IDA 7.1 debugging module: Porting from IDA 4.9-7.0 API to IDA 7.1 API

Introduction

The most important change is the use of notification codes instead of callbacks.

We added the new hook type HT_IDD and replaced all callback pointers by notifications.

The debugger module in the debugger_t structure should provide only two callbacks now:

Notifications

In most cases the name of a notification event corresponds to the old callback name prefixed with "ev_". However, please note that we renamed some events, for example:

Many notification callbacks now have an additional argument - errbuf, which is used to report the detailed error message.

original callback notification code
init_debugger ev_init_debugger
term_debugger ev_term_debugger
get_processes ev_get_processes
start_process ev_start_process
attach_process ev_attach_process
detach_process ev_detach_process
get_debapp_attrs ev_get_debapp_attrs
rebase_if_required_to ev_rebase_if_required_to
prepare_to_pause_process ev_request_pause
exit_process ev_exit_process
get_debug_event ev_get_debug_event
continue_after_event ev_resume
set_exception_info ev_set_exception_info
stopped_at_debug_event ev_suspended
thread_suspend ev_thread_suspend
thread_continue ev_thread_continue
set_resume_mode ev_set_resume_mode
read_registers ev_read_registers
write_register ev_write_register
thread_get_sreg_base ev_thread_get_sreg_base
get_memory_info ev_get_memory_info
read_memory ev_read_memory
write_memory ev_write_memory
is_ok_bpt ev_check_bpt
update_bpts ev_update_bpts
update_lowcnds ev_update_lowcnds
open_file ev_open_file
close_file ev_close_file
read_file ev_read_file
write_file ev_write_file
map_address ev_map_address
get_debmod_extensions ev_get_debmod_extensions
update_call_stack ev_update_call_stack
appcall ev_appcall
cleanup_appcall ev_cleanup_appcall
eval_lowcnd ev_eval_lowcnd
send_ioctl ev_send_ioctl
dbg_enable_trace ev_dbg_enable_trace
is_tracing_enabled ev_is_tracing_enabled
rexec ev_rexec
get_srcinfo_path ev_get_srcinfo_path

New notification code:

IDA needs to know if the debugger module will react to specific notification codes. To describe this, the following flags have been added:

Please see idd.hpp for more details.

Structures

There are several changes in the structures used by the debugger module.

debugger_t

Renamed fields and methods:

original name new name
register_classes regclasses
register_classes_default default_regclasses
_registers registers
registers_size nregs
register regs()

event_id_t

Renamed events:

original name new name
PROCESS_START PROCESS_STARTED
PROCESS_EXIT PROCESS_EXITED
THREAD_START THREAD_STARTED
THREAD_EXIT THREAD_EXITED
LIBRARY_LOAD LIB_LOADED
LIBRARY_UNLOAD LIB_UNLOADED
PROCESS_ATTACH PROCESS_ATTACHED
PROCESS_DETACH PROCESS_DETACHED
PROCESS_SUSPEND PROCESS_SUSPENDED

Removed events:

Please note that the event codes have been changed.

debug_event_t

Changed to be more robust and controlled.

Public fields have been replaced by accessors.

original field new accessor
eid eid(), set_eid()
modinfo modinfo(), set_modinfo()
exit_code exit_code(), set_exit_code()
info info(), set_info()
bpt bpt(), set_bpt()
exc exc(), set_exc()

Please note that the event THREAD_STARTED can return the thread name using the info accessor.
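
As an added example (not part of the IDA SDK or of this guide), the Python script below flags pre-7.1 names in a module's source, using only the rename tables above. The C++ sample input is constructed, and hits on member names such as `.info` need manual review because other structures may use the same field names.

```python
import re

# All names below are copied from the rename tables on this page.
RENAMES = {
    # callbacks whose event name is not simply "ev_" + old name
    "prepare_to_pause_process": "ev_request_pause", "continue_after_event": "ev_resume",
    "stopped_at_debug_event": "ev_suspended", "is_ok_bpt": "ev_check_bpt",
    # debugger_t fields
    "register_classes": "regclasses", "register_classes_default": "default_regclasses",
    "registers_size": "nregs",
    # event_id_t values
    "PROCESS_START": "PROCESS_STARTED", "PROCESS_EXIT": "PROCESS_EXITED",
    "THREAD_START": "THREAD_STARTED", "THREAD_EXIT": "THREAD_EXITED",
    "LIBRARY_LOAD": "LIB_LOADED", "LIBRARY_UNLOAD": "LIB_UNLOADED",
    "PROCESS_ATTACH": "PROCESS_ATTACHED", "PROCESS_DETACH": "PROCESS_DETACHED",
    "PROCESS_SUSPEND": "PROCESS_SUSPENDED",
}
# debug_event_t public fields that became accessor pairs
EVENT_FIELDS = ("eid", "modinfo", "exit_code", "info", "bpt", "exc")

IDENT = re.compile(r"[A-Za-z_]\w*")
# member access to an old field: ".eid" or "->eid", not already a call "eid("
FIELD = re.compile(r"(?:\.|->)(%s)\b(?!\s*\()" % "|".join(EVENT_FIELDS))

def audit(source):
    """Return (line_no, old_text, suggestion) for each 4.9-7.0 name found."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # ignore line comments
        for m in IDENT.finditer(code):  # whole identifiers only
            new = RENAMES.get(m.group())
            if new:
                findings.append((no, m.group(), new))
        for m in FIELD.finditer(code):
            f = m.group(1)
            findings.append((no, m.group(), "%s() / set_%s()" % (f, f)))
    return findings

# Constructed sample of pre-7.1 module code (not taken from a real plugin).
SAMPLE = """\
if ( ev.eid == PROCESS_START )   // old public field and old event name
  base = ev.modinfo.base;
for ( int i = 0; i < dbg->registers_size; i++ ) {}
if ( ev.eid() == PROCESS_STARTED ) {}  // already ported
"""

if __name__ == "__main__":
    for no, old, new in audit(SAMPLE):
        print("line %d: %s -> %s" % (no, old, new))
```

Because the event codes themselves changed, a clean report only means the names are ported; rebuild the module against the 7.1 headers rather than reusing stored numeric event values.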

bpt_t

Added new fields:

Example

The highlighter plugin has been ported to use the new debugger module API.