let us assume that there is a application (i have its executable) that reads a file (of some unknown format). I want to trace the input (e.g. a file) that is parsed by a executable i.e. I want to know when a input is read and how is it "consumed" by the executable. Is there a generic way to setting breakpoints to do so? I asked for a generic method because I may not be using a particular debugger.
让我们假设有一个应用程序(我有它的可执行文件)读取文件(某种未知格式)。我想跟踪由可执行文件解析的输入(例如文件),即我想知道何时读取输入以及它如何被可执行文件“消耗”。是否有通用的方法设置断点?我问了一个泛型方法,因为我可能没有使用特定的调试器。
thanks -Sanjay
谢谢 - 桑杰
1 个解决方案
#1
1
The generic way for settings the breakpoints could be as follows:
设置断点的一般方法如下:
- Load the executable in the debugger.
- 在调试器中加载可执行文件。
- Get a list of all intermodular calls in the executable.
- 获取可执行文件中所有模块间调用的列表。
- At least some of the calls in the list are Windows API functions. The most common functions that are used for reading a file are
ReadFileandReadFileEx. The executable might also useNtReadFile. Set breakpoints on these functions. - 列表中至少有一些调用是Windows API函数。用于读取文件的最常用函数是ReadFile和ReadFileEx。可执行文件也可能使用NtReadFile。在这些函数上设置断点。
#1
1
The generic way for settings the breakpoints could be as follows:
设置断点的一般方法如下:
- Load the executable in the debugger.
- 在调试器中加载可执行文件。
- Get a list of all intermodular calls in the executable.
- 获取可执行文件中所有模块间调用的列表。
- At least some of the calls in the list are Windows API functions. The most common functions that are used for reading a file are
ReadFileandReadFileEx. The executable might also useNtReadFile. Set breakpoints on these functions. - 列表中至少有一些调用是Windows API函数。用于读取文件的最常用函数是ReadFile和ReadFileEx。可执行文件也可能使用NtReadFile。在这些函数上设置断点。