IDA 7.1 Debugger API 7.1 Porting Guide

IDA 7.1 debugging module: Porting from IDA 4.9-7.0 API to IDA 7.1 API

Introduction

The most important change is the use of the notification codes instead of callbacks.

We added the new hook type HT_IDD and replaced all callback pointers by notifications.

The debugger module in the debugger_t structure should provide only two callbacks now:

set_dbg_options - with the same meaning as was before
callback - this callback will be hooked to the HT_IDD notification point when the debugger is loaded and unhooked during the debugger unloading. The debugger plugin will be the last one to receive notifications.

Notifications

In most cases the name of a notification event corresponds to the old callback name prefixed with "ev_". However, please note that we renamed some events, for example:

stopped_at_debug_event to ev_suspended.

Many notification callbacks now have an additional argument - errbuf, which is used to report the detailed error message.

original callback	notification code
init_debugger	ev_init_debugger
term_debugger	ev_term_debugger
get_processes	ev_get_processes
start_process	ev_start_process
attach_process	ev_attach_process
detach_process	ev_detach_process
get_debapp_attrs	ev_get_debapp_attrs
rebase_if_required_to	ev_rebase_if_required_to
prepare_to_pause_process	ev_request_pause
exit_process	ev_exit_process
get_debug_event	ev_get_debug_event
continue_after_event	ev_resume
set_exception_info	ev_set_exception_info
stopped_at_debug_event	ev_suspended
thread_suspend	ev_thread_suspend
thread_continue	ev_thread_continue
set_resume_mode	ev_set_resume_mode
read_registers	ev_read_registers
write_register	ev_write_register
thread_get_sreg_base	ev_thread_get_sreg_base
get_memory_info	ev_get_memory_info
read_memory	ev_read_memory
write_memory	ev_write_memory
is_ok_bpt	ev_check_bpt
update_bpts	ev_update_bpts
update_lowcnds	ev_update_lowcnds
open_file	ev_open_file
close_file	ev_close_file
read_file	ev_read_file
write_file	ev_write_file
map_address	ev_map_address
get_debmod_extensions	ev_get_debmod_extensions
update_call_stack	ev_update_call_stack
appcall	ev_appcall
cleanup_appcall	ev_cleanup_appcall
eval_lowcnd	ev_eval_lowcnd
send_ioctl	ev_send_ioctl
dbg_enable_trace	ev_dbg_enable_trace
is_tracing_enabled	ev_is_tracing_enabled
rexec	ev_rexec
get_srcinfo_path	ev_get_srcinfo_path

original callback

notification code

init_debugger

ev_init_debugger

term_debugger

ev_term_debugger

get_processes

ev_get_processes

start_process

ev_start_process

attach_process

ev_attach_process

detach_process

ev_detach_process

get_debapp_attrs

ev_get_debapp_attrs

rebase_if_required_to

ev_rebase_if_required_to

prepare_to_pause_process

ev_request_pause

exit_process

ev_exit_process

get_debug_event

ev_get_debug_event

continue_after_event

ev_resume

set_exception_info

ev_set_exception_info

stopped_at_debug_event

ev_suspended

thread_suspend

ev_thread_suspend

thread_continue

ev_thread_continue

set_resume_mode

ev_set_resume_mode

read_registers

ev_read_registers

write_register

ev_write_register

thread_get_sreg_base

ev_thread_get_sreg_base

get_memory_info

ev_get_memory_info

read_memory

ev_read_memory

write_memory

ev_write_memory

is_ok_bpt

ev_check_bpt

update_bpts

ev_update_bpts

update_lowcnds

ev_update_lowcnds

open_file

ev_open_file

close_file

ev_close_file

read_file

ev_read_file

write_file

ev_write_file

map_address

ev_map_address

get_debmod_extensions

ev_get_debmod_extensions

update_call_stack

ev_update_call_stack

appcall

ev_appcall

cleanup_appcall

ev_cleanup_appcall

eval_lowcnd

ev_eval_lowcnd

send_ioctl

ev_send_ioctl

dbg_enable_trace

ev_dbg_enable_trace

is_tracing_enabled

ev_is_tracing_enabled

rexec

ev_rexec

get_srcinfo_path

ev_get_srcinfo_path

New notification code:

ev_bin_search

IDA needs to know if the debugger module will react to specific notification codes. To describe this, the following flags have been added:

DBG_HAS_GET_PROCESSES
DBG_HAS_ATTACH_PROCESS
DBG_HAS_DETACH_PROCESS
DBG_HAS_REQUEST_PAUSE
DBG_HAS_SET_EXCEPTION_INFO
DBG_HAS_THREAD_SUSPEND
DBG_HAS_THREAD_CONTINUE
DBG_HAS_SET_RESUME_MODE
DBG_HAS_THREAD_GET_SREG_BASE
DBG_HAS_CHECK_BPT
DBG_HAS_OPEN_FILE
DBG_HAS_UPDATE_CALL_STACK
DBG_HAS_APPCALL
DBG_HAS_REXEC

Please see idd.hpp for more details.

Structures

There are several changes in the structures used by the debugger module.

debugger_t

Renamed fields and methods:

original name	new name
register_classes	regclasses
register_classes_default	default_regclasses
_registers	registers
registers_size	nregs
register	regs()

original name

new name

register_classes

regclasses

register_classes_default

default_regclasses

_registers

registers

registers_size

nregs

regs()

event_id_t

Renamed events:

original name	new name
PROCESS_START	PROCESS_STARTED
PROCESS_EXIT	PROCESS_EXITED
THREAD_START	THREAD_STARTED
THREAD_EXIT	THREAD_EXITED
LIBRARY_LOAD	LIB_LOADED
LIBRARY_UNLOAD	LIB_UNLOADED
PROCESS_ATTACH	PROCESS_ATTACHED
PROCESS_DETACH	PROCESS_DETACHED
PROCESS_SUSPEND	PROCESS_SUSPENDED

original name

new name

PROCESS_START

PROCESS_STARTED

PROCESS_EXIT

PROCESS_EXITED

THREAD_START

THREAD_STARTED

THREAD_EXIT

THREAD_EXITED

LIBRARY_LOAD

LIB_LOADED

LIBRARY_UNLOAD

LIB_UNLOADED

PROCESS_ATTACH

PROCESS_ATTACHED

PROCESS_DETACH

PROCESS_DETACHED

PROCESS_SUSPEND

PROCESS_SUSPENDED

Removed events:

SYSCALL
WINMESSAGE

Please note that the event codes have been changed.

debug_event_t

Changed to be more robust and controlled.

Public fields have been replaced by accessors.

original field	new accessor
eid	eid(), set_eid()
modinfo	modinfo(), set_modinfo()
exit_code	exit_code(), set_exit_code()
info	info(), set_info()
bpt	bpt(), set_bpt()
exc	exc(), set_exc()

original field

new accessor

eid

eid(), set_eid()

modinfo

modinfo(), set_modinfo()

exit_code

exit_code(), set_exit_code()

info

info(), set_info()

bpt

bpt(), set_bpt()

exc

exc(), set_exc()

Please note that the event THREAD_STARTED can return the thread name using the info accessor.

bpt_t

Added new fields:

pid - breakpoint process id
tid - breakpoint thread id

Example

Plugin highlighter have been ported to use the new debugger module API.

Last updated 3 months ago