System function 69 - debugging.
A process can load another process as debugged by setting the corresponding bit in the call to subfunction 7 of function 70.
A process can have only one debugger; one process can debug several others. The system notifies the debugger of events occurring in the debugged process. Messages are written to the buffer defined by subfunction 0.
Format of a message:
+0: dword: message code;
+4: dword: PID of debugged process;
+8: there can be additional data depending on message code.
Message codes:
1 = exception
    in addition, the dword number of the exception is given;
    the process is suspended;
2 = process has terminated
    comes at any termination: both through the system function -1 and at "murder" by any other process (including the debugger itself);
3 = debug exception int 1 = #DB
    in addition, the dword image of the register DR6 is given:
        bits 0-3: condition of the corresponding breakpoint (set by subfunction 9) is satisfied;
        bit 14: exception has occurred because of the trace mode (flag TF is set);
    the process is suspended.
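A bounds-checked decoder for the message format and codes listed above, added here as an example (it is not KolibriOS code). It assumes little-endian dwords and messages packed back to back; the names dbg_msg, dbg_parse and sample are hypothetical and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t code, pid;
    uint32_t extra;     /* exception number (code 1) or DR6 image (code 3) */
    int suspended;      /* codes 1 and 3 leave the debugged process suspended */
    unsigned bp_mask;   /* DR6 bits 0-3: breakpoints whose condition was met */
    int single_step;    /* DR6 bit 14: exception caused by trace mode (TF) */
} dbg_msg;

static uint32_t rd32(const uint8_t *p) {  /* little-endian dword (x86) */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one message; returns bytes consumed, or 0 if truncated/unknown code. */
size_t dbg_parse(const uint8_t *buf, size_t len, dbg_msg *m) {
    memset(m, 0, sizeof *m);
    if (len < 8) return 0;                      /* need code + PID */
    m->code = rd32(buf);
    m->pid  = rd32(buf + 4);
    if (m->code == 2) return 8;                 /* terminated: no extra data */
    if ((m->code != 1 && m->code != 3) || len < 12) return 0;
    m->extra = rd32(buf + 8);
    m->suspended = 1;
    if (m->code == 3) {
        m->bp_mask = m->extra & 0xF;
        m->single_step = (m->extra >> 14) & 1;
    }
    return 12;
}

/* Constructed sample: three messages packed back to back (an assumption),
   followed by 4 stray bytes that must be rejected as a truncated message. */
const uint8_t sample[] = {
    3,0,0,0, 5,0,0,0, 0x02,0x40,0,0,   /* #DB, PID 5, DR6 = 0x4002 */
    1,0,0,0, 5,0,0,0, 13,0,0,0,        /* exception 13, PID 5 */
    2,0,0,0, 5,0,0,0,                  /* PID 5 terminated */
    1,0,0,0 };
int main(void) {
    size_t off = 0, n; dbg_msg m;
    while ((n = dbg_parse(sample + off, sizeof sample - off, &m)) != 0) {
        printf("code=%u pid=%u extra=0x%x bp=0x%x step=%d\n", (unsigned)m.code,
               (unsigned)m.pid, (unsigned)m.extra, m.bp_mask, m.single_step);
        off += n;
    }
    printf("stopped at offset %zu of %zu\n", off, sizeof sample);
    return 0;
}
```

Stopping at the first truncated or unknown message keeps a debugger from reading past the end of the data when the buffer content is incomplete.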
When the debugger terminates, all debugged processes are killed. If the debugger does not want this, it must first detach using subfunction 3.
All subfunctions are applicable only to processes/threads started from the current process by function 70 with the debugging flag set. Debugging of multithreaded programs is not supported yet.
The full list of subfunctions:
subfunction 0 - define data area for debug messages
subfunction 1 - get contents of registers of debugged thread
subfunction 2 - set contents of registers of debugged thread
subfunction 3 - detach from debugged process
subfunction 4 - suspend debugged thread
subfunction 5 - resume debugged thread
subfunction 6 - read from the memory of debugged process
subfunction 7 - write to the memory of debugged process
subfunction 8 - terminate debugged thread
subfunction 9 - set/clear hardware breakpoint
Value for register eax - 69 (SF_DEBUG).
Values for register ebx:
0 - SSF_SET_MESSAGE_AREA - subfunction 0 - define data area for debug messages.
1 - SSF_GET_REGISTERS - subfunction 1 - get contents of registers of debugged thread.
2 - SSF_SET_REGISTERS - subfunction 2 - set contents of registers of debugged thread.
3 - SSF_DETACH - subfunction 3 - detach from debugged process.
4 - SSF_SUSPEND - subfunction 4 - suspend debugged thread.
5 - SSF_RESUME - subfunction 5 - resume debugged thread.
6 - SSF_READ_MEMORY - subfunction 6 - read from memory of debugged process.
7 - SSF_WRITE_MEMORY - subfunction 7 - write to memory of debugged process.
8 - SSF_TERMINATE - subfunction 8 - terminate debugged thread.
9 - SSF_DEFINE_BREAKPOINT - subfunction 9 - set/clear hardware breakpoint.
created 23.08.2020 by Alex2003