IDA 7.1 Debugger API 7.1 Porting Guide
IDA 7.1 debugging module: Porting from IDA 4.9-7.0 API to IDA 7.1 API
Introduction
The most important change is the use of the notification codes instead of callbacks.
We added the new hook type HT_IDD and replaced all callback pointers by notifications.
The debugger module in the debugger_t structure should provide only two callbacks now:
set_dbg_options - with the same meaning as was before
callback - this callback will be hooked to the HT_IDD notification point when the debugger is loaded and unhooked during the debugger unloading. The debugger plugin will be the last one to receive notifications.
Notifications
In most cases the name of a notification event corresponds to the old callback name prefixed with "ev_". However, please note that we renamed some events, for example:
stopped_at_debug_event to ev_suspended.
Many notification callbacks now have an additional argument - errbuf, which is used to report the detailed error message.
init_debugger
ev_init_debugger
term_debugger
ev_term_debugger
get_processes
ev_get_processes
start_process
ev_start_process
attach_process
ev_attach_process
detach_process
ev_detach_process
get_debapp_attrs
ev_get_debapp_attrs
rebase_if_required_to
ev_rebase_if_required_to
prepare_to_pause_process
ev_request_pause
exit_process
ev_exit_process
get_debug_event
ev_get_debug_event
continue_after_event
ev_resume
set_exception_info
ev_set_exception_info
stopped_at_debug_event
ev_suspended
thread_suspend
ev_thread_suspend
thread_continue
ev_thread_continue
set_resume_mode
ev_set_resume_mode
read_registers
ev_read_registers
write_register
ev_write_register
thread_get_sreg_base
ev_thread_get_sreg_base
get_memory_info
ev_get_memory_info
read_memory
ev_read_memory
write_memory
ev_write_memory
is_ok_bpt
ev_check_bpt
update_bpts
ev_update_bpts
update_lowcnds
ev_update_lowcnds
open_file
ev_open_file
close_file
ev_close_file
read_file
ev_read_file
write_file
ev_write_file
map_address
ev_map_address
get_debmod_extensions
ev_get_debmod_extensions
update_call_stack
ev_update_call_stack
appcall
ev_appcall
cleanup_appcall
ev_cleanup_appcall
eval_lowcnd
ev_eval_lowcnd
send_ioctl
ev_send_ioctl
dbg_enable_trace
ev_dbg_enable_trace
is_tracing_enabled
ev_is_tracing_enabled
rexec
ev_rexec
get_srcinfo_path
ev_get_srcinfo_path
New notification code:
ev_bin_search
IDA needs to know if the debugger module will react to specific notification codes. To describe this, the following flags have been added:
DBG_HAS_GET_PROCESSES
DBG_HAS_ATTACH_PROCESS
DBG_HAS_DETACH_PROCESS
DBG_HAS_REQUEST_PAUSE
DBG_HAS_SET_EXCEPTION_INFO
DBG_HAS_THREAD_SUSPEND
DBG_HAS_THREAD_CONTINUE
DBG_HAS_SET_RESUME_MODE
DBG_HAS_THREAD_GET_SREG_BASE
DBG_HAS_CHECK_BPT
DBG_HAS_OPEN_FILE
DBG_HAS_UPDATE_CALL_STACK
DBG_HAS_APPCALL
DBG_HAS_REXEC
Please see idd.hpp for more details.
Structures
There are several changes in the structures used by the debugger module.
debugger_t
Renamed fields and methods:
register_classes
regclasses
register_classes_default
default_regclasses
_registers
registers
registers_size
nregs
register
regs()
event_id_t
Renamed events:
PROCESS_START
PROCESS_STARTED
PROCESS_EXIT
PROCESS_EXITED
THREAD_START
THREAD_STARTED
THREAD_EXIT
THREAD_EXITED
LIBRARY_LOAD
LIB_LOADED
LIBRARY_UNLOAD
LIB_UNLOADED
PROCESS_ATTACH
PROCESS_ATTACHED
PROCESS_DETACH
PROCESS_DETACHED
PROCESS_SUSPEND
PROCESS_SUSPENDED
Removed events:
SYSCALL
WINMESSAGE
Please note that the event codes have been changed.
debug_event_t
Changed to be more robust and controlled.
Public fields have been replaced by accessors.
eid
eid(), set_eid()
modinfo
modinfo(), set_modinfo()
exit_code
exit_code(), set_exit_code()
info
info(), set_info()
bpt
bpt(), set_bpt()
exc
exc(), set_exc()
Please note that the event THREAD_STARTED can return the thread name using the info accessor.
bpt_t
Added new fields:
pid - breakpoint process id
tid - breakpoint thread id
Example
Plugin highlighter have been ported to use the new debugger module API.
Last updated