
Debug Injected DLL with IDA Pro


Harakiri
August 22nd, 2011, 10:09
Hello,

Is it possible to debug a DLL which has been injected by a loader into another process? Attaching to the process would be too late, since the DLL has already done all the necessary stuff (hooking Win32 functions, etc.).

Thanks

GamingMasteR
August 22nd, 2011, 10:44
Hi,

Why don't you attach the debugger to the process before the DLL gets injected into it and set a bp on module load events?

aqrit
August 22nd, 2011, 12:08
Hex-edit an int 3 or an infinite loop at the entry point of the DLL, then catch the exception or break into it with a debugger.

You could also step through the loader till you hit a CreateProcess call.

If the loader is using CreateRemoteThread, you can catch that from a thread attach message.

Harakiri
August 22nd, 2011, 12:31
Quote:
[Originally Posted by GamingMasteR;90939]Hi,

Why don't you attach the debugger to the process before the DLL gets injected into it and set a bp on module load events?


Well, I would have to attach the debugger to the loader (injector) of the DLL; and then how do I get my DLL loaded into IDA (the current project would only show code for the loader)? I think IDA only supports one main executable or DLL during debugging?

-Alex-
August 22nd, 2011, 13:53
What about replacing the first two bytes of the entry point of the DLL with EBFEh? It will make an infinite loop, so you can attach to the process, restore the two original bytes, and trace what the DLL is doing.

Harakiri
August 24th, 2011, 07:46
Quote:
[Originally Posted by -Alex-;90942]What about replacing the first two bytes of the entry point of the DLL with EBFEh? It will make an infinite loop, so you can attach to the process, restore the two original bytes, and trace what the DLL is doing.


Alright, let me see if I get this right:

1. Create an endless loop in the injected DLL by manually editing the entry point.
2. The loader will start the target process and inject the DLL.
3. The target process will wait on the injected DLL because of the endless loop.
4. I can now attach a debugger to the target process (exe).

Point 4 is a bit unclear to me. So I can simply attach my IDA project with the DLL database to the target process (even though IDA has no database for the target process open)?
And IDA will find the position of the loop automatically?
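Step 1 of the procedure above (the hex-edit that aqrit and -Alex- describe) is the part that is easiest to get wrong by hand, because the entry point in the file is an RVA that has to be mapped through the section table to a file offset. The following script is an added example and not code from this thread: it parses the PE headers, writes EB FE over the first two bytes of AddressOfEntryPoint on disk, and reports the file offset, the entry RVA and the original bytes you will need to put back once attached. `build_sample_dll()` is a constructed minimal PE32 image used only so the script can be exercised offline; the real input is whatever DLL the loader injects.

```python
import struct
import sys

IMAGE_FILE_DLL = 0x2000
TRAP = b"\xEB\xFE"  # jmp short -2: the thread spins at the entry point until you intervene


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def parse_pe(data):
    """Pull out the few header fields needed to locate the entry point on disk."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    nt = _u32(data, 0x3C)                      # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = nt + 4                                # IMAGE_FILE_HEADER
    nsec = _u16(data, fh + 2)
    opt_size = _u16(data, fh + 16)
    chars = _u16(data, fh + 18)
    opt = fh + 20                              # IMAGE_OPTIONAL_HEADER
    magic = _u16(data, opt)
    if magic == 0x10B:                         # PE32
        image_base = _u32(data, opt + 28)
    elif magic == 0x20B:                       # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    entry_rva = _u32(data, opt + 16)           # AddressOfEntryPoint
    sections = []
    for i in range(nsec):                      # section table follows the optional header
        s = opt + opt_size + 40 * i
        sections.append({"va": _u32(data, s + 12), "vsize": _u32(data, s + 8),
                         "rawptr": _u32(data, s + 20), "rawsize": _u32(data, s + 16)})
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "image_base": image_base,
            "entry_rva": entry_rva, "sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset through the section that contains it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            if delta >= s["rawsize"]:
                raise ValueError("RVA %#x is not backed by file data" % rva)
            return s["rawptr"] + delta
    raise ValueError("RVA %#x is outside every section" % rva)


def patch_entry(data, patch=TRAP):
    """Return (patched image, info). info holds what you need to undo the patch from the debugger."""
    pe = parse_pe(data)
    if not pe["is_dll"]:
        raise ValueError("not a DLL (IMAGE_FILE_DLL not set)")
    if pe["entry_rva"] == 0:
        raise ValueError("DLL has no entry point (no DllMain), nothing to trap")
    off = rva_to_offset(pe, pe["entry_rva"])
    original = bytes(data[off:off + len(patch)])
    patched = bytearray(data)
    patched[off:off + len(patch)] = patch
    info = {"file_offset": off, "entry_rva": pe["entry_rva"],
            "preferred_va": pe["image_base"] + pe["entry_rva"], "original": original}
    return bytes(patched), info


def restore_entry(data, info):
    """Undo patch_entry on a file image; in the live process the same bytes go to module base + entry_rva."""
    out = bytearray(data)
    out[info["file_offset"]:info["file_offset"] + len(info["original"])] = info["original"]
    return bytes(out)


def build_sample_dll():
    """Constructed, minimal PE32 DLL image for offline testing; not a real DLL from the thread."""
    text_rva, text_raw, entry_rva, image_base = 0x1000, 0x200, 0x1010, 0x10000000
    code = bytearray(b"\xCC" * 0x100)
    code[0x10:0x15] = b"\x55\x8B\xEC\x5D\xC3"  # push ebp; mov ebp,esp; pop ebp; ret: stand-in DllMain
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
           + b"\0" * 8 + struct.pack("<I", image_base)).ljust(224, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)  # i386, 1 section, EXE|32BIT|DLL
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(code), text_rva, len(code), text_raw) + b"\0" * 16
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + sec
    return bytes(hdr.ljust(text_raw, b"\0") + code)


if __name__ == "__main__":
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        image = f.read()
    patched, info = patch_entry(image)
    with open(dst, "wb") as f:
        f.write(patched)
    print("patched file offset %#x (entry RVA %#x, preferred VA %#x); original bytes %s"
          % (info["file_offset"], info["entry_rva"], info["preferred_va"], info["original"].hex()))
```

Usage is `python patch_entry.py target.dll target_patched.dll` (the script name is an assumption). Once you have attached and paused on the spinning thread, write `info["original"]` back at the address the debugger shows, not at `preferred_va`: the loader may relocate the DLL, so the trap lives at the actual module base plus `entry_rva`. Note that a patched file no longer matches its Authenticode signature or PE checksum, which matters if the loader checks either before injecting.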

-Alex-
August 24th, 2011, 11:30
The position of the loop is not hard: once attached, let the target process run, then pause it again, and you will stop on the entry point, where you have to replace the two bytes with the original ones. However, I don't know if the .idb for the DLL can be loaded to use it for your target; there you have to look for yourself, maybe someone can say more. Otherwise you just have to work on your own.

digdugg
September 24th, 2011, 12:28
Forgive me for resurrecting an old post, but I hope you found a way around your problem. I had the same issue crop up, and here is how I got around it.

In the process that was doing the injecting (referred to from here on as the 'injector') I just set breakpoints on WriteProcessMemory(), and once there I knew what was being injected (referred to as the 'injectee'). So once this break was hit I opened up another copy of OllyDbg and attached to the 'injectee'. Looking at the memory map of the injectee I could see that the destination addresses in this attached process's space were being allocated. After I got the code locations, and WriteProcessMemory() in the injector was done writing its code to the injectee's sections, I set breakpoints on the code locations in the injectee. I resumed execution on the injector, which subsequently terminated itself. Sure enough, the injectee broke on one of my code locations that had recently been written. Analysis was resumed from there. Hopefully this overall strategy will work for your case (if you haven't solved it already).

Harakiri
September 24th, 2011, 12:51
Thanks for your post. No, I haven't solved it, and this does sound like a lot of hassle to do for every debugging session =)

Sirmabus
October 23rd, 2011, 22:08
If you want to get the address of your loop at run time, and/or a way to signal it got there, you can use Sysinternals DebugView (http://technet.microsoft.com/en-us/sysinternals/bb896647) or the log view window in OllyDbg to

Example:
Code:

#include <windows.h>

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch(ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // *** TEMP endless loop ***
        // The string shows up in DebugView / the OllyDbg log window; the thread then
        // spins here until you attach and move EIP past the loop (or patch it out).
        OutputDebugStringA("*** In endless trap loop ***\n");
        while(TRUE) Sleep(100);

        ...


For formatted output:
Code:

#include <windows.h>
#include <stdio.h>
#include <stdarg.h>

// Formatted OutputDebugString. Narrow char throughout: the original mixed LPCTSTR and
// _vsntprintf with a char buffer and OutputDebugStringA, which breaks in a UNICODE build.
void Trace(LPCSTR pszFormat, ...)
{
    if(pszFormat)
    {
        va_list vl;
        char szBuffer[1024]; szBuffer[sizeof(szBuffer) - 1] = 0;  // _vsnprintf does not terminate on truncation
        va_start(vl, pszFormat);
        _vsnprintf(szBuffer, (sizeof(szBuffer) - 1), pszFormat, vl);
        va_end(vl);
        OutputDebugStringA(szBuffer);
    }
}


Then you can print addresses and whatnot.
Replace the "OutputDebugStringA" call in the above example:
Code:

...
// %p prints the pointer at its native width (%08X only covers a 32-bit address)
Trace("*** Endless loop. I'm at about %p ***\n", &DllMain);
// A tag so you can quickly see where to look in the debugger (MSVC x86 inline asm)
__asm
{
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
};
...