Log in

View Full Version : SEH and BaseProcessStart

WaxfordSqueers
October 27th, 2012, 03:45
Have not been around for a bit and I need to get my posting totals up. This is a question about Olly in the guise of an SEH problem.

Way back when I used softice, I got a good tip from Kayaker to use _BaseProcessStart in Kernel 32 as a breakpoint for apps that were difficult when it came to stopping at the program entry point. I mean the very first code that is executed by an app, not the OEP in a packed app.

I never gave BaseProcessStart much thought but it turns out to be the function that returns the thread entry point for a process. It is also the function to which a faulting thread returns to find a default exception handler if no other handler is available. Live and learn. It is all laid out here in this excellent SEH article by Matt Pietrek, a code guru.

http://www.microsoft.com/msj/0197/exception/exception.aspx

Anyway, I have not reversed for a bit and I have avoided learning Olly. I fired it up the other night and I could not get it to stop at the apps entry point. It kept stopping in ntdll.dll which freaked me a bit because I did not think Olly would go through system code. Is that something new?

I thought it would be handy if I could set a breakpoint for Kernel32.BaseProcessStart, knowing that would get me out of the nttdll code and straight to the app's entry point.

I finally found the problem with why Olly was not going there but it would still be nice to know how to set a system breakpoint in Olly BEFORE loading an app. Is that too simple a question, or will the RCE police be after me for not doing my homework?
blabberer
October 27th, 2012, 09:26
Quote:

It kept stopping in ntdll.dll which freaked me a bit because I did not think Olly would go through system code. Is that something new?

no dear it is older than the oldest in fact it is as old as old can ever dream of

Quote:

I thought it would be handy if I could set a breakpoint for Kernel32.BaseProcessStart

that is a right advice but kernel32.baseProcessStart is an unexported variable so you would need symbols to set a bp there
Code:


Names in kernel32, item 291

 Address=7C817054

 Section=.text

 Type=Library         <--------------- notice the lib qualifier  (use my symbol loader plugin  you should find it in ollydbg support forum

i have got advance bail from rce police for blatant advertising

 Name=BaseProcessStart

[/B]


olly is probably going there because you have set it in option -> debugging options ->events -> make first pause at system breakpoint

if you want olly to break earlier than that you can make it so

oh btw one tip
if you dont / cant / wont dance with symbols but still want to be at the party

set a conditional break on ntdll.ZwContinue using shift+f4

edit
oh btw i forgot to take note of your seh return query
yes seh returns to usermode code via ZwContinue so the below bp will work on seh too
eax will contain the entry point / return to user code eip/ on break

and to be technically complete the break breaks on
7C810705 kernel32.BaseProcessStartThunk XOR EBP, EBP
if you do f8 three times you will land in baseprocessstart without symbols


Code:




Breakpoints

Address                                Module             Active                                                              Disassembly  

7C90D05E ntdll.ZwContinue      ntdll                 Log "setting break on context->eip"                       MOV     EAX, 20



Log data

7C90D05E   COND: settinb break on context->eip = 7C810705

7C90D05E   Breakpoint at ntdll.ZwContinue

00401000   Program entry point


see snap below
and notice the . <dot> commands (the default command line plugin from oleh should be present for this to work)

pause to plugin the following commands when paused
,bp [[esp+4]+0xb8]
.run

visuals break the decibel barrier they used to say in some olden golden proverbs say so a visual
WaxfordSqueers
October 27th, 2012, 10:37
Quote:
[Originally Posted by blabberer;93541].... kernel32.baseProcessStart is an unexported variable so you would need symbols to set a bp there ....


Hey blabs....how's it going? Long time, no see.

Thanks for info. Olly has come a long way since I last tried it. What's that, symbols and plugins????

I'll look for your plugin for symbols.

I got thrown for a bit of a loop. I thought the app was being shanghied by an SEH but I never thought to look behind Olly. There it was (it's window). Forced me to learn about SEH's, so that's good. Maybe it still is being hijacked because the code freezes and I can't single step. The freeze comes after I have been single-stepping for a while and hit Run. Maybe it is detecting that, or a debugger, or maybe I have just followed a bad code path by setting BP's too far down the code.

Now I'm the blabberer. :-)

I have managed to get well into winmain, so I need to focus a bit and quit messing around. I just wanted to get a feel for the structure.

What do you think of version 2 of Olly? Is it worth checking it out or should I stick with ver 1 till I get the hang of it? It seems straight forward after using softice for so many years, I just need to get up the learning curve till I'm comfortable.
Indy
October 27th, 2012, 11:07
Quote:
Names in kernel32, item 291
Address=7C817054
Section=.text
Type=Library <--------------- notice the lib qualifier (use my symbol loader plugin you should find it in ollydbg support forum
i have got advance bail from rce police for blatant advertising
Name=BaseProcessStart


I also love DXM
blabberer
October 27th, 2012, 11:51
@Indy why are you trying to suppress your cough ?

@Waxf

oh odbg 2 is quiet functional and has got some new options too though you might miss some older functionality especially
call stacks and seh chains
get up to speed in v1 and v2 will be a breeze
Kayaker
October 27th, 2012, 12:48
Nice to see you around again Wax.

Yeah, what he said.

If you do use the Modified Command Line Plugin, i.e. (loadpdb c:\windows\system32\kernel32.dll), access to BaseProcessStart, etc. would be through the CPU window context menu - Search for/Name in all modules. Start typing in the name for autosearch/complete.


Or, someone around here created a plugin for Olly2 that also loads symbols and has the useful side effect, even if the plugin dll is removed later, of making them available in the new and improved Olly Expressions window (Ctrl-G). Just start typing in the function name and it will autocomplete, double click the entry to go there.

http://www.woodmann.com/forum/showthread.php?14904-ollydbg-2-x-plugin-OLLY_LKD
WaxfordSqueers
October 28th, 2012, 05:43
Quote:
[Originally Posted by Kayaker;93547] If you do use the Modified Command Line Plugin, [I]i.e. (loadpdb c:\windows\system32\kernel32.dll)...


Good to see you're still on the go at RCE, Kayaker.

I read that Olly 2 will work in Win 7, but what about the symbols files for Win 7? I imagine there have been wholesale changes. I keep an old desktop going with XP and softice, with all the symbol files loaded. I can make some handy symbol files for use in softice from IDA. Can the same be done with Olly?

I have been meaning to network the desktop with a laptop, on which I run Win 7. Have you had any experience with that? Not looking for a wholesale explanation, just a tip or two, if you have any.
blabberer
October 28th, 2012, 07:53
for olly2 you dont need any plugin created by anyone for loading symbols
support is inbuilt

if you let it access ms symbol server it will fetch the pdbs from net as well
from w2k onwards till w7 (haven't tested with w8 yet

it uses dbghelp directly no dbgeng so no symsrv.dll required

Code:


Log data

Address   Message

          OllyDbg v2.01 (intermediate version - under development!)



          File 'C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201g\odbg201g\msgbox.exe'

          New process (ID 00000B40) created

00401000  Main thread (ID 00000EF8) created

00400000  Module C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201g\odbg201g\msgbox.exe

            PDB file: 'F:\masm32\icztutes\tute02\msgbox.pdb'

            Different PE Data Directory in file and in memory (antivirus?)

            Import table: file (00002064,0000003C), memory (00002F78,0000003C)

64D00000  Module C:\Program Files\Alwil Software\Avast5\snxhk.dll

77F10000  Module C:\WINDOWS\system32\GDI32.dll

            PDB file: 'F:\SYMBOLS\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb'

7C800000  Module C:\WINDOWS\system32\kernel32.dll

            PDB file: 'F:\SYMBOLS\kernel32.pdb\072FF0EB54D24DFAAE9D13885486EE092\kernel32.pdb'

7C900000  Module C:\WINDOWS\system32\ntdll.dll

            PDB file: 'F:\SYMBOLS\ntdll.pdb\6992F4DAF4B144068D78669D6CB5D2072\ntdll.pdb'

7E410000  Module C:\WINDOWS\system32\user32.dll

            PDB file: 'F:\SYMBOLS\user32.pdb\D18A41B74E7F458CAAAC1847E2D8BF022\user32.pdb'

  

7C90120E  System breakpoint
WaxfordSqueers
November 5th, 2012, 21:28
Quote:
[Originally Posted by WaxfordSqueers;93551]I have been meaning to network the desktop with a laptop, on which I run Win 7. Have you had any experience with that? Not looking for a wholesale explanation, just a tip or two, if you have any.
Replying to my own post...things sure are tough sometimes.

I got a network going between a laptop running Win 7 and a desktop running XP. Msoft sure don't make it easy. So far, it's just file sharing.

Any suggestions on how I might best use windbg over that setup? I seem to recall it wanted a serial connection but will it run via a remote desktop situation?

Maybe it would be better to start a new thread for this.