t_run
Keeps current status of the debugged application. Most of the fields in this structure are for internal use by OllyDbg. Never modify them directly, or this may destabilize the debugging engine.
typedef struct t_run {                 // Run status of debugged application
  t_status       status;               // Operation mode, one of STAT_xxx
  ulong          threadid;             // ID of single running thread, 0 if all
  ulong          tpausing;             // Tick count when pausing was requested
  int            wakestep;             // 0: wait, 1: waked, 2: warned
  ulong          eip;                  // EIP at last debugging event
  ulong          ecx;                  // ECX at last debugging event
  ulong          restoreint3addr;      // Address of temporarily removed INT3
  ulong          stepoverdest;         // Destination of STAT_STEPOVER
  int            updatebppage;         // Update temporarily removed bppage's
  DEBUG_EVENT    de;                   // Information from WaitForDebugEvent()
  int            indebugevent;         // Paused on event, threads suspended
  int            netevent;             // Event is from .NET debugger
  int            isappexception;       // Exception in application, AE_xxx
  ulong          lastexception;        // Last exception in application or 0
  int            suspended;            // Suspension counter
  int            suspendonpause;       // Whether first suspension on pause
  int            updatedebugreg;       // 1: set, -1: reset HW breakpoints
  int            dregmodified;         // Debug regs modified by application
} t_run;
Members:
status
One of the constants of type STAT_xxx, current status of the debugged application. Status is controlled by the debugging engine. If you really need to modify it, call Setstatus()
threadid
If in the single-thread mode (run trace, stepping, etc.), the identifier of the thread; otherwise, 0
tpausing
Value returned by GetTickCount() when pausing (status=STAT_PAUSING) was requested, used to timeout this request and undertake additional actions
wakestep
Used together with tpausing to wake up sleeping application
eip
Value of register EIP at the moment when last exception was continued, used together with ecx to step over the command in the case that there are several breakpoints of different kind (INT3, hardware and/or memory) set on the same location
ecx
Value of register ECX at the moment when last exception was continued, used together with eip to step over the command in the case that there are several breakpoints of different kind (INT3, hardware and/or memory) set on the same location
restoreint3addr
Address of the temporarily removed INT3 breakpoint
stepoverdest
Destination of the step over, or 0 if any destination is allowed (like conditional jump)
updatebppage
Request to update temporarily restored memory attributes of the memory pages containing memory breakpoints
de
Structure of type DEBUG_EVENT, description of the pending debug event. In general, valid only if status is STAT_PAUSED or STAT_FINISHED
indebugevent
Application is paused on debug event, therefore Suspendallthreads() does not need to call SuspendThread()
netevent
Indicator of event reported by .NET debugging API
isappexception
One of the constants AE_xxx, describing an exception that occurred in the application and was not caused by OllyDbg (like INT3 or memory breakpoint). Only application exceptions of type AE_APP can be passed to the application
lastexception
Code of the last reported exception
suspended
Suspension counter. If this counter is not 0, application was already suspended. Suspendallthreads() just increases the counter and does not call SuspendThread() again
suspendonpause
updatedebugreg
Request to update hardware breakpoints when execution of the paused application is continued. 1: set hardware breakpoints, -1: remove them
dregmodified
Indicates that hardware breakpoints were modified by the debugged application