View Full Version : Detach A Debugger


Ricardo Narvaja
March 26th, 2003, 04:28
I am trying to detach a debugger, in this case OLLYDBG, from the process in XP. I read the Microsoft info for the APIs used for this: DebugActiveProcessStop, with the ID of the process to detach as parameter, and DebugSetProcessKillOnExit, with parameter 0 so the process continues after closing OLLYDBG. But it doesn't work: OLLY closes and the process always exits. What fails here?

Sorry for my bad English, I speak Spanish only.

Ricardo Narvaja

nofurs
March 26th, 2003, 05:58
hmm wrong section this post should be in TOT

Manko
March 26th, 2003, 06:47
Quote:
Originally posted by cluesurf
hmm wrong section this post should be in TOT


Nah... It's not a question about Olly, it's a question of how to code antidebug code, sort of... (?) And that is not TOT, is it?

Anyway... Someone will hopefully answer with something useful, because I can't...

/Manko

nofurs
March 26th, 2003, 09:36
Hi,

I'm referring to Tools of the Trade forum.

maybe he's referring after using above api it doesn anti-ollydbg or the other way round... just a guess

Ricardo Narvaja
March 26th, 2003, 12:36
I am not asking about a tool, only about the correct use of these APIs, and whether anyone has experience detaching any debugger of the process in any form, injecting code, or in any way. The ways I tried do not work at all; the process always closes when I close OllyDbg, injecting a piece of code with these APIs in the way Microsoft suggests using these APIs.

Ricardo Narvaja

Quote:
Originally posted by cluesurf
Hi,

I'm referring to Tools of the Trade forum.

maybe he's referring after using above api it doesn anti-ollydbg or the other way round... just a guess

doug
March 31st, 2003, 21:14
Are you trying to do some anti-debug trick?

something like: Copies itself into another process and continue executing from there.. is that what u want?

Also, what are the "APIs microsoft suggest" you're referring to?

Ricardo Narvaja
April 1st, 2003, 03:34
No, no antidebugging, I study this only for cracking. If you make changes and detach the debugger, RUN, and at another point of the program attach again, you can crack better, and antidebugging tricks are less effective.

In the Microsoft page

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/appendix/hh/appendix/enhancements5_5ppv.asp

Quit and Detach
Windows XP makes it possible to debug a user-mode application and then detach the debugger, without killing the application.

And this


Control over Whether Terminating a Debugger Also Terminates the Process Being Debugged
Prior to Windows XP, terminating a debugger would always kill all processes being debugged by the debugger. The new DebugSetProcessKillOnExit routine allows a debugger to control this behavior and select either a detach or the default kill.

And this

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/debugsetprocesskillonexit.asp


DebugSetProcessKillOnExit

The DebugSetProcessKillOnExit function sets the action to be performed when the debugging thread exits.


BOOL DebugSetProcessKillOnExit(
  BOOL KillOnExit
);

Parameters
KillOnExit
[in] If this parameter is TRUE, the debug thread will kill the process being debugged on exit. Otherwise, the debug thread will detach from the process being debugged on exit.
Return Values
If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Requirements
Client: Included in Windows XP.
Server: Included in Windows Server 2003.
Header: Declared in Winbase.h; include Windows.h.
Library: Use Kernel32.lib.


See Also
Basic Debugging Overview, Debugging Functions, DebugActiveProcessStop



And there are debuggers that use this feature now

The WINE debugger

http://www.winehq.com/hypermail/wine-patches/2002/02/0121.html

XP adds a few new debugging APIs. The most interesting is used to
detach the debugger from its debuggee(s) without actually killing the
debuggee.
this patch implements this (as well as two other untested features)

Patch the debugger to do this (detaching)

Ricardo Narvaja