What's the recommended way that debuggers terminate the currently-debugged process? TerminateProcess? or ContinueDebugEvent DBG_TERMINATE_PROCESS? Or ... ?
MSDN and Google wont give me an answer to that so hopefully somebody here will know. Many thanks in advance!

Well, I'd say DBG_TERMINATE_PROCESS as TerminateProcess() should really only be used in extreme circumstances and doesn't allow notification to DLL's that the target may have loaded. However, since DBG_TERMINATE_PROCESS is undocumented by Microsoft, there's only the TerminateProcess() left to use.

Yeah, I havent been able to find any info on DBG_TERMINATE_PROCESS either
I wonder how Oleh does it?

I need to find out because Ive written a small debugger simply to list the DLLs that get loaded - you couldn't even call it a debugger, but it does use a couple of the debug APIs, but I cant find any information on terminating the debuggee, which to me seems like a simple enough thing!

Well, I loaded Ollydbg into itself to find this out :-)

Ollydbg debugging Ollydbg debugging hello.exe (simple asm "Hello world" I wrote)
Then I asked the Ollydbg debugging hello.exe to close the debug session whilst I had breakpoints on the useful debugging functions in the first ollydbg.

This is what it broke on:

0046E00B |> 6A 00 PUSH 0 ; /ExitCode = 0
0046E00D |. 8B0D 70404C00 MOV ECX,DWORD PTR DS:[4C4070] ; |
0046E013 |. 51 PUSH ECX ; |hProcess => 00000124 (window)
0046E014 |. E8 F11D0300 CALL <JMP.&KERNEL32.TerminateProcess> ; &#92;TerminateProcess

interesting eh?

Many thanks! I also tried OllyDbg'ing OllyDbg but didn't get as far as you got , but your understanding of assembly is obviously better than mine!

I had tried using TerminateProcess but it didn't seem to work, but as OllyDbg is using it, it must work, as it works fine in OllyDbg so obviously I'm just not calling TerminateProcess correctly. I'll try again in the morning (3:30am here, time for sleep!)

Once again, _many_ kind thanks - your help is very much appreciated, as unfortunately I simply cannot proceed with my current project until I can terminate the debuggee! It'd be nice to hear from the author of OllyDbg regarding this matter, but your analysis will hopefully solve my problem

Greets,

there are several ways to close a debuggee.

The natural way is, that win32 app should cleanup before closing. For instance closing files, handles and freeing memory, unloading DLLs, writing registry or ini file whatever...

I would suggest the following steps for windows applications:

1. use PostMessage() to post WM_QUIT to main application window

if that fails (no message processing, hung whatever), the debugger should:

2. try to call the ExitProcess API on the debuggee's behalf
2.1. create a thread in the debuggee (CreateRemoteThread) and call ExitProcess
2.2. use SetThreadContext to let the target process/thread call ExitProcess()
(both are clean ways, 2.2. maybe a bit tricky)

if that fails, the debugger should:

3. Terminate its debugging thread - which will in turn close the debuggee's main thread.
(this behavior is by OS design)

if that fails, the debugger should:

4. TerminateProcess() - extreme brutal and should only be used as last resort

For console apps (no message queue), step 1. can be omitted .

Hope this helps...

Regards,

Anastasius Focht

Thanks!
Im using your #3 technique -- doing the debugging in a seperate thread, and closing that thread when Im done which is also taking out the debuggee, its working well so far!