
I have a script that catches, say, a value of 666 in the RDX register and pauses debugging. The problem is that this value might be added to the register by other modules aside from the main application that I am debugging, for example by ntdll.dll, which is of course of no use to me.

How do I get the name of the module the debugger is currently in at any given moment, so I can ignore the case where RDX is changed in that module? Something like this:

while True:
    idaapi.step_into()
    idaapi.wait_for_next_event(2, -1)
    counter = GetRegValue('RDX')
    if counter == 666 and GetCurrentModuleName() != 'ntdll.dll':
        break

1 Answer

get_module_info seems to be what you want; it returns a modinfo_t structure with the full module name.

An untested sketch of example usage would be:

import idaapi, ida_idd, ida_dbg

while True:
    idaapi.step_into()
    idaapi.wait_for_next_event(2, -1)

    ea = ida_dbg.get_ip_val()
    modinfo = ida_idd.modinfo_t()
    ida_dbg.get_module_info(ea, modinfo)  # fills modinfo with the module containing ea

    counter = GetRegValue('RDX')
    if counter == 666 and modinfo.name != 'ntdll.dll':
        break

mimak
  • Cheers, mate! That did it. Although I have to note that modinfo.name contains the full path to the file, so checking it against just the filename is going to fail; you need to extract the filename from it first. Also I am not sure if this line does anything at all: ida_dbg.get_module_info(ea, modinfo) – MartinRøde Jul 10 '23 at 08:16
  • @MartinRøde IDAPython is just a wrapper for IDC and get_module_info populates the modinfo pointer, I linked you the docs for it – mimak Jul 10 '23 at 11:59
  • Aye, cheers, now that makes sense. I checked the docs, yeah, but in all honesty, for someone who is not proficient at programming, how is that meaningful documentation? How does one conclude from that snippet that it populates the modinfo pointer? def get_module_info (*args) -> bool get_module_info(ea, modinfo) -> bool ea: ea_t modinfo: modinfo_t * – MartinRøde Jul 11 '23 at 05:35
  • yeah hexrays' docs are infamous for incompleteness, but that's all we get – mimak Jul 11 '23 at 11:15
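Putting the answer and the comment thread together, here is an added example (not code from the question or the answer) that separates the pure-Python decision logic from the IDA calls, so the module-name check can be tested outside the debugger. It assumes the IDAPython calls named on the page (ida_dbg.get_module_info, ida_dbg.get_ip_val, idaapi.step_into, idaapi.wait_for_next_event) plus idc.get_reg_value; the watched value 666 and the ignored module ntdll.dll come from the question, and the basename/case handling addresses the full-path problem raised in the first comment.

```python
import ntpath  # splits on backslashes even when the script runs on Linux

WATCHED_VALUE = 666               # value from the question
IGNORED_MODULES = ('ntdll.dll',)  # modules whose writes to RDX we skip


def module_basename(full_path):
    """modinfo.name holds the full path (e.g. C:\\Windows\\System32\\ntdll.dll),
    so reduce it to a lower-cased file name before comparing."""
    return ntpath.basename(full_path).lower()


def should_break(rdx, module_path, watched=WATCHED_VALUE, ignored=IGNORED_MODULES):
    """True when RDX holds the watched value and the current instruction is
    not inside an ignored module. Comparison is case-insensitive because
    Windows paths are; an empty path (no module found) is not ignored."""
    if rdx != watched:
        return False
    return module_basename(module_path) not in {m.lower() for m in ignored}


def module_of(ea):
    """Resolve ea to the path of the module containing it via
    ida_dbg.get_module_info, which fills the modinfo_t it is passed and
    returns False when ea belongs to no loaded module (assumed IDA API)."""
    import ida_dbg, ida_idd  # only importable inside IDA
    modinfo = ida_idd.modinfo_t()
    if not ida_dbg.get_module_info(ea, modinfo):
        return ''
    return modinfo.name


def step_until_rdx(max_steps=100000):
    """Single-step until should_break() fires; returns the stopping address,
    or None if max_steps is exhausted. Runs only inside IDA's debugger."""
    import idaapi, ida_dbg, idc  # only importable inside IDA
    for _ in range(max_steps):
        idaapi.step_into()
        idaapi.wait_for_next_event(2, -1)  # 2 == WFNE_SUSP, as in the answer
        ea = ida_dbg.get_ip_val()
        if should_break(idc.get_reg_value('RDX'), module_of(ea)):
            return ea
    return None
```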