wuhailinjerry / edb-debugger Goto Github PK

I want to replace Replace the code for register view with one which uses the 
model/view system of QT4, it'll be cleaner, easier to follow and likely faster.

I would like there to be comments in the disassembly viewer. Some of them user 
supplied, some of them provided by the analysis system.

Whenever I try start edb I get the message "Failed to load debugger core 
plugin. Please make sure it exists and that the plugin path is correctly 
configured.
This is normal if EDB has not been previously run or the configuration file has 
been removed.", after this I get a configuration dialog, and I'm able to change 
any options.

As soon as I close this configuration dialog edb crashes with the message: "In 
file DebuggerMain.cpp, line 1597: Out of memory
Segmentation fault (core dumped)".

I compiled edb 0.8.22 from scratch on Kubuntu 7.10 without problem

Symbol viewer should be able to follow functions in the code view. I think that 
this is best implemented in a context menu where you can select where to view 
it.

I would like it if EDB had a mechanism for plugins to add to context menus. 
Actually getting a menu item is simple, but giving the plugin information 
necessary to do something useful when it is selected is the trouble.

I would it if the Environment Viewer plugin could set the environment variables 
it finds.

Under certain circumstances, the restart feature doesn't work correctly. It 
appears to fail to attach to the process.

I would like have a "lock stack" feature. This would make the stack view not 
scroll when updating the display. This would make it easier to watch local 
variables.

I would like to come up with a nice way to have a plugin export APIs that other 
plugins can use, this would also go hand in hand with a notion of plugins that 
depend on others (likely a specific version) being present.

It would be nice if EDB could scroll by whole instructions. This is 
unfortunately difficult because instructions are variable length on x86.

I want EDB to have session files which would hold information that we should 
save on detach and restore upon reattach. Plugins should also have a proper 
interface to adding and retrieving information from the session file.

I use the tool scanmem in conjunction with watchpoints a lot in reverse 
engineering. Unless I'm missing something obvious, it seems they aren't 
available in edb. I suppose you'd need to write an additional plugin to support 
them. Should be pretty simple -- just needs to behave like gdb's 'watch', 
'rwatch', and 'awatch' commands (break on read, write, and both). A right-click 
context menu entry on the memory window would be the easiest way to set them.

There is a slight difference in behavior if you select and move the mouse above 
a QHexView, if you have a row width of 1, it will select downward to the end of 
the view, otherwise, it will follow the mouse upwards. This is a minor issue, I 
may or may not care.

It is possible to deadlock EDB by attaching the it's parent console. I've only 
observed this with konsole from KDE.

EDB currently has no support for debugging multi-threaded applications. When 
you attach to a process, it simple attaches to the primary thread.

I would be interested in seeing a "log console" plugin which would hook the 
logger and display it in the GUI in real time.

I would like to see EDB be able to show and utilize the base and limit of the 
segment descriptors. I am guessing that this would require either use of 
/dev/kmem which unfortunately would not work on every machine, or an LKM that 
comes packaged with EDB. This LKM would simply provide a new system call or 
ioctl which would allow EDB to probe the kernel memory to get this data.

I would like if EDB were ported to FreeBSD

Created attachment 1
Source file used to test gcc optimisation on x86_64

Dear Evan,

Thank you for EDB project. I tried to learn how gcc optimisation works, using 
edb and simple source file. But unfortunately it looks like, EDB gets exception 
every time it tries to process linux kernel system call.

EDB message is:
"The debugged application encountered a segmentation fault!
The address 0x18 could not be accessed.
If you would like to pass this exception to the application press 
Shift+[F7/F8/F9]"

I tried to compile attached file with using "gcc -O2 -g 9.cpp".
EDB get an exception, when it executes kernel call posix_memalign()

Could you please tell me any solution or workaround?

With best regards,
Vladimir

g++ -Wl,--no-undefined -shared -o libELFBinaryInfo.so ELFBinaryInfo.o ELF32.o 
ELF64.o moc_ELFBinaryInfo.o   -L/usr/lib -lQtGui -lQtCore -lpthread 
ELFBinaryInfo.o: In function `ELFBinaryInfo':
/home/shift/downloads/debugger/plugins/ELFBinaryInfo/ELFBinaryInfo.cpp:39: 
undefined reference to `BinaryInfo::RegisterBinaryInfo(BinaryInfo* (*)(QString 
const&))'
/home/shift/downloads/debugger/plugins/ELFBinaryInfo/ELFBinaryInfo.cpp:40: 
undefined reference to `BinaryInfo::RegisterBinaryInfo(BinaryInfo* (*)(QString 
const&))'
/home/shift/downloads/debugger/plugins/ELFBinaryInfo/ELFBinaryInfo.cpp:39: 
undefined reference to `BinaryInfo::RegisterBinaryInfo(BinaryInfo* (*)(QString 
const&))'
/home/shift/downloads/debugger/plugins/ELFBinaryInfo/ELFBinaryInfo.cpp:40: 
undefined reference to `BinaryInfo::RegisterBinaryInfo(BinaryInfo* (*)(QString 
const&))'
ELF32.o: In function `ELF32':
/home/shift/downloads/debugger/plugins/ELFBinaryInfo/ELF32.cpp:28: undefined 
reference to `BinaryInfo::BinaryInfo(QString const&)'
/home/shift/downloads/debugger/plugins/ELFBinaryInfo/ELF32.cpp:28: undefined 
reference to `BinaryInfo::BinaryInfo(QString const&)'
ELF64.o: In function `ELF64':
/home/shift/downloads/debugger/plugins/ELFBinaryInfo/ELF64.cpp:28: undefined 
reference to `BinaryInfo::BinaryInfo(QString const&)'
/home/shift/downloads/debugger/plugins/ELFBinaryInfo/ELF64.cpp:28: undefined 
reference to `BinaryInfo::BinaryInfo(QString const&)'
collect2: ld returned 1 exit status
make[2]: *** [../../libELFBinaryInfo.so] Error 1
make[2]: Leaving directory 
`/home/shift/downloads/debugger/plugins/ELFBinaryInfo'
make[1]: *** [sub-ELFBinaryInfo-make_default] Error 2
make[1]: Leaving directory `/home/shift/downloads/debugger/plugins'
make: *** [sub-plugins-make_default] Error 2

EDB needs an API to search for a sequence of commands in a generic fashion. 
This would likely require an assembler of sorts to be implemented.

It would be nice if EDB could scroll by whole instructions. This is 
unfortunately difficult because instructions are variable length on x86.

I would like to make tabs able to be "labeled" and potentially remember them in 
a debugging session file.

I don't know if this is the intended behavior, but after finishing a succesfull 
run (eg. just F9 then S-F9), and clicking 'OK' in the popup ("Debugged 
application exited..."), EDB unloads the application. This also happens when 
you had breakpoints set, so you have to re-open the app and re-set the 
breakpoints. It would be nice if EDB just reset the app and kept things like 
breakpoints intact.

PS This is on EDB v0.9.2, but Bugzilla version field only goes up to v0.9.0

I would like to have a regression test system which can verify that all 
possible instruction combinations disassemble correctly against a known good.

I would like to have a colour coded disassembly option. Eventually allowing the 
user to specify colours for different parts of the instructions.

I would to be able to take a snapshot of the state of the target application 
and be able to rewind back to it.

The heap plugin displays a lot of results, it would be very useful if it were 
somehow searchable.

I would like there to be a graphical indicator of jump directions. This could 
be something as simple as an arrow.

I am unable to get EDB to build on an Ubuntu 8.04 machine. Here is the output 
I'm running into:

shell> qmake-qt4 QT_ARCH=i386

shell> make
... (taken out to save space) ...
cd src/ && make -f Makefile 
make[1]: Entering directory `/home/hinmanm/debugger/src'
g++ -c -pipe -O2 -Wall -W -D_REENTRANT -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB 
-DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore 
-I/usr/include/qt4/QtCore -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtGui 
-I/usr/include/qt4 -I../include -Iwidgets -Iedisassm -Ios/unix 
-I../include/os/unix -Iarch/i386 -I../include/arch/i386 -I. -I. -o Debugger.o 
Debugger.cpp
Debugger.cpp: In function

limit font choices to fixed width, the variable width ones don't make sense.

edisassm needs to support the undocumented nop mod/rm instructions. An example 
of one is 0f 19 00 which encodes to nop [eax]. This CAN cause a page fault.

The previous disassembler engine had AT&T support. The new one should have this 
too.

I would like to be able to import debugging information similarly to other 
debuggers. This way plugins could do cool things like show source code when 
available.

Linux does not appear to be able to tell the difference between a segmentation 
fault and a privileged instruction, is there a way to do so?

The "Run Until Return" option (under Debug menu) is always grayed out for me, 
no matter what I do. When I've entered a subroutine/procedure/function that 
clearly ends with a RET instruction, I still can't use "Run Until Return".

Here's an example:

0804:83b0 55                    push   ebp
0804:83b1 89 e5             mov    ebp,esp
0804:83b3 83 ec 08          sub    esp,0x8
0804:83b6 c7 04 24 cc 84 04 08  mov    DWORD PTR [esp],0x80484cc
0804:83bd e8 3a ff ff ff    call   0x80482fc <puts@plt>
0804:83c2 c9                leave  
0804:83c3 c3                ret    

I've set a BP on 0804:83b0 and when I hit it, I can't use "Run Until Return" 
(grayed out), Also after one or more "step into"/"step over" commands, I'm 
never able to use "Run Until Return".

In this example, it doesn't matter ofcourse, but when you enter long library 
functions (perhaps because you wanted to step over instead of into) it would be 
nice to have a quick escape handy :)

There should be some mechanism for plugins to depend on other plugins.

the debugging core will return the original byte when a read occurs where a 
breakpoint is at. we should detect if the byte was overwritten/changed, and 
somehow notify the user.

If you run EDB and attach/run a program, the tabs work perfect. But if you 
detach or the program exits for any reason. While detacted, you can create new 
tabs. These new tabs do not correctly copy the 0 - 0 (NULL to NULL) range that 
the first tab has, but instead copy the range of the data before the detach.

scrolling the various views while not paused gives all 0xff's, EDB should 
temporarily pause and get the right data. I think perhaps we should do some 
"read-ahead" to reduce the pause time when scrolling and cache whole pages of 
data, and have this data expire after a certain amount of time.

QT version 4.2 offers some nice features which aren't used due to the desire to 
compile with QT 4.1.

I would like to have the function analysis plugin be able to create code flow 
diagrams.

*With qt4 and qt4-devel with the latest packages from yum*

It doesn't compile at all (even with QT_ARCH=i386) on Fedora 8. (maybe I'm 
doing something wrong).

You know me and usually I'll be at least able to compile the program but I 
couldn't even do that this time.

It would be nice if EDB could scroll by whole instructions. This is 
unfortunately difficult because instructions are variable length on x86.

I don't have any experience with qmake, but for a while I wasn't able to 
compile the plugins using just "qmake;make" at the root of the source tree. 
After a long search I found a proper fix. I'm running debian 4.0 (testing) and 
apparently one of the LFLAGS set in qmake by default breaks the plugin linking. 
I don't know if this applies to other people or just me, I only submit this as 
a bug for your consideration.

Here's a diff of my fix. One simple line:

--- plugins/plugins.pri.old     2008-02-06 18:19:37.263584000 -0800
+++ plugins/plugins.pri 2008-02-06 18:19:39.828148000 -0800
@@ -12,6 +12,7 @@

 unix {
        QMAKE_CXXFLAGS  +=
+       QMAKE_LFLAGS    -= -Wl,--no-undefined
        LIBS                    +=
        INCLUDEPATH += ../../include/os/unix
 }

It would be a cool feature if EDB could allocate and free regions in the target 
process.

I would like to have EDB work on x86-64.

I would like to see the heap plugin have a visualization feature where blocks 
are graphed showing which have pointers to which.

When the application is waiting in a scanf(), while I'm typing the input text 
in the "edb output" window, if I simply click on "edb main" disassembler 
window, edb crashes with the following line on the console ::

ASSERT: "buf_size != 0" in file widgets/QDisassemblyView.cpp, line 326

Could you also make breakpoints persistent in between application restarts and 
set the color of the line, where breakpoint is set, to a different color. If 
you can support "F2" as a shortcut to set breakpoints in the disassembler 
window, that would be super-cool.

I'm constantly using EDB for reverse engineering. And very happy with EDB since 
it's effort to imitate OllyDBG. If you would like any contribution, I would be 
happy to do so.

Cheers,
-Babil.

start using QT 4.2's QDialogButtonBox, it will simplify code and make things 
more consistent with other desktops.