Olly crashes when I try to attach to a new process that malware started
Sunk
April 21st, 2012, 10:57
I can watch malware create a new process and just before it is set to resume the thread, I launch another Olly and try to debug that new process and Olly crashes. How can I start debugging this new process?
Teutonic
April 21st, 2012, 18:45
Olly probably isn't the best tool for this problem. If you have access to IDA I would strongly suggest that you leverage its ability to use a different back-end debugger and select WinDbg. Then when you have stepped one or two instructions (not sure why it doesn't always show up right away) enter the following command in the debugger window (should be near the bottom): '.childdbg 1' without the ticks of course. Then find the start address for the process and drop a hardware breakpoint on one of the first instructions to obtain active control of the child process. If you don't have IDA then just use WinDbg directly, but that's a little less user friendly but extremely powerful! I do hope this helps.
Regards,
Teutonic
Sunk
April 22nd, 2012, 07:10
Quote (originally posted by Teutonic):
Olly probably isn't the best tool for this problem. If you have access to IDA I would strongly suggest that you leverage its ability to use a different back-end debugger and select WinDbg. Then when you have stepped one or two instructions (not sure why it doesn't always show up right away) enter the following command in the debugger window (should be near the bottom): '.childdbg 1' without the ticks of course. Then find the start address for the process and drop a hardware breakpoint on one of the first instructions to obtain active control of the child process. If you don't have IDA then just use WinDbg directly, but that's a little less user friendly but extremely powerful! I do hope this helps.
Regards,
Teutonic
IDA is really expensive and WinDbg is really complicated. If I just had to learn a few WinDbg commands to pause the child process and could then start debugging again with Olly I'd give it a try. However, I won't be able to switch back to OllyDbg, because you can only have one debugger on a process at a time, right?
disavowed
April 22nd, 2012, 08:36
Something you could try:
Patch the child program on-disk such that the code at the entrypoint is EB FE. Then let the malware start that child process and let it resume its thread. After the thread is resumed, the process will be running and it will be spinning at its entrypoint. You can then attach OllyDbg, undo the code modification at the entrypoint, and continue debugging the child process.
Sunk
April 22nd, 2012, 08:54
Quote (originally posted by disavowed):
Something you could try:
Patch the child program on-disk such that the code at the entrypoint is EB FE. Then let the malware start that child process and let it resume its thread. After the thread is resumed, the process will be running and it will be spinning at its entrypoint. You can then attach OllyDbg, undo the code modification at the entrypoint, and continue debugging the child process.
That's pretty clever. I'll give it a try, thanks!

Maximus
April 22nd, 2012, 09:41
Just in case, do the same for the thread initialization directory if it's set in the PE header, or your malware might run before your jmp self is reached!
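A worked version of disavowed's on-disk entrypoint patch, together with the check Maximus asks for, added here as an example and not code from any of the posters: it walks the PE headers to find where AddressOfEntryPoint sits in the file, saves the original two bytes, writes EB FE, and reports whether the TLS (thread initialization) directory is populated. The minimal PE it operates on is constructed inline for the demo and is not a real program; the function and variable names are my own.

```python
import struct
JMP_SELF = b"\xEB\xFE"  # x86 short "jmp $": the new process spins at its entrypoint until the bytes are put back

def _headers(pe: bytes) -> tuple[int, int, int, int]:
    # returns (optional header offset, its size, section count, PE magic) after basic sanity checks
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    n_sections, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    return opt, opt_size, n_sections, struct.unpack_from("<H", pe, opt)[0]

def entrypoint_file_offset(pe: bytes) -> int:
    """Map AddressOfEntryPoint (an RVA) to a raw file offset through the section table."""
    opt, opt_size, n_sections, _ = _headers(pe)
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = opt + opt_size
    for i in range(n_sections):
        vaddr, rawsize, rawptr = struct.unpack_from("<III", pe, sections + 40 * i + 12)
        if vaddr <= ep_rva < vaddr + rawsize:  # must land in raw data, or there is nothing on disk to patch
            return rawptr + (ep_rva - vaddr)
    raise ValueError("entrypoint RVA is not backed by any section's raw data")

def has_tls_directory(pe: bytes) -> bool:
    """True if IMAGE_DIRECTORY_ENTRY_TLS is populated: TLS callbacks run before the entrypoint is reached."""
    opt, _, _, magic = _headers(pe)
    dirs = opt + (0x70 if magic == 0x20B else 0x60)  # data directories start later in PE32+ headers
    return struct.unpack_from("<I", pe, dirs + 9 * 8)[0] != 0

def patch_entrypoint(pe: bytes) -> tuple[bytes, bytes]:
    """Overwrite the first two entrypoint bytes with jmp-self; return (patched image, saved original bytes)."""
    off = entrypoint_file_offset(pe)
    return pe[:off] + JMP_SELF + pe[off + 2:], pe[off:off + 2]

def restore_entrypoint(pe: bytes, saved: bytes) -> bytes:
    """Write the saved bytes back: the same two bytes you re-enter in the debugger once attached."""
    off = entrypoint_file_offset(pe)
    return pe[:off] + saved + pe[off + 2:]

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 for the demo (not a real program): one .text section, entrypoint RVA 0x1000 at offset 0x200."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, 0xE0-byte optional header
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000)).ljust(0xE0, b"\0")  # AddressOfEntryPoint
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x200) + b"\0" * 16
    hdr = dos + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(0x200, b"\0") + b"\x55\x8B\xEC\xC3" + b"\xCC" * 12  # push ebp; mov ebp,esp; ret
```

If has_tls_directory() is true, the same treatment has to be applied to the first TLS callback, since it executes before the patched entrypoint is ever reached.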
Sunk
April 22nd, 2012, 16:31
It worked! This is freaking awesome. It crashed after a while of debugging. Not sure why, but I'll look into that tomorrow... It was creating new threads so in addition to learning how to debug new processes, I'm going to have to learn how to debug new threads. Any tips on that?