NIDebugger

NonIntrusive x86 Debugger for the .NET framework


Welcome to the NIDebugger Project.

NIDebugger aims to provide a fun, intuitive, and fast way to non-intrusively debug and manipulate Windows native x86 applications using your favorite .NET language. NIDebugger is not a user-friendly end-user application but rather a .NET library that developers can use to debug and manipulate processes programmatically.

What is Non-Intrusive Debugging?

Non-intrusive debugging is a method by which one process (the debugger) can control another process (the debuggee) without registering itself as a real debugger using the Windows APIs. Standard debuggers use the INT3 opcode to raise exceptions in the debugged process so that the debugger can take control; these are, in effect, breakpoints.

However, since we are NOT a true debugger, we are unable to receive exceptions that are thrown in the debuggee and instead rely on the clever use of 'EBFE' commands. 'EBFE' (the bytes EB FE) in x86 assembly is an infinite loop: a short jump back onto itself. In a non-intrusive debugger, these EBFE commands are strategically placed and the thread(s) of an application are then allowed to run in short bursts; after every burst, each thread is checked to see whether it is stuck on an EBFE 'breakpoint'.

These techniques give us a close analog to the INT3 used by standard debuggers. However, non-intrusive debuggers do have limits: there are certain things that cannot be done without being registered and behaving as a true debugger.
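A minimal model of the EBFE breakpoint cycle described above, added here as an illustration and not taken from NIDebugger's source. It is written in C rather than .NET, and the byte-array "memory", the two-opcode simulated thread and every function name are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model: memory is a byte array; the thread knows NOP and JMP rel8. */
typedef struct { uint32_t addr; uint8_t saved[2]; int active; } Breakpoint;

/* JMP rel8 targets next instruction + signed rel8; 0xFE is -2, so EB FE loops. */
static uint32_t jmp_short_target(uint32_t addr, uint8_t rel8) {
    return addr + 2 + (int8_t)rel8;
}

/* Save the two original bytes, then overwrite them with EB FE. */
static void bp_set(uint8_t *mem, Breakpoint *bp, uint32_t addr) {
    bp->addr = addr; bp->active = 1;
    memcpy(bp->saved, mem + addr, 2);
    mem[addr] = 0xEB; mem[addr + 1] = 0xFE;
}

/* Restore the original bytes so the thread can run past the breakpoint. */
static void bp_clear(uint8_t *mem, Breakpoint *bp) {
    memcpy(mem + bp->addr, bp->saved, 2);
    bp->active = 0;
}

/* Let the thread execute at most `steps` instructions; return its new EIP. */
static uint32_t run_burst(const uint8_t *mem, uint32_t len, uint32_t eip, int steps) {
    while (steps-- > 0 && eip < len) {
        if (mem[eip] == 0x90) eip += 1;
        else if (mem[eip] == 0xEB && eip + 1 < len) eip = jmp_short_target(eip, mem[eip + 1]);
        else break; /* opcode outside this toy model */
    }
    return eip;
}

/* After a burst: is the thread parked on the patched address? */
static int bp_hit(const Breakpoint *bp, uint32_t eip) { return bp->active && eip == bp->addr; }

/* Constructed run: 16 NOPs, breakpoint at offset 5, bursts of 3 instructions. */
static int demo_bursts_until_hit(void) {
    uint8_t mem[16];
    Breakpoint bp;
    memset(mem, 0x90, sizeof mem);
    bp_set(mem, &bp, 5);
    for (uint32_t n = 1, eip = 0; n <= 8; n++) {
        eip = run_burst(mem, sizeof mem, eip, 3);
        if (bp_hit(&bp, eip)) return (int)n;
    }
    return -1;
}

int main(void) { return demo_bursts_until_hit() == 2 ? 0 : 1; }
```

Because the patch is two bytes wide, two original bytes have to be saved and restored, and the hit is only noticed at the end of the burst in which the thread reached it.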

Why Non-Intrusive

Some programs alter the way they behave depending on whether they are being debugged. In some cases the only way to 'see' what a program is doing is to debug it without the executable detecting that it is being debugged. Non-intrusive debugging techniques prevent this detection altogether (except for possible timing checks).

In a more advanced situation, some programs launch as a parent and then spawn another copy of themselves as a child; they then set the parent process up to debug the child, where the child actually does the work. In this scenario it is impossible to attach a real debugger to the child, as Windows only allows a single debugger to debug a process. Non-intrusive techniques can work well here too!

Documentation

Documentation for the NIDebugger library can be found here.

Examples

To Be Completed.

Authors and Contributors

NIDebugger was primarily developed by @tslater2006, and is the 3rd implementation of such a debugger. The original NIDebugger was written in Visual Basic 6, with a lackluster port of it being made to the .NET environment. Because of this, the developer felt the best option would be to perform a complete rewrite of the debugger, starting from scratch and implementing features in .NET as they should have been implemented instead of porting over the VB6 version of the methods.

Certain features like SingleStep would not have been possible without the amazing work of @vol4ok on the ldasm64 project which allows for the length-disassembly of x86 instructions.

The concept of using 'EBFE' commands in lieu of breakpoints comes from the awesome mind of Shub Nigurrath over at ARTeam who credits an individual by the name of yates.

Throughout the various incarnations of this non-intrusive debugger, Ghandi (another individual over at ARTeam) provided invaluable help and support in reaching the end goal of a functional debugging library.