本文探讨了在软件调试过程中保存和恢复快照的技术难点,包括内存变化的感知、句柄关闭的影响及如何正确捕获运行时状态。
保存快照和恢复快照 其实是个比较复杂的事情,因为快照前后,内存可能分配了释放,保护属性可能也改变,或内存释放了被分配,
所以,只是简单的保存commit且是带写属性的内存还是不够的。其二是前后可能涉及句柄的关闭问题,快照前打开的句柄,只是一个数字,恢复了之后,可能在
快照后被关闭过,内核已经清楚这个对象,造成打开句柄失败,影响流程。
所以,要感知内存的变化,屏蔽掉句柄的关闭操作,过滤掉释放内存分配的操作,或许可能还有其它未想到的。
def process_snapshot (self):
'''Take memory / context snapshot of the debuggee. All threads must be suspended before calling this routine.
@raise pdx: An exception is raised on failure.
@rtype: pydbg
@return: Self
'''
self.pydbg_log("taking debuggee snapshot")
do_not_snapshot = [PAGE_READONLY, PAGE_EXECUTE_READ,PAGE_GUARD, PAGE_NOACCESS]
cursor = 0
# reset the internal snapshot data structure lists.
self.memory_snapshot_blocks = []
self.memory_snapshot_contexts = []
# enumerate the running threads and save a copy of their contexts.
for thread_id in self.enumerate_threads():
context = self.get_thread_context(None, thread_id)
self.memory_snapshot_contexts.append(memory_snapshot_context(thread_id, context))
self.pydbg_log("saving thread context of thread id: %08x" % thread_id)
# scan through the entire memory range and save a copy of suitable memory blocks.
while cursor < 0xFFFFFFFF:
save_block = True
try:
mbi = self.virtual_query(cursor)
except:
break
# do not snapshot blocks of memory that match the following characteristics.
# XXX - might want to drop the MEM_IMAGE check to accomodate for self modifying code.
# or mbi.Type == MEM_IMAGE
if mbi.State != MEM_COMMIT:
save_block = False
for has_protection in do_not_snapshot:
if mbi.Protect & has_protection:
save_block = False
break
if save_block:
self.pydbg_log("Adding %08x +%d to memory snapsnot." % (mbi.BaseAddress, mbi.RegionSize))
# read the raw bytes from the memory block.
data = self.read_process_memory(mbi.BaseAddress, mbi.RegionSize)
self.memory_snapshot_blocks.append(memory_snapshot_block(mbi, data))
cursor += mbi.RegionSize
return self.ret_self()
扫一扫
5442
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
