How to debug child process


Quasar
May 23rd, 2005, 05:05
Hi, sorry for my English first.

The program I'm debugging creates a process with CreateProcessA in OllyDbg, and I want to debug this child process too.
Is there no way to do this from OllyDbg?
Thanks

Ricardo Narvaja
May 23rd, 2005, 05:58
Yes, put a BP on CreateProcess, change the value on the stack to 4 (suspended process), and go to the RET of the father.
If the father is debugging the child, go to any blank part of code and write

    push <PID of the child>
    call DebugActiveProcessStop
    nop

and mark the first line (the push) and select NEW ORIGIN HERE.

Trace with F8, and when you reach the NOP, if EAX is 1 the child is not being debugged any more.

To RUN the child, put an infinite loop at the entry point and resume it with Process Memory Manipulator, to make the child run and loop.

Next attach with OLLY without problem, pause, remove the infinite loop and continue debugging.



Ricardo Narvaja

Quasar
May 23rd, 2005, 07:50
Thanks for your response Ricardo,

After CreateProcess I call DebugActiveProcessStop with the PID of the new process and it fails with ERROR_ACCESS_DENIED (00000005). Does this mean the father was not debugging the child?

To run the child, how can I put an infinite loop at the entry point and resume?
I don't understand this; maybe you mean modifying the source code?

An important thing I forgot to say: the father is injecting code into the child process, and when I attach with OllyDbg (right after CreateProcessA with CREATE_SUSPENDED) a popup says "0xC0000142, application failed to initialize properly" and OllyDbg stops with "Exception C0000142 DLL_INIT_FAILED".

arjuns
May 23rd, 2005, 12:03
Patch the original instruction with EB FE (jumps to the same line as EIP),
but you have to remember the patched bytes, you need them later.
Select Resume thread from the thread menu.

Ricardo Narvaja
May 23rd, 2005, 20:44
For the father to debug the child there are two options:

1) In the stack, when the process is created, in the parameter you change to 4 for suspended, there is a value for DEBUG ONLY or DEBUG ONLY THIS PROCESS.

2) The father calls the API DebugActiveProcess, following the call to CreateProcess.

If neither 1 nor 2 appears, the child is not debugged (but if it is not debugged, the child can be attached with Olly without problems).

The process created originates from a file; look at the name of the file in the stack, open the file beforehand in PE Editor, and look at the entry point.

If PE Editor says 1020 and image base 400000, the entry point will be 401020, for example.

When you create the process suspended, open PUPE, go to Patch, look at the value at 401020 (example) and change the 2 bytes to EB FE (write the old values on a paper).

Next you put EB FE (infinite loop at the entry point) and remove the father's debugging if necessary, next resume it with Process Memory Manipulator; the program starts to run looping, and next attach with Olly. When it stops at the debug break, RUN, and pause again; OLLY stops at the entry point; change the values back to the original values and continue debugging.

Obviously the father needs to continue running in the original; you need to study what changes the father makes to the child, with WriteProcessMemory for example, and what the child reads from the father, maybe there is an exchange of information.

Another possibility is to change the bytes in the child file and save the changes, and when it is looping, change them in memory, but it can be detected; it's all try and try, hehe.



Ricardo Narvaja
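The entry-point arithmetic from the PE headers (ImageBase + AddressOfEntryPoint, 400000 + 1020 = 401020) and the EB FE patch with the original bytes kept for restoring, as an added Python example that is not from this thread: it works on a constructed minimal PE32 image instead of a real file, handles only PE32 (32-bit) images, and the sample bytes 55 8B at the entry point are invented.

```python
import struct
JMP_SELF = b"\xEB\xFE"  # jmp $ : the two-byte infinite loop from the thread

def build_sample_pe() -> bytearray:
    # Constructed minimal PE32 (not a real program): ImageBase 0x400000, entry RVA 0x1020 (thread's 401020).
    data = bytearray(0x400)
    data[0:2], data[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", data, 0x3C, 0x80)                    # e_lfanew -> PE signature
    struct.pack_into("<HHIIIHH", data, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header
    opt = 0x98                                                  # optional header (PE32)
    struct.pack_into("<H", data, opt, 0x10B)                    # magic
    struct.pack_into("<I", data, opt + 16, 0x1020)              # AddressOfEntryPoint
    struct.pack_into("<I", data, opt + 28, 0x400000)            # ImageBase
    sec = opt + 0xE0                                            # first section header
    data[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", data, sec + 8, 0x100, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    data[0x220:0x222] = b"\x55\x8B"  # invented original entry bytes (push ebp; mov ebp,esp)
    return data

def entry_point(data):
    # Walk the PE32 headers: returns (file offset of the entry point, its VA = ImageBase + RVA).
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    for i in range(nsec):  # find the section whose virtual range contains the entry RVA
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        if va <= entry_rva < va + max(vsize, raw_size):
            return raw_ptr + (entry_rva - va), image_base + entry_rva
    raise ValueError("entry point RVA is not inside any section")

def patch_entry_point(data):
    # Replace the first two entry bytes with jmp $; keep the originals, they are needed to restore.
    off, va = entry_point(data)
    saved, patched = bytes(data[off:off + 2]), bytearray(data)
    patched[off:off + 2] = JMP_SELF
    return va, saved, patched

def restore_entry_point(patched, saved):
    # Undo the patch once the debugger is attached and paused at the loop.
    off, _ = entry_point(patched)
    return bytes(patched[:off]) + saved + bytes(patched[off + 2:])
```

Patching the file on disk is the second route the post mentions; for the in-memory route the same two bytes are written at the VA the function returns.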

Quasar
May 24th, 2005, 10:20
Thanks to all, I tried to put EB FE and it worked!