View Full Version : Jump & Break into new process / thread ?


at2oo3
September 24th, 2011, 15:39
Hi There,

I try to analyze a tool which allocates memory (VirtualAlloc), creates a new paused thread, loads something into it and starts it:

Code:
75FAB66B . FF15 4413FA75 call dword ptr [<&ntdll.NtResumeThread>] ; !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Here the thread starts


Thread exits directly after NtResumeThread is called because a hardware ID verification failed.... How can I jump into it and start debugging this new process / thread? Any other ideas? Probably dump? How to dump?

Tried to hook on the new process by using oSpy or another Olly instance without any success (probably protected by Themida)...

live_dont_exist
September 25th, 2011, 09:27
How about this thread on the same page? I had a similar problem a while ago

http://www.woodmann.com/forum/showthread.php?14442-Tracking-threads-in-Olly

Hope that helps.

Arvind

blabberer
September 25th, 2011, 23:57
If you are on OllyDbg 1, you can break into a child process with the modified commandline plugin with childdbg functionality.

If you are on OllyDbg 2, you can break on a child debuggee using the inbuilt support for breaking on child processes:

options -> debugging options