debugger

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Trigger Intents

触发场景

Use this skill when user asks to:

add/remove/modify breakpoints
patch bytes or revert patches
create patch inventories and debugging action plans
instrument analysis-driven break/watch workflows

Route to:

```
analysis
```
/
```
xrefs
```
for selecting meaningful targets first
```
disassembly
```
for opcode-level patch context
```
annotations
```
for documenting patch rationale and outcomes

当用户有以下需求时使用本技能：

添加/移除/修改断点
打字节补丁或回滚补丁
创建补丁清单和调试行动计划
构建基于分析的断点/监视工作流

关联路由：

先通过
```
analysis
```
/
```
xrefs
```
选择有意义的目标
通过
```
disassembly
```
获取指令级补丁上下文
通过
```
annotations
```
记录补丁的依据和结果

Do This First (Warm-Start Sequence)

第一步操作（预热流程）

sql

-- 1) Current breakpoint inventory
SELECT printf('0x%X', address) AS addr, type_name, enabled
FROM breakpoints
ORDER BY address;

-- 2) Current patch inventory
SELECT printf('0x%X', ea) AS ea, original_value, patched_value
FROM patched_bytes
ORDER BY ea
LIMIT 50;

-- 3) Validate target bytes before patch
SELECT ea, value, original_value, is_patched
FROM bytes
WHERE ea = 0x401000;

Interpretation guidance:

Confirm existing instrumentation before adding more.
Always snapshot current/original byte state before mutating.

sql

-- 1) 当前断点清单
SELECT printf('0x%X', address) AS addr, type_name, enabled
FROM breakpoints
ORDER BY address;

-- 2) 当前补丁清单
SELECT printf('0x%X', ea) AS ea, original_value, patched_value
FROM patched_bytes
ORDER BY ea
LIMIT 50;

-- 3) 补丁前验证目标字节
SELECT ea, value, original_value, is_patched
FROM bytes
WHERE ea = 0x401000;

解读指南：

添加新的 instrumentation 前，先确认已有的配置。
在修改字节状态前，务必先快照当前/原始字节状态。

Failure and Recovery

故障与恢复

Breakpoint insert/update failed:
- Validate address existence and hardware size/type compatibility.
Patch verification mismatch:
- Re-read
```
bytes
```
  and
```
patched_bytes
```
  , then retry with precise address.
Unintended patch side effects:
- Revert with
```
revert_byte(...)
```
  and reassess target instruction context.

断点插入/更新失败：
- 验证地址是否存在，以及硬件断点的大小/类型兼容性。
补丁验证不匹配：
- 重新读取
```
bytes
```
  和
```
patched_bytes
```
  表，然后使用精确地址重试。
补丁产生意外副作用：
- 使用
```
revert_byte(...)
```
  回滚补丁，重新评估目标指令上下文。

Handoff Patterns

交接模式

```
debugger
```
->
```
disassembly
```
to validate instruction semantics around patch site.
```
debugger
```
->
```
xrefs
```
to assess blast radius of patched/broken call paths.
```
debugger
```
->
```
annotations
```
to leave durable analyst breadcrumbs.

```
debugger
```
->
```
disassembly
```
：验证补丁位置周围的指令语义。
```
debugger
```
->
```
xrefs
```
：评估补丁/损坏调用路径的影响范围。
```
debugger
```
->
```
annotations
```
：留下持久化的分析痕迹。

breakpoints

breakpoints（断点）

Debugger breakpoints. Supports full CRUD (SELECT, INSERT, UPDATE, DELETE). Breakpoints persist in the IDB even without an active debugger session.

Column	Type	RW	Description
`address`	INT	R	Breakpoint address
`enabled`	INT	RW	1=enabled, 0=disabled
`type`	INT	RW	Breakpoint type (0=software, 1=hw_write, 2=hw_read, 3=hw_rdwr, 4=hw_exec)
`type_name`	TEXT	R	Type name (software, hardware_write, etc.)
`size`	INT	RW	Breakpoint size (for hardware breakpoints)
`flags`	INT	RW	Breakpoint flags
`pass_count`	INT	RW	Pass count before trigger
`condition`	TEXT	RW	Condition expression
`loc_type`	INT	R	Location type code
`loc_type_name`	TEXT	R	Location type (absolute, relative, symbolic, source)
`module`	TEXT	R	Module path (relative breakpoints)
`symbol`	TEXT	R	Symbol name (symbolic breakpoints)
`offset`	INT	R	Offset (relative/symbolic)
`source_file`	TEXT	R	Source file (source breakpoints)
`source_line`	INT	R	Source line number
`is_hardware`	INT	R	1=hardware breakpoint
`is_active`	INT	R	1=currently active
`group`	TEXT	RW	Breakpoint group name
`bptid`	INT	R	Breakpoint ID

sql

-- List all breakpoints
SELECT printf('0x%08X', address) as addr, type_name, enabled, condition
FROM breakpoints;

-- Add software breakpoint
INSERT INTO breakpoints (address) VALUES (0x401000);

-- Add hardware write watchpoint
INSERT INTO breakpoints (address, type, size) VALUES (0x402000, 1, 4);

-- Add conditional breakpoint
INSERT INTO breakpoints (address, condition) VALUES (0x401000, 'eax == 0');

-- Disable a breakpoint
UPDATE breakpoints SET enabled = 0 WHERE address = 0x401000;

-- Delete a breakpoint
DELETE FROM breakpoints WHERE address = 0x401000;

-- Find which functions have breakpoints
SELECT b.address, f.name, b.type_name, b.enabled
FROM breakpoints b
JOIN funcs f ON b.address >= f.address AND b.address < f.end_ea;

调试器断点。支持完整的CRUD（SELECT、INSERT、UPDATE、DELETE）操作。即使没有活跃的调试会话，断点也会保存在IDB中。

列名	类型	读写权限	描述
`address`	INT	R	断点地址
`enabled`	INT	RW	1=启用，0=禁用
`type`	INT	RW	断点类型（0=软件断点，1=硬件写断点，2=硬件读断点，3=硬件读写断点，4=硬件执行断点）
`type_name`	TEXT	R	类型名称（software、hardware_write等）
`size`	INT	RW	断点大小（针对硬件断点）
`flags`	INT	RW	断点标志位
`pass_count`	INT	RW	触发前的通过次数
`condition`	TEXT	RW	条件表达式
`loc_type`	INT	R	位置类型代码
`loc_type_name`	TEXT	R	位置类型（absolute、relative、symbolic、source）
`module`	TEXT	R	模块路径（相对断点）
`symbol`	TEXT	R	符号名称（符号断点）
`offset`	INT	R	偏移量（相对/符号断点）
`source_file`	TEXT	R	源文件（源断点）
`source_line`	INT	R	源文件行号
`is_hardware`	INT	R	1=硬件断点
`is_active`	INT	R	1=当前处于活跃状态
`group`	TEXT	RW	断点组名称
`bptid`	INT	R	断点ID

sql

-- 列出所有断点
SELECT printf('0x%08X', address) as addr, type_name, enabled, condition
FROM breakpoints;

-- 添加软件断点
INSERT INTO breakpoints (address) VALUES (0x401000);

-- 添加硬件写监视断点
INSERT INTO breakpoints (address, type, size) VALUES (0x402000, 1, 4);

-- 添加条件断点
INSERT INTO breakpoints (address, condition) VALUES (0x401000, 'eax == 0');

-- 禁用断点
UPDATE breakpoints SET enabled = 0 WHERE address = 0x401000;

-- 删除断点
DELETE FROM breakpoints WHERE address = 0x401000;

-- 查找哪些函数设置了断点
SELECT b.address, f.name, b.type_name, b.enabled
FROM breakpoints b
JOIN funcs f ON b.address >= f.address AND b.address < f.end_ea;

bytes (Byte Patching)

bytes（字节补丁）

Pure mapped-byte program view with patch support. This table is one row per mapped byte address; IDA item metadata such as size/type belongs to

heads

Column	Type	RW	Description
`ea`	INT	R	Byte address
`value`	INT	RW	Current byte value (UPDATE patches byte)
`original_value`	INT	R	Original byte value before patch
`is_patched`	INT	R	1 if byte differs from original
`fpos`	INT	R	Physical/input file offset (NULL when unavailable)

sql

-- Read one address
SELECT ea, value, original_value, is_patched
FROM bytes WHERE ea = 0x401000;

-- Read a byte range, including item-tail bytes
SELECT ea, value
FROM bytes
WHERE ea >= 0x401000 AND ea < 0x401010
ORDER BY ea;

-- Get item metadata separately
SELECT address, size, type, flags, disasm
FROM heads
WHERE address = 0x401000;

-- Patch via table update
UPDATE bytes SET value = 0x90 WHERE ea = 0x401000;

-- Inspect patch inventory
SELECT * FROM patched_bytes LIMIT 20;

-- Persist once done
SELECT save_database();

带有补丁支持的纯映射字节程序视图。该表每行对应一个映射字节地址；IDA项元数据（如大小/类型）属于

heads

表。

列名	类型	读写权限	描述
`ea`	INT	R	字节地址
`value`	INT	RW	当前字节值（UPDATE操作会修改字节）
`original_value`	INT	R	补丁前的原始字节值
`is_patched`	INT	R	1表示字节与原始值不同
`fpos`	INT	R	物理/输入文件偏移量（不可用时为NULL）

sql

-- 读取单个地址
SELECT ea, value, original_value, is_patched
FROM bytes WHERE ea = 0x401000;

-- 读取字节范围，包括项尾部字节
SELECT ea, value
FROM bytes
WHERE ea >= 0x401000 AND ea < 0x401010
ORDER BY ea;

-- 单独获取项元数据
SELECT address, size, type, flags, disasm
FROM heads
WHERE address = 0x401000;

-- 通过表更新打补丁
UPDATE bytes SET value = 0x90 WHERE ea = 0x401000;

-- 查看补丁清单
SELECT * FROM patched_bytes LIMIT 20;

-- 完成后持久化
SELECT save_database();

patched_bytes

patched_bytes（已补丁字节）

All patched locations tracked by IDA.

Column	Type	Description
`ea`	INT	Patched address
`original_value`	INT	Original byte value
`patched_value`	INT	Current patched value
`fpos`	INT	File offset when available

sql

SELECT printf('0x%X', ea) AS ea,
       printf('0x%02X', original_value) AS old,
       printf('0x%02X', patched_value) AS new
FROM patched_bytes
ORDER BY ea;

IDA跟踪的所有已补丁位置。

列名	类型	描述
`ea`	INT	补丁地址
`original_value`	INT	原始字节值
`patched_value`	INT	当前补丁值
`fpos`	INT	可用时的文件偏移量

sql

SELECT printf('0x%X', ea) AS ea,
       printf('0x%02X', original_value) AS old,
       printf('0x%02X', patched_value) AS new
FROM patched_bytes
ORDER BY ea;

SQL Functions — Byte Patching

SQL Functions — Byte Patching（SQL函数 — 字节补丁）

Function	Description
`bytes(addr, n)`	Read `n` raw bytes as hex string
`bytes_raw(addr, n)`	Read `n` bytes as BLOB
`load_file_bytes(path, file_offset, address, size[, patchable])`	Load patch bytes from a host file into memory/file image
`patch_byte(addr, val)`	Patch one byte at `addr` (returns 1/0)
`patch_word(addr, val)`	Patch 2 bytes at `addr` (returns 1/0)
`patch_dword(addr, val)`	Patch 4 bytes at `addr` (returns 1/0)
`patch_qword(addr, val)`	Patch 8 bytes at `addr` (returns 1/0)
`revert_byte(addr)`	Revert one patched byte to original
`get_original_byte(addr)`	Read original (pre-patch) byte

sql

-- Read bytes
SELECT bytes(0x401000, 16);

-- Patch one byte (example: NOP)
SELECT patch_byte(0x401000, 0x90) AS ok;

-- Verify current vs original
SELECT bytes(0x401000, 1) AS current, get_original_byte(0x401000) AS original;

-- Revert patch
SELECT revert_byte(0x401000) AS reverted;

-- Persist patches explicitly
SELECT save_database();

load_file_bytes(...)

is the bulk alternative to

patch_*

helpers when patch content already exists in a file.

函数	描述
`bytes(addr, n)`	读取 `n` 个原始字节并以十六进制字符串返回
`bytes_raw(addr, n)`	读取 `n` 个字节并以BLOB返回
`load_file_bytes(path, file_offset, address, size[, patchable])`	将主机文件中的补丁字节加载到内存/文件镜像中
`patch_byte(addr, val)`	在 `addr` 处打一个字节补丁（返回1/0表示成功/失败）
`patch_word(addr, val)`	在 `addr` 处打2字节补丁（返回1/0）
`patch_dword(addr, val)`	在 `addr` 处打4字节补丁（返回1/0）
`patch_qword(addr, val)`	在 `addr` 处打8字节补丁（返回1/0）
`revert_byte(addr)`	将已补丁字节回滚到原始值
`get_original_byte(addr)`	读取原始（补丁前）字节

sql

-- 读取字节
SELECT bytes(0x401000, 16);

-- 打一个字节补丁（示例：NOP指令）
SELECT patch_byte(0x401000, 0x90) AS ok;

-- 验证当前值与原始值
SELECT bytes(0x401000, 1) AS current, get_original_byte(0x401000) AS original;

-- 回滚补丁
SELECT revert_byte(0x401000) AS reverted;

-- 显式持久化补丁
SELECT save_database();

当补丁内容已存在于文件中时，

load_file_bytes(...)

是

patch_*

系列辅助函数的批量替代方案。

Analysis-Driven Breakpoint Workflows

Analysis-Driven Breakpoint Workflows（基于分析的断点工作流）

Set breakpoints on all callers of a security-sensitive API

为安全敏感API的所有调用者设置断点

Use disasm_calls to find every call site and batch-insert breakpoints:

sql

-- Breakpoint on every call to VirtualAlloc (or similar)
INSERT INTO breakpoints (address)
SELECT ea FROM disasm_calls WHERE callee_name LIKE '%VirtualAlloc%';

-- Verify
SELECT printf('0x%08X', address) AS addr, type_name, enabled
FROM breakpoints;

使用disasm_calls查找所有调用点并批量插入断点：

sql

-- 为所有VirtualAlloc（或类似函数）的调用设置断点
INSERT INTO breakpoints (address)
SELECT ea FROM disasm_calls WHERE callee_name LIKE '%VirtualAlloc%';

-- 验证
SELECT printf('0x%08X', address) AS addr, type_name, enabled
FROM breakpoints;

Watchpoints on struct fields discovered via type analysis

为通过类型分析发现的结构体字段设置监视断点

After recovering a struct, set hardware watchpoints on specific field offsets:

sql

-- Hardware write watchpoint on a 4-byte field (e.g., config.flags at base+0x10)
-- First, find where the struct base is stored (requires manual analysis)
INSERT INTO breakpoints (address, type, size) VALUES (0x402010, 1, 4);
-- type=1 is hardware_write, size=4 for DWORD field

恢复结构体后，为特定字段偏移设置硬件监视断点：

sql

-- 为4字节字段设置硬件写监视断点（例如，config.flags在基地址+0x10处）
-- 首先，找到结构体基地址的存储位置（需要手动分析）
INSERT INTO breakpoints (address, type, size) VALUES (0x402010, 1, 4);
-- type=1表示hardware_write，size=4对应DWORD字段

Conditional breakpoints from decompiler analysis

基于反编译器分析的条件断点

Set breakpoints that only trigger when specific conditions are met:

sql

-- Break when first argument (rcx on x64 fastcall) equals a specific enum value
INSERT INTO breakpoints (address, condition)
VALUES (0x401000, 'rcx == 3');

-- Break on error return
INSERT INTO breakpoints (address, condition)
VALUES (0x401050, 'rax == 0xFFFFFFFF');

设置仅在特定条件满足时触发的断点：

sql

-- 当第一个参数（x64 fastcall中的rcx）等于特定枚举值时触发断点
INSERT INTO breakpoints (address, condition)
VALUES (0x401000, 'rcx == 3');

-- 在函数返回错误时触发断点
INSERT INTO breakpoints (address, condition)
VALUES (0x401050, 'rax == 0xFFFFFFFF');

Patching Workflows

Patching Workflows（补丁工作流）

NOP out anti-debug checks

用NOP指令禁用反调试检查

Find and neutralize

IsDebuggerPresent

checks:

sql

-- Find calls to IsDebuggerPresent
SELECT dc.ea, (SELECT name FROM funcs WHERE dc.func_addr >= address AND dc.func_addr < end_ea LIMIT 1) AS func_name,
       disasm_at(dc.ea, 2) AS context
FROM disasm_calls dc
WHERE dc.callee_name LIKE '%IsDebuggerPresent%';

-- Patch the conditional jump after the check (example: jnz → nop nop)
-- First inspect the instruction after the call
SELECT disasm_at(0x401030, 3);
-- Then patch (adjust addresses based on actual binary)
SELECT patch_byte(0x401035, 0x90);
SELECT patch_byte(0x401036, 0x90);

查找并中和

IsDebuggerPresent

检查：

sql

-- 查找IsDebuggerPresent的调用
SELECT dc.ea, (SELECT name FROM funcs WHERE dc.func_addr >= address AND dc.func_addr < end_ea LIMIT 1) AS func_name,
       disasm_at(dc.ea, 2) AS context
FROM disasm_calls dc
WHERE dc.callee_name LIKE '%IsDebuggerPresent%';

-- 补丁检查后的条件跳转（示例：jnz → nop nop）
-- 首先检查调用后的指令
SELECT disasm_at(0x401030, 3);
-- 然后打补丁（根据实际二进制调整地址）
SELECT patch_byte(0x401035, 0x90);
SELECT patch_byte(0x401036, 0x90);

Inventory all patches and generate report

清点所有补丁并生成报告

sql

-- Full patch report: what was changed and where
SELECT printf('0x%X', ea) AS address,
       (SELECT name FROM funcs WHERE ea >= address AND ea < end_ea LIMIT 1) AS func_name,
       printf('0x%02X', original_value) AS original,
       printf('0x%02X', patched_value) AS patched,
       disasm_at(ea) AS context
FROM patched_bytes
ORDER BY ea;

sql

-- 完整补丁报告：修改内容及位置
SELECT printf('0x%X', ea) AS address,
       (SELECT name FROM funcs WHERE ea >= address AND ea < end_ea LIMIT 1) AS func_name,
       printf('0x%02X', original_value) AS original,
       printf('0x%02X', patched_value) AS patched,
       disasm_at(ea) AS context
FROM patched_bytes
ORDER BY ea;

Performance Notes

Performance Notes（性能说明）

Table	Size	Constraint	Notes
`breakpoints`	Small (<100 typical)	none needed	Always fast
`bytes`	All mapped bytes	`ea`	Critical — constrain to one address or a tight range
`patched_bytes`	Small (patch count)	none needed	Scans all patches, usually tiny

```
breakpoints
```
table is small — full scans are fine.
```
bytes
```
table emits one row per mapped byte. Use
```
WHERE ea = X
```
or a tight
```
ea
```
range.
```
patched_bytes
```
iterates only patched locations — always fast.

表名	大小	约束	说明
`breakpoints`	小（通常<100条）	无需约束	始终快速
`bytes`	所有映射字节	`ea`	关键 — 限制为单个地址或窄范围
`patched_bytes`	小（补丁数量级）	无需约束	扫描所有补丁，通常速度很快

```
breakpoints
```
表很小 — 全表扫描没问题。
```
bytes
```
表每行对应一个映射字节。使用
```
WHERE ea = X
```
或窄
```
ea
```
范围查询。
```
patched_bytes
```
仅遍历已补丁位置 — 始终快速。