
I have created a set of multi-platform C++ components to load and manage various types of digitally signed shared libraries. This handles all aspects of loading and initialization including mapping them into the calling process, applying branch fix-ups, binding any imports and calling the initialization entry point. The components cannot use LoadLibrary() as it is platform specific and not all of the shared libraries are in PE format.

One of the few remaining issues I am faced with is providing appropriate debugger support for targeted platforms and development environments. In MS Windows environments this includes getting the debuggers to load symbol information generated by the compiler and linker (or converted from other source). Because the loading and initialization of the libraries occurs outside of the kernel, the debugger never receives LOAD_DLL_DEBUG_EVENT and UNLOAD_DLL_DEBUG_EVENT events. This leads to the following questions:

  1. Is there an API or system call that allows events such as LOAD_DLL_DEBUG_EVENT to be sent directly to the debugger?
  2. Is there a documented way to communicate directly with the program or session debug managers or with the machine debug manager service?
  3. Is there an API or system call available to notify the kernel and subsequently the debugger that a DLL has been loaded? Since PE files are one of the primary supported formats this is the most desirable option. It also has the potential benefit of allowing the library to appear in the module list of the process.
  4. Does the WinDBG SDK apply to debugging on Windows as a whole and can WinDBG extensions be used to instruct the debugger to load the symbol information?

I have searched extensively for information on the above-mentioned topics but have come up short. I have located a bit of information about the data structures used by the Windows debugger but nothing relevant to my specific situation.

I am open to API/system calls and approaches that are documented or undocumented and those requiring elevated privileges to function.

  • Why do you need kernel mode debugging? Commented Jul 19, 2011 at 8:24
  • @ajay I don't. Is there something in my post that is unclear? Commented Jul 19, 2011 at 8:30
  • @CaptainObvlious have you found a way to send LOAD_DLL_DEBUG_EVENT after 8 years now? :) I'm looking for the same thing for the same kind of problem! Commented Apr 9, 2020 at 16:55

2 Answers


I don't think that there is a way to directly send the kind of events that you want (like LOAD_DLL_DEBUG_EVENT) to a process, at least not easily. Why don't you simply wrap your libraries inside normal DLLs in Windows? Maybe you embed your custom module loading mechanism inside each "proxy" DLL, in this way you would not need to replicate so much functionality that the OS already provides for you.


1 Comment

Unfortunately using stub DLLs provides only a partial solution to the problem. Depending on the type of shared library additional fixups are applied which have to be done at runtime.

If I understood the problem, you may see:

  1. Writing a basic Windows Debugger
  2. Writing Windows Debugger (Detailed)

4 Comments

I'm not writing a debugger, I need to communicate certain events to it.
But I see all three actions are automatically performed by OS. The debugger would receive the events.
Since the debuggee is started by debugger using CreateProcess(...DEBUG_PROCESS...), it is hard to hook into debugger-loop to send information. I can suggest Process Monitor to start with: technet.microsoft.com/en-us/sysinternals/bb896645. Using this you may see what is happening when debugger gets events, and try to send those events yourself.
But I don't believe it is at all easy to do this stuff!
