Sending debug events to Windows debugger from external source - c++

I have created a set of multi-platform C++ components to load and manage various types of digitally signed shared libraries. This handles all aspects of loading and initialziation including mapping them into the calling process, applying branch fix-ups, binding any imports and calling the initialization entry point. The components cannot use LoadLibrary() as it is platform specific and not all of the shared libraries are in PE format.
One of the few remaining issues I am faced with is providing appropriate debugger support for targeted platforms and development environments. In MS Windows environments this includes getting the debuggers to load symbol information generated by the compiler and linker (or converted from other source). Because the loading and initialization of the libraries occurs outside of the kernel, the debugger never receives LOAD_DLL_DEBUG_EVENT and UNLOAD_DLL_DEBUG_EVENT events. This leads to the following questions:
Is there an API or system call that allows events such as LOAD_DLL_DEBUG_EVENT to be sent directly to the debugger?
Is there a documented way to communicate directly with the program or session debug managers or with the machine debug manager service?
Is there an API or system call available to notify the kernel and subsequently the debugger that a DLL has been loaded? Since PE files are one of the primary supported formats this is the most desirable option. It also has the potential benefit of allowing the library to appear in the module list of the process.
Does the WinDBG SDK apply to debugging on Windows as a whole and can WinDBG extensions be used to instruct the debugger to load the symbol information?
I have search extensively for information on the above mentioned topics but have come up short. I have located a bit of information about the data structures used by the Windows debugger but nothing relevant to my specific situation.
I am open to API/system calls and approaches that are documented or undocumented and those requiring elevated privileges to function.

I don't think that there is a way to directly send the kind of events that you want (like LOAD_DLL_DEBUG_EVENT) to a process, at least not easily.
Why don't you simply wrap your libraries inside normal DLLs in Windows? Maybe you embed your custom module loading mechanism inside each "proxy" DLL, in this way you would not need to replicate so much functionality that the OS already provides for you.

If I understood the problem, you may see:
Writing a basic Windows Debuggers
Writing Windows Debugger (Detailed)

Related

System-wide dynamic library functions hooking on macos

I'm working on on-line encryption driver for MacOS. And one of the issues I encountered recently is that I have to control(hook/intercept) some of the regular system functions (on application/user level) like : mmap, open, close ... on system-wide basis, so that I could arbitrary turn on or off that control.
I looked at some of the examples and solutions available, - probably not all of them, - but they all work for that very application that does the hooking, while I need the sort hook that could intercept system calls made from any other application. For example, what do I do to hook and control the call to, say, 'mmap' in /usr/lib/system/libsystem_kernel.dylib, regardless of what application calls that 'mmap'.
I tried rd_route, substitue ... but they seem to work for the application itself and other applications bypass the hook.

C++ Possible to access kernel-mode registry key accesses?

When I used C# i was only able to access user-mode registry accesses.
Is it very difficult to access kernel-mode registry accesses using C++?
I recall reading somewhere I may have to create a dummy windows driver or something?
EDIT: Basically as a hobby project I wish to create a simple registry monitor. However, I do want to catch kernel mode (as well as user mode) registry accesses..... last time I did this, using C# I could not access the kernel mode activity.
There are two ways to achieve this:
Hook the relevant functions in the kernel - the traditional way - which requires a C/Kernel Driver. This is possible on x86 Windows, but on x64 Kernel Patch Protection will detect these modifications and shut down the system (with a bluescreen).
Build a registry filter driver - this is the now encouraged way to attack this problem and is the way process monitor works. You can also build file system filter drivers this way. Essentially, you simply need to pass the information back to userland which boils down to:
IoRegisterDevice(...somewhere in \Devices\YourDriverName...)
IoCreateSymbolicLink(\\DosDevices\Name -> \Devices\YourDriverName)
then a C, C++, C# application should be able to open the file \\.\YourDriverName and DeviceIoControl to it and receive responses.
It is possible to use C++ to write kernel drivers, but see this before you embark on doing so. To be clearer, you need to be really careful about memory in kernel mode (paged, nonpaged) and you're not going to have access to much of the standard library.
As an aside, you should be aware that:
Not all registry hives are accessible to kernel mode drivers, depending on context.
The paths are not common. So the kernel accesses \Registry\System whereas userland accesses HKLM.

C++ Event Hooks

I'm trying to understand event hooks in C++. I know what an event is, I've used them a lot in Java, C# and Javascript.
What I'm having trouble with is finding the documentation, and tutorials on stuff like global hooks, dll injection, global hooks without a DLL.
Lets say that I wanted to iterate through the browser tabis in FireFox .. would I need to hope that FireFox has an API for C++? Or lets say I wanted to do something when a user opens a new tab would I need to use a hook that FireFox would provide in their API?
The above is just an example so people know what I'm trying to learn/understand. Am I thinking on the right ines?
I seen a post on a forum and for the past 2 hours I've took an interest. I always say that a tricky challange, or a new challange, makes a stronger programmer.
Any resources, or any help, would be very much appreciated.
C++ itself does not have events or hooks, but a lot of C++ libraries and frameworks implement them. For an example of generic events library, see Boost.Signals.
Some of the implementations allow their events to be seen by other applications, but the API is application-specific (e.g. for Firefox, see XPCOM).
Windows has a mechanizm of hooks that allows to monitor various events in its windowing system. However, it is an OS feature, not related to C++. As it's a system mechanizm, all Windows applications are affected even if they don't do anything for it. The documentation for Windows hooks can be found here. Also, since you mentioned "global hooks without a DLL", see SetWinEventHook, which is a higher-level API than Windows hooks linked above and can be used with hook functions both implemented in DLLs or EXEs.
Look up MSDN for SetWindowsHookEx. It should be your entrance in Windows hooks. If you ar etargetting a parituclar window for mthe system then a less intrusive option is SetWindowLongPtr. For the first API you are going to need some Dll injection - which gets automatically for you by the system. Just follow these steps:
Create a Dll that exports a HOOKPROC function (actual type dependent upon the hook tpe - read in the docs)
Load that Dll in your application and retrieve a pointer to the HOOKPROC function. LoadLibrary / GetProcAddress APIs may be used for this.
From your application, make a call to SetWindowsHookEx feeding in the appropriate parameters - this will inject the dll in the target process. So, the dll is now loaded into both your app's process and in the target process. So you will need a mechanism to IPC between the two processes probably. Lots of ways here - sockets, pipes, shared segment in DLL, filesystem, windows messages, COM servers + events, etc etc.
The former API, while less powerful, does not require DLL injection.
Choose wisely & good luck!
I dont think firefox would be having a C++ aPI to find the open tabs....
If you want to find out open tabs or whenever a new tab is open , you can basically hook the firefox window and get all events happening on that window to your hook procedure.
If you open spy++ in VC++ and track firefox window , you can see a new MozillaContentWindowClass gets created every time whenever a new tab is opened. So you can basically iterate through window handles and get information about open tabs.
You can use SetWindowLongPtr to set the subclass procedure for that window.

How can I run my application in place of the default Windows XP shell?

I was having a discussion with a colleague about whether or not the following is possible:
Install an MFC application from a USB drive in Windows XP (this installation would be initiated manually by a user with sufficient privileges to install software).
After rebooting, this application should start instead of the default Windows XP shell (explorer.exe).
Does anyone know how I might accomplish this?
You won't be able to run an MFC application before windows starts up because by definition MFC runs off of windows DLLs that are not loaded until windows itself is. Not to mention that Windows is what is responsible for loading a PE in the first place, so you won't even be able to load a compiled EXE or DLL without a custom bootstrapper.
In order to do what you want to do you have a few options. There are (easy) ways for windows to be set to load an application on startup. If that is what you want, then this is entirely possible.
However, if you wish to execute code before and while windows is starting up, then you must first overwrite the bootstrapper (with something like GRUB), execute your code (again, you will not have access to any standard library - you will have to operate directly on the buffers made available to you by the CPU if you wish to do any sort of I/O), then start up windows by launching its bootstrapper. I have no idea how to do this; but that is the general overview of what must happen.
You mentioned DLL injection, which is another possibility. I am not familiar with what DLLs, and in what order, are loaded during windows startup. That will be an exercise for you. What you will have to take into consideration, is that the higher level you want to exist in (i.e. what libraries are available for you to do File/Console I/O) the higher up you need to execute your code in the windows startup process.
My suggestion to you is simply write a program that executes as a service that is started up during windows initialization. Its easy to do, and you will have the entire HAL loaded and ready to actually perform tasks - rather then you having to write device-specific drivers in order to manipulate hardware before window's loads the HAL.
Modify HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit registry value with full path to your application. This key specifies what program should be launched right after a user logs into Windows. The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc for your username. It is possible to add further programs that will launch from this key by separating the programs with a comma

Debugging embedded Lua

How do you debug lua code embedded in a c++ application?
From what I gather, either I need to buy a special IDE and link in their special lua runtime (ugh). Or I need to build a debug console in to the game engine, using the lua debug API calls.
I am leaning toward writing my own debug console, but it seems like a lot of work. Time that I could better spend polishing the other portions of the game.
There are several tools floating around that can do at least parts of what you want. I have seen references to a VS plugin, there is a SciTE debugger extension in Lua for Windows, and there is the Kepler project's RemDebug, as well as their LuaEclipse.
RemDebug may be on the track of what you need, as it was built to allow for debugging CGI scripts written in Lua. It does require access to the LuaSocket module to provide a communications channel between the target script and a controller as well as a couple of other modules.
A bigger issue might be the ability to load arbitrary modules from within whatever sandbox the game engine has put around your scripts. If you have some control over the engine, then that won't be as big an issue.
This isn't currently possible for developers of Adobe Lightroom plugins, for example, because Lightroom does not expose require inside the plugin's sandbox.
A surprise to me has been how rarely I have felt a need for a debugger when working with Lua. I've built several small applications in it for various projects and have been surprised at how well a combination of complete stack backtraces and the occasional print call works to locate the bugs that require "strict" didn't prevent in the first place.
How about Decoda?? there is a video that explains how to use it, and it works pretty darn well for embedded lua source. (i am a happy customer). and it's pretty cheap.
You don't need to write your own console as you may want to start with one of the existing ones. RemDebug has already been suggested; I have been developing MobDebug, which is a debugger based on RemDebug, but with a host of new features and bug fixes. The detailed list of the changes is in the README.
Enabling debugging in your script may be as simple as adding require('mobdebug').start() (if you are running your app and the debugger server on the same machine). This should try to connect to the debugger listening on a default port on localhost. You can use a command-line interface included in MobDebug, or you can use a ZeroBrane Studio, which is a Lua IDE that integrates with MobDebug to provide debugging capabilities. The IDE supports debugging for Love2d, Moai, and other Lua engines and may well work for your set up too.
You can use my debugger: GRLD (graphical remote lua debugger). Like RemDebug it uses a socket connection, but unlike RemDebug it has a nice graphical interface. The source code is provided, so you can make it work on any platform. It works with the standard lua runtime. Free of charge for non-commercial use.
EDIT: sorry, I had to close the website, so the software is not available for download anymore. I might release it as open source software later, if I ever find the time.
EDIT 2: link updated, now hosted in github under the MIT license (open source)
I don't see how calling DebuggerBreak should work, since that is .NET specific. I would assume that only works with the forked Lua targeting the CLR.
If you are using standard Lua you have some rudementary debugging facilities through the lua function call debug.debug(). That will throw Lua into your console, so if you are running lua from a console, you should be able issue lua commands interactively to inspect your current state. debug.debug() wont put you into the current stack frame, so you have to use debug.getlocal() to read the values of your variables.
I haven't tried it myself yet, but I actually don't think making your own workable debug console is that much work. Remember Lua is not as complicated language as C++, so doing this is a lot easier than making a real C++ debugger like say gdb.
I think there are a lot of people who have done similar things already, whos code you could look at. Here is CLI debugger written in only lua. Just one lua file. Shouldn't be to hard use and modify for your needs.
If you are using windows and VS - Can you use the trick we use?
Copy the lua code in a file. Then in the lua code make a call to the Debugger api (in C++ this is DebuggerBreak() I think - see here). then when the lua code executes the debugger will fire up and you should be able to specify the file. Then debug as normal?