IDA 7.1 debugging module: Porting from IDA 4.9-7.0 API to IDA 7.1 API

Introduction

The most important change is the use of notification codes instead of callbacks.

We added the new hook type HT_IDD and replaced all callback pointers with notifications.

The debugger module in the debugger_t structure should provide only two callbacks now:

  • set_dbg_options – with the same meaning as before
  • callback – this callback will be hooked to the HT_IDD notification point when the debugger is loaded and unhooked during the debugger unloading. The debugger plugin will be the last one to receive notifications.

Notifications

In most cases the name of a notification event corresponds to the old callback name prefixed with “ev_”. However, please note that we renamed some events, for example:

  • stopped_at_debug_event to ev_suspended.

Many notification callbacks now have an additional argument – errbuf, which is used to report the detailed error message.

original callback         notification code
init_debugger             ev_init_debugger
term_debugger             ev_term_debugger
get_processes             ev_get_processes
start_process             ev_start_process
attach_process            ev_attach_process
detach_process            ev_detach_process
get_debapp_attrs          ev_get_debapp_attrs
rebase_if_required_to     ev_rebase_if_required_to
prepare_to_pause_process  ev_request_pause
exit_process              ev_exit_process
get_debug_event           ev_get_debug_event
continue_after_event      ev_resume
set_exception_info        ev_set_exception_info
stopped_at_debug_event    ev_suspended
thread_suspend            ev_thread_suspend
thread_continue           ev_thread_continue
set_resume_mode           ev_set_resume_mode
read_registers            ev_read_registers
write_register            ev_write_register
thread_get_sreg_base      ev_thread_get_sreg_base
get_memory_info           ev_get_memory_info
read_memory               ev_read_memory
write_memory              ev_write_memory
is_ok_bpt                 ev_check_bpt
update_bpts               ev_update_bpts
update_lowcnds            ev_update_lowcnds
open_file                 ev_open_file
close_file                ev_close_file
read_file                 ev_read_file
write_file                ev_write_file
map_address               ev_map_address
get_debmod_extensions     ev_get_debmod_extensions
update_call_stack         ev_update_call_stack
appcall                   ev_appcall
cleanup_appcall           ev_cleanup_appcall
eval_lowcnd               ev_eval_lowcnd
send_ioctl                ev_send_ioctl
dbg_enable_trace          ev_dbg_enable_trace
is_tracing_enabled        ev_is_tracing_enabled
rexec                     ev_rexec
get_srcinfo_path          ev_get_srcinfo_path

New notification code:

  • ev_bin_search

IDA needs to know if the debugger module will react to specific notification codes. To describe this, the following flags have been added:

  • DBG_HAS_GET_PROCESSES
  • DBG_HAS_ATTACH_PROCESS
  • DBG_HAS_DETACH_PROCESS
  • DBG_HAS_REQUEST_PAUSE
  • DBG_HAS_SET_EXCEPTION_INFO
  • DBG_HAS_THREAD_SUSPEND
  • DBG_HAS_THREAD_CONTINUE
  • DBG_HAS_SET_RESUME_MODE
  • DBG_HAS_THREAD_GET_SREG_BASE
  • DBG_HAS_CHECK_BPT
  • DBG_HAS_OPEN_FILE
  • DBG_HAS_UPDATE_CALL_STACK
  • DBG_HAS_APPCALL
  • DBG_HAS_REXEC

Please see idd.hpp for more details.

Structures

There are several changes in the structures used by the debugger module.

debugger_t

Renamed fields and methods:

original name             new name
register_classes          regclasses
register_classes_default  default_regclasses
_registers                registers
registers_size            nregs
register                  regs()

event_id_t

Renamed events:

original name     new name
PROCESS_START     PROCESS_STARTED
PROCESS_EXIT      PROCESS_EXITED
THREAD_START      THREAD_STARTED
THREAD_EXIT       THREAD_EXITED
LIBRARY_LOAD      LIB_LOADED
LIBRARY_UNLOAD    LIB_UNLOADED
PROCESS_ATTACH    PROCESS_ATTACHED
PROCESS_DETACH    PROCESS_DETACHED
PROCESS_SUSPEND   PROCESS_SUSPENDED

Removed events:

  • SYSCALL
  • WINMESSAGE

Please note that the event codes have been changed.

debug_event_t

Changed to be more robust and controlled.

Public fields have been replaced by accessors.

original field  new accessor
eid             eid(), set_eid()
modinfo         modinfo(), set_modinfo()
exit_code       exit_code(), set_exit_code()
info            info(), set_info()
bpt             bpt(), set_bpt()
exc             exc(), set_exc()

Please note that the event THREAD_STARTED can return the thread name using the info accessor.
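
A migration check built from the event_id_t and debug_event_t tables above, as an added example that is not part of the SDK or of this guide: it scans pre-7.1 module source for renamed or removed event ids and for debug_event_t fields that are still accessed directly. The function name scan and the sample source are constructed for illustration.

```python
import re

# Renamed event_id_t values, copied from the table above.
RENAMED_EVENTS = {
    "PROCESS_START": "PROCESS_STARTED", "PROCESS_EXIT": "PROCESS_EXITED",
    "THREAD_START": "THREAD_STARTED", "THREAD_EXIT": "THREAD_EXITED",
    "LIBRARY_LOAD": "LIB_LOADED", "LIBRARY_UNLOAD": "LIB_UNLOADED",
    "PROCESS_ATTACH": "PROCESS_ATTACHED", "PROCESS_DETACH": "PROCESS_DETACHED",
    "PROCESS_SUSPEND": "PROCESS_SUSPENDED",
}
REMOVED_EVENTS = {"SYSCALL", "WINMESSAGE"}
# debug_event_t public fields that became accessors.
EVENT_FIELDS = ["eid", "modinfo", "exit_code", "info", "bpt", "exc"]

# Whole upper-case identifiers, so PROCESS_STARTED is never read as PROCESS_START.
IDENT = re.compile(r"\b[A-Z][A-Z_]*\b")
# Member access not followed by '(' is still a field use. Heuristic: it matches
# on the member name only, so a same-named field of another struct is flagged too.
FIELD = re.compile(r"(?:\.|->)\s*(%s)\b(?!\s*\()" % "|".join(EVENT_FIELDS))

def scan(source):
    """Return (line_no, old_text, advice) for each pre-7.1 construct found."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # ignore trailing comments
        for m in IDENT.finditer(code):
            name = m.group(0)
            if name in RENAMED_EVENTS:
                findings.append((no, name, "rename to " + RENAMED_EVENTS[name]))
            elif name in REMOVED_EVENTS:
                findings.append((no, name, "event removed in 7.1"))
        for m in FIELD.finditer(code):
            f = m.group(1)
            findings.append((no, f, "use %s() / set_%s()" % (f, f)))
    return findings

# Constructed sample of pre-7.1 module code (not from any real plugin).
LEGACY = """\
debug_event_t ev;
if ( ev.eid == PROCESS_START )      // old id and public field
  msg("%s\\n", ev.modinfo.name);
if ( ev.eid() == PROCESS_STARTED )  // already ported
  handle(ev.exit_code());
case WINMESSAGE: break;
"""

if __name__ == "__main__":
    for no, old, advice in scan(LEGACY):
        print("line %d: %s -> %s" % (no, old, advice))
```

Because the event codes themselves changed, any numeric event value stored or compared outside the enum names is not caught by this scan and needs a manual review.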

bpt_t

Added new fields:

  • pid – breakpoint process id
  • tid – breakpoint thread id

Example

The highlighter plugin has been ported to use the new debugger module API.