Page 1 of 2 12 LastLast
Results 1 to 15 of 17

Thread: Tracing Over System Calls In OllyDbg

  1. #1

    Tracing Over System Calls In OllyDbg

    Things have been quiet over here since installing Life 2.0, so to start warming things up again I present a simple trick to counter a frustrating problem. This isn’t particularly clever, but it didn’t occur to me first few times ’round so maybe it will save some newbies a little time.

    How many times have you attempted a run-trace in Olly with a break-condition set, only to find that the break never occurs and you have to start over? It happens to me all the time, and it’s usually my fault. But sometimes the cause isn’t a poorly thought-out condition, but the presence of a system call during the trace. Being a lowly ring3 process, OllyDbg doesn’t have permission to follow the CPU’s execution of your program into kernel space, so when it encounters a SYSCALL, SYSENTER, or CALL/JMP FAR out of the debuggee’s address-space, no choice remains other than to let the process run away and hope it comes back. As we’ve established, this doesn’t always happen.

    Now, the most commonly encountered system calls are those in ntdll, but these pose no problem to us. Set ‘Always trace over system DLLs’ in Olly’s ‘Trace’ options and you’ll never need to trace over such an instruction directly. (If this still isn’t working for you, be sure to ‘Mark [ntdll] as system DLL’ in the ‘Executable modules’ dialog). But if you play with some nastier targets, such kernel transitions will occur in modules you need the trace data for.

    Olly intrinsically supports three modes of tracing (although it doesn’t give you much control over which it uses): hardware breakpoints, software breakpoints and execution trapping (using the EFlags ‘trap bit’). Unfortunately, given the way Windows implements its kernel transitions, we can’t use any of these to our advantage. Arguments are passed to these system calls via the general-purpose registers, rather than by the stack-frame system we’re all used to, and moreover the return address isn’t always that of the instruction following the system call. Hence without complete knowledge of these ‘fastcall’ specifications, there’s no way to be sure where user-mode execution will resume, and so we’re at a loss when it comes to placing the next breakpoint. For this reason, there is no one-size-fits-all solution that I’m aware of, but it is possible to clean up this little mess on a per-case basis with only minimal effort.

    Take a look at the run trace produced by your failed run. It’s probably a lot shorter than you expected, with its dying instructions indicating an upcoming transition to ring0. Scroll up a little and work out a location where execution is very likely to pass through shortly after ring3 execution resumes. This doesn’t need to be the actual return address, but ideally something that follows soon after. Usually, the saved return-address belonging to the function at the top of the call stack does a good job. Our goal is to trap execution at this point and resume the trace. Of course, we could do this manually by placing a breakpoint and keeping our fingers on ctrl-F11, but that’s the dumb way. The last piece of the puzzle is to make OllyDbg automate this for us: employ a conditional breakpoint, with an impossible condition (say, 1 == 2). Now our trace executes over the system call flawlessly without the need for us to lift a finger.



    http://www.ring3circus.com/rce/tracing-over-system-calls-in-ollydbg/

  2. #2
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Nice trick Admiral. And what's with the Life 2.0, new girlfriend or child?
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    Nothing quite so glamorous, I'm afraid. I just hit the two-month mark of a new job in a new town. I'm new to the world of security but really enjoying it and embracing the opportunity to push my RCE skills to their absolute limit. It also gives me plenty of ideas and material to write about, if I can only find the time .

  4. #4
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15
    well ollydbg provides a native way to do this

    rightclick -> runtrace -> skip selection when tracing

    now you might ask what to skip

    right click ->search for ->sequence of commands

    Code:
    mov edx,7ffe0300  <--- standard signature  for calls that go through syscall interface 
    call edx
    then comes some long manual process which you can automate with a simple plugin
    hint
    undocumented FindAllSequences() api and documented ModifyHitTrace (..,..,ATR_RTSKIP) in all modules at one go

    the manual process is keep hitting ctrl+l and then right clicking -> run trace -> skip selection from runtrace on every sequence
    in say user32.dll, advapi32.dll,gdi32.dll,and ntdll.dll (only system modules that have syscall calls )
    ollydbg will happily ignore all those syscalls and simply turn back to executing runtrace on retn #n in all these

    like you can see here ollydbg has skipped ZwQuerySystemInformation Syscall in this runtrace log

    Code:
    77E784AE	Main	MOV EBP,ESP	EBP=0012FEE0
    77E784B0	Main	SUB ESP,18C
    77E784B6	Main	PUSH EBX
    77E784B7	Main	PUSH ESI
    77E784B8	Main	PUSH EDI
    77E784B9	Main	XOR EDI,EDI	EDI=00000000
    77E784BB	Main	PUSH EDI	pReqsize = NULL
    77E784BC	Main	PUSH 138	Bufsize = 138 (312.)
    77E784C1	Main	LEA EAX,DWORD PTR SS:[EBP-18C]	EAX=0012FD54
    77E784C7	Main	PUSH EAX	Buffer = 0012FD54
    77E784C8	Main	PUSH 2	InfoType = SystemPerformanceInfo
    77E784CA	Main	CALL DWORD PTR DS:[<&ntdll.NtQuerySystemInformation>]
    ZwQuerySystemInformation	Main	MOV EAX,0AD	EAX=000000AD
    77F76157	Main	MOV EDX,7FFE0300	EAX=00000000, ECX=0012FD30, EDX=7FFE0304
    77F7615E	Main	RETN 10
        End of gathered information, live log begins
    Attached Images Attached Images  

  5. #5
    Great stuff, blabberer .

  6. #6
    Hi
    i try to use your explanation :
    "Scroll up a little and work out a location where execution is very likely to pass through shortly after ring3 execution resumes"

    i don't get it ... what do you mean ? can you show an example of code that you do this ?
    blabberer : Is there a plug that already doing this ?
    Last edited by LaBBa; June 4th, 2008 at 01:59.

  7. #7
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15
    sorry to wake this thread up

    i thought i did some work on such a plugin so i rummaged through old crap and it seems i didnt find a way to send message to context menu

    does some one know how i can sendmessage

    using FindWindow or native Plugingetvalue so that i can simulate clicking on the FindAllSequences ??

    i tried thusfar it seems and didnt work

    Code:
    				  foo = (t_dump *)Plugingetvalue(VAL_CPUDASM);
    				  hWnd		= foo->table.hw;
    				  Addtolist(0,-1,"hwnd is %x",hWnd);
    				  SendMessage(hWnd, WM_RBUTTONDOWN, 0, 3);
    				  SendMessage(hWnd, WM_RBUTTONUP, 0, 3);
    
    this pops up the appearance tab iirc not other items on the context menu
    i need code to send a click to
    Right click -> search for -> All Sequences

  8. #8
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,081
    Blog Entries
    5
    A few quick thoughts which maybe you've already discounted. Olly may handle that context menu the same way as we need to do in a plugin, through WM_USER_MENU.

    If you could send SendMessage(,WM_USER_MENU,wparam,lparam) it should trigger it. I think the problem might be finding lparam. If you look at our CBL code, part of the handling is

    // Returns menu selection
    menuselection = Tablefunction(&jmptbl, hwnd, WM_USER_MENU, 0, (LPARAM)menu);

    but you might not be able to get the lparam menu handle from

    menu = CreatePopupMenu();



    Another tact is to create the dialog directly, or at least see how it's called. ResHack says the template name is DIA_GET_SEQ. Doing an IDA string search for that shows where the DialogBoxParamA call is. Maybe you can figure out the MSG params required to call that code.


    Lastly, seems that _Findallsequences is an exported function. Figure out the params required and maybe you can create your own dialog or just call the function as required.

  9. #9
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15
    yep i used wm_user_menu all it does is activate the context menu
    i didn't find way to Search for and Find all Seq

    Code:
     Addtolist(0,-1,"hwnd is %x",hWnd);
    				  // WM_USER_MENU Seems to activate the context menu have to find way to submenu selection and hit it :(
    				  //SendMessage(hWnd, WM_USER_MENU, 0x70, 0);  0x70 is some menu id or some crap in winproc case switch in odbg
    				  // al this findwindow shit returns 0 :(
    				  //for (i=0; i<0x20 ; i++)
    				  //{
    					//  childwind = FindWindowEx(hWnd,NULL,"#32768",0);
    					  //Addtolist(0,-1,"childwind is %x",childwind);
    				 // }

    calling find Sequences using either ctrl+s SendMessage() or directly only returns one sequence not all sequences

    and didnt look customisable either (say wee need to skip N Different sequences )

    because Find Sequence and Find All Sequence both use Same Dialog
    the difference is in either menuid or
    the setup of NSEQ and NMODELS i dont know so i dropped it then it seems

    so leaving alone reversing ollydbg for now

    isnt there a generic way to SendMessage() SendInput() to a right click context menu From An External program no one did it ever ?? ??? just curious

  10. #10
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,081
    Blog Entries
    5
    MS Spy++ indicates WM_MENUSELECT, and a few other WM_MENU* messages are involved in the process on that window...

  11. #11
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15
    yes kayaker
    I saw them too viz WM_ENTERMENULOOP , WM_INITMEMU , WM_INITPOPUPMENU , WM_SELECTMENU
    except WM_ENTERMENULOOP all else Require a HMENU
    How To Obtain It ?? Any Ideas


    Anyway i did what i do best found the places and hijacked them

    Can Some one test this
    Test Skipping some Junk Blocks Too if some one has them
    Any Failures features / blah blah may be posted to this thread

    Code:
    syntax for syscall in xpsp3  could be like
    
    mov RA,CONST      // mov eax ,1
    MOB RB,CONST     // mov edx , 0x7ffe0300
    CALL [RB]            // call dword ptr ds:[edx]
    Attached Files Attached Files

  12. #12
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,081
    Blog Entries
    5
    It doesn't seem to be working for me, but it's probably my syntax.

    For example, I load notepad and set an exit breakpoint some lines down.

    01006420 PUSH EBP
    01006421 MOV EBP,ESP
    01006423 PUSH -1

    I want for example the second instruction to be skipped from the Runtrace, so in the plugin Find Sequence of Commands dialog I enter exactly
    MOV EBP,ESP

    Hit Ctrl-F11, but the runtrace still contains that instruction. What am I doing wrong?



    In a second test I wanted all conditional jumps to be skipped, so I entered
    JCC OFFSET
    as the condition in the plugin dialog box and clicked Find. The Found Sequences window came up with the proper listing of sequences, but on top of that was an error message that kept repeating. I had to kill Olly with Process Explorer to get out of the error message loop. Pressing Ok/Cancel would just repeat the error message ad infinitum.

    ---------------------------
    Possibly invalid selection
    ---------------------------
    When OllyDbg encounters sequence of commands excluded from the Run trace, it sets temporary breakpoint after the end of the sequence. The selected range contains data, invalid commands, returns or jumps outside the selection, which may cause trace errors. Are you sure that the only exit from the selection is on its end?
    Ok Cancel

    Again, the exit breakpoint / scan block size was only about 10 lines long. so I'm not sure where these invalid commands etc. would come from.

  13. #13
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15
    Q1:

    what am i doing wrong well nothing this works similar to hw bp see the first post in this thread by me where i do it manually

    i skipped 2 instruction but in rtrace dump you can see the first instruction (dynamic comparison logged first compared and skipped) try skipping two or more instructions

    probably should should work ok

    Code:
    disasm
    
    7C912EBB ntdll.RtlEqualUnicodeString  /$  8BFF          MOV     EDI, EDI
    7C912EBD                              |.  55            PUSH    EBP
    7C912EBE                              |.  8BEC          MOV     EBP, ESP
    7C912EC0                              |.  8B4D 08       MOV     ECX, DWORD PTR SS:[EBP+8]
    
    
    Run trace, selected line	Back=127381.	 Thread=Main	 Module=ntdll	 Address=7C912EBB RtlEqualUnicodeString	 Command=MOV     EDI, EDI 	
    
    Run trace, selected line	Back=127380.	 Thread=Main 	Module=ntdll	 Address=7C912EC0			 Command=MOV     ECX, DWORD PTR SS:[EBP+8]



    Q2:

    i think olly issues them based on its analysis

    i postulate that since you were checking with jcc const
    they all are again single instruction and ollydbg might have analysed that
    since it is a conditional jump the immediate instruction may not be where the execution returns
    so it asks you to decide and spew is because the msgbox is emitted for every reference

    again try sequences with definitive return and check

  14. #14
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15
    suppose you have some code like this

    Code:
    #include <windows.h>
    
    int WINAPI WinMain(HINSTANCE hIstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd){
    	int i,isdbgd;
    	if(IsDebuggerPresent()){
    		isdbgd = 2;
    	}else{
    		isdbgd = 4;
    	}
    	for(i=0;i<isdbgd;i++){
    		CreateFile("c:\\runtracetest.txt",
    			GENERIC_READ|GENERIC_WRITE,
    			FILE_SHARE_READ|FILE_SHARE_WRITE,
    			0,
    			OPEN_ALWAYS,
    			FILE_ATTRIBUTE_NORMAL,
    			NULL
    			);
    	}
    }
    
    compiled and linked with
    
    skipsys:\>wmic os get caption,CSDVersion  /format:list
    
    
    Caption=Microsoft Windows XP Professional
    CSDVersion=Service Pack 3
    
    
    
    
    skipsys:\>dir /b
    createfile.c
    
    skipsys:\>cl /c createfile.c
    Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    createfile.c
    
    skipsys:\>link /DEBUG /Entry:WinMain "c:\Program Files\Microsoft SDKs\Windows\v7
    .1\Lib\Kernel32.Lib" createfile.obj
    Microsoft (R) Incremental Linker Version 9.00.30729.01
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    
    skipsys:\>dir /b
    createfile.c
    createfile.exe
    createfile.ilk
    createfile.obj
    createfile.pdb
    
    skipsys:\>
    and suppose the final value of int i; plays an important role somewhere down the line
    you can skip the create file call and others just to narrow down the var int i

    this is just an example

    Code:
    skip sequence
    
    jcc const                           //based on i value
    any 7                               // params to createfilea
    call [const]                       //calls import table resolved address
    jmp const                        // end of if () clause
    result with and without masking isdebugger present

    Code:
    New session
    Address	Thread	Command	Registers and comments
    WinMain	Main	PUSH    EBP
    00401011	Main	MOV     EBP, ESP	EBP=0013FFC0
    00401013	Main	SUB     ESP, 8
    
    0040101C	Main	TEST    EAX, EAX
    0040101E	Main	JE      SHORT createfi.00401029
    00401020	Main	MOV     DWORD PTR SS:[EBP-8], 2
    00401027	Main	JMP     SHORT createfi.00401030
    00401030	Main	MOV     DWORD PTR SS:[EBP-4], 0
    00401037	Main	JMP     SHORT createfi.00401042
    00401042	Main	MOV     ECX, DWORD PTR SS:[EBP-4]	ECX=00000000
    00401045	Main	CMP     ECX, DWORD PTR SS:[EBP-8]
    00401048	Main	JGE     SHORT createfi.00401069	EAX=00000002, ECX=00000002, EDX=00160608
    00401069	Main	MOV     ESP, EBP
    0040106B	Main	POP     EBP	EBP=0013FFF0
        Breakpoint at createfi.0040106C
    0040106C	Main	RETN    10
        Run trace stopped
    WinMain	Main	PUSH    EBP
    00401011	Main	MOV     EBP, ESP	EBP=0013FFC0
    00401013	Main	SUB     ESP, 8
    
    0040101C	Main	TEST    EAX, EAX
    0040101E	Main	JE      SHORT createfi.00401029
    00401029	Main	MOV     DWORD PTR SS:[EBP-8], 4
    00401030	Main	MOV     DWORD PTR SS:[EBP-4], 0
    00401037	Main	JMP     SHORT createfi.00401042
    00401042	Main	MOV     ECX, DWORD PTR SS:[EBP-4]	ECX=00000000
    00401045	Main	CMP     ECX, DWORD PTR SS:[EBP-8]
    00401048	Main	JGE     SHORT createfi.00401069	EAX=00000004, ECX=00000004, EDX=00160608
    00401069	Main	MOV     ESP, EBP
    0040106B	Main	POP     EBP	EBP=0013FFF0
        Breakpoint at createfi.0040106C
    here too ollydbg will isue the warning but since there is only one jcc that matches clciking yes once will result in working ok and skipping ok

    hope that clarifies the question #2
    Last edited by blabberer; February 6th, 2012 at 08:56.

  15. #15
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15
    btw i dont know if you have used ctrl+f8 and ctrl +f7 functionality in ollydbg

    if not compile the above code try it on that

    do search for

    call [const]

    (single instruction sequence i chose for example )

    and hit ctrl+f7

    you will notice ollydbg wont enter the calls

    it will work as if you hit f8 when on call and f7 all other lines

Similar Threads

  1. Kernel Tracing
    By t321 in forum Advanced Reversing and Programming
    Replies: 1
    Last Post: September 17th, 2012, 15:57
  2. Programming Loader under MAC -> API Calls
    By Drigo in forum The Newbie Forum
    Replies: 6
    Last Post: September 1st, 2009, 21:10
  3. Tracing into IIS
    By mashedpatatas in forum The Newbie Forum
    Replies: 2
    Last Post: March 19th, 2003, 11:37
  4. Calls and jumps to imported functions???
    By homunculus in forum OllyDbg Support Forums
    Replies: 5
    Last Post: February 5th, 2003, 00:50
  5. Tracing into Dll's?
    By Argoth in forum Malware Analysis and Unpacking Forum
    Replies: 4
    Last Post: January 22nd, 2001, 16:35

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •