
New Anti-debug protection?


br00t_4_c
April 14th, 2005, 06:38
Recently reported security vulnerability in multiple debugging platforms (Olly, WinDbg, etc.; see hxxp://www.security-assessment.com/Whitepapers/PreDebug.pdf for further details) seems to present some interesting possibilities for anti-debugging protections. A protection of this nature could probably be easily circumvented by placing breakpoints on module loads, but might be a worthwhile trick to add to the anti-debugging arsenal?? Has anyone seen this implemented yet? I've looked around and haven't found much of anything.

Actually, let me clarify: this paper seems to provide us with a means of better hiding standard anti-debug protections and other nastiness.

disavowed
April 14th, 2005, 09:54
Quote:
[Originally Posted by br00t_4_c]A protection of this nature could probably be easily circumvented by placing breakpoints on module loads

If you mean checking the "break-on-module-load" checkbox in OllyDbg, then no, that doesn't apply to DLLs in the IT. They're loaded into memory before Windows passes control to OllyDbg.

If you mean scanning the IT for DLLs and placing a breakpoint at the EP of each file on disk, then yes, that would work as long as you have JIT-debugging set up appropriately. However, this is problematic when it comes to DLLs that are already in use (like kernel32.dll) and can't easily be modified on disk. But in such situations, you can use side-by-side (SxS) DLLs.

blabberer
April 14th, 2005, 10:14
If I recall correctly, Ricardo Narvaja had a challenge that actually caused a DLL to be executed before reaching the entry point. It was discussed in the OllyDbg forum long ago; I think "error 11" or something is the topic title.

Hold on, I'll post the link.

http://ollydbg.win32asmcommunity.net/?action=vthread&forum=1&topic=576&page=0#29

Yes, LdrLoadDll, on its way to the debugger, executes an init routine in every DLL that it loads.

You can find what the init routine of every program is if you enable LDR_SHOW_SNAPS (using the Execution Options he mentions) or by using gflags or its clones (I wrote a half plugin DLL to enable these flags in Olly but kind of dropped it).

Here is the debug print:
Log data, item 0
Address=77F9FA77
Message=Debug string: C:\WINNT\system32\KERNEL32.DLL init routine 77e8c3d8


It gets these options by this function in the loader, then goes to execute the init routine.
Code:

77F9985D PUSH EBX ; /Arg6 = 00000000
77F9985E PUSH 4 ; |Arg5 = 00000004
77F99860 LEA EAX, DWORD PTR SS:[EBP-24] ; |
77F99863 PUSH EAX ; |Arg4 = 000732A4
77F99864 PUSH 4 ; |Arg3 = 00000004
77F99866 PUSH ntdll.77F9979A ; |Arg2 = 77F9979A
77F9986B LEA EAX, DWORD PTR DS:[ESI+2C] ; |
77F9986E PUSH EAX ; |Arg1 = 000732A4
77F9986F CALL ntdll.LdrQueryImageFileExecution>; \LdrQueryImageFileExecutionOptions

77F8E715 PUSH DWORD PTR SS:[EBP+8] ; /Arg4 = 00000000
77F8E718 PUSH 1 ; |Arg3 = 00000001
77F8E71A PUSH DWORD PTR DS:[ESI+18] ; |Arg2 = 77D40000
77F8E71D PUSH EDI ; |Arg1 = 77D43958
77F8E71E CALL ntdll.LdrpCallInitRoutine ; \LdrpCallInitRoutine


Log data
Address Message
77F9FA77 Debug string: LDR: RPCRT4.DLL loaded.
77F9FA77 Debug string: - Calling init routine at 77d43958



Well, as far as the other hack is concerned, does he mention the Windows File Protection problems one might encounter when replacing a system DLL? (I did not read thoroughly; sorry if I didn't grasp something correctly.)

Regards

laola
April 14th, 2005, 10:19
Replacing a system DLL is not necessarily required; in addition, there are tools to disable WFP programmatically. I haven't had the time to see how they do it, but I guess it is just as easy as disabling the stupid warning about unsigned driver installations.

blabberer
April 14th, 2005, 10:25
Hehe, the question here is not about disabling it or forcing it; I know it can be done. I mean a specially crafted malware which would be able to do it on the fly by the proposed vulnerabilities: how easy or hard is it, that's the question.
OK, I reread it again. It seems he is hexing a malware DLL into the IAT of the compiled app, so actually he isn't replacing any system DLL. Sorry for the dud question.

blabberer
April 14th, 2005, 10:46
No, actually placing a single breakpoint in ntdll LdrInit-blah suffices to get the entry point of all DLLs, disavowed (break on modules won't break), but you can break on the first executed code of init from any DLL if you place a break on the ntdll init routine.
Here I paste a log of all breaks that I get before the EP is reached from Iczelion's messagebox.exe (tut 02):

Code:


Log data
Address Message

File 'C:\masm32\ICZTUTES\TUTE02\tut02\msgbox.exe'
New process with ID 00000278 created
00401000 Main thread with ID 000003E8 created
77F9FA77 Debug string: LDR: PID: 0x278 started - '"C:\masm32\ICZTUTES\TUTE02\tut02\msgbox.exe"'
77F9FA77 Debug string: LDR: NEW PROCESS
77F9FA77 Debug string: Image Path: C:\masm32\ICZTUTES\TUTE02\tut02\msgbox.exe (msgbox.exe)
77F9FA77 Debug string: Current Directory: C:\masm32\ICZTUTES\TUTE02\tut02\
77F9FA77 Debug string: Search Path: C:\masm32\ICZTUTES\TUTE02\tut02;.; snip
77F9FA77 Debug string: LDR: KERNEL32.dll used by msgbox.exe
77F9FA77 Debug string: LDR: KERNEL32.dll bound to NTDLL.DLL
77F9FA77 Debug string: LDR: KERNEL32.dll has correct binding to NTDLL.DLL
77F9FA77 Debug string: LDR: Snapping imports for msgbox.exe from KERNEL32.dll
77F9FA77 Debug string: LDR: USER32.dll used by msgbox.exe
77F9FA77 Debug string: LDR: USER32.dll bound to NTDLL.DLL
77F9FA77 Debug string: LDR: USER32.dll has correct binding to NTDLL.DLL
77F9FA77 Debug string: LDR: USER32.dll bound to KERNEL32.DLL
77F9FA77 Debug string: LDR: USER32.dll has correct binding to KERNEL32.DLL
77F9FA77 Debug string: LDR: USER32.dll bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll
77F9FA77 Debug string: LDR: USER32.dll has correct binding to NTDLL.DLL
77F9FA77 Debug string: LDR: USER32.dll bound to GDI32.DLL
77F9FA77 Debug string: LDR: GDI32.DLL bound to NTDLL.DLL
77F9FA77 Debug string: LDR: GDI32.DLL has correct binding to NTDLL.DLL
77F9FA77 Debug string: LDR: GDI32.DLL bound to KERNEL32.DLL
77F9FA77 Debug string: LDR: GDI32.DLL has correct binding to KERNEL32.DLL
77F9FA77 Debug string: LDR: GDI32.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll
77F9FA77 Debug string: LDR: GDI32.DLL has correct binding to NTDLL.DLL
77F9FA77 Debug string: LDR: GDI32.DLL bound to USER32.DLL
77F9FA77 Debug string: LDR: GDI32.DLL has correct binding to USER32.DLL
77F9FA77 Debug string: LDR: USER32.dll has correct binding to GDI32.DLL
77F9FA77 Debug string: LDR: Snapping imports for msgbox.exe from USER32.dll
77F9FA77 Debug string: LDR: Refcount KERNEL32.dll (1)
77F9FA77 Debug string: LDR: Refcount USER32.dll (1)
77F9FA77 Debug string: LDR: Refcount KERNEL32.DLL (2)
77F9FA77 Debug string: LDR: Refcount GDI32.DLL (1)
77F9FA77 Debug string: LDR: Refcount KERNEL32.DLL (3)
77F9FA77 Debug string: LDR: Refcount USER32.DLL (2)
00400000 Module C:\masm32\ICZTUTES\TUTE02\tut02\msgbox.exe
77E10000 Module C:\WINNT\system32\USER32.dll
77E80000 Module C:\WINNT\system32\KERNEL32.dll
77F40000 Module C:\WINNT\system32\GDI32.DLL
77F80000 Module C:\WINNT\System32\ntdll.dll
77F86CDC Breakpoint at ntdll.77F86CDC
77F8C31F Breakpoint at ntdll.LdrpRunInitializeRoutines <------ broke here
77F9FA77 Debug string: LDR: Real INIT LIST
77F9FA77 Debug string: C:\WINNT\system32\KERNEL32.dll init routine 77e8c3d8
77F9FA77 Debug string: C:\WINNT\system32\USER32.dll init routine 77e33bb4 first init is done here
77F9FA77 Debug string: LDR: KERNEL32.dll loaded.
77F9FA77 Debug string: - Calling init routine at 77e8c3d8 second init here
77F9986F Breakpoint at ntdll.77F9986F
77F9FA77 Debug string: LDR: USER32.dll loaded. <--------dll loaded
77F9FA77 Debug string: - Calling init routine at 77e33bb4
77F8E71E Breakpoint at ntdll.77F8E71E
77F9FA77 Debug string: LDR: LdrGetDllHandle, searching for C:\WINNT\System32\IMM32.DLL from
77F9FA77 Debug string: LDR: LdrGetDllHandle, searching for C:\WINNT\System32\IMM32.DLL from C:\masm32\ICZTUTES\TUTE02\tut02;.;
77F9FA77 Debug string: LDR: LdrLoadDll, loading C:\WINNT\System32\IMM32.DLL from C:\masm32\ICZTUTES\TUTE02\tut02;
77F9FA77 Debug string: LDR: Loading (DYNAMIC) C:\WINNT\System32\IMM32.DLL
77F9FA77 Debug string: LDR: IMM32.DLL bound to USER32.DLL
77F9FA77 Debug string: LDR: IMM32.DLL has correct binding to USER32.DLL
77F9FA77 Debug string: LDR: IMM32.DLL bound to NTDLL.DLL
77F9FA77 Debug string: LDR: IMM32.DLL has correct binding to NTDLL.DLL
77F9FA77 Debug string: LDR: IMM32.DLL bound to KERNEL32.DLL
77F9FA77 Debug string: LDR: IMM32.DLL has correct binding to KERNEL32.DLL
77F9FA77 Debug string: LDR: IMM32.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll
77F9FA77 Debug string: LDR: IMM32.DLL has correct binding to NTDLL.DLL
77F9FA77 Debug string: LDR: IMM32.DLL bound to GDI32.DLL
77F9FA77 Debug string: LDR: IMM32.DLL has correct binding to GDI32.DLL
77F9FA77 Debug string: LDR: IMM32.DLL bound to ADVAPI32.DLL
75E60000 Module C:\WINNT\System32\IMM32.DLL
77F9FA77 Debug string: LDR: ADVAPI32.DLL bound to NTDLL.DLL
77F9FA77 Debug string: LDR: ADVAPI32.DLL has correct binding to NTDLL.DLL
77F9FA77 Debug string: LDR: ADVAPI32.DLL bound to KERNEL32.DLL
77F9FA77 Debug string: LDR: ADVAPI32.DLL has correct binding to KERNEL32.DLL
77F9FA77 Debug string: LDR: ADVAPI32.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll
77F9FA77 Debug string: LDR: ADVAPI32.DLL has correct binding to NTDLL.DLL
77F9FA77 Debug string: LDR: ADVAPI32.DLL bound to RPCRT4.DLL
77DB0000 Module C:\WINNT\system32\ADVAPI32.DLL
77F9FA77 Debug string: LDR: RPCRT4.DLL bound to NTDLL.DLL
77F9FA77 Debug string: LDR: RPCRT4.DLL has correct binding to NTDLL.DLL
77F9FA77 Debug string: LDR: RPCRT4.DLL bound to KERNEL32.DLL
77F9FA77 Debug string: LDR: RPCRT4.DLL has correct binding to KERNEL32.DLL
77F9FA77 Debug string: LDR: RPCRT4.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll
77F9FA77 Debug string: LDR: RPCRT4.DLL has correct binding to NTDLL.DLL
77F9FA77 Debug string: LDR: RPCRT4.DLL bound to ADVAPI32.DLL
77F9FA77 Debug string: LDR: RPCRT4.DLL has correct binding to ADVAPI32.DLL
77F9FA77 Debug string: LDR: ADVAPI32.DLL has correct binding to RPCRT4.DLL
77F9FA77 Debug string: LDR: IMM32.DLL has correct binding to ADVAPI32.DLL
77F9FA77 Debug string: LDR: Refcount ADVAPI32.DLL (1)
77F9FA77 Debug string: LDR: Refcount RPCRT4.DLL (1)
77F9FA77 Debug string: LDR: Refcount ADVAPI32.DLL (2)
77F8797F Breakpoint at ntdll.77F8797F
77F8C31F Breakpoint at ntdll.LdrpRunInitializeRoutines
77F9FA77 Debug string: LDR: Real INIT LIST
77F9FA77 Debug string: C:\WINNT\system32\RPCRT4.DLL init routine 77d43958
77F9FA77 Debug string: C:\WINNT\system32\ADVAPI32.DLL init routine 77db87c7
77F9FA77 Debug string: C:\WINNT\System32\IMM32.DLL init routine 75e61264
77F9986F Breakpoint at ntdll.77F9986F
77F9FA77 Debug string: LDR: RPCRT4.DLL loaded.
77F9FA77 Debug string: - Calling init routine at 77d43958
77F8E71E Breakpoint at ntdll.77F8E71E
77F9FA77 Debug string: LDR: LdrLoadDll, loading kernel32.dll from C:\masm32\ICZTUTES\TUTE02\tut02;
77F9FA77 Debug string: LDR: LdrGetProcedureAddress by
77F9FA77 Debug string: NAME - InterlockedCompareExchange
77F9986F Breakpoint at ntdll.77F9986F
77F9FA77 Debug string: LDR: ADVAPI32.DLL loaded.
77F9FA77 Debug string: - Calling init routine at 77db87c7
77F8E71E Breakpoint at ntdll.77F8E71E
77F9986F Breakpoint at ntdll.77F9986F
77F9FA77 Debug string: LDR: IMM32.DLL loaded.
77F9FA77 Debug string: - Calling init routine at 75e61264
77F8E71E Breakpoint at ntdll.77F8E71E
snip=====================
77F9FA77 Debug string: LDR: LdrGetDllHandle, searching for C:\WINNT\System32\IMM32.DLL from
77F9FA77 Debug string: LDR: LdrGetDllHandle, searching for C:\WINNT\System32\IMM32.DLL from C:\masm32\ICZTUTES\TUTE02\tut02;
77E87900 Breakpoint at KERNEL32.77E87900
00401000 Program entry point
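As an added example (not code from the thread), here is a small Python parser for the OllyDbg log format pasted above. It reads the LDR snap lines up to "Program entry point" and reports which DLL init routines (DllMain calls) the loader ran before the debugger's first EP break, and which of those belong to DLLs the exe does not import directly (pulled in by a dependency or loaded DYNAMICally from another DllMain). The embedded log is a constructed excerpt of the post's log, trimmed to the lines the parser uses.

```python
import re

# Constructed excerpt in the OllyDbg log format from the post above
# (addresses copied from it, trimmed to the lines the parser uses).
SAMPLE_LOG = r"""
77F9FA77 Debug string: LDR: KERNEL32.dll used by msgbox.exe
77F9FA77 Debug string: LDR: USER32.dll used by msgbox.exe
77F9FA77 Debug string: LDR: Real INIT LIST
77F9FA77 Debug string: C:\WINNT\system32\KERNEL32.dll init routine 77e8c3d8
77F9FA77 Debug string: C:\WINNT\system32\USER32.dll init routine 77e33bb4
77F9FA77 Debug string: LDR: KERNEL32.dll loaded.
77F9FA77 Debug string: - Calling init routine at 77e8c3d8
77F9FA77 Debug string: LDR: USER32.dll loaded.
77F9FA77 Debug string: - Calling init routine at 77e33bb4
77F9FA77 Debug string: LDR: Loading (DYNAMIC) C:\WINNT\System32\IMM32.DLL
77F9FA77 Debug string: C:\WINNT\System32\IMM32.DLL init routine 75e61264
77F9FA77 Debug string: LDR: IMM32.DLL loaded.
77F9FA77 Debug string: - Calling init routine at 75e61264
00401000 Program entry point
"""

# "<path> init routine <addr>" announces a DllMain; "Calling init routine at <addr>" is the call.
INIT_RE = re.compile(r"Debug string: (?P<path>.+?) init routine (?P<addr>[0-9a-fA-F]{8})\b")
CALL_RE = re.compile(r"Calling init routine at (?P<addr>[0-9a-fA-F]{8})\b")
USED_RE = re.compile(r"LDR: (?P<dll>\S+) used by ")
EP_RE = re.compile(r"^[0-9a-fA-F]{8} Program entry point")


def parse_ldr_log(text):
    """Walk the log up to 'Program entry point' and collect, in call order,
    every init routine the loader ran before the EP."""
    init_by_addr = {}        # init routine address -> dll name
    direct_imports = set()   # DLLs the exe imports statically ("used by")
    init_calls = []          # (dll name, init routine address)
    reached_ep = False
    for line in text.splitlines():
        m = INIT_RE.search(line)
        if m:
            name = m.group("path").rsplit("\\", 1)[-1].lower()
            init_by_addr[m.group("addr").lower()] = name
            continue
        m = USED_RE.search(line)
        if m:
            direct_imports.add(m.group("dll").lower())
            continue
        m = CALL_RE.search(line)
        if m:
            addr = m.group("addr").lower()
            init_calls.append((init_by_addr.get(addr, "<unknown>"), addr))
            continue
        if EP_RE.match(line):
            reached_ep = True
            break
    return init_calls, direct_imports, reached_ep


def pre_entry_report(text):
    """Summarise what executed before the EP break: how many DllMains ran and
    which belong to DLLs the exe does not import directly."""
    init_calls, direct_imports, reached_ep = parse_ldr_log(text)
    return {
        "reached_ep": reached_ep,
        "init_count": len(init_calls),
        "init_order": [dll for dll, _ in init_calls],
        "not_direct_import": [dll for dll, _ in init_calls if dll not in direct_imports],
    }


if __name__ == "__main__":
    for key, value in pre_entry_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full LDR_SHOW_SNAPS log captured from OllyDbg's log window to see every DllMain that got control before the entry-point break.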

disavowed
April 14th, 2005, 23:58
blabberer, regarding your last post, was that from OllyDbg or your own debugger code? I presume the latter. If the former, how?

blabberer
April 15th, 2005, 00:18
Hehe, I am not so l33t as to code my own debugger, disavowed; it is from OllyDbg.
Actually the loader emits debug strings when it is loading any application, which you can log and analyze if you have set the LDR_SHOW_SNAPS global flag.

As I said, I wrote a standalone exe to enable it per system session.
It uses the ZwSetSystemInfo API to set NtGlobalFlag, aka peb:some number I can't remember right off. I wrote it in MASM, and when I tried to convert it into a plugin DLL using ollydbg.inc/ollydbg.lib by eviloid I faced a lot of problems, so I dropped it.

But if you want to try to enable it, open regedit and set this value:

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"GlobalFlag"=dword:00000002


You will see Olly spitting out all those debug messages.
If you have WinDbg you can use its gflags.exe to enable this flag per session or permanently (for per session it uses ZwSetSystemInfo; for permanency it uses RegCreateKey/RegSetValue).

And getting all those .pdb files from the MS symbol servers and analysing all the modules with OllyDbg (look in the OllyDbg forum for details on the symbol path hack) will actually give you a lot of names; one of them is the LdrInitroutine call. If you set a break there, Olly will let you trace all init code.

Hope it helps.

disavowed
April 15th, 2005, 10:05
Ahh... sorry... I misread your gflags comment earlier. Cool.

One more question: how do you set a useful breakpoint on LdrInitroutine if the DLL init functions are called before OllyDbg gets ahold of the target .exe?

0rp
April 15th, 2005, 19:40
Quote:
[Originally Posted by disavowed]If you mean checking the "break-on-module-load" checkbox in OllyDbg, then no, that doesn't apply to DLLs in the IT. They're loaded into memory before Windows passes control to OllyDbg.



Eh? No.

For every DLL in the IT, WaitForDebugEvent returns with LOAD_DLL_DEBUG_EVENT.

blabberer
April 15th, 2005, 23:35
As far as I've seen, the system creates a thread, then maps the exe, snaps its import table and maps it and confirms the validity; then, if all are OK, it maps ntdll.dll (creates the 7fffde000 and 7fffdf000 sections) and hands control to ntdll.dll for further actions using KiUserApcDispatch-something.

If you locate this in ntdll.dll and set an F2 breakpoint (not at the call eax but at the actual procedure), Olly will break there. Now it checks fs:[30]+68 (7fffdf068), ANDs its value with 2 and sets the LdrShowSnaps flag to 2. Then from there it proceeds to run LdrApplicationCompatGoo(), LdrInitializeRoutine(), QueryImageFileExecuteOption() for every DLL, ClearLoadinprogress(), etc. etc. You can set F2 breaks on all these functions in ntdll.dll and Olly will break on all of them, because they are all run in user context (if that is the technical term; KiUserApcDispatch sets the context and context body in the stack and has already initialized ntdll.dll).

I have a commented snippet of the process on some HDD; I'll paste it here later.

0rp, what do you mean?? If you set Debug Options -> Events -> Break on load module, Olly will not break for any DLL that is in the IAT, is what disavowed said, and it is true as far as I know. Can you elaborate on the event you specify and your method to break there with OllyDbg???

0rp
April 16th, 2005, 04:04
Quote:
[Originally Posted by blabberer]0rp, what do you mean?? If you set Debug Options -> Events -> Break on load module, Olly will not break for any DLL that is in the IAT, is what disavowed said, and it is true as far as I know. Can you elaborate on the event you specify and your method to break there with OllyDbg???



OllyDbg is somewhat strange with break on OEP and IT DLLs, but if you use WinDbg or write your own debugger, you will get a LOAD_DLL_DEBUG_EVENT for each IT DLL.

Try to use WinDbg: open notepad, enable the DLL load event in debug events.

The PEB for the first breaks doesn't contain any Ldr table at all (!):

Code:
7c810867 ?? ???
0:000> !peb
PEB at 7ffda000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 01000000
Ldr 00000000
*** unable to read Ldr table at 00000000
SubSystemData: 00000000
ProcessHeap: 00000000
.....


In fact the process doesn't even have the exe image loaded (that's why the disasm shows '???').

Next break:

Code:
7c91eb94 c3 ret
0:000> !peb
PEB at 7ffda000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 01000000
Ldr 001a1ea0
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 001a1f58 . 001a1f58
Ldr.InLoadOrderModuleList: 001a1ee0 . 001a1f48
Ldr.InMemoryOrderModuleList: 001a1ee8 . 001a1f50
Base TimeStamp Module
1000000 41107cc3 Aug 04 08:05:55 2004 C:\WINDOWS\notepad.exe
7c910000 411096d4 Aug 04 09:57:08 2004 C:\WINDOWS\system32\ntdll.dll
SubSystemData: 00000000
ProcessHeap: 000a0000
....

blabberer
April 30th, 2005, 08:17
Yes, WinDbg catches ntdll.dll loading and the mapping of the PEB while Olly doesn't; it seems Olly can only break at the first debug string,
viz.
77f98f8e "LDR: PID: 0x%x started - '%wZ'."

while with WinDbg it is possible to trace through

ntdll!LdrInitializeThunk:
77f83406 8d442410 lea eax,[esp+0x10]
77f8340a 89442404 mov [esp+0x4],eax
77f8340e 33ed xor ebp,ebp

ntdll!LdrpInitialize:
77f83410 55 push ebp

ntdll!LdrpInitializeProcess:
77f91b3b 55 push ebp

on which this DbgPrint is situated:
ntdll!LdrpInitializeProcess+0x5c3:
77f991de 68ae8ff977 push 0x77f98fae
77f991e3 e8b5efffff call ntdll!DbgPrint (77f9819d)

0:000> da 77f98f8e
77f98f8e "LDR: PID: 0x%x started - '%wZ'."


A snapshot for those who are curious:

Code:


I enabled both load module and debug strings in
debug events and had gflags set the
LDR_SHOW_SNAPS (0x02) flag

0:000> .restart
CommandLine: C:\masm32\project\setsysteminfo\debugcrap.exe
Symbol search path is:c:\symbols;
srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
ModLoad: 00400000 00404000 image00400000
ModLoad: 77f80000 77ff9000 ntdll.dll
eax=00401000 ebx=7ffdf000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=77e878c1 esp=0012fffc ebp=00000000 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000200
DBGHELP: ntdll.dll is stripped. Searching for dbg file
DBGHELP: ntdll - public symbols
c:\symbols\ntdll.dbg\38175B3079000\ntdll.dbg
c:\symbols\ntdll.pdb\380FCC4F2\ntdll.pdb
77e878c1 ?? ???
0:000> t
eax=00401000 ebx=7ffdf000 ecx=00000000 edx=00000000 esi=00000000 edi=0012fd30
eip=77f9fb64 esp=0012fd20 ebp=00000000 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiUserApcDispatcher+0x4:
77f9fb64 58 pop eax
0:000> t
eax=77f83406 ebx=7ffdf000 ecx=00000000 edx=00000000 esi=00000000 edi=0012fd30
eip=77f9fb65 esp=0012fd24 ebp=00000000 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiUserApcDispatcher+0x5:
77f9fb65 ffd0 call eax {ntdll!LdrInitializeThunk (77f83406)}
<--- I tried to set a break here; Olly can't restore it
=================================
=================================
snip
=================================
=================================
0:000> t
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=0012fd30
eip=77f8343d esp=0012fcac ebp=0012fd1c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpInitialize+0x2d:
77f8343d 64a118000000 mov eax,fs:[00000018] fs:003b:00000018=7ffde000

0:000> g
LDR: PID: 0x110 started - 'C:\masm32\project\setsysteminfo\debugcrap.exe'


eax=0012f6f8 ebx=00000000 ecx=0012f75c edx=0012f7a5 esi=00000000 edi=00000000
eip=77f9fa77 esp=0012f6d0 ebp=0012f974 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
ntdll!DbgPrint+0x12a:
77f9fa77 64a118000000 mov eax,fs:[00000018] fs:003b:00000018=7ffde000

Well, even at this point the PEB isn't yet fully available.

0:000> !peb
PEB at 7FFDF000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 00400000
*** unable to read Ldr table at 00000000
SubSystemData: 0
ProcessHeap: 0
ProcessParameters: 20000
WindowTitle: 'C:\masm32\project\setsysteminfo\debugcrap.exe'
ImageFile: 'C:\masm32\project\setsysteminfo\debugcrap.exe'
CommandLine: 'C:\masm32\project\setsysteminfo\debugcrap.exe'
DllPath: 'C:\masm32\project\setsysteminfo;.
Environment: 0x10000



Olly's first break occurs only here:

Log data
Address Message
Process terminated
77F83406 Unable to restore breakpoint

File 'C:\masm32\project\setsysteminfo\debugcrap.exe'
New process with ID 00000178 created
00401000 Main thread with ID 000002F0 created
77F9FA77 Debug string: LDR: PID: 0x178 started -
'"C:\masm32\project\setsysteminfo\debugcrap.exe"'



So WinDbg breaks a lot earlier, and we can trace ntdll's mapping and setting up of the PEB with WinDbg, while we cannot trace ntdll's init in OllyDbg.

The instructions which can't be traced in Olly dynamically while WinDbg can are as follows:

I snipped off the disassembly part of ntdll.dll; if someone is interested I can paste it, provided it is OK to paste the disassembly.