Idebug2 - LOAD_DLL_DEBUG_EVENT, UNLOAD_DLL_DEBUG_EVENT

Idebug2 - LOAD_DLL_DEBUG_EVENT, UNLOAD_DLL_DEBUG_EVENT


post datetime: 5/7/2011 8:30:09 PM


IDebug2

LOAD_DLL_DEBUG_EVENT, UNLOAD_DLL_DEBUG_EVENT

IDebug, DebugActiveProcess, LOAD_DLL_DEBUG_EVENT, UNLOAD_DLL_DEBUG_EVENT

Option Strict Off : Option Explicit On

#Region " Imports "

Imports System.Runtime.InteropServices _

, System.Threading _

, System.Security _

, System.Text

#End Region

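' NOTE(review): SuppressUnmanagedCodeSecurity skips the unmanaged-code permission
' stack walk for every P/Invoke in this type (on runtimes that enforce code access
' security), and the declarations are Public. Any caller that can reach this class
' can attach a debugger through it, so keep it inside trusted code or drop the
' attribute before reusing it.
<SuppressUnmanagedCodeSecurity()> _
Public NotInheritable Class IDebug

#Region " .ctor "

    ''' <summary>
    ''' Raised once per debug event seen by a session started with <see cref="Processing"/>.
    ''' The handler runs on the session's worker thread, not on a UI thread.
    ''' </summary>
    Public Shared Event DataReceived(ByRef Message As String)

#End Region

#Region " .Event`s "

    ''' <summary>Forwards a session message to the shared <see cref="DataReceived"/> event.</summary>
    Public Shared Sub OnDataReceived(ByRef Message As String)
        RaiseEvent DataReceived(Message)
    End Sub

#End Region

#Region " D E B U G "

    ' SetLastError:=True is added on the kernel32 calls so a failed attach or wait can
    ' be diagnosed with Marshal.GetLastWin32Error(); the signatures are unchanged.

    <DllImport("kernel32", SetLastError:=True)> _
    Public Shared Function DebugActiveProcess(ByVal PID As UInt32) As UInt32
    End Function

    <DllImport("kernel32", SetLastError:=True)> _
    Public Shared Function DebugActiveProcessStop(ByVal PID As UInt32) As UInt32
    End Function

    <DllImport("kernel32", SetLastError:=True)> _
    Public Shared Function WaitForDebugEvent(<Out()> ByVal LpDebugEvent As [IntPtr] _
                                             , <[In]()> ByVal TTL As UInt32) As Boolean
    End Function

    <DllImport("kernel32", SetLastError:=True)> _
    Public Shared Function ContinueDebugEvent(ByVal dwProcessId As UInt32 _
                                              , ByVal dwThreadId As UInt32 _
                                              , ByVal dwContinueStatus As UInt32 _
                                              ) As UInt32
    End Function

    ' Kept for existing callers. FileHandle is declared as a 32-bit Integer, so this
    ' overload is only safe in a 32-bit process; the class itself uses the
    ' pointer-sized QueryFileInformation declaration below.
    <DllImport("ntdll.dll", CallingConvention:=CallingConvention.StdCall _
               , CharSet:=CharSet.Auto, SetLastError:=True)> _
    Public Shared Function ZwQueryInformationFile( _
          <[In]()> ByVal FileHandle As Integer _
        , <[Out]()> ByVal IoStatusBlock As [IntPtr] _
        , <[Out]()> ByVal FileInformation As [IntPtr] _
        , <[In]()> ByVal Length As Integer _
        , <[In]()> ByVal FileInformationClass As Integer _
        ) As Integer
    End Function

    ' Same native entry point with a pointer-sized handle. The return value is an
    ' NTSTATUS, so SetLastError is deliberately not requested here.
    <DllImport("ntdll.dll", EntryPoint:="ZwQueryInformationFile")> _
    Private Shared Function QueryFileInformation( _
          ByVal FileHandle As IntPtr _
        , ByVal IoStatusBlock As IntPtr _
        , ByVal FileInformation As IntPtr _
        , ByVal Length As Integer _
        , ByVal FileInformationClass As Integer _
        ) As Integer
    End Function

    <DllImport("kernel32", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

#End Region

    ''' <summary>
    ''' One debugging session: attaches to a process, reports its debug events as text
    ''' (DLL loads with the file name of the loaded image), and detaches when the wait
    ''' times out or the loop fails.
    ''' </summary>
    <SuppressUnmanagedCodeSecurity()> _
    Public NotInheritable Class DEBUG_PROCESSING

#Region " .ctor "

        Public Event DataReceived(ByRef Message As String)

        ' Shared for compatibility with existing callers: it always holds the PID of
        ' the most recently constructed session.
        Public Shared PID As UInt32

        ' Per-instance copy, so a second session cannot redirect this one before its
        ' worker thread has attached.
        Private ReadOnly _targetPid As UInt32

        Private Const EXCEPTION_DEBUG_EVENT As Integer = 1
        Private Const CREATE_PROCESS_DEBUG_EVENT As Integer = 3
        Private Const LOAD_DLL_DEBUG_EVENT As Integer = 6
        Private Const UNLOAD_DLL_DEBUG_EVENT As Integer = 7

        Private Const STATUS_BREAKPOINT As Integer = &H80000003
        Private Const STATUS_WX86_BREAKPOINT As Integer = &H4000001F

        Private Const DBG_CONTINUE As UInt32 = &H10002UI
        Private Const DBG_EXCEPTION_NOT_HANDLED As UInt32 = &H80010001UI

        ''' <param name="T">Process id of the process to attach to.</param>
        Sub New(ByVal T As UInt32)
            PID = T
            _targetPid = T
        End Sub

#End Region

        ''' <summary>
        ''' Returns the file name behind a handle, or an empty string when the query
        ''' fails or the handle is skipped.
        ''' </summary>
        ''' <param name="IHandle">Handle value, valid in the current process.</param>
        ''' <param name="IGrantedAccess">Access mask the handle was opened with.</param>
        Public Function GET_NAME_BY_HANDLE_ALL(ByVal IHandle As [Int32], ByVal IGrantedAccess As Integer) As String
            ' Handles with exactly these two access masks are never queried.
            ' NOTE(review): presumably because a name query on such handles can block
            ' the calling thread; the page does not state the reason.
            If IGrantedAccess = &H100000 OrElse IGrantedAccess = &H12019F Then
                Return ""
            End If

            Return QueryFileName(New IntPtr(IHandle))
        End Function

        ''' <summary>
        ''' Queries FileNameInformation (class 9) for a handle and returns the name, or
        ''' an empty string on any non-zero NTSTATUS. Both native buffers are released
        ''' on every path.
        ''' </summary>
        Private Shared Function QueryFileName(ByVal FileHandle As IntPtr) As String
            Const NameBufferSize As Integer = 512
            Const FileNameInformation As Integer = 9

            Dim name As String = ""
            Dim statusBlock As IntPtr = IntPtr.Zero
            Dim nameInfo As IntPtr = IntPtr.Zero

            Try
                ' IO_STATUS_BLOCK is two pointer-sized fields: 8 bytes in a 32-bit
                ' process, 16 in a 64-bit one. A fixed 8-byte block would be
                ' overrun by the native call in a 64-bit process.
                statusBlock = Marshal.AllocHGlobal(IntPtr.Size * 2)
                nameInfo = Marshal.AllocHGlobal(NameBufferSize)

                If QueryFileInformation(FileHandle, statusBlock, nameInfo, NameBufferSize, FileNameInformation) = 0 Then
                    ' FILE_NAME_INFORMATION: a 4-byte length in bytes, then UTF-16 text.
                    ' The length is clamped so the read never leaves the buffer.
                    Dim byteCount As Integer = Marshal.ReadInt32(nameInfo, 0)
                    byteCount = Math.Max(0, Math.Min(byteCount, NameBufferSize - 4))

                    name = Marshal.PtrToStringUni(New IntPtr(nameInfo.ToInt64() + 4), byteCount \ 2)

                    Dim terminator As Integer = name.IndexOf(ControlChars.NullChar)
                    If terminator >= 0 Then name = name.Substring(0, terminator)
                End If
            Finally
                If nameInfo <> IntPtr.Zero Then Marshal.FreeHGlobal(nameInfo)
                If statusBlock <> IntPtr.Zero Then Marshal.FreeHGlobal(statusBlock)
            End Try

            Return name
        End Function

        ''' <summary>Process name for a PID, or the PID as text when the process is gone.</summary>
        Private Shared Function DescribeProcess(ByVal processId As Int32) As String
            Try
                Using target As Process = Process.GetProcessById(processId)
                    Return target.ProcessName
                End Using
            Catch ex As ArgumentException
                Return processId.ToString()
            Catch ex As InvalidOperationException
                Return processId.ToString()
            End Try
        End Function

        ''' <summary>
        ''' Thread entry point: attaches to the target, pumps debug events until
        ''' WaitForDebugEvent fails or sees no event for 100 seconds, then detaches.
        ''' Attach, wait and detach all happen on the calling thread, as the debug API
        ''' requires. By default Windows terminates the target if this thread ends
        ''' while still attached, which is why the detach sits in a Finally block.
        ''' </summary>
        ''' <returns>Always Nothing.</returns>
        Public Function ReceiveCallback()
            If DebugActiveProcess(_targetPid) = 0 Then
                Return Nothing
            End If

            ' The event union follows three DWORDs and is pointer-aligned:
            ' offset 12 in a 32-bit process, 16 in a 64-bit one.
            Dim unionOffset As Integer = 12
            If IntPtr.Size = 8 Then unionOffset = 16

            Dim eventBuffer As IntPtr = IntPtr.Zero

            Try
                eventBuffer = Marshal.AllocHGlobal(10000)

                While WaitForDebugEvent(eventBuffer, 100000UI)
                    Dim dwDebugEventCode As Int32 = Marshal.ReadInt32(eventBuffer, 0)
                    Dim dwProcessId As Int32 = Marshal.ReadInt32(eventBuffer, 4)
                    Dim dwThreadId As Int32 = Marshal.ReadInt32(eventBuffer, 8)
                    Dim EventHandle As [IntPtr] = IntPtr.Zero
                    Dim EventObject As String = Nothing
                    Dim EventCode As String = Nothing
                    Dim continueStatus As UInt32 = DBG_CONTINUE

                    Select Case dwDebugEventCode
                        Case EXCEPTION_DEBUG_EVENT
                            ' Only breakpoints are consumed by the debugger. Every other
                            ' exception goes back to the target's own handlers;
                            ' answering DBG_CONTINUE would hide it from them.
                            Dim exceptionCode As Integer = Marshal.ReadInt32(eventBuffer, unionOffset)
                            If exceptionCode <> STATUS_BREAKPOINT AndAlso exceptionCode <> STATUS_WX86_BREAKPOINT Then
                                continueStatus = DBG_EXCEPTION_NOT_HANDLED
                            End If

                        Case CREATE_PROCESS_DEBUG_EVENT
                            ' hFile is the first member and is owned by the debugger.
                            Dim imageHandle As IntPtr = Marshal.ReadIntPtr(eventBuffer, unionOffset)
                            If imageHandle <> IntPtr.Zero Then CloseHandle(imageHandle)

                        Case LOAD_DLL_DEBUG_EVENT
                            EventCode = "LOAD_DLL_DEBUG_EVENT"
                            EventHandle = Marshal.ReadIntPtr(eventBuffer, unionOffset)
                            EventObject = QueryFileName(EventHandle)
                            ' The debugger owns this file handle; without the close,
                            ' every DLL load leaks one handle in this process.
                            If EventHandle <> IntPtr.Zero Then CloseHandle(EventHandle)

                        Case UNLOAD_DLL_DEBUG_EVENT
                            ' The unload record carries only a base address, so there is
                            ' no handle or file name to report.
                            EventCode = "UNLOAD_DLL_DEBUG_EVENT"
                    End Select

                    Dim report As String = String.Concat(EventCode, " | ", DescribeProcess(dwProcessId), " | ", EventHandle.ToString(), " | ", EventObject)
                    RaiseEvent DataReceived(report)

                    ContinueDebugEvent(CUInt(dwProcessId), CUInt(dwThreadId), continueStatus)
                End While
            Finally
                If eventBuffer <> IntPtr.Zero Then Marshal.FreeHGlobal(eventBuffer)
                DebugActiveProcessStop(_targetPid)
            End Try

            Return Nothing
        End Function

    End Class

    ''' <summary>
    ''' Starts a lowest-priority worker thread that debugs the given process and relays
    ''' its messages through <see cref="DataReceived"/>.
    ''' </summary>
    ''' <param name="PID">Process id of the target.</param>
    Public Shared Sub Processing(ByVal PID As Integer)
        Dim session As New DEBUG_PROCESSING(CUInt(PID))

        AddHandler session.DataReceived, AddressOf OnDataReceived

        Dim th As Thread = New Thread(AddressOf session.ReceiveCallback)
        th.Priority = ThreadPriority.Lowest
        th.Start()
    End Sub

End Class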

---------------------------

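Module Main

#Region "...Invoke"

    Delegate Sub GetDataInvoke(ByRef Message As String)

    ''' <summary>
    ''' Appends one message line to the ICase control, switching to the UI thread
    ''' first when called from the debug worker thread.
    ''' </summary>
    ''' <param name="Message">Text to append; a line break is added after it.</param>
    Public Sub DataMessage(ByRef Message As String)
        ' NOTE(review): Me and ICase are not valid inside a Module. This routine reads
        ' as if it was lifted from a Form that owns a text control named ICase; move
        ' it back into that Form, or pass the Form in, before compiling.
        Try
            If Me.InvokeRequired Then
                ' Re-enter on the UI thread. Invoke is synchronous, so the debug loop
                ' waits until the text has been appended.
                Dim marshalToUi As New GetDataInvoke(AddressOf DataMessage)
                Me.Invoke(marshalToUi, New Object() {Message})
            Else
                ICase.Text = String.Concat(ICase.Text, Message, vbCrLf)
            End If
        Catch ex As Exception
            ' Still best-effort (a closing window must not kill the debug thread),
            ' but the failure is now recorded instead of silently dropped.
            Debug.WriteLine(String.Concat("DataMessage failed: ", ex.ToString()))
        End Try
    End Sub

#End Region

#Region " .Event`s "

    ''' <summary>Handler for IDebug.DataReceived; hands the message to the UI.</summary>
    Public Sub OnDataReceived(ByRef Message As String)
        DataMessage(Message)
    End Sub

#End Region

    ''' <summary>
    ''' Subscribes to debug messages and starts a session on the first process named
    ''' "ProcName".
    ''' </summary>
    Sub Main()
        AddHandler IDebug.DataReceived, AddressOf OnDataReceived

        ' "ProcName" is the author's placeholder for the target's process name.
        Dim candidates As Process() = Process.GetProcessesByName("ProcName")

        ' Without this guard a missing target fails with IndexOutOfRangeException.
        If candidates.Length = 0 Then
            Debug.WriteLine("No process named ""ProcName"" is running; nothing to attach to.")
            Return
        End If

        ' When several processes share the name, only the first one is debugged.
        IDebug.Processing(candidates(0).Id)
    End Sub

End Module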