
open source Windows debugger core

2006-04-29 09:27 387 views




Introduction

(dum(b)ug) is a full open source Windows debugger core, implemented as a C++ class architecture for instant debugger creation in the Win32 environment. It supports a number of features, including:

Full encapsulation of the Win32 debug API

PE file format parsing (.exe, .dll files)

Codeview, COFF and FPO debug symbol support (no PDB yet)

Single-shot soft breakpoints and automatic restore of original code

Single stepping

Disassembly using a libdisasm Windows port, including jump prediction

Handling of exceptions, breakpoints and other important events either by registering call-back functions or by overriding the virtual methods provided in the class, in case you prefer to inherit the functionality.





ltrace for Windows

ltrace for Windows - here named "(dum(b)ug) tracer" - is a library call tracer that logs calls to library or program functions and automatically identifies function arguments and results, thereby aiding quick auditing of closed source code for the use of insecure functions. This is an example implementation built on the (dum(b)ug) core.

How it works

The (dum(b)ug) tracer works by specifying the function prototypes that are supposed to be traced and then attaching the tracer to the process in question or loading the process. The function prototypes are specified in a trace definition file. Example:
int printf( char *, char *);
"haxor" == int sprintf( [out] char *buffer, [in] fmtchar *format);

This example illustrates a number of concepts (dum(b)ug) tracer uses:

You can specify plain C notation function prototypes

You can name arguments for more readable output

It supports argument directions. Specifying [in] causes the argument to be inspected in depth only when the function is entered, [out] only when the function returns, and [both] or no direction information causes inspection in both cases. This allows you to ignore uninitialized buffers, for example the output buffer of a sprintf() call.

You can perform output matching on the returned buffer (or on the first [out] char buffer, in case the return value is not a char* or wchar* buffer). This way, you will only see functions whose result contains this string.

Variable numbers of arguments, as with sprintf(char *, char *, ...), are not supported; you have to rely on the actual output.

The wchar type is supported; its output is converted back to ASCII.

The following types are supported:

char - a single character

char* - a char buffer

fmtchar* - a char string being a format string

int - a 32bit integer

int* - a pointer to a 32bit integer

void - nothing

void* - arbitrary 32bit pointer

wchar - a single wide character

wchar* - a wchar buffer

fmtwchar* - a wchar string being a format string
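The trace definition format described above, as an added example that is not part of the (dum(b)ug) project: a small C++ parser for one definition line (optional "match" == prefix, C-style prototype, optional [in]/[out]/[both] direction, optional argument name, the type list given above), plus the direction rule expressed as a function. The names TraceDef, parseTraceDef and inspectArgument are my own; the grammar is inferred from the two example lines and the type list, not from the tracer's source.

```cpp
// Added example (hypothetical names, not (dum(b)ug) tracer code): parse one
// trace definition line such as
//   "haxor" == int sprintf( [out] char *buffer, [in] fmtchar *format);
#include <cctype>
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

enum class Direction { In, Out, Both };

struct Argument {
    Direction dir = Direction::Both;  // no annotation means [both]
    std::string type;                 // normalised, e.g. "char*"
    std::string name;                 // optional, e.g. "buffer"
};

struct TraceDef {
    std::string match;       // output-match string; empty if none
    std::string returnType;
    std::string name;
    std::vector<Argument> args;
};

// Types the tracer supports, as listed on the page.
static const std::set<std::string> kSupportedTypes = {
    "char", "char*", "fmtchar*", "int", "int*", "void", "void*",
    "wchar", "wchar*", "fmtwchar*"};

static std::string trim(const std::string& s) {
    std::size_t b = s.find_first_not_of(" \t\r\n");
    if (b == std::string::npos) return "";
    std::size_t e = s.find_last_not_of(" \t\r\n");
    return s.substr(b, e - b + 1);
}

// Remove whitespace so "char *" and "char*" compare equal.
static std::string squash(const std::string& s) {
    std::string out;
    for (char c : s) if (!std::isspace(static_cast<unsigned char>(c))) out += c;
    return out;
}

// Parse "[out] char *buffer", "char *" or "int count". False on unknown
// type or malformed direction.
static bool parseArgument(std::string text, Argument& arg) {
    text = trim(text);
    if (!text.empty() && text[0] == '[') {
        std::size_t close = text.find(']');
        if (close == std::string::npos) return false;
        std::string d = trim(text.substr(1, close - 1));
        if (d == "in") arg.dir = Direction::In;
        else if (d == "out") arg.dir = Direction::Out;
        else if (d == "both") arg.dir = Direction::Both;
        else return false;
        text = trim(text.substr(close + 1));
    }
    // Split off a trailing identifier (the argument name), if any.
    std::size_t i = text.size();
    while (i > 0 && (std::isalnum(static_cast<unsigned char>(text[i - 1])) || text[i - 1] == '_')) --i;
    std::string tail = text.substr(i);
    std::string head = trim(text.substr(0, i));
    if (head.empty()) { head = tail; tail = ""; }  // bare type, e.g. "int"
    std::string type = squash(head);
    if (!kSupportedTypes.count(type)) return false;
    arg.type = type;
    arg.name = tail;
    return true;
}

// Parse one trace definition line; false on anything the format rejects.
bool parseTraceDef(const std::string& line, TraceDef& def) {
    def = TraceDef();
    std::string text = trim(line);
    if (!text.empty() && text[0] == '"') {            // optional "match" ==
        std::size_t endq = text.find('"', 1);
        if (endq == std::string::npos) return false;
        def.match = text.substr(1, endq - 1);
        text = trim(text.substr(endq + 1));
        if (text.compare(0, 2, "==") != 0) return false;
        text = trim(text.substr(2));
    }
    std::size_t open = text.find('('), close = text.rfind(')');
    if (open == std::string::npos || close == std::string::npos || close < open) return false;
    std::string head = trim(text.substr(0, open));     // "int printf"
    std::size_t sp = head.find_last_of(" \t*");
    if (sp == std::string::npos) return false;
    def.name = head.substr(sp + 1);
    def.returnType = squash(head.substr(0, sp + 1));
    if (def.name.empty() || !kSupportedTypes.count(def.returnType)) return false;
    std::string argText = trim(text.substr(open + 1, close - open - 1));
    if (argText.empty() || argText == "void") return true;
    std::stringstream ss(argText);
    std::string piece;
    while (std::getline(ss, piece, ',')) {
        if (trim(piece) == "...") return false;        // variadic: unsupported
        Argument a;
        if (!parseArgument(piece, a)) return false;
        def.args.push_back(a);
    }
    return true;
}

// Direction rule from the page: [in] on entry only, [out] on return only.
bool inspectArgument(const Argument& a, bool onEntry) {
    switch (a.dir) {
        case Direction::In:  return onEntry;
        case Direction::Out: return !onEntry;
        default:             return true;
    }
}

int main() {
    // Constructed sample lines (the two from the text plus a rejected one).
    const char* lines[] = {
        "int printf( char *, char *);",
        "\"haxor\" == int sprintf( [out] char *buffer, [in] fmtchar *format);",
        "int sprintf(char *, char *, ...);"};
    for (const char* l : lines) {
        TraceDef d;
        if (!parseTraceDef(l, d)) { std::cout << "rejected: " << l << "\n"; continue; }
        std::cout << d.name << " match=\"" << d.match << "\" args=" << d.args.size() << "\n";
    }
    return 0;
}
```

Each accepted definition yields a TraceDef that a tracer could use to decide, at the entry and return breakpoints of the named function, which arguments to dump; the variadic and unknown-type cases are rejected up front rather than producing misleading output.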





Getting the stuff
