Results 1 to 7 of 7

Thread: Question about a self-debugging program

  1. #1

    Question about a self-debugging program

    I read some documents and know that one application can create another process to debug this program. In addition, i found some examples about cracking such programs were using ring0 level debugger like softICE.
    So, I wanna to know if such applications can be debugged by a ring3 debugger,like OllyDbg?
    If so, how to debug it?

  2. #2
    well you'd have to attach to each process with olly, and bounce between then i guess...

  3. #3
    but, did you mean debug them at meantime?
    I think its a little too difficult.
    for the main program(being debugged by the second process),if you debugged it using a ring0 debugger, all is ok, but if using a ring3 debugger like OllyDgb, the program will crash

  4. #4
    This type of protection is not uncommon but it is rare to find it implemented in a rigid way, mainly because it's so difficult to spread the workload across both processes. Armadillo's Debug Blocker feature, for example, spawns two instances of the program, with one debugging the other. But because the protection is applied retroactively it is very difficult to enforce a necessity for both processes to remain alive. In this instance, the debuggee process does all the work of the underlying program while the debugger makes a token effort to remain attached. With some work it is possible to detach the parent process and attach your own ring3 debugger if desired, thus overcoming a large portion of the protection.

    Perhaps the main constraining factor here is that a process may be debugged by at most one other user-mode process at any time, using the Win32 Debug API. For this reason it is often easier to use a ring0 debugger, which can do pretty much what it likes. However this is far less convenient and so we aim to remove the unwanted debugger whenever possible. Other solutions exist, such as the AttachAnyway plugin for Olly which bypasses the OS's 'one-at-a-time' rule. Obviously, this privilege doesn't come without its costs but sometimes it's all you need. Alternatively, if the job can be done without using the Win32 Debug API then there is nothing stopping you using one of the many non-intrusive debuggers, which trade-off some power for anonymity.

  5. #5
    but now, most of the ring3 debuggers use windows api, OllyDbg included. So, we can't use a ring3 debugger to bypass this tricks, right?

  6. #6
    Mmm, I thought I covered that
    As far as I can tell, all ring3 debuggers use the Debug API unless they claim to be non-intrusive. If you're not sure what that is, Google it and take a look on the CRCETL. Nevertheless, there are ways of confusing the OS sufficiently to allow a typical ring3 debugger to attach to a process that's already running under another ring3 debugger. Take a look at AttachAnyway if you don't believe me

  7. #7
    yes. I also have seen the thread attachanyway at the forum of
    But i didn't read it carefully. Then i will return to the thread and read it carefully. Thanks

Similar Threads

  1. Replies: 3
    Last Post: December 4th, 2008, 01:57
  2. Help - problem loading a program for debugging
    By pepak in forum Plugins (General)
    Replies: 5
    Last Post: October 10th, 2006, 01:17
  3. Question: Trying to learn from a program called 'X'
    By zambuka42 in forum Advanced Reversing and Programming
    Replies: 3
    Last Post: July 31st, 2006, 21:14
  4. Need help with debugging
    By crackzilla in forum The Newbie Forum
    Replies: 6
    Last Post: November 26th, 2002, 18:20
  5. Help with finding keyfile a program used by program
    By Polt in forum Malware Analysis and Unpacking Forum
    Replies: 5
    Last Post: August 14th, 2001, 15:41


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts