IDA 7.1 Debugger API 7.1 Porting Guide

IDA 7.1 debugging module: Porting from IDA 4.9-7.0 API to IDA 7.1 API

Introduction

The most important change is the use of the notification codes instead of callbacks.

We added the new hook type HT_IDD and replaced all callback pointers by notifications.

The debugger module in the debugger_t structure should provide only two callbacks now:

  • set_dbg_options - with the same meaning as before

  • callback - this callback is hooked to the HT_IDD notification point when the debugger is loaded and unhooked when the debugger is unloaded. The debugger plugin will be the last one to receive notifications.

Notifications

In most cases the name of a notification event corresponds to the old callback name prefixed with "ev_". However, please note that we renamed some events, for example:

  • stopped_at_debug_event to ev_suspended.

Many notification callbacks now have an additional argument, errbuf, which is used to report a detailed error message.

New notification code:

  • ev_bin_search

IDA needs to know if the debugger module will react to specific notification codes. To describe this, the following flags have been added:

  • DBG_HAS_GET_PROCESSES

  • DBG_HAS_ATTACH_PROCESS

  • DBG_HAS_DETACH_PROCESS

  • DBG_HAS_REQUEST_PAUSE

  • DBG_HAS_SET_EXCEPTION_INFO

  • DBG_HAS_THREAD_SUSPEND

  • DBG_HAS_THREAD_CONTINUE

  • DBG_HAS_SET_RESUME_MODE

  • DBG_HAS_THREAD_GET_SREG_BASE

  • DBG_HAS_CHECK_BPT

  • DBG_HAS_OPEN_FILE

  • DBG_HAS_UPDATE_CALL_STACK

  • DBG_HAS_APPCALL

  • DBG_HAS_REXEC

Please see idd.hpp for more details.
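
The single-callback dispatch and capability flags described above, modelled as an added example (not Hex-Rays code and not compiled against the SDK). The struct, result codes, numeric values and the demo_notify helper are simplified stand-ins; the names ev_request_pause and ev_attach_process, the argument list, and the way the host consults the DBG_HAS_* flags are assumptions, so check idd.hpp for the real declarations.

```cpp
#include <cstdarg>
#include <cstdint>
#include <string>

// Simplified stand-ins (assumptions): the real declarations live in idd.hpp.
enum demo_event_t { ev_request_pause = 1, ev_attach_process, ev_bin_search }; // constructed values
const uint32_t DBG_HAS_REQUEST_PAUSE  = 1u << 0;  // constructed bit positions
const uint32_t DBG_HAS_ATTACH_PROCESS = 1u << 1;
enum { DEMO_FAILED = -1, DEMO_NOT_HANDLED = 0, DEMO_OK = 1 };  // hypothetical result codes

struct demo_debugger_t               // hypothetical model of debugger_t
{
  uint32_t flags;                    // which optional notifications the module reacts to
  long (*callback)(void *user_data, int code, va_list va);
};

static bool g_process_running = false;  // toy debugger state

// New style: one entry point; arguments are pulled from va per notification code.
static long demo_callback(void *, int code, va_list va)
{
  switch ( code )
  {
    case ev_request_pause:           // assumed args: (std::string *errbuf)
    {
      std::string *errbuf = va_arg(va, std::string *);
      if ( g_process_running )
        return DEMO_OK;
      if ( errbuf != nullptr )
        *errbuf = "no running process to pause";
      return DEMO_FAILED;
    }
    default:                         // codes the module does not implement
      return DEMO_NOT_HANDLED;
  }
}

// Host-side model: skip modules that did not advertise the capability flag.
static long demo_notify(const demo_debugger_t &dbg, uint32_t needed_flag, int code, ...)
{
  if ( (dbg.flags & needed_flag) == 0 )
    return DEMO_NOT_HANDLED;
  va_list va;
  va_start(va, code);
  long rc = dbg.callback(nullptr, code, va);
  va_end(va);
  return rc;
}
```

When porting, each old function pointer becomes one case in the switch, and every code the module does not implement must fall through to the "not handled" result.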

Structures

There are several changes in the structures used by the debugger module.

debugger_t

Renamed fields and methods:

event_id_t

Renamed events:

Removed events:

  • SYSCALL

  • WINMESSAGE

Please note that the event codes have been changed.

debug_event_t

Changed to be more robust and controlled.

Public fields have been replaced by accessors.

Please note that the event THREAD_STARTED can return the thread name using the info accessor.

bpt_t

Added new fields:

  • pid - breakpoint process id

  • tid - breakpoint thread id

Example

The highlighter plugin has been ported to use the new debugger module API.
