Introduction
(dum(b)ug) is a full open source Windows debugger core, implemented as C++ class
architecture for instant debugger creation in the Win32 environment. It supports
a number of features, including:
- Full encapsulation of the Win32 debug API
- PE file format parsing (.exe, .dll files)
- Codeview, COFF and FPO debug symbol support (no PDB yet)
- Single-shot soft breakpoints and automatic restore of original code
- Single stepping
- Disassembly using a libdisasm Windows port, including jump prediction
- Handling of exceptions, breakpoints and other important stuff either by
specification of call-back functions or by overloading virtual prototypes
provided in the class in case you prefer to inherit the functionality.
ltrace for Windows
ltrace for Windows - here named "(dum(b)ug) tracer" is a library call
tracer supporting the logging of calls to library or program functions to
automatically identify function arguments and results, hereby aiding quick
auditing of closed source code for the use of insecure functions. This is a
example implementation for the (dum(b)ug) core.
How it works
The (dum(b)ug) tracer works by specifying the function prototypes that are
supposed to be traced and then attaching the tracer to the process in
question or loading the process. The function prototypes are specified in
a trace definition file. Example:
int printf( char *, char *);
"haxor" == int sprintf( [out] char *buffer, [in] fmtchar *format);
This example illustrates a number of concepts (dum(b)ug) tracer uses:
- You can specify plain C notation function prototypes
- You can name arguments for more readable output
- It supports argument directions. Specification of [in] will cause the
argument to be inspected in depth only when the function is entered, [out]
only then the function returns and [both] or no direction information causes
inspection in both cases. This allows you to ignore uninitialized buffers, for
example the output buffer of a sprintf() call.
- You can perform output matching on the returned buffer (or the first [out]
char buffer, in case the return value is not a char* or wchar* buffer). This
way, you will only see functions whose result contains this string
- Variable number of arguments such as with sprintf(char *, char *, ...) is
not supported and you have to rely on the actual output
- wchar type is supported and the output is tailored to be ASCII again
The following types are supported:
- char - a single character
- char* - a char buffer
- fmtchar* - a char string being a format string
- int - a 32bit integer
- int* - a pointer to a 32bit integer
- void - nothing
- void* - arbirary 32bit pointer
- wchar - a single wide character
- wchar* - a wchar buffer
- fmtwchar* - a wchar string begin a format string
Getting the stuff
Full (dum(b)ug) and ltrace source: dumbugVegasRelease.zip
ltrace for Windows Executable only: dumbug_bin_0.3.zip
Blackhat Las Vegas 2004 speech: Bugs.pdf
DEF CON 12 speech: Shutup.pdf