experiment : hook on idapython


IDAPython 中的例子, 演示了怎么使用调试器的 Hook 回调。

在进入断点回调后:

* 打印出函数名称

* 加入了继续执行的请求, 使程序继续跑下去. 用于观察函数执行流程.


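#---------------------------------------------------------------------
# Debug notification hook test
#
# This script starts the executable and steps through the first five
# instructions. Each instruction is disassembled after execution.
#
# Local modification: every breakpoint hit is logged together with the
# name of the function it lies in, and the process is resumed at once,
# so breakpoints serve as trace points for following the execution flow.
#
# Original Author: Gergely Erdelyi <gergely.erdelyi@d-dome.net>
#
# Maintained By: IDAPython Team
#
#---------------------------------------------------------------------
from idaapi import *
# The callbacks below call idaapi.continue_process() by qualified name, so
# bind the module explicitly instead of relying on IDA's script namespace.
import idaapi

# NOTE: GetFunctionName, GetRegValue, GetDisasm and GetLongPrm are helpers
# from the idc module. The script expects IDA's script environment to have
# them in scope already -- confirm this for the IDA version in use.


class MyDbgHook(DBG_Hooks):
    """Debug hook that logs each debugger notification it receives.

    The ``steps`` counter read by ``dbg_step_over`` is not set here; the
    script assigns it on the instance right after installing the hook.
    """

    def dbg_process_start(self, pid, tid, ea, name, base, size):
        """Log the start of the debugged process."""
        print("MyDbgHook : Process started, pid=%d tid=%d name=%s" % (pid, tid, name))

    def dbg_process_exit(self, pid, tid, ea, code):
        """Log process termination together with its exit code."""
        print("MyDbgHook : Process exited pid=%d tid=%d ea=0x%x code=%d" % (pid, tid, ea, code))

    def dbg_library_unload(self, pid, tid, ea, info):
        """Log a library unload event."""
        print("MyDbgHook : Library unloaded: pid=%d tid=%d ea=0x%x info=%s" % (pid, tid, ea, info))
        return 0

    def dbg_process_attach(self, pid, tid, ea, name, base, size):
        """Log that the debugger attached to a process."""
        print("MyDbgHook : Process attach pid=%d tid=%d ea=0x%x name=%s base=%x size=%x" % (pid, tid, ea, name, base, size))

    def dbg_process_detach(self, pid, tid, ea):
        """Log that the debugger detached from the process."""
        print("MyDbgHook : Process detached, pid=%d tid=%d ea=0x%x" % (pid, tid, ea))
        return 0

    def dbg_library_load(self, pid, tid, ea, name, base, size):
        """Log a library load event with the library's base address."""
        # Was a Python 2 print statement; the call form matches the other
        # callbacks and also parses under Python 3.
        print("MyDbgHook : Library loaded: pid=%d tid=%d name=%s base=%x" % (pid, tid, name, base))

    def dbg_bpt(self, tid, ea):
        """Log a breakpoint hit with its function name, then resume.

        Returns:
            0, so that no breakpoint warning dialog is shown. The
            possible values are:
              -1 - display a breakpoint warning dialog if the process is
                   suspended.
               0 - never display a breakpoint warning dialog.
               1 - always display a breakpoint warning dialog.
        """
        # The callback only receives the thread id. The label used to read
        # "pid=", so logs captured with the unmodified script show the
        # thread id under that name.
        print("MyDbgHook : Break point at %s[0x%x] tid=%d" % (GetFunctionName(ea), ea, tid))

        # Breakpoints are used purely as trace points here: resume
        # immediately instead of leaving the process suspended.
        idaapi.continue_process()
        return 0

    def dbg_suspend_process(self):
        """Log that the process was suspended."""
        print("MyDbgHook : Process suspended")

    def dbg_exception(self, pid, tid, ea, exc_code, exc_can_cont, exc_ea, exc_info):
        """Log an exception raised in the debugged process.

        Returns:
            0, so that no exception warning dialog is shown. The
            possible values are:
              -1 - display an exception warning dialog if the process is
                   suspended.
               0 - never display an exception warning dialog.
               1 - always display an exception warning dialog.
        """
        # NOTE(review): the mask presumably keeps a negative exception code
        # printable as an unsigned hex value -- confirm.
        print("MyDbgHook : Exception: pid=%d tid=%d ea=0x%x exc_code=0x%x can_continue=%d exc_ea=0x%x exc_info=%s" % (
            pid, tid, ea, exc_code & idaapi.BADADDR, exc_can_cont, exc_ea, exc_info))
        return 0

    def dbg_trace(self, tid, ea):
        """Log a trace event.

        Returns:
            0 to have the trace event logged (1 would suppress it).
        """
        print("MyDbgHook : Trace tid=%d ea=0x%x" % (tid, ea))
        return 0

    def dbg_step_into(self):
        """Log the step-into event and treat it like a step-over."""
        print("MyDbgHook : Step into")
        self.dbg_step_over()

    def dbg_run_to(self, pid, tid=0, ea=0):
        """Log that a run-to request completed, then resume the process."""
        print("MyDbgHook : Runto: tid=%d" % tid)
        idaapi.continue_process()

    def dbg_step_over(self):
        """Disassemble the current instruction and queue the next action.

        Requests another step-over until ``self.steps`` reaches five,
        then requests that the process exit.
        """
        # Reads the register literally named "EIP", so this assumes a
        # 32-bit x86 debuggee.
        eip = GetRegValue("EIP")
        print("MyDbgHook : 0x%x %s" % (eip, GetDisasm(eip)))

        self.steps += 1
        if self.steps >= 5:
            request_exit_process()
        else:
            request_step_over()


# Remove an existing debug hook left over from a previous run of this script
try:
    if debughook:
        print("MyDbgHook : Removing previous hook")
        debughook.unhook()
except NameError:
    # First run in this session: there is no earlier hook to remove.
    pass
except Exception as exc:
    # Removal stays best-effort, but a failure is reported instead of being
    # swallowed: a stale hook that remains installed keeps receiving events.
    print("MyDbgHook : Could not remove previous hook: %s" % exc)

# Install the debug hook
debughook = MyDbgHook()
debughook.hook()
debughook.steps = 0

# Stop at the entry point
ep = GetLongPrm(INF_START_IP)
print("GetLongPrm(INF_START_IP) = 0x%X" % ep)
request_run_to(ep)

# Step one instruction
request_step_over()

# Start debugging: runs the queued requests, which starts the debuggee
# under the debugger configured in IDA.
run_requests()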



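脚本执行结果 (加载脚本, 在 IDA 中下断点, 然后用 IDA 运行被调试的程序)。注意: 下面输出中 "Break point at ..." 行里 pid= 后面打印的其实是线程 ID (与 "Process started" 行中的 tid 相同), 而不是进程 ID。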

MyDbgHook : Removing previous hookGetLongPrm(INF_START_IP) = 0x133133CWindbg: using debugging tools from 'C:\Program Files (x86)\Debugging Tools for Windows (x86)\'1330000: process D:\LsWorkDir\Demo\TestConsole\Release\TestConsole.exe has started (pid=5652)MyDbgHook : Process started, pid=5652 tid=6996 name=D:\LsWorkDir\Demo\TestConsole\Release\TestConsole.exe77020000: loaded ntdll.dllMyDbgHook : Library loaded: pid=5652 tid=6996 name=ntdll.dll base=77020000Unloaded MyDbgHook : Library unloaded: pid=5652 tid=6996 ea=0x770301b4 info=Unloaded MyDbgHook : Library unloaded: pid=5652 tid=6996 ea=0x770301b4 info=Unloaded MyDbgHook : Library unloaded: pid=5652 tid=6996 ea=0x770301b4 info=Unloaded MyDbgHook : Library unloaded: pid=5652 tid=6996 ea=0x770301b4 info=75560000: loaded C:\Windows\syswow64\kernel32.dllMyDbgHook : Library loaded: pid=5652 tid=6996 name=C:\Windows\syswow64\kernel32.dll base=7556000074B90000: loaded C:\Windows\syswow64\KERNELBASE.dllMyDbgHook : Library loaded: pid=5652 tid=6996 name=C:\Windows\syswow64\KERNELBASE.dll base=74b9000071B70000: loaded C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dllMyDbgHook : Library loaded: pid=5652 tid=6996 name=C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dll base=71b70000MyDbgHook : Runto: tid=0MyDbgHook : Break point at _wmain[0x1331000] pid=6996MyDbgHook : Break point at _wmain[0x1331006] pid=6996MyDbgHook : Break point at _wmain[0x1331051] pid=6996MyDbgHook : Break point at _wmain[0x133102a] pid=6996MyDbgHook : Break point at _wmain[0x1331051] pid=6996MyDbgHook : Break point at _wmain[0x133102a] pid=6996MyDbgHook : Break point at _wmain[0x1331051] pid=6996MyDbgHook : Break point at _wmain[0x133102a] pid=6996MyDbgHook : Break point at _wmain[0x1331051] pid=6996MyDbgHook : Break point at _wmain[0x133102a] pid=6996MyDbgHook : Break point at _wmain[0x1331051] pid=6996MyDbgHook : Break point at 
_wmain[0x133102a] pid=6996MyDbgHook : Break point at _wmain[0x1331051] pid=6996MyDbgHook : Break point at _wmain[0x133102a] pid=6996MyDbgHook : Break point at _wmain[0x1331060] pid=6996Debugger: process has exited (exit code 0)MyDbgHook : Process exited pid=5652 tid=6996 ea=0x7703fca2 code=0Windbg: using debugging tools from 'C:\Program Files (x86)\Debugging Tools for Windows (x86)\'1330000: process D:\LsWorkDir\Demo\TestConsole\Release\TestConsole.exe has started (pid=6812)MyDbgHook : Process started, pid=6812 tid=6240 name=D:\LsWorkDir\Demo\TestConsole\Release\TestConsole.exe77020000: loaded ntdll.dllMyDbgHook : Library loaded: pid=6812 tid=6240 name=ntdll.dll base=77020000Unloaded MyDbgHook : Library unloaded: pid=6812 tid=6240 ea=0x770301b4 info=Unloaded MyDbgHook : Library unloaded: pid=6812 tid=6240 ea=0x770301b4 info=Unloaded MyDbgHook : Library unloaded: pid=6812 tid=6240 ea=0x770301b4 info=Unloaded MyDbgHook : Library unloaded: pid=6812 tid=6240 ea=0x770301b4 info=75560000: loaded C:\Windows\syswow64\kernel32.dllMyDbgHook : Library loaded: pid=6812 tid=6240 name=C:\Windows\syswow64\kernel32.dll base=7556000074B90000: loaded C:\Windows\syswow64\KERNELBASE.dllMyDbgHook : Library loaded: pid=6812 tid=6240 name=C:\Windows\syswow64\KERNELBASE.dll base=74b9000071B70000: loaded C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dllMyDbgHook : Library loaded: pid=6812 tid=6240 name=C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dll base=71b70000MyDbgHook : Break point at _wmain[0x1331000] pid=6240MyDbgHook : Break point at _wmain[0x1331006] pid=6240MyDbgHook : Break point at _wmain[0x1331051] pid=6240MyDbgHook : Break point at _wmain[0x133102a] pid=6240MyDbgHook : Break point at _wmain[0x1331051] pid=6240MyDbgHook : Break point at _wmain[0x133102a] pid=6240MyDbgHook : Break point at _wmain[0x1331051] pid=6240MyDbgHook : Break point at _wmain[0x133102a] 
pid=6240MyDbgHook : Break point at _wmain[0x1331051] pid=6240MyDbgHook : Break point at _wmain[0x133102a] pid=6240MyDbgHook : Break point at _wmain[0x1331051] pid=6240MyDbgHook : Break point at _wmain[0x133102a] pid=6240MyDbgHook : Break point at _wmain[0x1331051] pid=6240MyDbgHook : Break point at _wmain[0x133102a] pid=6240MyDbgHook : Break point at _wmain[0x1331060] pid=6240Debugger: process has exited (exit code 0)MyDbgHook : Process exited pid=6812 tid=6240 ea=0x7703fca2 code=0


