMORY_BASIC_INFORMATION#{WinAPI.host_cpu.size}")
+		WinAPI.virtualqueryex(os_process.handle, bp.address, @bpm_info, @bpm_info.sizeof)
+		WinAPI.virtualprotectex(os_process.handle, bp.address, bp.internal[:len], @bpm_info[:protect] & ~WinAPI::PAGE_GUARD, @bpm_info)
 	end
 
 	def update_dbgev(ev)
@@ -1855,7 +1916,7 @@ class WinDebugger < Debugger
 			st = ev.exception
 			str = st.exceptionrecord
 			stf = st.dwfirstchance	# non-zero = first chance
-			
+
 			@state = :stopped
 			@info = "exception"
 
@@ -1866,7 +1927,7 @@ class WinDebugger < Debugger
 			# DWORD NumberParameters;
 			# ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
 			case str.exceptioncode
-			when WinAPI::STATUS_ACCESS_VIOLATION
+			when WinAPI::STATUS_ACCESS_VIOLATION, WinAPI::STATUS_GUARD_PAGE_VIOLATION
 				if @auto_fix_fs_bug and ctx.fs != 0x3b
 					# fix bug in xpsp1 where fs would get a random value in a debugee
 					log "wdbg: #{pid}:#{tid} fix fs bug" if $DEBUG
@@ -1882,11 +1943,11 @@ class WinDebugger < Debugger
 				addr = str.exceptioninformation[1]
 				evt_exception(:type => 'access violation', :st => str, :firstchance => stf,
 					      :fault_addr => addr, :fault_access => mode)
-			when WinAPI::STATUS_BREAKPOINT
+			when WinAPI::STATUS_BREAKPOINT, WinAPI::STATUS_WX86_BREAKPOINT
 				# we must ack ntdll interrupts on process start
 				# but we should not mask process-generated exceptions by default..
 				evt_bpx
-			when WinAPI::STATUS_SINGLE_STEP
+			when WinAPI::STATUS_SINGLE_STEP, WinAPI::STATUS_WX86_SINGLE_STEP
 				evt_hwbp_singlestep
 			else
 				@status_name ||= WinAPI.cp.lexer.definition.keys.grep(/^STATUS_/).
@@ -1988,31 +2049,59 @@ class WinDebugger < Debugger
 		@dbg_eventstruct ||= WinAPI.alloc_c_struct('_DEBUG_EVENT')
 		if WinAPI.waitfordebugevent(@dbg_eventstruct, timeout) != 0
 			update_dbgev(@dbg_eventstruct)
+			true
 		end
 	end
 
+	def del_tid
+		# tell Windows to release the THREAD object
+		WinAPI.continuedebugevent(@pid, @tid, @continuecode)
+		super()
+	end
+
+	# do nothing, windows will send us a EXIT_PROCESS event
+	def del_tid_notid
+		nil while do_waitfordebug(10) and !@tid
+	end
+
+	def del_pid
+		# tell Windows to release the PROCESS object
+		WinAPI.debugactiveprocessstop(@pid) if WinAPI.respond_to?(:debugactiveprocessstop)
+		super()
+	end
+
 	def break
 		return if @state != :running
-		if WinAPI.respond_to? :debugbreakprocess
-			WinAPI.debugbreakprocess(os_process.handle)
-		else
-			suspend
-		end
+		# debugbreak() will create a new thread to 0xcc, but wont touch existing threads
+		suspend
 	end
 
 	def suspend
 		os_thread.suspend
+		invalidate
 		@state = :stopped
 		@info = 'thread suspended'
+		@continuecode = :suspended
+	end
+
+	def resume
+		@state = :running
+		@info = nil
+		os_thread.resume
 	end
 
 	def detach
 		del_all_breakpoints
-		if WinAPI.respond_to? :debugactiveprocessstop
-			WinAPI.debugactiveprocessstop(@pid)
-		else
+		if not WinAPI.respond_to? :debugactiveprocessstop
 			raise 'detach not supported'
 		end
+		# handle pending bp events
+		# TODO check_target needs the Breakpoint objects...
+		#pid = @pid ; 50.times { check_target } ; self.pid = pid
+
+		# if we detach after a dbgevt and before calling continuedbgevent, the thread
+		# may receive unhandled exceptions (eg BPX) and crash the process right after detach
+		each_tid { do_continue if @state == :stopped }
 		del_pid
 	end
 
@@ -2021,6 +2110,7 @@ class WinDebugger < Debugger
 	end
 
 	def pass_current_exception(doit = true)
+		return if @continuecode == :suspended
 		@continuecode = (doit ? WinAPI::DBG_EXCEPTION_NOT_HANDLED : WinAPI::DBG_CONTINUE)
 	end
 end