Thread: gdb: multi process debugging

  #1 avi (Guest)

    Hi guys,

    I'm trying to follow one of the crackmes solved by TiGa. I'm using IDA Pro for Linux for static analysis and trying to debug the thing with gdb while running it under Wine.

    The problem is that once Wine creates a new process, gdb seems to freeze. I'm trying with set follow-fork-mode child and set detach-on-fork off; with the default values of those, the program finishes without debugging.

    I've tried to set a catchpoint on the fork and attach a new instance of gdb to the new process, but it can't be attached even when running as root. Any ideas?

    Debian lenny, gdb 6.7.1-debian, Linux 2.6.21.1
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  #2 TiGa (Registered User, joined Jul 2007, 107 posts, 6 blog entries)
    Which crackme are you talking about?
    Just to be sure, was it a Windows or Linux crackme?

    My guess would be a Windows crackme on Linux since you mentioned Wine.
    There's a paper on that called "The Alien Autopsy", made in the times of IDA 4.7 or 4.3, before remote debugging.

    I have a simpler method if the crackme runs under Wine: simply run the IDA Windows debugger server under Wine (or in a Windows VM) and remote debug from the Linux version of IDA.

    TiGa
    Programming today is a race between software engineers to build bigger and better idiot-proof programs and the Universe trying to produce bigger and better idiots.
    So far, the Universe is winning.

  #3 avi (Guest)
    It is the one from the video solution for the br0ken crackme; it's a Windows crackme.

    I've read that paper, but it relies on a breakpoint at the PROCESS_InitWine symbol, which doesn't exist anymore (at least I can't find it), and I guess previous Wine versions didn't create a new process, because the paper doesn't talk about that.

    I would like to solve the multi-process debugging problem under gdb. I know IDA under Wine is a possibility, but that would be avoiding the problem I'm willing to solve (with your help, I hope).
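
    A worked gdb session for the fork problem raised in posts #1 and #3, added here as an example; it is not code from the thread or from TiGa's video. It assumes a gdb from 7.0 onward (multiple inferiors and the "inferior" command; the gdb 6.7.1 in the first post only has follow-fork-mode and detach-on-fork), a C compiler reachable as "cc", and a host that permits ptrace of the debugger's own children. The forking target program is constructed for the example. Two points it demonstrates: a process can have at most one ptrace tracer, so a second gdb cannot attach to a child the first gdb is already holding (the usual reason the attach fails even as root), and there is no need for one once detach-on-fork is off; and with detach-on-fork off, "continue" resumes only the current inferior unless "set schedule-multiple on" is given, so a parent blocked waiting on a child that gdb is holding stopped looks exactly like a frozen debugger. Under Wine the forked processes include wineserver and helper processes rather than only the crackme, so "info inferiors" is the place to check which inferior is which before following the child.

```shell
#!/bin/sh
# Added example (not code from the thread): keep both sides of a fork
# under one gdb and avoid the apparent freeze.
# Assumptions: gdb >= 7.0 (multiple inferiors), a C compiler as "cc",
# and a host that allows ptrace of our own child processes.

# Constructed target.  The parent forks, the child execs /bin/true, and
# the parent blocks in waitpid() until the child is gone.  If gdb holds
# the child stopped and only resumes the parent, the parent never leaves
# waitpid() and the session looks hung.
write_target() {
  cat > "$1" <<'EOF'
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

int main(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0) {                        /* child: becomes /bin/true */
        execl("/bin/true", "true", (char *)0);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);              /* parent: waits for child */
    puts("parent: child finished, the interesting code runs here");
    return 0;
}
EOF
}

# gdb command file.  $1 is the side gdb stays on after the fork (parent
# or child).  With detach-on-fork off the other side is kept as a second
# inferior instead of being released, and schedule-multiple on makes
# "continue" resume every inferior rather than only the current one.
gdb_follow_script() {
  mode="${1:-parent}"
  printf '%s\n' \
    "set pagination off" \
    "set detach-on-fork off" \
    "set follow-fork-mode $mode" \
    "set schedule-multiple on" \
    "catch fork" \
    "catch exec" \
    "run" \
    "info inferiors" \
    "continue" \
    "info inferiors" \
    "continue" \
    "inferior 1" \
    "continue"
  # run        -> stops at the fork catchpoint; two inferiors exist now
  # continue   -> both run; stops at the exec catchpoint in the child
  # continue   -> child exits; gdb stops with the exited inferior selected
  # inferior 1 -> back to the parent, which is still alive in waitpid()
  # continue   -> parent runs to completion instead of "freezing"
}

# Compile the target and drive it through gdb in batch mode.  Returns 2
# when a tool is missing so callers can skip; a failed gdb run (e.g.
# ptrace denied in a container) is reported, not treated as fatal.
run_demo() {
  mode="${1:-parent}"
  command -v gdb >/dev/null 2>&1 || { echo "gdb not found, skipping run"; return 2; }
  command -v cc  >/dev/null 2>&1 || { echo "cc not found, skipping run"; return 2; }
  dir=$(mktemp -d) || return 2
  write_target "$dir/forker.c"
  cc -g -O0 -o "$dir/forker" "$dir/forker.c" || { rm -rf "$dir"; return 2; }
  gdb_follow_script "$mode" > "$dir/follow.gdb"
  GDB=gdb
  command -v timeout >/dev/null 2>&1 && GDB="timeout 60 gdb"
  $GDB -q -batch -x "$dir/follow.gdb" "$dir/forker" \
    || echo "gdb run failed (ptrace not permitted here?)"
  rm -rf "$dir"
  return 0
}

# Stand-alone use: print the command file, then run it if the tools exist.
gdb_follow_script parent
run_demo parent || :
```

    Run it with "child" instead of "parent" to stay on the forked side; the parent still shows up in "info inferiors" as inferior 1 either way, which is what you want under Wine when the fork you land in turns out to be wineserver rather than the crackme.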

  #4
    Quote, originally posted by TiGa:
        There's a paper on that called "The Alien Autopsy" made in the times of IDA 4.7 or 4.3, before remote debugging.

        TiGa
    Is that the "Alien Autopsy: Reverse Engineering Win32 Trojans on Linux" by Joe Stewart?

  #5 TiGa
    Yes, that's the paper that I was talking about.
    http://www.secureworks.com/research/articles/alien

    The paper is starting to get a little dated, as it was made with IDA 4.1 in 2002.

    I made an updated version in video using the method that I described previously.
    http://rapidshare.com/files/130047662/AlienAutopsy2008.rar.html

    If you set a BP on the EntryPoint in IDA or gdb, you shouldn't get lost in the Wine code.

    I should really start my own Video-On-Demand channel.

    TiGa

  #6 avi (Guest)
    Thanks TiGa, it's a great video as usual.

    I think I'll try your way and post a question about multi-process debugging on the gdb mailing list, and count on my subscription to the video-on-demand channel.

  #7
    Thanks TiGa for the video, I'll check it out, and if you come out with an on-demand channel, let us know. I'll subscribe to it.

    By the way, congratulations on becoming a crew member of ARTeam. I meant to post something there, but I forgot what my handle or password was. I will eventually remember it. Anyway, congratulations.

  #8 avi (Guest)
    Yeah, what do you use to make those fancy screencasts? Those are great.

    Damn! My mouse doesn't work with idal and it's getting on my nerves. I wonder why those Borland geniuses didn't use shift-TAB to go back; there must be a key for that.

  #9 TiGa
    Thank you, I used Instant Demo to make the video but Camtasia Studio gives a more professional result.

    ESC to go back?

    Can't say much about the mouse problem.
    IDA for Linux is kind of evil, yes; that's why I prefer to use remote debugging from Windows instead.

    TiGa

  #10 avixz (Guest)
    I mean when you cycle through options with tab and you want to cycle back, you can't use shift-tab in the Borland IDE. Anyway, I have the mouse working now.

    I don't have Windows installed on my computer, and until now I didn't have any reason to install it, but I admit IDA is a good reason.
