Thread: How to use Olly to debug a Windows process

  1. #1
    jkally
    Guest

    How to use Olly to debug a Windows process

    A real newbie question:

    I would like to know what API Windows is using to update a device driver, so I mark a device driver node, right click and select "Update driver".

    How can I debug what follows with Olly DBG?

    If I attach Olly to mms, then it's not on any break point, since the process is running.

    I would like to intercept the button click and see with Olly what follows.

    Thanks
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    disavowed
    Join Date
    Apr 2002
    Posts
    1,281
    It's probably using CreateService(...) or ZwSetSystemInformation(SystemLoadAndCallImage, ...).
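    A way to check this hypothesis from the outside, without a debugger, is to compare the kernel-driver service list before and after the "Update driver" click and to look for the Service Control Manager's "service installed" event (ID 7045), which is what a CreateService call on a driver ends up producing. This is an added example, not code from the thread; it assumes an elevated PowerShell session and does not name any particular driver.

```powershell
# Added example (not from the thread): snapshot kernel-driver services before
# and after "Update driver", diff them, and pull the SCM install event.
# Assumes an elevated session; the service that shows up is whatever the
# update created, no specific driver is assumed here.

$before = Get-CimInstance Win32_SystemDriver |
    Select-Object Name, PathName, StartMode, State

Read-Host 'Now click "Update driver" in Device Manager, then press Enter'

$after = Get-CimInstance Win32_SystemDriver |
    Select-Object Name, PathName, StartMode, State

# "=>" marks entries present only after the update (new driver services),
# "<=" marks entries that disappeared.
Compare-Object -ReferenceObject $before -DifferenceObject $after `
    -Property Name, PathName, StartMode |
    Format-Table -AutoSize

# The Service Control Manager logs event 7045 when a service is installed;
# if CreateService was used for the driver, it shows up here.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045
    StartTime    = (Get-Date).AddMinutes(-10)
} | Select-Object TimeCreated, Message | Format-List
```

If the diff and the event log both stay empty, the driver was updated in place (same service entry, new image) or loaded by a different route, which is exactly the case where the debugger approach in the later replies is needed.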

  3. #3
    disavowed
    Join Date
    Apr 2002
    Posts
    1,281
    You can also have OllyDbg break on Windows messages sent to specific buttons (see the Windows view in OllyDbg's View menubar).

  4. #4
    redblack
    Guest

    Cool

    Quote Originally Posted by disavowed View Post
    You can also have OllyDbg break on Windows messages sent to specific buttons (see the Windows view in OllyDbg's View menubar).
    I prefer this one
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Registered User
    Join Date
    Mar 2004
    Location
    maze of twisty little passages, all alike
    Posts
    133
    Quote Originally Posted by jkally View Post
    If I attach Olly to mms, then it's not on any break point, since the process is running.
    Also, just to address this:

    1) Technically it is at a breakpoint -- specifically at ntdll.DbgBreakPoint. Any breakpoints you set will be triggered by the app's main thread(s) if they encounter them. If you need to see Olly's analysis of mmc's code section, use the memory map to find it, Ctrl+G from the CPU window to go there, and then hit Ctrl+A to analyze it.

    That said, if you know what API you want to breakpoint, you can go straight there in Olly without analyzing anything. Olly understands symbolic address references, so you can always tell it to go to "SS:[EBP+8]" or "user32.GetDlgItem". Setting a manual breakpoint at the EP of, say, GetDlgItem works perfectly fine; you just have to (trivially) trace your way to the user code. The call stack works wonders here, or even just hitting Alt+F9 (run til user code) in simple cases.

    2) You can also start mmc.exe from within OllyDbg rather than attaching to a running mmc instance. You can even use the "Arguments" field if you need to debug something more complicated like "mmc.exe c:\windows\system32\compmgmt.msc".
    The debugging of a thousand lines of code begins with a single-step.

    "It has always therefore been one of my main endeavors as a teacher to persuade the young that first-hand knowledge is not only more worth acquiring than second-hand knowledge, but is usually much easier and more delightful to acquire." -- C.S. Lewis

    I think I can, I think I can, I think I can...
