Ollydbg - Trace over Systems Calls


fred26
March 31st, 2015, 06:16
Dear all,

My first post here. I am using Ollydbg to trace into a piece of code, however the trace goes into some system dlls and never comes back.

I tried checking the option boxes in the Ollydbg Options, and also tried this link http://www.woodmann.com/forum/archive/index.php/t-11550.html but nothing helped.

Any ideas?

Thanks

BanMe_2
March 31st, 2015, 15:07
http://www.woodmann.com/forum/showthread.php?14602-OllyDbg-trace-gets-quot-lost-quot-in-OS-code
http://webpages.sou.edu/~ackler/teaching/cs458-s13/slides/olly.html

Your words are the tools I used to find these. I duckduckgo'd "Trace Over System Dll's".

Searching is key to learning.

Regards.

fred26
March 31st, 2015, 18:45
Quote (Originally Posted by BanMe_2):
http://www.woodmann.com/forum/showthread.php?14602-OllyDbg-trace-gets-quot-lost-quot-in-OS-code
http://webpages.sou.edu/~ackler/teaching/cs458-s13/slides/olly.html

Your words are the tools I used to find these. I duckduckgo'd "Trace Over System Dll's".

Searching is key to learning.

Regards.

Honestly and if I am not mistaken, you are posting 2 links about: setting Olly's Trace Options, a link to a plugin and a link to this same article.

Neither setting the Options, nor the conditional BP approach, nor the manual approach lets me 'go over' system calls.

Can you be more specific on how to solve this?

Thanks

Kayaker
March 31st, 2015, 20:55
Do you have an example of the specific set of instructions that leads to the syscall? It might help to come up with a solution.

blabberer
April 1st, 2015, 01:14
if it doesn't return back you have the following options
1) find it in the park it is strolling
2) register a complaint in the police station about the missing call
3) advertise on tv in the "have you seen this call" section
4) stop worrying, it didn't like you and is better off somewhere else

and honestly there are always breadcrumbs in the forest; you have to trace your way, and if you want someone else to find it for you, you need to show the breadcrumbs that you started with and where you got lost tracing the untraceable

so you started ctrl+f11 or ctrl+f12 // or ?? f9 ?? / ctrl+f9 // ?? at 0x4010XXX
have you noticed that ollydbg run trace window has a logging capacity ? did you tell it to log
have you noticed that run trace memory can be expanded from default xx kb to highest capacity of yyyyy mbs ?? so that the buffer can hold
right from millions of instructions to billions of instructions ? did you increase the memory ??

have you noticed ollydbg runtrace has a profiling option (global profile and module profile, that show a concise summary of what instructions were executed how many times) ?? have you profiled the run trace and analysed the outcome ??

do you know ollydbg also has a hit trace mechanism and exclude procedure from hit trace mechanism to narrow down the exit paths ??

have you hit traced ??

do you have a clue where the call was last seen before disappearing in the circus crowd ?? i mean what jacket it was wearing, what was the color of the brief it was wearing ?

the question as it stands is vague and unanswerable; no one, not even putting notices on interpol, can find the missing call without information (pertinent information, not vague descriptions noticed by a bystander wearing dark glasses ogling the streets )

fred26
April 1st, 2015, 08:59
My trace stops at 200F624C:

200F624B 56 PUSH ESI
>>200F624C FF15 90180E20 CALL DWORD PTR DS:[<&KERNEL32.SwitchToFiber>]
200F6252 B8 01000000 MOV EAX,1

If I BP before and after, and F9 in between, it seems to work in most cases.

The conditional BP at 200F6252 with the "1==2" approach does not work.

Any thoughts?

Thanks

blabberer
April 2nd, 2015, 03:51
well what are the questions that arise when you see the call ?? do you have any ?? have you thought what a fiber is ? does switch ring a bell ?? doesn't switch mean something similar to well SWITCH which well means changing from something to some-other thing ?? if that is what it means where does it go ?? it surely must have some place to go when it switches ?? doesn't it ? if it switched how does it switch back ?? will it switch back ?? if yes will it crash the gate or some one will bring it back ?? does it hang out with bad doodets when it switched hacking the main switch and finding ways to bypass the road that leads to home ??

can you read the code and explain what happens here and tell me if you can distinguish the results ? and explain the outcome ?? what methodologies will you use ? what tools you will use if at all and what will be the results ?

Code:

#include <windows.h>
#include <stdio.h>
#pragma comment(lib,"kernel32.lib")
PVOID foo, blah, boo;
/* reached only when FibFunc switches to blah: exit code 0x29a */
VOID CALLBACK FibbFunc(_In_ PVOID lpParameter) {
    UNREFERENCED_PARAMETER(lpParameter);
    ExitProcess(0x29a);
}
/* lpParameter is the IsDebuggerPresent() result handed to CreateFiber below */
VOID CALLBACK FibFunc(_In_ PVOID lpParameter) {
    if (lpParameter != 0)
        SwitchToFiber(blah);   /* debugged: FibbFunc ends the process, no return here */
    SwitchToFiber(boo);        /* not debugged: back to the main thread's fiber */
}
void main(void) {
    blah = CreateFiber(0, FibbFunc, 0);
    if ((foo = CreateFiber(0, FibFunc, (PVOID)IsDebuggerPresent())) != 0) {
        boo = ConvertThreadToFiber(0);   /* the calling thread must itself be a fiber */
        SwitchToFiber(foo);              /* resumes here only if FibFunc switches back */
        ExitProcess(0x539);
    }
}

BanMe_2
April 3rd, 2015, 07:21
I had to read up on the function to understand how it worked. But based on that description, my answer to the questioning meant to make the OP rethink his approach and methodology.

In the function main there are 2 fibers created: blah and foo.
The ConvertThreadToFiber function converts the current thread to a fiber,
this fiber then switches to the foo fiber which executes FibFunc.
FibFunc is passed the return value of IsDebuggerPresent().
This parameter is checked for 0 to see if it's being debugged.
If it is being debugged, call function blah; if not, call boo.
The way to determine which function called "ExitProcess" is by looking at the return code, i.e. 0x29a (bad boy) and 0x539 (good boy).
[edit]
I agree with blabberer's approach but I like moving things along to get to the answer. Pardon my impatience.
[update]
Armed with my incomplete answer I will take a wild guess as to why it is not coming back out of the SwitchToFiber function.
Because the call to SwitchToFiber(boo) to switch back to the current execution state never occurs in the OP's code?
[ps]
This is really fun.. for further reading and a better explanation from the horse's mouth read:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms686919(v=vs.85).aspx

[fuckit]
regards

blabberer
April 3rd, 2015, 14:50
yeah the exorcists should identify the demon and make it leet

BanMe_2
April 3rd, 2015, 17:56
Too many uncertainties to address this statement... please clarify.

But the value in the register ESI of the OP's code contains the fiber that is performing the nefarious action, or one of the fibers called after.

Kayaker
April 3rd, 2015, 21:53
I was curious if the pseudo context switch itself of SwitchToFiber would really cause the Olly trace to fail, but no, it seems to handle it fine, Ctrl-F11 or Ctrl-F12.
In fact, if you deselect 'Always trace over system dlls' in the Trace menu, it will also trace through KERNEL32.SwitchToFiber and log the new Fiber instructions as well before
returning to the primary fiber/thread (if the fiber is coded with the appropriate return SwitchToFiber call).

Code:
002F8538 Main MOV EAX,DWORD PTR DS:[MyFiber] ; EAX=008A4A68
002F853D Main PUSH EAX
002F853E Main CALL DWORD PTR DS:[<&KERNEL32.SwitchToFiber>]; EAX=00896698, ECX=008A59B8, EDX=7EFDD000
002F8544 Main CMP ESI,ESP


So whatever the original problem is, it's not a direct fault of Olly trace vs SwitchToFiber context switch.

blabberer
April 4th, 2015, 02:38
Quote:
please clarify
well I'll give you some more code (a slightly obfuscated but simplified version of the code pasted above)
and a bat file in response

fibmodtest.cpp, so that the exe will be named fibmodtest.exe

Code:

#include <windows.h>
PVOID fibers[2];
ULONG ret = 0x29a;                  /* exit code when a debugger is present */
#pragma comment(lib,"kernel32.lib")
VOID CALLBACK FibFunc(_In_ PVOID lpParameter) {
    UNREFERENCED_PARAMETER(lpParameter);
    if (!IsDebuggerPresent())
        ret += (ret + 5);           /* 0x29a + 0x29a + 5 = 0x539 */
    SwitchToFiber(fibers[1]);       /* back to the main thread's fiber */
}
void main(void) {                   /* raw entry point (built with /ENTRY:main below) */
    fibers[0] = CreateFiber(0, FibFunc, 0);
    fibers[1] = ConvertThreadToFiber(0);
    SwitchToFiber(fibers[0]);       /* resumes here once FibFunc switches back */
    ExitProcess(ret);
}


i prefer small but you may projectize with bloat and build

compiled and linked with

Code:

@call "C:\Program Files\Microsoft Visual Studio 10.0\VC\vcvarsall.bat" x86
cl /Zi /EHsc /nologo /W4 /analyze *.cpp /link /RELEASE /ENTRY:main /FIXED /MERGE:.data=.text /MERGE:.rdata=.text /ALIGN:16


once you have the exe, run this bat file. you must have procmon / windbg &| cdb / powershell / and gnuwin32 grep

Code:

rem capture with Process Monitor while the target runs once bare and once under cdb
set procmonpath=<path to procmon.exe here>
set PM=%procmonpath%\procmon.exe
start %PM% /quiet /minimized /backingfile .\modfib.pml
%PM% /waitforidle
fibmodtest.exe
cdb -c "g;q" fibmodtest.exe
%PM% /terminate
rem export the captured log to xml and list the Detail column of every event
start %PM% /openlog .\modfib.pml /SaveAs2 foo.xml
%PM% /waitforidle
%PM% /terminate
powershell ([xml] ( Get-Content .\foo.xml)).procmon.eventlist.event | grep Detail
pause

@k

no need to uncheck the traceover; it can be painful in a very large binary when the nobrainonlybrawn approach is used. you need to find the function that is called and set at least one breakpoint somewhere in the function for ollydbg to get control of the new pseudo thread function (a fiber function is a pseudo thread function; fibers simulate multithreaded operation in a single thread)

if you might have missed the CreateFiber and are stuck on SwitchToFiber, the callback can be obtained from the fiber address

or alt+f1 bp [DWORD [esp] + 0xc + 0xb8]

fiber address typedef is as below in xpsp3

typedef struct _PSEUDOFIBBY {
    DWORD whatever[3];      /* 3 DWORDs = 0xc, hence the +0xc in the bp expression above */
    CONTEXT fibcontext;     /* x86 CONTEXT: the saved Eip sits at offset 0xb8 */
} PseudoFibby, *PPseudoFibby;

here is a run trace for the code pasted above

Code:

New session
Address Thread Command ; Registers and comments
004002A1 Main MOV EBP, ESP ; EBP=0013FFC0
004002A3 Main PUSH 0 ; Arg3 = 00000000
004002A5 Main PUSH fibmodte.FibFunc ; Arg2 = 00400260
004002AA Main PUSH 0 ; Arg1 = 00000000
004002AC Main CALL NEAR DWORD PTR DS:[<&KERNEL32.CreateFiber>]; EAX=001529C8, ECX=0150FFFC
004002B2 Main MOV DWORD PTR DS:[fibers], EAX
004002B7 Main PUSH 0 ; Arg1 = 00000000
004002B9 Main CALL NEAR DWORD PTR DS:[<&KERNEL32.ConvertThreadToFiber>]; EAX=00152CC8, ECX=00152CC8, EDX=0013FFE0
004002BF Main MOV DWORD PTR DS:[400304], EAX
004002C4 Main MOV EAX, DWORD PTR DS:[fibers] ; EAX=001529C8
004002C9 Main PUSH EAX
004002CA Main CALL NEAR DWORD PTR DS:[<&KERNEL32.SwitchToFiber>]; EAX=00152CC8, ECX=004002D0, EDX=7FFDF000
004002D0 Main MOV ECX, DWORD PTR DS:[ret] ; ECX=0000029A
004002D6 Main PUSH ECX ; ExitCode = 29A
004002D7 Main CALL NEAR DWORD PTR DS:[<&KERNEL32.ExitProcess>]; EBX=00000000, EBP=0013FFA0, ESI=7C90DE6E, EDI=0000029A
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXX
004002A1 Main MOV EBP, ESP ; EBP=0013FFC0
004002A3 Main PUSH 0 ; Arg3 = 00000000
004002A5 Main PUSH fibmodte.FibFunc ; Arg2 = 00400260
004002AA Main PUSH 0 ; Arg1 = 00000000
004002AC Main CALL NEAR DWORD PTR DS:[<&KERNEL32.CreateFiber>]; EAX=001529C8, ECX=0150FFFC
004002B2 Main MOV DWORD PTR DS:[fibers], EAX
004002B7 Main PUSH 0 ; Arg1 = 00000000
004002B9 Main CALL NEAR DWORD PTR DS:[<&KERNEL32.ConvertThreadToFiber>]; EAX=00152CC8, ECX=00152CC8, EDX=0013FFE0
004002BF Main MOV DWORD PTR DS:[400304], EAX
004002C4 Main MOV EAX, DWORD PTR DS:[fibers] ; EAX=001529C8
004002C9 Main PUSH EAX
004002CA Main CALL NEAR DWORD PTR DS:[<&KERNEL32.SwitchToFiber>]; EAX=00000001, ECX=7C82FF9A, EDX=7FFDF000, EBX=00000000, EBP=0150FFB4, ESI=BAADF00D, EDI=BAADF00D
Breakpoint at fibmodte.00400269
00400269 Main TEST EAX, EAX ; EAX=00000000
0040026B Main JNZ SHORT fibmodte.00400282
0040026D Main MOV EAX, DWORD PTR DS:[ret] ; EAX=0000029A
00400272 Main MOV ECX, DWORD PTR DS:[ret] ; ECX=0000029A
00400278 Main LEA EDX, DWORD PTR DS:[ECX+EAX+5] ; EDX=00000539
0040027C Main MOV DWORD PTR DS:[ret], EDX
00400282 Main MOV EAX, DWORD PTR DS:[400304] ; EAX=00152CC8
00400287 Main PUSH EAX
00400288 Main CALL NEAR DWORD PTR DS:[<&KERNEL32.SwitchToFiber>]; ECX=004002D0, EDX=7FFDF000, EBX=7FFD8000, EBP=0013FFC0, ESI=7C9115F9, EDI=00560000
004002D0 Main MOV ECX, DWORD PTR DS:[ret] ; ECX=00000539
004002D6 Main PUSH ECX ; ExitCode = 539
004002D7 Main CALL NEAR DWORD PTR DS:[<&KERNEL32.ExitProcess>]; EBX=00000000, EBP=0013FFA0, ESI=7C90DE6E, EDI=00000539
Run trace closed

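As an added example (not code from the thread or from any of its posters), here is a small Python reader for run-trace lines in the format blabberer posted above: it tracks the handles returned by CreateFiber and ConvertThreadToFiber, the value pushed before each SwitchToFiber CALL, and the first address logged afterwards. The two excerpts are constructed from the trace above and trimmed; they contrast a switch the run trace "lost" (it resumes after the CALL with nothing from the fiber logged) with the same switch caught by a breakpoint inside FibFunc.

```python
import re
SETUP = """\
004002A5 Main PUSH fibmodte.FibFunc ; Arg2 = 00400260
004002AC Main CALL NEAR DWORD PTR DS:[<&KERNEL32.CreateFiber>]; EAX=001529C8, ECX=0150FFFC
004002B9 Main CALL NEAR DWORD PTR DS:[<&KERNEL32.ConvertThreadToFiber>]; EAX=00152CC8, ECX=00152CC8
004002C4 Main MOV EAX, DWORD PTR DS:[fibers] ; EAX=001529C8
004002C9 Main PUSH EAX
"""
# No breakpoint inside the fiber: the trace resumes right after the CALL as if nothing ran.
LOST = SETUP + """\
004002CA Main CALL NEAR DWORD PTR DS:[<&KERNEL32.SwitchToFiber>]; EAX=00152CC8, ECX=004002D0
004002D0 Main MOV ECX, DWORD PTR DS:[ret] ; ECX=0000029A
"""
# Breakpoint set inside FibFunc: the fiber's own code is logged before it switches back.
CAUGHT = SETUP + """\
004002CA Main CALL NEAR DWORD PTR DS:[<&KERNEL32.SwitchToFiber>]; EAX=00000001, ECX=7C82FF9A
Breakpoint at fibmodte.00400269
00400269 Main TEST EAX, EAX ; EAX=00000000
00400282 Main MOV EAX, DWORD PTR DS:[400304] ; EAX=00152CC8
00400287 Main PUSH EAX
00400288 Main CALL NEAR DWORD PTR DS:[<&KERNEL32.SwitchToFiber>]; ECX=004002D0, EDX=7FFDF000
004002D0 Main MOV ECX, DWORD PTR DS:[ret] ; ECX=00000539
"""

LINE = re.compile(r"^([0-9A-F]{8}) \S+ (.*?)\s*(?:;\s*(.*))?$")
PAIR = re.compile(r"(\w+)\s*=\s*([0-9A-F]{8})")   # "EAX=001529C8", "Arg2 = 00400260"

def fiber_switches(trace):
    """One record per SwitchToFiber CALL: call site, handle at [esp], its origin, next address."""
    regs, args, fibers, switches, pushed = {}, {}, {}, [], None
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:                      # Olly messages such as "Breakpoint at ..."
            continue
        addr, insn, comment = m.groups()
        if switches and switches[-1]["resumed_at"] is None:
            switches[-1]["resumed_at"] = addr   # first instruction logged after the switch
        pairs = PAIR.findall(comment or "")
        for k, v in pairs:             # values shown are those after the instruction ran
            (args if k.startswith("Arg") else regs)[k] = v
        if insn.startswith("PUSH "):   # remember what will sit at [esp] for the next CALL
            pushed = pairs[-1][1] if pairs else regs.get(insn[5:])
        elif "CreateFiber" in insn:    # handle returned in EAX, start routine was Arg2
            fibers[regs["EAX"]] = "fiber starting at " + args.pop("Arg2", "?")
        elif "ConvertThreadToFiber" in insn:
            fibers[regs["EAX"]] = "main thread's fiber"
        elif "SwitchToFiber" in insn:
            switches.append({"call_at": addr, "target": pushed,
                             "fiber": fibers.get(pushed, "unknown"), "resumed_at": None})
    return switches
```

For LOST the single switch to the fiber starting at 00400260 resumes at 004002D0, i.e. the CALL's own return address, which is exactly the "never comes back" symptom; for CAUGHT it resumes at 00400269 inside FibFunc and a second switch returns to the main thread's fiber.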

fred26
April 4th, 2015, 06:56
Thanks to all! Too much info to digest.

Will analyze and revert back.

BanMe_2
April 4th, 2015, 08:10
Quote (Originally Posted by blabberer):
yeah the exorcists should identify the demon and make it leet


Excellent play on words... You were speaking to usage of the functionality in a refined software environment as a tool. Now I get it.