I want to debug with the Bochs plugin in IDA Pro. I have IDA Pro 6.4 and Bochs 2.5.1.
With every one of my executables, when I start Bochs (in PE mode) I end up executing this:
```asm
bochsys:E0001810 bochsys_R3Entry:
bochsys:E0001810 mov eax, [esp+8]
bochsys:E0001814 mov dword_E0002004, eax
bochsys:E0001819 cmp eax, 1
bochsys:E000181C mov eax, [esp+4]
bochsys:E0001820 jnz short loc_E000182C
bochsys:E0001822 push 0
bochsys:E0001824 push eax
bochsys:E0001825 call near ptr unk_E0001A50
bochsys:E000182A jmp short loc_E0001890
bochsys:E000182C ; ---------------
bochsys:E000182C
bochsys:E000182C loc_E000182C: ; CODE XREF: bochsys:bochsys_R3Entry+10j
bochsys:E000182C mov dword_E00022D8, eax
bochsys:E0001831 mov ecx, [eax+3Ch]
bochsys:E0001834 add ecx, eax
bochsys:E0001836 lea edx, [ecx+0C0h]
bochsys:E000183C mov dword_E0003638, ecx
bochsys:E0001842 mov dword_E00022D4, edx
bochsys:E0001848 mov ecx, [ecx+28h]
bochsys:E000184B add ecx, eax
bochsys:E000184D push 1
bochsys:E000184F mov dword_E0002630, ecx
bochsys:E0001855 mov dword_E00022E0, 0
bochsys:E000185F mov dword_E0002634, eax
bochsys:E0001864 call near ptr unk_E0001770
bochsys:E0001869 push offset aExitprocess ; "ExitProcess"
bochsys:E000186E push offset aKernel32_dll_0 ; "kernel32.dll"
bochsys:E0001873 call near ptr bochsys_BxGetModuleHandleA
bochsys:E0001878 push eax
bochsys:E0001879 call near ptr bochsys_BxGetProcAddress
bochsys:E000187E mov edx, dword_E0002630
bochsys:E0001884 push eax
bochsys:E0001885 push edx
bochsys:E0001886 call near ptr unk_E0001A50
bochsys:E000188B jmp short loc_E0001890
```
At E0001820 the program jumps to loc_E000182C. When it executes the `call near ptr unk_E0001A50`, it stops with this message:

```
Debugger: process has exited (exit code 0)
Bochs debugger has been terminated.
```

It never reaches my code. I have tried various programs built with Visual C++.
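The `bochsys_R3Entry` listing above is walking the PE image that was just mapped at `eax`: it reads `e_lfanew` at DOS-header offset 0x3C and adds the base to get the PE header, takes the address PE+0xC0 (which for a PE32 image is the TLS entry of the data directory, `IMAGE_DIRECTORY_ENTRY_TLS`), reads `AddressOfEntryPoint` at PE+0x28 and adds the base to get the entry point VA, then pushes that entry point together with the resolved `ExitProcess` and calls `unk_E0001A50`. So the second `call unk_E0001A50` is the point where control is handed to the user program; if the process exits there, the program itself (or its CRT startup) ran and exited. The following is an added example, not code from the original question or from the bochsys plugin, that performs the same pointer arithmetic in Python over a constructed minimal PE32 header blob; the header layout, the entry RVA and the base address 0x400000 are made up for illustration.

```python
import struct

# Offsets used by bochsys_R3Entry (all for a PE32 image)
E_LFANEW = 0x3C          # DOS header: file offset of the "PE\0\0" signature
PE_ENTRY_POINT = 0x28    # PE header: OptionalHeader.AddressOfEntryPoint (0x18 + 0x10)
PE_TLS_DIRECTORY = 0xC0  # PE header: DataDirectory[9] = IMAGE_DIRECTORY_ENTRY_TLS


def r3entry_fields(image, base):
    """Mirror the pointer arithmetic in bochsys_R3Entry.

    image: bytes of the mapped PE image (for the headers, RVA == file offset)
    base:  virtual address the image is mapped at (eax in the listing)
    Returns the three addresses the loader computes before it calls the
    entry point: PE header, TLS data-directory entry and entry point VA.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    magic = struct.unpack_from("<H", image, e_lfanew + 0x18)[0]
    if magic != 0x10B:  # PE32 only: PE32+ has the data directory 16 bytes later
        raise ValueError("not a PE32 image")
    pe_hdr = base + e_lfanew                      # mov ecx,[eax+3Ch] ; add ecx,eax
    tls_dir = pe_hdr + PE_TLS_DIRECTORY           # lea edx,[ecx+0C0h]
    entry_rva = struct.unpack_from("<I", image, e_lfanew + PE_ENTRY_POINT)[0]
    entry_va = base + entry_rva                   # mov ecx,[ecx+28h] ; add ecx,eax
    return {"pe_header": pe_hdr, "tls_directory": tls_dir, "entry_point": entry_va}


def build_min_pe32(entry_rva, e_lfanew=0x80):
    """Constructed minimal PE32 header blob (sample input, not a real binary)."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, 1 section, SizeOfOptionalHeader=0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    # IMAGE_OPTIONAL_HEADER32, zero-filled to its full 0xE0 bytes so the
    # data directory (starting at +0x60) is present.
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)       # Magic = PE32
    struct.pack_into("<I", opt, 0x10, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)    # ImageBase (preferred)
    struct.pack_into("<I", opt, 0x5C, 16)          # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    img = build_min_pe32(entry_rva=0x1000)
    for name, va in r3entry_fields(img, base=0x400000).items():
        print("%-14s 0x%08x" % (name, va))
```

Running it prints the PE header at base+0x80, the TLS directory entry at base+0x140 and the entry point at base+0x1000, which is exactly the value bochsys stores in `dword_E0002630` and passes to `unk_E0001A50`.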
If you want to debug a binary linked against MSVCRT, you cannot even reach the application's main(), because the MSVCRT initialization code crashes. The MSVCRT problem comes from some code in the ___tmainCRTStartup() function that tries to initialize the environment variables before calling main().

You need to enable Python as the default interpreter in IDA. Put this script in ~/.idapro or %appdata%\Hex-Rays\IDA Pro as idapythonrc.py:

```python
# idapythonrc.py
import idaapi
idaapi.enable_extlang_python(1)
```
Then, in ida_root\plugins\bochs\startup.py, replace this:

```python
def bochs_startup():
    print "[Python] Bochs debugger has been initialized!\n"
    return 0
```
with this:

```python
def bochs_startup():
    import idaapi
    import idautils
    import idc
    from idc import BPTATTR_COND

    idaapi.msg("[Python] Bochs debugger has been initialized!\n")

    # __initenv holds the pointer to the environment block that the
    # MSVCRT startup code writes to.
    ienv = idc.get_name_ea_simple("__initenv")
    ienv_loc = idc.get_wide_dword(ienv)
    auto_bps = []

    # Conditional breakpoint on the entry point. bochs_late_startup() is
    # not defined in this snippet; it has to exist elsewhere in startup.py.
    ep = idc.get_name_ea_simple("start")
    idc.add_bpt(ep)
    idc.set_bpt_cond(ep, "bochs_late_startup()")
    auto_bps.append(ep)

    # At every reference to __initenv, make the segment that holds the
    # environment block writable before the CRT touches it.
    cond = "BochsVirtProtect(SegStart(0x%x),SegEnd(0x%x)-SegStart(0x%x),1)" % (
        ienv_loc, ienv_loc, ienv_loc)
    for xref in idautils.XrefsTo(ienv, idaapi.XREF_ALL):
        ea = xref.frm
        if idc.get_bpt_attr(ea, BPTATTR_COND) not in [-1, ""]:
            idaapi.msg("[Python] Skipping BP at %08x\n" % ea)
            continue
        idc.add_bpt(ea)
        auto_bps.append(ea)
        idaapi.msg("[Python] Adding bp at %08x with cond %s\n" % (ea, cond))
        idc.set_bpt_cond(ea, cond)
    return 1
```
@ https://tuts4you.com/download.php?view.3136