Attach Extended

[Hero]

Hi all
This is a really small plugin that I have written for improving attach feature of OllyDbg.
With this plugin,you can attach to process by identifing its PID directly,not only selecting process list. In addition,you can find PID of process by dragging a small cursor on each window(This can be used on some protection which remove process from process list like GameGuard).

Please let me know about Bugs, and your suggestions for more process attaching options.

Regards

[arc_]

A possible extra feature would be anti-anti-attach. There are various ways a protection system can detect and even prevent a debugger attaching to it, and there are also various ways to counter these tricks. You could look into this subject and automate the countermeasures in your plugin, completely transparently (ie the plugin simply kills/circumvents any anti-attach when attaching, without the reverser even having to know there was an anti-attach at all).

nezumi documents some interesting techniques in the Blogs forum. There also exists a plugin called AttachAnyway which kills some anti-attach methods, but not all.

[dELTA]

Hey Hero, can it attach to (not yet ResumeThread'ed) processes created with the CREATE_SUSPENDED flag, unlike normal Olly? That would be really great...

[Hero]

nezumi documents some interesting techniques in the Blogs forum. There also exists a plugin called AttachAnyway which kills some anti-attach methods, but not all.

I will try to read it in blog,and add it to this plugin on my free time.

Hey Hero, can it attach to (not yet ResumeThread'ed) processes created with the CREATE_SUSPENDED flag, unlike normal Olly? That would be really great...

hmmmm
I think this will be a good feature too,but is it possible in theory at all?
If process has started in debug mode,in addition of suspended mode,i think we cannot attach it,because as I know we cannot debug a process which is debugged. But perhaps it is possible on a non-debugging suspended creation process.
I should test if I can attach to a suspended process at all,if yes I surely add it.

Regards

[dELTA]

It should absolutely be possible (from a Debug API viewpoint) to attach to a process created with the CREATE_SUSPENDED flag, it's just a bug in Olly that it can't do it I think.

It would indeed be great if you could add it.

I also added it to the CRCETL, please feel free to update its entry as soon as you release an update (and also specify the version number, which I left out because I didn't know it):

http://www.woodmann.com/collaborative/tools/index.php/AttachExtended

[Hero]

It should absolutely be possible (from a Debug API viewpoint) to attach to a process created with the CREATE_SUSPENDED flag, it's just a bug in Olly that it can't do it I think.

It would indeed be great if you could add it.

I also added it to the CRCETL, please feel free to update its entry as soon as you release an update (and also specify the version number, which I left out because I didn't know it):

http://www.woodmann.com/collaborative/tools/index.php/AttachExtended

Hi dELTA
I checked olly and noticed that it cannot attach to a suspended process because DebugActiveProcess fails.
Further check shows that in DebugActiveProcess fails at DbgUiConnectToDbg in this line:

Code:

.text:7C950691                 xor     ecx, ecx
.text:7C950693                 mov     eax, large fs:18h
.text:7C950699                 cmp     [eax+0F24h], ecx
.text:7C95069F                 jnz     short loc_7C9506D5 <-this jump occurs

As I remembr,FS:18h contains information for thread,isn't it? Anybody knows what is that data in [eax+0f24h] for?

Edit1: I was WRONG, because after testing on another computer,I noticed that problem is not here,don't know why my other PC was failing here,but it seems I was wrong.
Edit2:Found a bug in olly which prevents to attach suspended process. Trying to solve it now(donna if it there is more bug,but this one is sure) :P

Regards