ollydbg 2.01 alpha 4
blabberer
August 3rd, 2011, 22:54
wow at last plugins are supportable good news
August 03, 2011 - OllyDbg 2.01 alpha 4. Here is Alpha 4, here is Bookmarks plugin
As you see, this version already supports plugins. New plugin interface is similar to the old (v1.10) but is not backwards compatible. It includes more than 350 API functions, 60 or so variables and many enumerations and structures that all need to be documented. This will take a while, therefore I decided to make a preliminary release. It includes plugin header file (plugin.h) and commented bookmarks source code (bookmark.c). Writing your own plugins without the documentation is a pure masochism, but at least you will be able to analyse the structure of the interface and send me your comments, wishes and suggestions.
This is the last alpha release. After plugin documentation is ready, I will call it 2.01 beta 1. Then I will start to write OllyDbg help and finally make the full 2.01 release. Till then, I plan no major changes.
Other new features in this version:
- Patch manager, similar to 1.10
- Shortcut editor, supports weird things like Ctrl+Win+$ etc. Now you can customize and share your shortcuts. I haven't tested it on Win7, please report any found bugs and incompatibilities!
- Instant .udd file loading. In the previous versions I've postponed analysis, respectively reading of the .udd file till the moment when all external links are resolved. But sometimes it took plenty of time, module started execution and was unable to break on the breakpoints placed in the DLL initialization routine
- Automatic search for the SFX entry point, very raw and works only with several packers. Should be significantly more reliable than 1.10. If you tried it on some SFX and OllyDbg was unable to find real entry, please send me, if possible, the link or executable for analysis!
- "Go to" dialog lists matching names in all modules
- Logging breakpoints can protocol multiple expressions. Here is an example: I ask OllyDbg to protocol the contents of EAX, EBX and 4 memory doublewords starting at address ESP. Expressions must be separated by commas, repeat count has form SIZE*N, N=1..32:
Maximus
August 6th, 2011, 17:00
alpha 3 was way less stable than alpha 2 - I just hope olly did fix the stability in v4.
IDA debugger can't really keep comparison with olly... no way
... but hell yes, plugins
(to me, just being able to use olly on 7x64 had been a TRUE blessing)
rendari
August 11th, 2011, 08:14
Quote:
> (to me, just being able to use olly on 7x64 had been a TRUE blessing)
I've been running 1.10 fine now for 1 year with Stealth64 on Win7x64... of course you can't debug 64 bit apps...
Maximus
August 12th, 2011, 04:50
Olly 1.1 surely works in 7x64, but not completely.
It has some subtle yet irritating problems that make it hardly usable over time, and forced me many times to switch to IDA debugger.
Olly 2 has no such problems, and it is a blessing. IDA debugger is not nearly as useful as Olly for advanced debugging.
rendari
August 12th, 2011, 20:54
Maximus,
What kinds of problems do you have on 7/64? Curious because I haven't run into any in a long time... maybe I'm doing the wrong sorts of reversing
-rendari
Maximus
August 15th, 2011, 16:08
hmmm... let me remember. Keep in mind they were somewhat 'weird' and did not always appear.
I had the x64 plugin fix, of course, but it didn't help.
1) attach didn't work. Now, it may seem not useful as a feature, but attach is essential.
2) I was having some weird problem running/stopping code, even when not attaching.
3) some other minor, irritating problems I do not remember... ah, i.e. sometimes a breakpoint didn't trigger and it ended looping forever, etc
Olly is simply too powerful for r3 debugging, no way

jhon thomas
September 2nd, 2011, 10:02
I am trying to use Olly (version 2.01 alpha 4) in Windows 7 Ultimate. This version of Olly works fine in this O.S., but I am facing this situation:
Even using a full administrator rights account and starting Olly under the administrator account, when I try to attach to a process named 'system', I get an error -> ACCESS DENIED. I need to attach the debugger because I am studying the core of this system.
I searched policy settings in control panel, googled it, everything, but I don't know how to grant OllyDbg access to that process.
Maybe Micro$oft doesn't want us to debug that process? If not, where can I change this setting?
Or maybe Olly cannot do it? That is why I am posting it here, Olly support..
Does someone here know how, or where, to disable this policy in Windows 7 Ultimate R 7600?
To reproduce this error in Windows 7, just run Olly under administrator and try to attach to 'system'.
Thanks in advance!!
blabberer
September 2nd, 2011, 15:09
that is not just OllyDbg's problem alone
windbg will also not be able to attach to the System process
Debugger initialization Failed Win error 05
and that is not just in win seven
but also winxp sp3
C:\Program Files\Debugging Tools for Windows (x86)>systeminfo | findstr /b /i /c
:"os" & cdb -pn System & cdb -p 4
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Cannot debug pid 4, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."
Debuggee initialization failed, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Cannot debug pid 4, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."
Debuggee initialization failed, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."
C:\Program Files\Debugging Tools for Windows (x86)>
also the System process iirc does nothing but Wait For An Event
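To reproduce the same access check without a debugger, here is an added example (not code from the thread, OllyDbg or the Debugging Tools): a PowerShell script that enables SeDebugPrivilege in its own token, the way a debugger does before attaching, then tries OpenProcess and DebugActiveProcess on PID 4 and reports the Win32 error (5 = ERROR_ACCESS_DENIED, the Win32 mapping of the NTSTATUS 0xC0000022 shown above). The type name NativeMethods and the function Test-DebugAttach are names chosen for this example; it assumes an elevated PowerShell on Windows.

```powershell
# Added example, not from the thread: probe whether a user-mode debugger can attach to PID 4 (System).
# Assumes an elevated PowerShell on Windows; NativeMethods / Test-DebugAttach are names chosen here.
$nativeSource = @'
using System;
using System.Runtime.InteropServices;
public static class NativeMethods {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool DebugActiveProcess(uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool DebugActiveProcessStop(uint pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);

    // Enable one privilege (e.g. SeDebugPrivilege) in the current token, as debuggers do before attaching.
    public static bool EnablePrivilege(string name) {
        IntPtr token;
        // 0x0028 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        if (!OpenProcessToken(GetCurrentProcess(), 0x0028, out token)) return false;
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1;
        tp.Attributes = 0x2; // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, name, out tp.Luid)) { CloseHandle(token); return false; }
        bool ok = AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        int err = Marshal.GetLastWin32Error(); // 1300 = ERROR_NOT_ALL_ASSIGNED: privilege not in the token
        CloseHandle(token);
        return ok && err == 0;
    }
}
'@
Add-Type -TypeDefinition $nativeSource

function Test-DebugAttach {
    param([uint32]$ProcessId = 4)
    $report = [ordered]@{ Pid = $ProcessId }
    $report.SeDebugEnabled = [NativeMethods]::EnablePrivilege('SeDebugPrivilege')

    # PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, PROCESS_ALL_ACCESS = 0x1F0FFF
    $accessMasks = [ordered]@{ OpenQueryLimited = 0x1000; OpenAllAccess = 0x1F0FFF }
    foreach ($entry in $accessMasks.GetEnumerator()) {
        $h = [NativeMethods]::OpenProcess([uint32]$entry.Value, $false, $ProcessId)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) { $report[$entry.Key] = 'ok'; [void][NativeMethods]::CloseHandle($h) }
        else { $report[$entry.Key] = "failed, Win32 error $err" }
    }

    # DebugActiveProcess is the user-mode call behind "cdb -p" and OllyDbg's Attach.
    if ([NativeMethods]::DebugActiveProcess($ProcessId)) {
        $report.DebugAttach = 'ok'
        [void][NativeMethods]::DebugActiveProcessStop($ProcessId)   # detach without killing the target
    } else {
        $report.DebugAttach = "failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    [pscustomobject]$report
}

# Show which of the privileges discussed in the thread the current token holds, then probe PID 4.
whoami /priv | Select-String 'SeDebugPrivilege|SeTcbPrivilege'
Test-DebugAttach -ProcessId 4
```

Comparing the OpenProcess rows with the DebugAttach row separates a plain handle-rights problem (fixed by SeDebugPrivilege) from the attach refusal the thread is about, which stays at error 5 regardless of the token.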
jhon thomas
September 2nd, 2011, 15:56
I think there's some way to disable this in the system, by normal means, through a configuration in the system, I just don't know where..
Does someone know where to disable it?
In the worst case, it would be possible to patch the system, so it would let Olly pass... But what if that function is inside that process, then it would be very difficult to do..
Maybe softice would be able to do that?
Kayaker
September 2nd, 2011, 17:12
Try double clicking on the System process in ProcessExplorer and set Security/SeDebugPrivilege to Full Control. I do this in XP and it allows me to use the Softice command 'ADDR System' to switch context and get full access for other commands such as QUERY, THREAD -x, etc. Maybe Olly/Winny might attach then, though I doubt usermode debugging will give much useful info.
Maximus
September 3rd, 2011, 06:14
hmmm try to run olly under the 'system' account, instead of administrator.
system account != administrator account - i.e. you cannot alter the primary token with an admin account, you need to grab the seSomethingNotObviousIfIRememberWell privilege AND reboot to do that. There is a specific privilege that 'makes you' part of the system... aah found, the one with TCB at the end. Get it, and you are the true owner of the machine (care with it).
edit---
SeTcbPrivilege, that's it. This privilege is removed from admin, not just disabled, so you cannot turn it on by default - that's why you need to grant it to you and reboot to grab it.
jhon thomas
September 3rd, 2011, 08:42
Maximus: I tried to run OllyDbg under the system account, but it is still not possible to attach to that process. It was under the system account; I even tried to kill Olly with taskmgr and got access denied.
Kayaker: That process has the lowest PID number (system - PID 4) and doesn't appear under the 'normal' taskmgr, just in Olly.. (edit: yes, it appears, but you have to show all users' processes - Description: NT kernel & System - size - 84 K)
blabberer: if you have windbg installed and running, could you try what Kayaker described, to see if it would work?
Well.. regarding Olly, in older versions, when you right click in the code window, you have the option to choose what module you want to view, and choose, for example, the main executable. I would appreciate it if this new version had it. You can just press that button 'U' - execute until user code, that is very good, but what if you don't want to execute any code, but just browse?
blabberer
September 5th, 2011, 01:12
I don't think granting SeTcbPrivilege would allow you to attach to the System Process
basically doing at 00:00 \\drive\\path\\exe schedules a task as system and I don't think starting ollydbg/windbg/likewise would allow you to attach to the system process
basically the system process is not a process at all, it is a collection of threads that has System Privilege
and as such you can't find a system.exe anywhere (NO IMAGE PATH) iirc PsCreateInitialSytem_some_name_whatever function in nt(os\pa\mpa)
starts this System Process during PhaseInitilaisation if I remember correctly
see I have SeTcbPrivilege below, still I won't be able to attach to the System Process
Code:
C:\Documents and Settings\admi\Desktop>ntrights -u admi +r SeTcbPrivilege
Granting SeTcbPrivilege to admi ... successful
C:\Documents and Settings\admi\Desktop>showpriv.exe SeTcbPrivilege
2 account(s) with the SeTcbPrivilege user right:
VPC\admi
The LookupAccountSid() API returned error 0x00000534All accounts enumerated
C:\Documents and Settings\admi\Desktop>"c:\Program Files\Debugging Tools for Win
dows (x86)\cdb.exe" -pn System
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Cannot debug pid 4, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."
Debuggee initialization failed, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."
C:\Documents and Settings\admi\Desktop>
and neither would using kd give access to System process
C:\Documents and Settings\admi\Desktop>"c:\Program Files\Debugging Tools for Win
dows (x86)\ntsd.exe" -d -pn System
C:\Documents and Settings\admi\Desktop>
kd> g
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Cannot debug pid 4, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not been granted those access rights."
Debuggee initialization failed, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not been granted those access rights."
nor would attaching from kd work
Code:
kd> !bpid -a -s 4
Finding winlogon.exe (-1)...
Waiting for winlogon.exe to break. This can take a couple of minutes...
Break instruction exception - code 80000003 (first chance)
Stepping to g_AttachProcessId check...
Break into process 4 set. The next break should be in the desired process.
Stopping in winlogon.exe
kd> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0141fe8c 7c927e71 00000000 00000001 00079500 0x1030f2d
0141fed8 7c928325 01030ed0 00000000 00000001 ntdll!RtlpWaitOrTimerCallout+0x73
0141fef8 7c927aa2 00079500 7c97b440 00e41888 ntdll!RtlpAsyncTimerCallbackCompletion+0x1c
0141ff40 7c927ae3 7c928309 00079500 00000000 ntdll!RtlpWorkerCallout+0x70
0141ff60 7c927ba5 00000000 00079500 00e41888 ntdll!RtlpExecuteWorkerRequest+0x1a
0141ff74 7c927b7c 7c927ac9 00000000 00079500 ntdll!RtlpApcCallout+0x11
0141ffb4 7c80b713 00000000 00000000 00000000 ntdll!RtlpWorkerThread+0x87
0141ffec 00000000 7c910230 00000000 00000000 0x7c80b713
kd> bl
kd> g
Microsoft (R) Windows User-Mode Debugger Version 5.1.2600.0
Copyright (c) Microsoft Corporation. All rights reserved.
Cannot debug pid 4, NTSTATUS 0xC0000022
"<Unable to get error code text>"
Debuggee initialization failed, NTSTATUS 0xC0000022
"<Unable to get error code text>"
if you are wondering what this bpid magic is, here is a flow of how it works (in this output ntsd is the old one in the system32 dir on the target; use the latest ntsd from the debugging tools dir for production usage)
Code:
kd> !bpid -a -s 0n1636
Finding winlogon.exe (0)...
Waiting for winlogon.exe to break. This can take a couple of minutes...
Break instruction exception - code 80000003 (first chance)
Stepping to g_AttachProcessId check...
Break into process 664 set. The next break should be in the desired process.
Stopping in winlogon.exe
kd> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0141fe8c 7c927e71 00000000 00000001 00079500 0x1030f2d
0141fed8 7c928325 01030ed0 00000000 00000001 ntdll!RtlpWaitOrTimerCallout+0x73
0141fef8 7c927aa2 00079500 7c97b440 00e41888 ntdll!RtlpAsyncTimerCallbackCompletion+0x1c
0141ff40 7c927ae3 7c928309 00079500 00000000 ntdll!RtlpWorkerCallout+0x70
0141ff60 7c927ba5 00000000 00079500 00e41888 ntdll!RtlpExecuteWorkerRequest+0x1a
0141ff74 7c927b7c 7c927ac9 00000000 00079500 ntdll!RtlpApcCallout+0x11
0141ffb4 7c80b713 00000000 00000000 00000000 ntdll!RtlpWorkerThread+0x87
0141ffec 00000000 7c910230 00000000 00000000 0x7c80b713
kd> u 0x1030f2d
01030f2d 85c0 test eax,eax
01030f2f 740d je 01030f3e
01030f31 50 push eax
01030f32 e88cfdffff call 01030cc3
01030f37 83259844070100 and dword ptr ds:[1074498h],0
01030f3e 33c0 xor eax,eax
01030f40 c9 leave
01030f41 c20800 ret 8
kd> ub 0x1030f2d
01030f10 ff75fc push dword ptr [ebp-4]
01030f13 ff15c8160001 call dword ptr ds:[10016C8h]
01030f19 a194440701 mov eax,dword ptr ds:[01074494h]
01030f1e 85c0 test eax,eax
01030f20 7406 je 01030f28
01030f22 50 push eax
01030f23 e8b0feffff call 01030dd8
01030f28 a198440701 mov eax,dword ptr ds:[01074498h]
kd> g
Microsoft (R) Windows User-Mode Debugger Version 5.1.2600.0
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Loaded dbghelp extension DLL
The call to LoadLibrary(ext) failed with error 2.
Please check your debugger configuration and/or network access
Loaded exts extension DLL
The call to LoadLibrary(uext) failed with error 2.
Please check your debugger configuration and/or network access
Loaded ntsdexts extension DLL
WARNING: SRV*Z:\symbols\* is not accessible, ignoring
Symbol search path is: *** Invalid *** : Verify _NT_SYMBOL_PATH setting
Executable search path is:
ModLoad: 00400000 00404000 C:\Documents and Settings\admi\Desktop\msgbox.exe
ModLoad: 7c900000 7c9af000 C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\user32.dll
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f03000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
Break instruction exception - code 80000003 (first chance)
eax=7ffdf000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120e esp=008bffcc ebp=008bfff4 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:001> kb
kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
008bfff4 00000000 00000000 00000008 0007ae5c ntdll!DbgBreakPoint
0:001> ~*kb
~*kb
0 id: 664.6c8 Suspend: 1 Teb 7ffde000 Unfrozen
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\user32.dll -
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012faac 7e4249c4 000e00e2 00000000 00000001 ntdll!KiFastSystemCallRet
0012fad4 7e43a956 7e410000 001434e0 00000000 user32!GetCursorFrameInfo+0x1cc
0012fd94 7e43a2bc 0012fef0 00000000 ffffffff user32!SoftModalMessageBox+0x677
0012fee4 7e4663fd 0012fef0 00000028 00000000 user32!MessageBoxIndirectA+0x23a
0012ff3c 7e4664a2 00000000 00143058 00143098 user32!MessageBoxTimeoutW+0x7a
0012ff70 7e450877 00000000 00403019 00403000 user32!MessageBoxTimeoutA+0x9c
0012ff90 7e45082f 00000000 00403019 00403000 user32!MessageBoxExA+0x1b
*** WARNING: Unable to verify checksum for C:\Documents and Settings\admi\Desktop\msgbox.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\admi\Desktop\msgbox.exe
0012ffac 00401013 00000000 00403019 00403000 user32!MessageBoxA+0x45
0012fff0 00000000 00401000 00000000 78746341 msgbox+0x1013
. 1 id: 664.3ec Suspend: 1 Teb 7ffdd000 Unfrozen
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
008bfff4 00000000 00000000 00000008 0007ae0c ntdll!DbgBreakPoint
0:001>
Kayaker
September 5th, 2011, 02:41
I think you're exactly right blabberer. There is minimal usermode presence for the System process:
Code:
:addr system
:query system
Address Range Flags MMCI PTE Name
00010000-00033000 04000000 823C4310 E100E6C8
00060000-00060000 04000000 822726E8 E14D0658
00070000-0016F000 04000000 81F8ECD0 E1ABBBF8 Heap
00170000-0056F000 04000000 8218C0C0 E176C038
02180000-0257F000 04000000 822055C0 E13A7038
7C900000-7C9AF000 07100005 823C72D8 E1493A48 ntdll.dll
The first thread points to your _Phase1Initialization (now there's a googlable term..) recollection.
All subsequent system threads seem to begin at Start EIP: _ExpWorkerThread.
Code:
:thread -x system
Extended Thread Info for thread 8
KTEB: 823C8548 TID: 008 Process: System(04)
Base Pri: 0 Dyn. Pri: 0 Quantum: 5
Mode: Kernel Suspended: 0 Switches: 00002E33
TickCount: 0006E195 Wait Irql: 0
Status: Kernel Wait for WrFreePage
Start EIP: _Phase1Initialization (806A033E)
Affinity: 00000001 Context Flags: A
KSS EBP: 00000000 Callback ESP: 00000000
Kernel Stack: F8975000 - F8978000 Stack Ptr: F897779C
Kernel Time: 00000241 User Time: 00000000
Create Time: 0000000000000000
SpinLock: 00000000 Service Table: 80559B80 Queue: 00000000
SE Token: 00000000 SE Acc. Flags: 001F03FF
UTEB: 00000000
IRP Queue at 823C8758 is empty
Thread Wait List:
Event Object at 8055F490
Timer Object at 80560480
Registers: ESI=FFDFF120 EDI=823C8548 EBX=823C85B8 EBP=F89777F8
Restart : EIP=804DBDE0 a.k.a. @KiSwapContext+002E
FrameEBP RetEIP Syms Symbol
F89777B8 804DC6A6 Y ntoskrnl!@KiSwapContext+002E
F89777C4 804E40FD Y ntoskrnl!@KiSwapThread+0038
F89777F8 804E83ED Y ntoskrnl!_KeWaitForMultipleObjects+0170
F8977844 8069EE76 Y ntoskrnl!_MmZeroPageThread+0061
btw, while browsing I found a funky way of getting the EPROCESS of the System process using PsActiveProcessHead or PsInitialSystemProcess
http://66.14.166.45/whitepapers/compforensics/memory/Introduction To Windows Memory Forensic.pdf
Code:
kd> ?PsInitialSystemProcess
Evaluate expression: -2141844268 = 80560cd4
kd> dd 80560cd4 L1
80560cd4 823b47c0
kd> dt nt!_EPROCESS 823b47c0
...
+0x174 ImageFileName : [16] "System"
...
+0x1b0 Peb : (null)
Not surprisingly, no PEB, so nothing to attach to.
blabberer
September 5th, 2011, 04:40
yes kayaker it is officially documented
http://msdn.microsoft.com/en-us/library/ff559943%28v=vs.85%29.aspx
you can do it like this in windbg
Code:
lkd> dt nt!_Eprocess poi(nt!PsInitialSystemProcess) -y Ima
+0x174 ImageFileName : [16] "System"
or
edit added second way
Code:
lkd> dt nt!_EPROCESS ImageFilename poi(nt!PsActiveProcessHead)-@@c++(#FIELD_OFFSET(nt!_EPROCESS,ActiveProcessLinks)))
+0x174 ImageFileName : [16] "System"
that is, subtract FieldOffset (0x88) from *PsActiveProcessHead for getting the System process ImageFileName (related .blink manipulation)
someone (who probably lurks here but won't admit it) wrote a blog I can't find now, I'll link it later if I find it for the edited windbg magic
jhon thomas
September 6th, 2011, 08:34
Thanks for the information, now I just have to learn more about it and try to get there.
I am thinking that it would be possible to create a plugin that could do this EPROCESS stuff so it would be loaded in OllyDbg.
Maybe I am wrong? But I will try to create a setup --> windbg + Windows 7 in a virtual machine as an alternative to Olly.
I think this process has too many interesting things..
I think OllyDbg is just the best user mode debugger, credits to Mr Oleh for the very nice work.
In older versions, when you right click inside the code window, you have the option to choose what module you want to view, and choose, for example, the main executable. I would appreciate it if this new version had it. You still can press the 'U' button (execute until user code), that is very good, but sometimes I need to just browse, not just run.
Darkelf
September 6th, 2011, 14:32
In order to debug a process owned by "SYSTEM" you have to become SYSTEM yourself. It's way more privileged than the Administrator account.
Under XP that was quite simple. You just had to create an interactive task. This "problem" is fixed under Vista and seven, but it's nevertheless possible. To work under the NT-Authority/SYSTEM account you must create an interactive service. Windows will pretend it's not possible but don't let it fool you - it will work.
Open a commandline as Administrator (even if you are under an Admin account you must do a right-click "run as Administrator"). In this commandline type:
Code:
sc create makeMeKing binpath= "cmd /K start" type= own type= interact
Please note the blanks between the "=" and the text that follows it. It's mandatory.
Now you can start this service every time you want:
When you start this service a window pops up telling you that a process wants to display a message. Let it show this message. Your explorer will disappear and your screen will become light-blue showing just the commandline. Now do a "cd .." and then an "explorer.exe". Congrats, you now have a fully working desktop as "NT-Authority/SYSTEM". Now you REALLY rule that machine.
Happy debugging.
Regards
darkelf
blabberer
September 7th, 2011, 00:01
darkelf:\>kd -kl -c ".foreach /pS 3 /ps 3 (place {.shell -ci \"!process 0 1 cmd.exe\" grep -i -e \"Token\" -e \"Ima\"} ) {.echo place ; dt nt!_TOKEN TokenSource.Sourcename place} ; q"
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Connected to Windows XP 2600 x86 compatible target at (Wed Sep 7 10:24:06.843 2
011 (UTC + 5:30)), ptr64 FALSE
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100216-1514
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
Debug session time: Wed Sep 7 10:24:06.921 2011 (UTC + 5:30)
System Uptime: 0 days 0:38:51.493
lkd> kd: Reading initial command '.foreach /pS 3 /ps 3 (place {.shell -ci "!proc
ess 0 1 cmd.exe" grep -i -e "Token" -e "Ima"} ) {.echo place ; dt nt!_TOKEN Toke
nSource.Sourcename place} ; q'
e3924c60
+0x000 TokenSource :
+0x000 SourceName : [8] "*SYSTEM*"
quit:
darkelf:\>cdb -pn System"
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Cannot debug pid 4, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."
Debuggee initialization failed, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."
darkelf:\>sc qc makemeking
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: makemeking
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : cmd /K start
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : makeMeKing
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
darkelf:\>sc start makemeking
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
darkelf:\>
Darkelf
September 7th, 2011, 08:21
Hi blabberer,
if I understand your post right, starting of the service failed. Right?
Are you under Vista or Seven? I ask because in your post there is this line:
Code:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
As I've written in my first post, the procedure under XP is different.
To become SYSTEM under XP you must open a commandline and there you type:
Code:
at 15:12 /interactive "cmd.exe"
Replace 15:12 with the time you want the SYSTEM commandline to start.
When the time has come, a second commandline will open. It has a slightly different title bar where it says: C:\WINDOWS\System32\svchost.exe
Now open the taskmanager and kill "explorer.exe". Your desktop disappears and only the two commandlines remain. Close the one where you typed the "at" command and keep the one with svchost in the title bar open. In the open commandline do "cd .." and then "explorer.exe". Now you are the SYSTEM user under XP.
Hope that helps.
Regards
darkelf
jhon thomas
September 7th, 2011, 08:32
Darkelf: Really nice trick, Darkelf. I got a desktop but I am still getting access denied; still, this trick is very nice, it may be very useful for all sorts of things, thanks for sharing.
blabberer
September 7th, 2011, 10:19
http://www.woodmann.com/forum/showthread.php?14452-ollydbg-2.01-alpha-4&p=91009#post91009
> blabberer
> i dont think granting SeTcbPrivilege would allow you to attach to System Process
> basically doing at 00:00 \\drive\\path\\exe schedules a task as system and i dont think starting ollydbg/windbg/ like wise would allow you attach to system process
Like I already posted, task scheduling won't allow you to attach to the system process; the original question was attaching to the system process, not elevating oneself to system privilege.