Hi! You had to go and have an interesting problem, so I wrote a crappy 
sample :p  https://gist.github.com/mook/33abbeb13b6bb511fc21 - Note that 
I didn't close the handles that I should (see the various 
WaitForDebugEvent-related documentation).

On 11/14/2014 07:49 AM, Vincent Torri wrote:
> Hey,
>
> thanks for the answer. comments below
>
> On Fri, Nov 14, 2014 at 3:35 PM, lh_mouse <lh_mo...@126.com> wrote:
>> Possible solution:
>> 0) Load the debuggee in suspended mode;
>> 1) Calculate the address of its entry point (typically mainCRTStartup or 
>> WinMainCRTStartup) from its PE header, since its header should now have been 
>> loaded into RAM;

If you're using debugging anyway, 
DEBUG_EVENT.u.CreateProcessInfo.lpStartAddress looks suspiciously like 
what the entry point would be anyway.  (In my tests - ran on Wine, not 
real Windows, because I don't have one of those handy anymore - it's 
_mainCRTStartup).  Of course, this solution won't work if somebody 
spawns their own children with DEBUG_PROCESS set for whatever reason.

>> 2) Overwrite the byte at that address with 0xCC (a.k.a. int3 instruction on 
>> both x86 and x64);
>> 3) Resume the process and it should hit the breakpoint, after all 
>> statically-linked DLLs have been loaded successfully, before any static 
>> constructors are invoked;
>
> shouldn't I have to wait a bit so that all the DLL are loaded ? It
> might take some time to load them, no ? That's what is done in the
> link that i have posted

No, since lh_mouse's solution traps the breakpoint instruction, you just 
wait until that breakpoint is hit. (Note that there's an additional 
breakpoint in the loader, you don't want that one - it's a bit early.) 
The solution you linked to patches it with an infinite loop, so it must 
poll for the loop to be hit.  The downside to breakpointing, of course, 
is that you must be the debugger in order to be able to catch that 
breakpoint.

>> 4) Restore that byte;
>> 5) Inject your DLL;
(I didn't implement that part, because I'm lazy.  Beware ASLR, etc.)

>> 6) Resume the process as normal.

If you feel like code-splunking, I believe ConEmu has an implementation 
of hooking descendant processes (to redirect console output).  I have no 
idea how easy that is to read, though; I've never tried.

-- 
Mook



_______________________________________________
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public
