ragweed 0.1.7.3 → 0.2.0.pre1

data/lib/ragweed/debugger32.rb

@@ -1,8 +1,5 @@
 require ::File.join(::File.dirname(__FILE__),'wrap32')
 
-# I am not particularly proud of this code, which I basically debugged
-# into existence, but it does work.
-
 # Debugger class for win32
 # You can use this class in 2 ways:
 #
@@ -15,47 +12,58 @@ require ::File.join(::File.dirname(__FILE__),'wrap32')
 class Ragweed::Debugger32
   include Ragweed
 
-  # Breakpoint class. Handles the actual setting, removal and triggers for
-  # breakpoints. 
-  # no user servicable parts.
+  ## Breakpoint class. Handles the actual setting,
+  ## removal and triggers for breakpoints.
+  ## no user servicable parts.
   class Breakpoint
+
     INT3 = 0xCC
-    attr_accessor :orig
-    attr_accessor :bpid
 
-    def initialize(bp, ip, callable)
-      @@bpid ||= 0
-      @bp = bp 
+    attr_accessor :orig, :deferred, :addr
+
+    def initialize(process, ip, def_status, callable)
+      @process = process
       @addr = ip
       @callable = callable
-      @bpid = (@@bpid += 1)
+      @deferred = def_status
+      @orig = 0
     end
+
+    def addr; @addr; end
     
     def install
-      @orig = process.read8(@addr)
-      if(@orig != INT3)
-        process.write8(@addr, INT3) 
-        Ragweed::Wrap32::flush_instruction_cache(@bp.process.handle)
-      end
+        if @addr == 0 or @deferred == true
+          return
+        end
+
+        o = @process.read8(@addr)
+
+        if(orig != INT3)
+          @orig = o
+          @process.write8(@addr, INT3) 
+          Ragweed::Wrap32::flush_instruction_cache(@process.handle)
+        end
+    end
+
+    def deferred_install(h, base)
+        @addr = @process.get_deferred_proc_remote(@addr, h, base)
+        self.install
+        return @addr
     end
 
     def uninstall
       if(@orig != INT3)
-        process.write8(@addr, @orig) 
-        Ragweed::Wrap32::flush_instruction_cache(@bp.process.handle)
+        @process.write8(@addr, @orig)
+        Ragweed::Wrap32::flush_instruction_cache(@process.handle)
       end
     end
 
     def call(*args); @callable.call(*args); end    
-    def method_missing(meth, *args); @bp.send(meth, *args); end
-  end
+  end ## End Breakpoint class
 
-  # Get a handle to the process so you can mess with it.
+  ## Get a handle to the process so you can mess with it.
   def process; @p; end
   
-  # This is how you normally create a debug instance: with a regex
-  # on the image name of the process.
-  #    d = Debugger.find_by_regex /notepad/i
   def self.find_by_regex(rx)
     Ragweed::Wrap32::all_processes do |p|
       if p.szExeFile =~ rx
@@ -64,179 +72,201 @@ class Ragweed::Debugger32
     end
     nil
   end
-    
-  # If you want to get one by hand, and not by Debugger#find_by_regex,
-  # pass this either a PID or a Process object.
+
   def initialize(p)
-    # grab debug privilege at least once.
-    @@token ||= Ragweed::Wrap32::ProcessToken.new.grant("seDebugPrivilege")
+    ## grab debug privilege at least once
+    @@token ||= Ragweed::Wrap32::ProcessToken.new.grant('seDebugPrivilege')
 
     p = Process.new(p) if p.kind_of? Numeric
     @p = p
     @steppers = []
     @handled = Ragweed::Wrap32::ContinueCodes::UNHANDLED
-    @first = true
     @attached = false
 
-    # for setting breakpoints: inject a thread to do GetProcAddress,
-    # cache the result.
-    @resolve = Hash.new do |h, k|
-      if k.kind_of? String
-        ip = @p.get_proc_remote(k)
-      else
-        ip = k
-      end
-      raise "no such location" if ip == 0 or ip == 0xFFFFFFFF
-      h[k] = ip
-    end
+    ## breakpoints is a hash with a key being the breakpoint
+    ## addr and the value being a Breakpoint class
+    @breakpoints = Hash.new
 
-    # the magic initializer here just makes sure the Hash always
-    # contains arrays with convenience methods.
-    @breakpoints = Hash.new do |h, k|
-      bps = Array.new
-      def bps.call(*args); each {|bp| bp.call(*args)}; end
-      def bps.install; each {|bp| bp.install}; end
-      def bps.uninstall; each {|bp| bp.uninstall}; end 
-      h[k] = bps
-    end
+    ## We want to ignore ntdll!DbgBreakPoint 
+    @ntdll_dbg_break_point = @p.get_proc_remote('ntdll!DbgBreakPoint')
   end
-  
-  # single-step the thread (by TID). "callable" is something that honors
-  # .call, like a Proc. In a dubious design decision: the "handle" to the
-  # single stepper is the Proc object itself. See Debugger#on_breakpoint
-  # for an example of how to use this.
+
+  ## single-step the thread (by TID). "callable" is something that honors
+  ## .call, like a Proc. In a dubious design decision: the "handle" to the
+  ## single stepper is the Proc object itself. See Debugger#on_breakpoint
+  ## for an example of how to use this.
   def step(tid, callable)
     if @steppers.empty?
       Ragweed::Wrap32::open_thread(tid) do |h|
-        ctx = Ragweed::Wrap32::ThreadContext.get(h)
+        ctx = Ragweed::Wrap32::get_thread_context(h)
         ctx.single_step(true)
-        ctx.set(h)
+        Ragweed::Wrap32::set_thread_context(h, ctx)
       end
     end
     @steppers << callable    
   end
 
-  # turn off single-stepping for one callable (you can have more than one
-  # at a time). In other words, when you pass a Proc to Debugger#step, save
-  # it somewhere, and later pass it to "unstep" to turn it off. 
+  ## turn off single-stepping for one callable (you can have more than one
+  ## at a time). In other words, when you pass a Proc to Debugger#step, save
+  ## it somewhere, and later pass it to "unstep" to turn it off. 
   def unstep(tid, callable)
     @steppers = @steppers.reject {|x| x == callable}
     if @steppers.empty?
       Ragweed::Wrap32::open_thread(tid) do |h|
-        ctx = Ragweed::Wrap32::ThreadContext.get(h)
+        ctx = Ragweed::Wrap32::get_thread_context(h)
         ctx.single_step(false)
-        ctx.set(h)
+        Ragweed::Wrap32::set_thread_context(h, ctx)
       end
     end
   end
 
-  # convenience: either from a TID or a BreakpointEvent, get the thread context.
+  ## convenience: either from a TID or a BreakpointEvent, get the thread context.
   def context(tid_or_event)
     if not tid_or_event.kind_of? Numeric
       tid = tid_or_event.tid
     else
       tid = tid_or_event
     end
-    Ragweed::Wrap32::open_thread(tid) {|h| Ragweed::Wrap32::ThreadContext.get(h)}
+    Ragweed::Wrap32::open_thread(tid) { |h| Ragweed::Wrap32::get_thread_context(h) }
   end
 
-  # set a breakpoint given an address, which can also be a string in the form
-  # "module!function", as in, "user32!SendMessageW". Be aware that the symbol
-  # lookup takes place in an injected thread; it's safer to use literal addresses.
+  ## set a breakpoint given an address, which can also be a string in the form
+  ## "module!function", as in, "user32!SendMessageW". Be aware that the symbol
+  ## lookup takes place in an injected thread; it's safer to use literal addresses
+  ## when possible.
   #
-  # to handle the breakpoint, pass a block to this method, which will be called
-  # when the breakpoint hits.
+  ## to handle the breakpoint, pass a block to this method, which will be called
+  ## when the breakpoint hits.
   #
-  # breakpoints are always re-set after firing. If you don't want them to be
-  # re-set, unset them manually.
-  #
-  # returns a numeric id that can be used to clear the breakpoint.
+  ## breakpoints are always re-set after firing. If you don't want them to be
+  ## re-set, unset them manually.
   def breakpoint_set(ip, callable=nil, &block)
     if not callable and block_given?
       callable = block
     end
-    ip = @resolve[ip]
-    @breakpoints[ip] << Breakpoint.new(self, ip, callable)
-  end
 
-  # clear a breakpoint given an id, or clear all breakpoints associated with
-  # an address.  
-  def breakpoint_clear(ip, bpid=nil)
-    ip = @resolve[ip]
-    if not bpid
-      @breakpoints[ip].uninstall
-      @breakpoints.delete ip
+    def_status = false
+
+    ## This is usually 'Module!Function' or 'Module!0x1234'
+    if @p.is_breakpoint_deferred(ip) == true
+        def_status = true
     else
-      found = nil
-      @breakpoints[ip].each_with_index do |bp, i|
-        if bp.bpid == bpid
-          found = i
-          if bp.orig != Breakpoint::INT3
-            if @breakpoints[ip][i+1]
-              @breakpoints[ip][i + 1].orig = bp.orig
-            else
-              bp.uninstall
-            end
-          end
-        end
-      end
-      raise "couldn't find #{ ip }" if not found
-      @breakpoints[ip].delete_at(found) if found
+        def_status = false
+        ip = @p.get_proc_remote(ip)
     end
+
+    ## If we cant immediately set the breakpoint
+    ## mark it as deferred and wait till later
+    ## Sometimes *_proc_remote() will return the
+    ## name indicating failure (just in case)
+    if ip == 0 or ip == 0xFFFFFFFF or ip.kind_of? String
+      def_status = true
+    else
+      def_status = false
+    end
+
+    ## Dont want duplicate breakpoint objects
+    @breakpoints.each_key { |k| if k == ip then return end }
+    bp = Breakpoint.new(@p, ip, def_status, callable)
+    @breakpoints[ip] = bp
+  end
+
+  ## Clear a breakpoint by ip
+  def breakpoint_clear(ip)
+    bp = @breakpoints[ip]
+
+    if bp.nil?
+        return nil
+    end
+
+    bp.uninstall
+    @breakpoints.delete(ip)
   end 
   
-  # handle a breakpoint event:
-  # call handlers for the breakpoint, step past and reset it.
+  ## handle a breakpoint event:
+  ## call handlers for the breakpoint, step past and reset it.
   def on_breakpoint(ev)
-    if @first
-
-      # DbgUiRemoteInjectWhatever actually injects a thread into the
-      # target process, which explicitly issues an INT3. We never care
-      # about this breakpoint right now.
-      @first = false
-    else
       ctx = context(ev)
       eip = ev.exception_address
-      
-      # call handlers, then clear the breakpoint so we can execute the
-      # real instruction.
-      @breakpoints[eip].first.uninstall
+
+      if eip == @ntdll_dbg_break_point
+        return
+      end
+
+      @breakpoints[eip].uninstall
+
+      ## Call the block passed to breakpoint_set
+      ## which may have been passed through hook()
       @breakpoints[eip].call(ev, ctx)
 
-      # single step past the instruction...
+      ## single step past the instruction...
       step(ev.tid, (onestep = lambda do |ev, ctx|
         if ev.exception_address != eip
-
-          # ... then re-install the breakpoint ...
-          if not @breakpoints[eip].empty?
-            @breakpoints[eip].first.install
+          ## ... then re-install the breakpoint ...
+          if not @breakpoints[eip].nil?
+            @breakpoints[eip].install
           end
-
-          # ... and stop single-stepping.
+          ## ... and stop single-stepping.
           unstep(ev.tid, onestep)
         end
-      end)) 
+      end))
 
-      # put execution back where it's supposed to be...
+      ## Put execution back where it's supposed to be...
       Ragweed::Wrap32::open_thread(ev.tid) do |h|
         ctx = context(ev)
-        ctx.eip = eip # eip was ev.exception_address
-        ctx.set(h)
+        ctx.eip = eip ## eip was ev.exception_address
+        Ragweed::Wrap32::set_thread_context(h, ctx)
       end
-    end
   
-    # tell the target to stop handling this event
+    ## Tell the target to stop handling this event
     @handled = Ragweed::Wrap32::ContinueCodes::CONTINUE
   end
 
-  # handle a single-step event  
+  ## FIX: this method should be a bit more descriptive in its naming
+  def get_dll_name(ev)
+    name = Ragweed::Wrap32::get_mapped_filename(@p.handle, ev.base_of_dll, 256)
+    name.gsub!(/[\n]+/,'')
+    name.gsub!(/[^\x21-\x7e]/,'')
+    i = name.index('0')
+    i ||= name.size
+    return name[0, i]
+  end
+
+  def on_load_dll(ev)
+    dll_name = get_dll_name(ev)
+
+    @breakpoints.each_pair do |k,bp|
+        if !bp.addr.kind_of?String
+            next
+        end
+
+        m,f = bp.addr.split('!')
+
+        if dll_name =~ /#{m}/i
+            deferred = bp.deferred
+
+            if deferred == true
+                bp.deferred = false
+            end
+
+            new_addr = bp.deferred_install(ev.file_handle, ev.base_of_dll)
+
+            if !new_addr.nil?
+                @breakpoints[new_addr] = bp.dup
+                @breakpoints.delete(k)
+            end
+        end
+    end
+  end
+
+  ## handle a single-step event  
   def on_single_step(ev)
     ctx = context(ev)
     Ragweed::Wrap32::open_thread(ev.tid) do |h|
-      # re-enable the trap flag before our handler, which may
-      # choose to disable it.
+      ## re-enable the trap flag before our handler,
+      ## which may choose to disable it.
       ctx.single_step(true)
-      ctx.set(h)
+      Ragweed::Wrap32.set_thread_context(h, ctx)
     end
     
     @steppers.each {|s| s.call(ev, ctx)}
@@ -244,18 +274,31 @@ class Ragweed::Debugger32
     @handled = Ragweed::Wrap32::ContinueCodes::CONTINUE
   end
 
-  # this is sort of insane but most of my programs are just
-  # debug loops, so if you don't do this, they just hang when
-  # the target closes.
+  ## This is sort of insane but most of my programs are just
+  ## debug loops, so if you don't do this, they just hang when
+  ## the target closes.
   def on_exit_process(ev)
     exit(1)
   end
 
-  # Read through me to see all the random events you can hook in
-  # a subclass. 
-  # 
-  # call me directly if you want to handle multiple debugger instances,
-  # i guess. 
+  ## TODO: Implement each of these
+  def on_create_process(ev)       end
+  def on_create_thread(ev)        end
+  def on_exit_thread(ev)          end
+  def on_output_debug_string(ev)  end
+  def on_rip(ev)                  end
+  def on_unload_dll(ev)           end
+  def on_alignment(ev)            end
+  def on_bounds(ev)               end
+  def on_divide_by_zero(ev)       end
+  def on_int_overflow(ev)         end
+  def on_invalid_handle(ev)       end
+  def on_priv_instruction(ev)     end
+  def on_stack_overflow(ev)       end
+  def on_invalid_disposition(ev)  end
+
+  ## Read through me to see all the random events
+  ## you can hook in a subclass.
   def wait
     self.attach() if not @attached
 
@@ -309,30 +352,30 @@ class Ragweed::Debugger32
     @handled = Ragweed::Wrap32::ContinueCodes::UNHANDLED
   end
 
-  # debug loop.
+  ## Debug loop
   def loop
     while true
       wait
     end
   end
   
-  # this is called implicitly by Debugger#wait.
-  # Attaches to the child process for debugging
+  ## This is called implicitly by Debugger#wait.
+  ## Attaches to the child process for debugging
   def attach
     Ragweed::Wrap32::debug_active_process(@p.pid)
     Ragweed::Wrap32::debug_set_process_kill_on_exit
     @attached = true
-    @breakpoints.each do |k, v|
-      v.install
+    @breakpoints.each_pair do |k, bp|
+      bp.install
     end
   end
 
-  # let go of the target.
+  ## Let go of the target.
   def release
     Ragweed::Wrap32::debug_active_process_stop(@p.pid)
     @attached = false
-    @breakpoints.each do |k, v|
-      v.uninstall
+    @breakpoints.each_pair do |k, bp|
+      bp.uninstall
     end
   end
 end

data/lib/ragweed/debuggerosx.rb

@@ -149,13 +149,15 @@ class Ragweed::Debuggerosx
         rescue Errno::EBUSY
           # Yes this happens and it's wierd
           # Not sure it should happen
-          pp 'unable to self.continue'
-          pp self.get_registers
+          if $DEBUG
+            puts 'unable to self.continue'
+            puts self.get_registers
+          end
         retry
         end
       when signal == 0x13 #WIFCONTINUED
         try(:on_continue)
-      else #holy broken stuff batman
+      else
         raise "Unknown signal '#{signal}' recieved: This should not happen - ever."
       end
     end
@@ -163,32 +165,28 @@ class Ragweed::Debuggerosx
   end
 
   # these event functions are stubs. Implementations should override these
-  def on_single_step
-    pp "Single stepping #{ thread } (on_single_step)"
-    pp Ragweed::Wraposx::ThreadInfo.get(thread)
+  def on_attach
   end
 
-  def on_sigsegv
-    pp Ragweed::Wraposx::ThreadContext.get(thread)
-    pp Ragweed::Wraposx::ThreadInfo.get(thread)
+  def on_detach
+  end
+
+  def on_single_step
+    #puts Ragweed::Wraposx::ThreadInfo.get(thread).inspect
   end
 
   def on_exit(status)
-    pp "Exited! (on_exit)"
     @exited = true
   end
 
   def on_signal(signal)
-    pp "Exited with signal #{ signal } (on_signal)"
     @exited = true
   end
 
   def on_stop(signal)
-    pp "#Stopped with signal #{ signal } (on_stop)"
   end
 
   def on_continue
-    pp "Continued! (on_continue)"
   end
 
   # installs all breakpoints into child process
@@ -216,6 +214,7 @@ class Ragweed::Debuggerosx
     r = Ragweed::Wraposx::ptrace(Ragweed::Wraposx::Ptrace::ATTACH,@pid,0,0)
     # Ragweed::Wraposx::ptrace(Ragweed::Wraposx::Ptrace::CONTINUE,@pid,1,0)
     @attached = true
+    on_attach
     self.hook(opts) if (opts[:hook] and not @hooked)
     self.install_bps if (opts[:install] and not @installed)
     return r
@@ -228,6 +227,7 @@ class Ragweed::Debuggerosx
     self.uninstall_bps if @installed
     r = Ragweed::Wraposx::ptrace(Ragweed::Wraposx::Ptrace::DETACH,@pid,0,Ragweed::Wraposx::Wait::UNTRACED)
     @attached = false
+    on_detach
     self.unhook(opts) if opts[:hook] and @hooked
     return r
   end