Ollydbg and MSACCESS/MDB [Archive] - RCE Messageboard's Regroupment

View Full Version : Ollydbg and MSACCESS/MDB

PaulGerken

July 7th, 2006, 13:03

Hi All,

I can't seem to get Ollydbg to work with MSACCESS, and/or visa-versa...

I am using Win2000 SP2, Ollydbg v1.10, and MSACCESS 2003 (11.5614.5606).

The Ollydbg install seems to be ok.
I have tried Ollydbg with Notebook, and that works fine.

MSACCESS by itself has been working ok for several years...
I have created a small MDB for this test, and it comes up ok.

I have tried both Olly-File-Open and Olly-File-Attach.
1.One failing sequence is-
start Ollydbg
Olly->File->Open->...system32\MSACCESS.exe
then Olly does the Analyze ok,
Olly->...Run
MSACCESS->File->Open->test.mdb
Olly->Run
Olly then has status-line with Exception...
Olly->press Shift-F8
MSACCESS then pops up modal window saying--
Microsoft Visual C++ Runtime Library
RunTime Error: Program C:\...\...\MSACCESS.EXE
abnormal termination

2.Another failing sequence is--
start MSACCESS
start Ollydbg
Olly->File->Attach->...MSACCESS
then Olly does the Analyze ok
Olly->...Run
MSACCESS->File->Open->test.mdb
MSACCESS then pops up modal window saying the same as before--
Microsoft Visual C++ Runtime Library
RunTime Error: Program C:\...\...\MSACCESS.EXE
abnormal termination

Each sequence terminates with the same result--
I would like some advice on how to persue getting this to run.
What items should I look at next?
What sequence might be better?
Thanks for the effort in reading/responding...

tkx, Paul

Kayaker

July 8th, 2006, 00:42

Hi

This may just be an unintended side effect of working with MS databases under a debugger. You should try WinDbg or MSVC debugger as well.

One thought that came to mind is that when a process is started under a debugger a special debug heap is used. API's such as malloc() and new() function differently, there are extra heap checks and the memory layout is a little different. I *thought* the problem might be due to the fact that the MDB is loaded into this debug heap memory and msaccess glitches because of it somehow.

This was just a wild guess, but on second thought you mention this also occurs when you *attach* to msaccess.exe and *then* try to open a DB, in which case the special debug heap *shouldn't* be used. But, who knows, maybe the check occurs when the DB is opened and at that point it still appears to msaccess that it is running under a debugger and behaves accordingly.

In explanation, directly from the WinDbg docs, and you'll find a few Google references to this as well:

Processes created by the debugger behave slightly differently than they would under normal conditions.

Instead of using the standard heap API, processes created by the debugger use a special debug heap. On Microsoft® Windows XP and Microsoft Windows Server™ 2003, you can force a spawned process to use the standard heap instead of the debug heap by using the _NO_DEBUG_HEAP environment variable or the -hd command-line option.

There are other behavioural differences when running under a debugger that might annoy msaccess, a few which were touched on in a thread I read - timing/synchronization, working directory, environment variables (e.g. PATH), checks for running under a debugger, etc.

You'll have to try to find out what's causing the error, perhaps setting up a secondary debugger (such as MSVC++) as a JIT debugger might cause a break instead of an uninformative error message and you might at least get an exception address to home in on.

Is there any chance msaccess logs errors to a file or the event viewer? What if instead of opening an existing mdb you create a new one and work with it, still get a crash?

Can't think of anything else to suggest.

Kayaker

blabberer

July 8th, 2006, 11:11

if what kayaker guessed is indeed right then you can force it to use a
standard debugheap by running the gflags.exe from windbg package
with glags -htc -hfc -hpc on commandline

C:\Program Files\SUPPOR~1>gflags -i msgbox.exe
Current Registry Settings for msgbox.exe executable are: 00000072
sls - Show Loader Snaps
htc - Enable heap tail checking
hfc - Enable heap free checking
hpc - Enable heap parameter checking

C:\Program Files\SUPPOR~1>

or use a registry key to disable heaplookaside
IMAGEFILEEXECUTIONOPTIONS

you can check this thread out for a few details about using the registrykey
and gflags

http://exetools.com/forum/showthread.php?t=7363&page=1&pp=15

edit

just out of kicks i loaded msaccess in ollydbg and opened a .mdb from within msaccess

Code:





           File 'C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE'

           New process with ID 000004A0 created

30001A0C   Main thread with ID 0000023C created

30000000   Module C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE

             Debugging information (Microsoft format) available

77D40000   Module C:\WINDOWS\system32\USER32.dll

             CRC changed, discarding .udd data

             Debugging information (Microsoft format) available

77F10000   Module C:\WINDOWS\system32\GDI32.DLL

             CRC changed, discarding .udd data

             Debugging information (Microsoft format) available

7C800000   Module C:\WINDOWS\system32\kernel32.dll

             CRC changed, discarding .udd data

             Debugging information (Microsoft format) available

7C900000   Module C:\WINDOWS\system32\ntdll.dll

             CRC changed, discarding .udd data

<-------------------------------- snip ------------------------>



7C810856  New thread with ID 00000680 created

7C810856  New thread with ID 00000200 created

7C810856  New thread with ID 0000054C created

7C81EB33  Debug string: C:\Documents and Settings\******\Application Data\Microsoft\Access\System1.mdw



<---------------------snip--------------->



the mdb opened without any problems 



i clicked an object tab (create object some thing in the mdb )

it erred with an exception e0####



02580000  Unload C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\ZJBIG.dll

7C81EB33  Exception E06D7363

7C81EB33  Exception E06D7363



<----------------snip------------->



i asked olly to pass the exception to program 

options-->debugging options --> exceptions --> add last exception --> check mark ignore the following box --> ok



shift +f9  



it happily obliged 



clicked close on msaccess 



<-------------------snip --------------->



          Thread 00000680 terminated, exit code 0

          Thread 00000200 terminated, exit code 0

          Thread 0000054C terminated, exit code 0

4EC50000  Unload C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll

593F0000  Unload C:\WINDOWS\system32\wiashext.dll

73D70000  Unload C:\WINDOWS\system32\shgina.dll



<----------- snip--------->



          Thread 0000028C terminated, exit code 0

          Process terminated, exit code 0

02490000  Unload C:\WINDOWS\system32\odbcint.dll



<-----------snip---------->



30000000  Unload C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE

30B00000  Unload C:\Program Files\Common Files\Microsoft Shared\office10\mso.dll



<------------------snip----------->

no problems here no flags changed no image execution options changed

the mdb i opened was some ias.mdb available in office folder
some example i think