Just a simple x64 Windows debugger written in C++
These are the useful functions provided by the Windows API that are used to build the core functionality of this debugger.

- CreateProcessA: creates a new process. Passing DEBUG_PROCESS in dwCreationFlags makes the new process (and any child process it later spawns) a debuggee of the caller, so its debug events can be collected with WaitForDebugEvent. DEBUG_ONLY_THIS_PROCESS does the same without following child processes.
- OpenProcess: opens an existing process. PROCESS_ALL_ACCESS is the convenient choice; the memory and query calls below only actually need PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION.
- DebugActiveProcess: attaches the debugger to a process that is already running (SeDebugPrivilege is needed for processes owned by other users). The system then replays CREATE_PROCESS, CREATE_THREAD and LOAD_DLL events for everything that already exists and raises an initial EXCEPTION_BREAKPOINT in the target. DebugActiveProcessStop detaches again.
- WaitForDebugEvent: blocks until a debug event occurs in a debugged process. The filled-in DEBUG_EVENT structure carries the event type in dwDebugEventCode (EXCEPTION_DEBUG_EVENT, CREATE_PROCESS_DEBUG_EVENT, CREATE_THREAD_DEBUG_EVENT, LOAD_DLL_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT, ...) and the reporting thread in dwThreadId. For EXCEPTION_DEBUG_EVENT the u member is an EXCEPTION_DEBUG_INFO whose ExceptionRecord tells us what happened: ExceptionCode is EXCEPTION_BREAKPOINT for a software breakpoint (int3), EXCEPTION_SINGLE_STEP for the trap flag or a hardware breakpoint, and EXCEPTION_GUARD_PAGE for a guard-page memory breakpoint; ExceptionAddress is the faulting instruction, and dwFirstChance tells whether the debuggee has seen the exception yet. The reporting thread is stopped until ContinueDebugEvent, which is when reading and writing its context is meaningful.
- ContinueDebugEvent: lets a thread that reported a debug event run again. dwContinueStatus says what to do with an exception: DBG_CONTINUE marks it as handled by the debugger (the right answer for our own breakpoints and single steps), DBG_EXCEPTION_NOT_HANDLED passes it on to the debuggee's own exception handling. Non-exception events are continued with DBG_CONTINUE.
- CreateToolhelp32Snapshot: takes a snapshot of system state. With TH32CS_SNAPTHREAD the snapshot holds every thread on the system (th32ProcessID is ignored for this flag), so we compare each THREADENTRY32.th32OwnerProcessID against the ID of the debugged process. Threads are also delivered by CREATE_THREAD_DEBUG_EVENT together with a ready-made handle.
- Thread32First: retrieves the first thread of the snapshot as a THREADENTRY32 structure. dwSize must be set to sizeof(THREADENTRY32) before the call or it fails.
- Thread32Next: loops through the remaining threads of the snapshot.
- OpenThread: opens a thread so we can get its context; THREAD_GET_CONTEXT | THREAD_SET_CONTEXT is enough for that (add THREAD_SUSPEND_RESUME if the debugger suspends threads itself).
- GetThreadContext: retrieves the context of a given thread, i.e. the state of all its registers. Setting ContextFlags to CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS before the call asks for every register the debugger needs, including DR0-DR7. On x64 the CONTEXT must be 16-byte aligned (winnt.h declares it DECLSPEC_ALIGN(16), so a local variable is fine; a heap buffer has to be aligned by hand), and the thread must be suspended or stopped at a debug event for the snapshot to be meaningful.
- SetThreadContext: sets the context of a given thread, which lets us modify its registers. This is how a breakpoint hit is fixed up (after an int3 the reported ExceptionAddress is the breakpoint byte while Rip points one past it, so Rip has to be set back to ExceptionAddress), how a single step is requested (set the trap flag, 0x100, in EFlags) and how hardware breakpoints are armed (DR0-DR3 plus DR7).
- ReadProcessMemory: reads the memory of a process at a given address.
- WriteProcessMemory: writes to the memory of a process at a given address (needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION). After patching code, for example writing the 0xCC of a software breakpoint, call FlushInstructionCache on the range.
- GetSystemInfo: fills a SYSTEM_INFO structure whose dwPageSize member gives the system's page size; the page containing an address is address & ~(dwPageSize - 1).
- VirtualQueryEx: retrieves information about the memory region containing a given address of a process. The MEMORY_BASIC_INFORMATION structure gives us the region's BaseAddress and RegionSize, its State, and its access protection in Protect (one of the Memory Protection Constants).
- VirtualProtectEx: changes the access protection of a range of pages in a process. ORing PAGE_GUARD into the current protection turns the page into a memory breakpoint: the first access raises EXCEPTION_GUARD_PAGE (STATUS_GUARD_PAGE_VIOLATION) before the instruction executes. The guard is one-shot, Windows clears it when it raises the exception, so the debugger has to single-step the instruction and re-apply PAGE_GUARD afterwards; and because the granularity is a whole page, accesses to unrelated data on the same page trigger it too and must be filtered by the faulting address.
- GetModuleHandle: returns the HMODULE of a module loaded in the debugger's own process, not the debuggee's. The value is only valid in the debuggee when the DLL sits at the same base there, which is the case for system DLLs such as ntdll and kernel32 (ASLR picks their base once per boot session) but not in general; the reliable source for the debuggee's module bases is lpBaseOfImage / lpBaseOfDll in the CREATE_PROCESS and LOAD_DLL debug events.
- GetProcAddress: retrieves the address of an exported function or variable from a module handle, with the same caveat: subtract the local module base to get an RVA and add the debuggee's base for that module.
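The software-breakpoint lifecycle that the read/write-memory and get/set-context calls above are combined for, as an added example that is not code from this project. The debuggee sits behind a small interface so the bookkeeping compiles and runs anywhere; Win32Target (Windows x64 only, an assumption of how the real calls would be wired, and not exercised off Windows) wraps ReadProcessMemory, WriteProcessMemory, GetThreadContext and SetThreadContext. FakeTarget is a constructed in-memory stand-in, not a real process.

```cpp
// Added example, not code from the project: software breakpoints (int3) with the
// RIP rewind and single-step re-arm that every Win32 debugger needs to get right.
#include <cstdint>
#include <map>
#include <optional>
#include <stdexcept>

constexpr uint8_t  INT3 = 0xCC;                          // 1-byte software breakpoint
constexpr uint32_t EFLAGS_TF = 0x100;                    // trap flag: single-step
constexpr uint32_t CODE_BREAKPOINT  = 0x80000003;        // EXCEPTION_BREAKPOINT
constexpr uint32_t CODE_SINGLE_STEP = 0x80000004;        // EXCEPTION_SINGLE_STEP

struct ThreadState { uint64_t rip = 0; uint32_t eflags = 0; };   // the CONTEXT fields we touch

struct Target {                                          // what the debugger needs from the debuggee
    virtual ~Target() = default;
    virtual uint8_t     read_byte(uint64_t addr) = 0;
    virtual void        write_byte(uint64_t addr, uint8_t v) = 0;
    virtual ThreadState get_state() = 0;                 // context of the thread that reported the event
    virtual void        set_state(const ThreadState& s) = 0;
};

class Breakpoints {
public:
    explicit Breakpoints(Target& t) : t_(t) {}

    void add(uint64_t addr) {                            // arm: save the original byte, patch in int3
        if (saved_.count(addr)) return;
        saved_[addr] = t_.read_byte(addr);
        t_.write_byte(addr, INT3);
    }

    void remove(uint64_t addr) {
        auto it = saved_.find(addr);
        if (it == saved_.end()) return;
        if (rearm_ == addr) rearm_.reset();              // unpatched for a pending step: nothing to restore
        else t_.write_byte(addr, it->second);
        saved_.erase(it);
    }

    // Feed every EXCEPTION_DEBUG_EVENT here (ExceptionCode, ExceptionAddress).
    // true: ours, continue with DBG_CONTINUE. false: not ours, continue with
    // DBG_EXCEPTION_NOT_HANDLED so the debuggee's own handlers see it.
    bool on_exception(uint32_t code, uint64_t addr) {
        if (code == CODE_BREAKPOINT) {
            auto it = saved_.find(addr);
            if (it == saved_.end()) return false;        // e.g. the initial loader breakpoint
            // The CPU already executed the 1-byte int3, so RIP is one past it:
            // rewind, put the original byte back and single-step so the real
            // instruction executes once before the breakpoint is re-armed.
            ThreadState s = t_.get_state();
            s.rip = addr;
            s.eflags |= EFLAGS_TF;
            t_.write_byte(addr, it->second);
            t_.set_state(s);
            rearm_ = addr;
            return true;
        }
        if (code == CODE_SINGLE_STEP && rearm_) {
            t_.write_byte(*rearm_, INT3);                // the step is done: re-arm
            rearm_.reset();
            ThreadState s = t_.get_state();
            s.eflags &= ~EFLAGS_TF;                      // the reported context already has TF clear; be explicit
            t_.set_state(s);
            return true;
        }
        return false;
    }

private:
    Target& t_;
    std::map<uint64_t, uint8_t> saved_;                  // armed breakpoints -> original byte
    std::optional<uint64_t> rearm_;                      // breakpoint temporarily removed for a single-step
};

// Constructed stand-in for a debuggee (a map of bytes and one thread's registers), not a real process.
struct FakeTarget : Target {
    std::map<uint64_t, uint8_t> mem;
    ThreadState state;
    uint8_t read_byte(uint64_t a) override { return mem.at(a); }
    void write_byte(uint64_t a, uint8_t v) override { mem.at(a) = v; }
    ThreadState get_state() override { return state; }
    void set_state(const ThreadState& s) override { state = s; }
};

#if defined(_WIN32) && (defined(_M_X64) || defined(__x86_64__))
#include <windows.h>
struct Win32Target : Target {   // assumed wiring: handles from CreateProcess/OpenThread, thread stopped at a debug event
    HANDLE process = nullptr, thread = nullptr;
    uint8_t read_byte(uint64_t a) override {
        uint8_t b; SIZE_T n;
        if (!ReadProcessMemory(process, (LPCVOID)a, &b, 1, &n)) throw std::runtime_error("ReadProcessMemory");
        return b;
    }
    void write_byte(uint64_t a, uint8_t v) override {
        SIZE_T n;
        if (!WriteProcessMemory(process, (LPVOID)a, &v, 1, &n)) throw std::runtime_error("WriteProcessMemory");
        FlushInstructionCache(process, (LPCVOID)a, 1);   // we just patched code
    }
    CONTEXT context() {          // CONTEXT is DECLSPEC_ALIGN(16) on x64, so a local satisfies the alignment rule
        CONTEXT c{}; c.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
        if (!GetThreadContext(thread, &c)) throw std::runtime_error("GetThreadContext");
        return c;
    }
    ThreadState get_state() override { CONTEXT c = context(); return { c.Rip, (uint32_t)c.EFlags }; }
    void set_state(const ThreadState& s) override {
        CONTEXT c = context(); c.Rip = s.rip; c.EFlags = s.eflags;
        if (!SetThreadContext(thread, &c)) throw std::runtime_error("SetThreadContext");
    }
};
#endif
```

In the debugger's main loop the two calls are WaitForDebugEvent, then for EXCEPTION_DEBUG_EVENT `on_exception(rec.ExceptionCode, (uint64_t)rec.ExceptionAddress)`, then ContinueDebugEvent with DBG_CONTINUE or DBG_EXCEPTION_NOT_HANDLED depending on the return value. Forgetting the rewind leaves the debuggee executing from the middle of the original instruction; forgetting the re-arm makes the breakpoint fire only once.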
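A memory (guard-page) breakpoint built from the VirtualQueryEx, VirtualProtectEx and GetSystemInfo calls above, as an added example that is not code from this project. The page-protection table is a constructed stand-in for the debuggee so the logic compiles anywhere; on Windows the two marked lines in guard() become VirtualQueryEx and VirtualProtectEx (an assumed mapping), page_size comes from SYSTEM_INFO.dwPageSize, the trap flag is set through SetThreadContext, and the faulting address is ExceptionRecord.ExceptionInformation[1].

```cpp
// Added example, not code from the project: guard-page memory breakpoints with
// the one-shot re-arm and same-page false-positive filtering they require.
#include <cstdint>
#include <map>
#include <optional>
#include <vector>

constexpr uint32_t PAGE_GUARD_BIT   = 0x100;        // PAGE_GUARD
constexpr uint32_t CODE_GUARD_PAGE  = 0x80000001;   // EXCEPTION_GUARD_PAGE
constexpr uint32_t CODE_SINGLE_STEP = 0x80000004;   // EXCEPTION_SINGLE_STEP
constexpr uint32_t EFLAGS_TF        = 0x100;        // trap flag

struct Pages {                                      // constructed mock of the debuggee's page protections
    uint64_t page_size = 0x1000;                    // SYSTEM_INFO.dwPageSize
    std::map<uint64_t, uint32_t> protect;           // page base -> MEMORY_BASIC_INFORMATION.Protect
    uint32_t eflags = 0;                            // EFlags of the reporting thread
    uint64_t page_of(uint64_t a) const { return a & ~(page_size - 1); }
};

struct Watch { uint64_t start, len; };
enum class Verdict { NotOurs, Ignore, Hit };         // NotOurs -> DBG_EXCEPTION_NOT_HANDLED, else DBG_CONTINUE

class MemoryBreakpoints {
public:
    explicit MemoryBreakpoints(Pages& p) : p_(p) {}

    void add(uint64_t start, uint64_t len) {        // guard every page the watched range touches
        watches_.push_back({start, len});
        for (uint64_t pg = p_.page_of(start); pg < start + len; pg += p_.page_size)
            guard(pg);
    }

    // Feed EXCEPTION_DEBUG_EVENTs here. Windows clears PAGE_GUARD when it raises
    // the violation (one-shot) and the faulting instruction has NOT executed yet:
    // single-step over it, then put the guard back in the single-step handler.
    Verdict on_exception(uint32_t code, uint64_t access_addr) {
        if (code == CODE_GUARD_PAGE) {
            uint64_t pg = p_.page_of(access_addr);
            if (!watched_page(pg)) return Verdict::NotOurs;  // a guard page we did not set
            rearm_ = pg;
            p_.eflags |= EFLAGS_TF;                          // SetThreadContext with TF set
            for (const Watch& w : watches_)
                if (access_addr >= w.start && access_addr < w.start + w.len) return Verdict::Hit;
            return Verdict::Ignore;                          // same page, unrelated data: re-arm silently
        }
        if (code == CODE_SINGLE_STEP && rearm_) {
            guard(*rearm_);
            rearm_.reset();
            return Verdict::Ignore;
        }
        return Verdict::NotOurs;
    }

    bool armed(uint64_t addr) const { return (p_.protect.at(p_.page_of(addr)) & PAGE_GUARD_BIT) != 0; }

private:
    void guard(uint64_t pg) {
        uint32_t old = p_.protect[pg];                       // VirtualQueryEx(h, pg, &mbi, sizeof mbi); mbi.Protect
        p_.protect[pg] = old | PAGE_GUARD_BIT;               // VirtualProtectEx(h, pg, page_size, old | PAGE_GUARD, &old)
    }
    bool watched_page(uint64_t pg) const {
        for (const Watch& w : watches_)
            if (p_.page_of(w.start) <= pg && pg <= p_.page_of(w.start + w.len - 1)) return true;
        return false;
    }
    Pages& p_;
    std::vector<Watch> watches_;
    std::optional<uint64_t> rearm_;                          // page whose guard the OS consumed
};
```

Verdict::Ignore still means DBG_CONTINUE: the exception was caused by our guard, so the debuggee must not see it, but the access was not to the watched bytes. Only Verdict::Hit is reported to the user.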