Introduction
The most important change is the use of the notification codes instead of callbacks.
We added the new hook type HT_IDD and replaced all callback pointers by notifications.
The debugger module in the debugger_t structure should provide only two callbacks now:
- set_dbg_options - with the same meaning as was before
- callback - this callback will be hooked to the HT_IDD notification point when the debugger is loaded and unhooked during the debugger unloading. The debugger plugin will be the last one to receive notifications.
Notifications
In most cases the name of a notification event corresponds to the old callback name prefixed with "ev_". However, please note that we renamed some events, for example:
- stopped_at_debug_event to ev_suspended.
Many notification callbacks now have an additional argument - errbuf, which is used to report the detailed error message.
| original callback | notification code |
|---|---|
| init_debugger | ev_init_debugger |
| term_debugger | ev_term_debugger |
| get_processes | ev_get_processes |
| start_process | ev_start_process |
| attach_process | ev_attach_process |
| detach_process | ev_detach_process |
| get_debapp_attrs | ev_get_debapp_attrs |
| rebase_if_required_to | ev_rebase_if_required_to |
| prepare_to_pause_process | ev_request_pause |
| exit_process | ev_exit_process |
| get_debug_event | ev_get_debug_event |
| continue_after_event | ev_resume |
| set_exception_info | ev_set_exception_info |
| stopped_at_debug_event | ev_suspended |
| thread_suspend | ev_thread_suspend |
| thread_continue | ev_thread_continue |
| set_resume_mode | ev_set_resume_mode |
| read_registers | ev_read_registers |
| write_register | ev_write_register |
| thread_get_sreg_base | ev_thread_get_sreg_base |
| get_memory_info | ev_get_memory_info |
| read_memory | ev_read_memory |
| write_memory | ev_write_memory |
| is_ok_bpt | ev_check_bpt |
| update_bpts | ev_update_bpts |
| update_lowcnds | ev_update_lowcnds |
| open_file | ev_open_file |
| close_file | ev_close_file |
| read_file | ev_read_file |
| write_file | ev_write_file |
| map_address | ev_map_address |
| get_debmod_extensions | ev_get_debmod_extensions |
| update_call_stack | ev_update_call_stack |
| appcall | ev_appcall |
| cleanup_appcall | ev_cleanup_appcall |
| eval_lowcnd | ev_eval_lowcnd |
| send_ioctl | ev_send_ioctl |
| dbg_enable_trace | ev_dbg_enable_trace |
| is_tracing_enabled | ev_is_tracing_enabled |
| rexec | ev_rexec |
| get_srcinfo_path | ev_get_srcinfo_path |
New notification code:
- ev_bin_search
IDA needs to know if the debugger module will react to specific notification codes. To describe this, the following flags have been added:
- DBG_HAS_GET_PROCESSES
- DBG_HAS_ATTACH_PROCESS
- DBG_HAS_DETACH_PROCESS
- DBG_HAS_REQUEST_PAUSE
- DBG_HAS_SET_EXCEPTION_INFO
- DBG_HAS_THREAD_SUSPEND
- DBG_HAS_THREAD_CONTINUE
- DBG_HAS_SET_RESUME_MODE
- DBG_HAS_THREAD_GET_SREG_BASE
- DBG_HAS_CHECK_BPT
- DBG_HAS_OPEN_FILE
- DBG_HAS_UPDATE_CALL_STACK
- DBG_HAS_APPCALL
- DBG_HAS_REXEC
Please see idd.hpp for more details.
Structures
There are several changes in the structures used by the debugger module.
debugger_t
Renamed fields and methods:
| original name | new name |
|---|---|
| register_classes | regclasses |
| register_classes_default | default_regclasses |
| _registers | registers |
| registers_size | nregs |
| register | regs() |
event_id_t
Renamed events:
| original name | new name |
|---|---|
| PROCESS_START | PROCESS_STARTED |
| PROCESS_EXIT | PROCESS_EXITED |
| THREAD_START | THREAD_STARTED |
| THREAD_EXIT | THREAD_EXITED |
| LIBRARY_LOAD | LIB_LOADED |
| LIBRARY_UNLOAD | LIB_UNLOADED |
| PROCESS_ATTACH | PROCESS_ATTACHED |
| PROCESS_DETACH | PROCESS_DETACHED |
| PROCESS_SUSPEND | PROCESS_SUSPENDED |
Removed events:
- SYSCALL
- WINMESSAGE
Please note that the event codes have been changed.
debug_event_t
Changed to be more robust and controlled.
Public fields have been replaced by accessors.
| original field | new accessor |
|---|---|
| eid | eid(), set_eid() |
| modinfo | modinfo(), set_modinfo() |
| exit_code | exit_code(), set_exit_code() |
| info | info(), set_info() |
| bpt | bpt(), set_bpt() |
| exc | exc(), set_exc() |
Please note that the event THREAD_STARTED can return the thread name using the info accessor.
bpt_t
Added new fields:
- pid - breakpoint process id
- tid - breakpoint thread id
Example
Plugin highlighter have been ported to use the new debugger module API.