_d_
08-07-2005, 08:58 AM
I followed this tutorial to debug the child process.
Here are the steps I followed:
- Open the target in OllyDbg
- set the IsDebuggerPresent byte to 00
- bp WriteProcessMemory
- F9 twice, as the 2nd WriteProcessMemory is the one where you write the loop
- Edit the buffer in the WriteProcessMemory call to be EB FE so that the child process will be in an infinite loop (take a note of the bytes so you can put them back later)
- F9 again to run the parent - should see 2 processes with the same name in task manager and CPU usage of the child process will be ~100%
- bp WaitForDebugEvent to stop the parent
- Find the process id of the child by doing open in the OllyDbg that is running the parent and finding the process that isn't in red - press cancel
- pick a point in the parent and assemble in
PUSH <process id>
CALL DebugActiveProcessStop
NOP
- right click->new origin here on the inserted PUSH - this moves the current execution point to the selected line. It doesn't restart the process.
- breakpoint the NOP and F9
- when the execution stops at the NOP, check that EAX is 1, which indicates the DebugActiveProcessStop call was successful
- the child process is no longer being debugged by the parent process so we can attach a new OllyDbg to the child. Leave the parent paused but don't close the OllyDbg.
- press F9 and then F12 in the new debugger after attaching and you should be paused at the EB FE loop in the child process.
- Edit back in the original 2 bytes to remove the loop
Now I'm not sure if what I did next was correct.
- set the IsDebuggerPresent to 00
- put a memory access breakpoint on the first section after the PE header in the memory window
- press F9
But in the child process there are a bunch of 0xCC bytes, so it makes no sense to detach the arma-debugger, because only the father process knows the replaced bytes.
Are there any papers regarding this problem?
Best regards
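Added example, not part of the original post and not Armadillo's or OllyDbg's code: a small Python model of the relationship the question describes. A parent debugger plants INT3 (0xCC) bytes in its child, keeps the bytes it overwrote in its own memory, and services every breakpoint by restoring the byte, rewinding EIP, stepping and re-arming. Once the parent stops debugging the child, the 0xCC bytes are still in the child's image, so the child faults at the first one unless the parent's table is written back first. The base address, the 16-byte image, the breakpoint offsets and the one-byte-per-instruction toy CPU are all constructed for illustration.

```python
INT3 = 0xCC

# Constructed 16-byte "code" image and base address (invented values).
# The toy CPU below treats every byte as one single-byte instruction.
IMAGE_BASE = 0x401000
ORIGINAL_IMAGE = bytes(range(0x90, 0xA0))   # 0x90..0x9F, none of them 0xCC


class Child:
    """Toy process: flat memory plus an instruction pointer."""

    def __init__(self, image, base):
        self.mem = bytearray(image)
        self.base = base
        self.eip = base
        self.executed = []           # opcodes actually executed, in order

    def step(self):
        """Execute one instruction; return an event name on INT3, else None."""
        op = self.mem[self.eip - self.base]
        if op == INT3:
            self.eip += 1            # as on x86: EIP now points past the 0xCC
            return "EXCEPTION_BREAKPOINT"
        self.executed.append(op)
        self.eip += 1
        return None

    def finished(self):
        return self.eip >= self.base + len(self.mem)


class ParentDebugger:
    """Models the 'father' process: plants INT3s and holds the original bytes."""

    def __init__(self, child, bp_addrs):
        self.child = child
        self.orig = {}
        for addr in bp_addrs:
            self.orig[addr] = child.mem[addr - child.base]
            child.mem[addr - child.base] = INT3

    def on_breakpoint(self):
        """WaitForDebugEvent-style handler: restore, rewind, step, re-arm."""
        addr = self.child.eip - 1
        if addr not in self.orig:
            raise RuntimeError("INT3 at %#x is not one of ours" % addr)
        self.child.mem[addr - self.child.base] = self.orig[addr]
        self.child.eip = addr
        self.child.step()            # run the real instruction once
        self.child.mem[addr - self.child.base] = INT3   # re-arm the breakpoint

    def run(self):
        while not self.child.finished():
            if self.child.step() == "EXCEPTION_BREAKPOINT":
                self.on_breakpoint()
        return bytes(self.child.executed)

    def export_table(self):
        """The only record of the replaced bytes; it lives in the parent."""
        return dict(self.orig)


def run_detached(child):
    """Run the child with nobody servicing INT3. Returns (ok, opcodes)."""
    while not child.finished():
        if child.step() == "EXCEPTION_BREAKPOINT":
            return False, bytes(child.executed)
    return True, bytes(child.executed)


def restore_from_table(child, table):
    """Write the parent's saved bytes back over the 0xCCs in the child."""
    for addr, byte in table.items():
        child.mem[addr - child.base] = byte


def demo():
    bps = [IMAGE_BASE + 3, IMAGE_BASE + 9, IMAGE_BASE + 14]   # constructed

    # 1. Under the parent the child runs to the end; every INT3 is serviced.
    supervised = Child(ORIGINAL_IMAGE, IMAGE_BASE)
    parent = ParentDebugger(supervised, bps)
    supervised_ops = parent.run()

    # 2. The child's memory as it looks right after DebugActiveProcessStop:
    #    the 0xCC bytes are still there and nobody handles them any more.
    detached = Child(bytes(supervised.mem), IMAGE_BASE)
    ok_before, ops_before = run_detached(detached)

    # 3. Same memory, but with the parent's table written back first.
    repaired = Child(bytes(supervised.mem), IMAGE_BASE)
    restore_from_table(repaired, parent.export_table())
    ok_after, ops_after = run_detached(repaired)

    return {
        "supervised_ok": supervised_ops == ORIGINAL_IMAGE,
        "int3_count_after_detach": supervised.mem.count(INT3),
        "detached_ok": ok_before,
        "detached_ran_bytes": len(ops_before),
        "repaired_ok": ok_after and ops_after == ORIGINAL_IMAGE,
    }


if __name__ == "__main__":
    print(demo())
```

The model only shows the mechanics; in the real case the table (or, for a packer that decrypts pages on demand, the decryption routine itself) sits in the parent and must be recovered from there, for example by dumping it while the parent is still paused in the first OllyDbg. Scanning the child for 0xCC bytes is not a substitute: 0xCC also occurs legitimately inside immediates, padding and data, so without the parent's record there is no way to tell which ones to patch.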