
// OllyDbg script (ODbgScript) for a 32-bit Windows target whose parent process
// debugs its own child: it logs every debug event the parent receives and the
// context values the parent writes back into the child. Addresses such as
// 00408BD3, 00408EFF, 004062AF and 0040A570 belong to the analysed build only.

// First pass: let the debug loop run and record every event to log.txt together
// with its nCounter value; then put the interesting nCounter value into the
// cmp in lbl_record so the script stops there.
// lbl_debug is the stop point reached when that counter value is hit (original
// note, roughly: it was added later).

// ---- script state (ODbgScript vars are global; every value is a 32-bit word) ----

// kernel32 export addresses resolved with gpa
var	pfnCreateProcessA
var	pfnWaitForDebugEvent
var	pfnSetThreadContext

// stop bookkeeping
var	nCounter		// number of breakpoint/exception stops handled so far

// values read at the SetThreadContext(hThread, lpContext) entry
var	regEsp			// scratch: esp + 8 = address of the lpContext argument
var	pContext		// lpContext, then advanced to its Eip field (+0B8)
var	EipInContext		// Eip the parent is about to install in the child

// fields read from the parent's DEBUG_EVENT
var	pDebugEvent		// DEBUG_EVENT address (ebp + 004062AF in this build; original note mentions 408FD3)
var	DebugEventCode		// dwDebugEventCode (offset 0)
var	ThreadID		// dwThreadId of the child thread (offset 8)
var	ExceptionAddress	// u.Exception.ExceptionRecord.ExceptionAddress (offset 18)

// CONTEXT buffer filled by the injected GetThreadContext call
var	MyContext		// fixed address inside the parent used as the CONTEXT buffer (0040A570)
var	AddrOfEsp		// MyContext + 0C4 = CONTEXT.Esp
var	EspOfChild		// child's Esp read from that buffer
var	AddrOfEip		// declared but not used by this script
var	EipOfChild		// declared but not used by this script

////////////////////////////////////////////////////////////////////////////


// Phase 1: stop the parent when it spawns the child, then walk to the
// instruction just after WaitForDebugEvent returns (top of the parent's debug
// loop) and plant a hardware execute breakpoint there.
gpa 	"CreateProcessA", "kernel32.dll"
mov	pfnCreateProcessA,$RESULT

bphws 	pfnCreateProcessA, "x"		// fires when the parent creates the child
run

bphwc	pfnCreateProcessA
gpa 	"WaitForDebugEvent", "kernel32.dll"
mov	pfnWaitForDebugEvent,$RESULT
bphws 	pfnWaitForDebugEvent, "x"

run

bphwc	pfnWaitForDebugEvent
rtr	// run until WaitForDebugEvent returns into the parent
sti	// step past the return (original note: "WaitForDebugEvent return")
sti	// original note: "event code" - presumably where the parent reads dwDebugEventCode
sti
bphws	eip, "x"	// eip is 00408BD3 in this build; every pass through the loop stops here

// Phase 2: also break on SetThreadContext so the Eip the parent writes back
// into the child can be logged.
gpa	"SetThreadContext", "kernel32.dll"
mov	pfnSetThreadContext,$RESULT
log	pfnSetThreadContext
bp 	pfnSetThreadContext		// software bp: cleared with bc (not bphwc) later


// Route every breakpoint and every exception stop to lbl_record.
eob	lbl_record
eoe	lbl_record
mov	nCounter,0

// CONTEXT buffer for the injected GetThreadContext: a fixed address inside the
// parent (original note, roughly: a free area). Nothing checks that it is
// writable or large enough - a full x86 CONTEXT is 0x2CC bytes.
mov	MyContext,0040A570
mov	[MyContext],00010007		// CONTEXT.ContextFlags = CONTEXT_FULL (x86)

log	"begin the debug loop now"
run

lbl_record:
// Entered on every breakpoint (eob) and exception (eoe): either the hardware
// bp at 00408BD3 (top of the parent's debug loop), the software bp at the
// SetThreadContext entry, or an exception in the parent.

	inc nCounter
	log nCounter
	
	
	// Stop-point selector (original note, roughly): take the nCounter value of
	// the interesting entry from a previous log.txt run and put it here.
	
	cmp nCounter,1F		// stop at the 0x1F-th event
	//cmp nCounter,20	// alternative (original note: SetThreadContext)
	je lbl_debug		

	// Which stop is this?

	cmp eip,pfnSetThreadContext	// at the SetThreadContext entry?
	jne lbl_debug_event

	// At SetThreadContext(hThread, lpContext) entry: [esp]=return address,
	// [esp+4]=hThread, [esp+8]=lpContext. CONTEXT.Eip is at lpContext+0B8 on x86.
	mov regEsp,esp
	add regEsp,8
	mov pContext,[regEsp]
	add pContext,0B8
	mov EipInContext,[pContext]
	log EipInContext		// the Eip the parent is about to install in the child
	log " "
	esto	// resume, passing any pending exception to the debuggee
	
	
	
lbl_debug_event:
// Reached from the 00408BD3 stop (and from exceptions routed by eoe): read the
// parent's DEBUG_EVENT and, for an exception raised inside the child's own
// image, fetch the child's full CONTEXT by running OpenThread/GetThreadContext
// inside the parent.
	
	// The DEBUG_EVENT sits at ebp+004062AF in this build (ebp is evidently not
	// a frame pointer here; original note refers to 408FD3 - not verified).
	mov pDebugEvent,004062AF
	add pDebugEvent,ebp
	mov DebugEventCode,[pDebugEvent]
	log DebugEventCode	// DEBUG_EVENT.dwDebugEventCode
	
	cmp DebugEventCode,1	// EXCEPTION_DEBUG_EVENT == 1
	jne lbl_continue
	
	add pDebugEvent,8
	mov ThreadID,[pDebugEvent]	// DEBUG_EVENT.dwThreadId (offset 8)

	log ThreadID

	add pDebugEvent,10
	mov ExceptionAddress,[pDebugEvent]	// offset 18: ExceptionRecord.ExceptionAddress
	log ExceptionAddress

	// Skip exceptions raised inside system DLLs (original note: the DebugBreak
	// in kernel32); only faults inside the child's own image are of interest.
	cmp ExceptionAddress,70000000
	ja lbl_continue	

	
	// exec runs injected code in the debuggee; that would hit the 00408BD3 hw
	// bp and the SetThreadContext bp and re-enter this script (original note),
	// so clear both bps and the eob/eoe handlers first, restore them afterwards.
	
	bphwc 00408BD3
	bc pfnSetThreadContext
	cob
	coe

	// Inject: h = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadID);
	//         GetThreadContext(h, MyContext); CloseHandle(h);
	// {var} is replaced by the script variable's value when the code is injected.
	// No return value is checked: if OpenThread returns 0, GetThreadContext fails
	// and MyContext is not refreshed.

	exec

	push {ThreadID}
	push 0			// bInheritHandle = FALSE
	push 001f03ff		// THREAD_ALL_ACCESS (pre-Vista value)
	call OpenThread
	push eax		// handle, kept on the stack for CloseHandle
	
	push {MyContext}	// lpContext
	push eax		// hThread
	call GetThreadContext
	call CloseHandle	// consumes the handle pushed above

	ende

	// restore breakpoints and handlers
		
	bphws 00408BD3, "x"
	bp pfnSetThreadContext
	eob lbl_record
	eoe lbl_record

	// CONTEXT.Esp is at +0C4 on x86
	mov AddrOfEsp,MyContext
	add AddrOfEsp,0C4
	mov EspOfChild,[AddrOfEsp]
	log EspOfChild

		
lbl_continue:
// Non-exception events and system-DLL exceptions land here: just resume,
// passing any pending exception to the debuggee.
	log " "
	esto

lbl_debug:
// Stop point selected by the nCounter compare in lbl_record: move the
// breakpoint to 00408EFF, detach the handlers and hand the session to the user.

	bphwc 00408BD3		// drop the loop-top bp
	bphws 00408EFF, "x"	// original note: "Event code"
	cob
	coe
	run

	//bphwc 00408EFF	// (disabled; original note, roughly: "replaced code executes")
	// NOTE(review): the hw bp at 00408EFF is still armed when the script pauses.
	pause
	

	

	



