
A simple debugging question


Hero
April 16th, 2007, 13:14
Hi all
This is a somewhat strange question, but I don't know how I should say this.
Assume that your main application executable file has a loader that you should use for running that file.
How can you debug this file (I mean the main one) from its EP?
I can easily go to the loader's CreateProcess, but if I attach to the created process, I will have gone past the EP, and I want to start debugging from the EP.
I thought changing the CreateProcess flags and adding the CREATE_SUSPENDED flag would work, but I noticed that you can't attach to a suspended process.
How can I start debugging the child process from the EP, even though it has to be started with that loader?

Regards

blurcode
April 16th, 2007, 13:43
You patch the target program at entry point to always jump to entry point. Then you attach with the debugger, restore the original bytes at entry point and continue your debugging experience.

Btw I never used the above trick, I only read about it in old tutorials.

blabberer
April 17th, 2007, 02:01
get windbg and tell it .childdebug

or other possible ways include the 0xEBFE (jmp eip) patch as said by blurcode above, or patching an int3 and setting i3here in sice, etc.


if you go childdebug way with windbg
this thread could help you

http://www.woodmann.com/forum/showthread.php?t=9356&highlight=child

Hero
April 17th, 2007, 04:46
Hi
Thanks for the reply.
OK, I want to do this in Olly (I use WinDbg really little), so it seems I should use patching.
When should I patch the entry point to make it jump to itself?
I know I can do it using a hard patch (I mean patching the original file on disk) and change it every time while debugging, but I prefer to do this as a memory patch (like a simple memory patch for the Armadillo debug blocker).
How can I do it in memory? Is it possible? (After creating the process as suspended, I can't access it to patch.)

Regards

evlncrn8
April 17th, 2007, 06:10
Quote (originally posted by Hero, post 64993):
When should I patch the entry point to make it jump to itself?


Create it suspended, write 0xEB 0xFE to the entry point (WriteProcessMemory), let it resume,
GetThreadContext loop until RegisterEip = the entry point,
suspend, then patch back the original bytes...
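The sequence evlncrn8 describes, as an added example written for this thread rather than code from any poster: a small 32-bit Win32 launcher that starts the target suspended, writes the EB FE (jmp $) patch at the EP, polls the thread context until EIP sits on the EP, restores the original bytes and leaves the thread suspended so OllyDbg can attach and single-step from the first instruction. The entry VA is taken from the file's own PE32 header (ImageBase + AddressOfEntryPoint, assuming the image loads at its preferred base, as 32-bit images of that era did); `pe32_entry_va`, `park_at_entry` and `sample_hdr` are names chosen here, and the header bytes are constructed, not from a real file. When the exe must be started by its loader, the same patch/poll/restore steps apply to the child's handles after the loader's CreateProcess returns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>
#endif
/* Little-endian 32-bit read from a byte buffer. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
/* Entry-point VA of a PE32 image from its raw headers (ImageBase + AddressOfEntryPoint),
 * 0 if not PE32. Assumes the image is loaded at its preferred base (no relocation). */
uint32_t pe32_entry_va(const uint8_t *hdr, size_t len) {
    if (len < 0x40 || hdr[0] != 'M' || hdr[1] != 'Z') return 0;
    uint32_t pe = rd32(hdr + 0x3C);                   /* e_lfanew */
    if (pe + 0x60 > len || memcmp(hdr + pe, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = hdr + pe + 24;               /* IMAGE_OPTIONAL_HEADER32 */
    if (opt[0] != 0x0B || opt[1] != 0x01) return 0;   /* Magic 0x010B = PE32 */
    return rd32(opt + 28) + rd32(opt + 16);           /* ImageBase + AddressOfEntryPoint */
}
/* Constructed minimal PE32 header (not a real file): e_lfanew 0x40,
 * AddressOfEntryPoint 0x1000, ImageBase 0x00400000, so the EP VA is 0x00401000. */
static const uint8_t sample_hdr[0xA0] = {
    [0] = 'M', [1] = 'Z', [0x3C] = 0x40, [0x40] = 'P', [0x41] = 'E',
    [0x58] = 0x0B, [0x59] = 0x01, [0x69] = 0x10, [0x76] = 0x40,
};
#if defined(_WIN32) && !defined(_WIN64)
/* Start exe suspended, park its main thread on "jmp $" (EB FE) at entry_va, restore the
 * original bytes and leave the thread suspended for the debugger. 32-bit build only
 * (uses CONTEXT.Eip). Returns 0 on success. */
int park_at_entry(const char *exe, DWORD entry_va) {
    STARTUPINFOA si = { sizeof si }; PROCESS_INFORMATION pi; CONTEXT ctx; SIZE_T n;
    BYTE orig[2], jmp_self[2] = { 0xEB, 0xFE };
    if (!CreateProcessA(exe, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
        return 1;
    if (!ReadProcessMemory(pi.hProcess, (LPCVOID)entry_va, orig, 2, &n)) return 2;
    WriteProcessMemory(pi.hProcess, (LPVOID)entry_va, jmp_self, 2, &n);
    FlushInstructionCache(pi.hProcess, (LPCVOID)entry_va, 2);
    ResumeThread(pi.hThread);
    for (;;) {                         /* poll until the thread is spinning at EP */
        Sleep(10);
        SuspendThread(pi.hThread);     /* a context is only reliable while suspended */
        ctx.ContextFlags = CONTEXT_CONTROL;
        GetThreadContext(pi.hThread, &ctx);
        if (ctx.Eip == entry_va) break;
        ResumeThread(pi.hThread);
    }
    WriteProcessMemory(pi.hProcess, (LPVOID)entry_va, orig, 2, &n);
    FlushInstructionCache(pi.hProcess, (LPCVOID)entry_va, 2);
    printf("PID %lu parked at EP %08lX; attach, then resume thread %lu\n", pi.dwProcessId, entry_va, pi.dwThreadId);
    return 0;
}
#endif
```

Read the first few hundred bytes of the exe into a buffer, pass it to pe32_entry_va, then call park_at_entry with the path and the returned VA; once attached in Olly, resume the thread and you are sitting on the original first instruction.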