
Thread: ollydbg 2.01 alpha 4

  1. #16
    Thanks for the information, now I just have to learn more about it and try to get there.
    I am thinking that it would be possible to create a plugin that could do this Eprocess stuff so it would be loaded in Ollydbg.
    Maybe I am wrong? But I will try to create a setup --> windbg + windows 7 in a virtual machine as an alternative to Olly.
    I think this process has too many interesting things..

    I think Ollydbg is just the best user mode debugger, credits to Mr Oleh for the very nice work.

    In older versions, when you right click inside the code window, you have the option to choose what module you want to view, and choose, for example, the main executable. I would appreciate it if this new version had it. You still can press the 'U' button (execute until user code), which is very good, but sometimes I need to just browse, not just run.

  2. #17
    In order to debug a process owned by "SYSTEM" you have to become SYSTEM yourself. It's way more privileged than the Administrator account.

    Under XP that was quite simple. You just had to create an interactive task. This "problem" is fixed under Vista and Seven, but it's nevertheless possible. To work under the NT-Authority/SYSTEM account you must create an interactive service. Windows will pretend it's not possible but don't let it fool you - it will work.
    Open a commandline as Administrator (even if you are under an Admin account you must do a right-click "run as Administrator"). In this commandline type:

    Code:
    sc create makeMeKing binpath= "cmd /K start" type= own type= interact
    Please note the blanks between the "=" and the text that follows it. It's mandatory.
    Now you can start this service every time you want:

    Code:
    sc start makeMeKing
    When you start this service a window pops up telling you that a process wants to display a message. Let it show this message. Your explorer will disappear and your screen will become light-blue showing just the commandline. Now do a "cd .." and then an "explorer.exe". Congrats, you now have a fully working desktop as "NT-Authority/SYSTEM". Now you REALLY rule that machine.
    Happy debugging.

    Regards
    darkelf
    Last edited by Darkelf; September 6th, 2011 at 15:32.
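The `sc qc` output later in the thread shows what this command leaves behind: a service whose TYPE is 110, i.e. WIN32_OWN_PROCESS (0x10) with the SERVICE_INTERACTIVE_PROCESS bit (0x100) set, running as LocalSystem. As an added example that is not from the thread, this PowerShell snippet enumerates every configured service with that bit set by reading the service registry keys, so an administrator can audit a machine for services set up this way; it assumes Windows PowerShell 5.1 or later and an elevated session (some service keys are not readable otherwise).

```powershell
# Added example (not from the thread): list services whose Type value carries
# SERVICE_INTERACTIVE_PROCESS (0x100), the flag "sc create ... type= interact"
# sets and "sc qc" reports as "110 WIN32_OWN_PROCESS (interactive)".
# Assumes Windows PowerShell 5.1+ and an elevated session.
$SERVICE_INTERACTIVE_PROCESS = 0x100

function Get-InteractiveService {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Keys without a Type value are drivers/parameters, not Win32 services.
        if ($null -ne $props.Type -and ($props.Type -band $SERVICE_INTERACTIVE_PROCESS)) {
            [pscustomobject]@{
                Name      = $_.PSChildName
                Type      = ('0x{0:X}' -f $props.Type)
                ImagePath = $props.ImagePath
                # ObjectName holds the service account; when it is absent the
                # service runs as LocalSystem (which is what makeMeKing used).
                Account   = if ($props.ObjectName) { $props.ObjectName } else { 'LocalSystem' }
                StartType = $props.Start   # 2 = auto, 3 = demand (sc's DEMAND_START), 4 = disabled
            }
        }
    }
}

$interactive = @(Get-InteractiveService)
if ($interactive.Count -gt 0) {
    $interactive | Sort-Object Name | Format-Table -AutoSize
} else {
    'No services with SERVICE_INTERACTIVE_PROCESS set.'
}
```

Services that combine the interactive bit with a LocalSystem account and a shell or script as ImagePath are the ones worth a closer look; on Vista and later the "a process wants to display a message" prompt mentioned above is the Interactive Services Detection dialog that session 0 isolation raises for exactly these services.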

  3. #18
    Super Moderator
    darkelf:\>kd -kl -c ".foreach /pS 3 /ps 3 (place {.shell -ci \"!process 0 1 cmd.exe\" grep -i -e \"Token\" -e \"Ima\"} ) {.echo place ; dt nt!_TOKEN TokenSource.Sourcename place} ; q"

    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.

    Connected to Windows XP 2600 x86 compatible target at (Wed Sep 7 10:24:06.843 2
    011 (UTC + 5:30)), ptr64 FALSE
    Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols

    Executable search path is:
    *******************************************************************************
    WARNING: Local kernel debugging requires booting with kernel
    debugging support (/debug or bcdedit -debug on) to work optimally.
    *******************************************************************************
    Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp3_gdr.100216-1514
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
    Debug session time: Wed Sep 7 10:24:06.921 2011 (UTC + 5:30)
    System Uptime: 0 days 0:38:51.493

    lkd> kd: Reading initial command '.foreach /pS 3 /ps 3 (place {.shell -ci "!proc
    ess 0 1 cmd.exe" grep -i -e "Token" -e "Ima"} ) {.echo place ; dt nt!_TOKEN Toke
    nSource.Sourcename place} ; q'
    e3924c60
    +0x000 TokenSource :
    +0x000 SourceName : [8] "*SYSTEM*"
    quit:


    darkelf:\>cdb -pn System"

    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.

    Cannot debug pid 4, NTSTATUS 0xC0000022
    "{Access Denied} A process has requested access to an object, but has not b
    een granted those access rights."
    Debuggee initialization failed, NTSTATUS 0xC0000022
    "{Access Denied} A process has requested access to an object, but has not b
    een granted those access rights."

    darkelf:\>sc qc makemeking
    [SC] GetServiceConfig SUCCESS

    SERVICE_NAME: makemeking
    TYPE : 110 WIN32_OWN_PROCESS (interactive)
    START_TYPE : 3 DEMAND_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : cmd /K start
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : makeMeKing
    DEPENDENCIES :
    SERVICE_START_NAME : LocalSystem

    darkelf:\>sc start makemeking
    [SC] StartService FAILED 1053:

    The service did not respond to the start or control request in a timely fashion.

    darkelf:\>
    Last edited by blabberer; September 7th, 2011 at 00:02. Reason: forgot this takes bbcode not html

  4. #19
    Hi blabberer,

    If I understand your post right, starting the service failed. Right?
    Are you under Vista or Seven? I ask because in your post there is this line:

    Code:
    Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
    As I've written in my first post, the procedure under XP is different.
    To become SYSTEM under XP you must open a commandline and there you type:

    Code:
    at 15:12 /interactive "cmd.exe"
    Replace 15:12 with the time you want the SYSTEM commandline to start.

    When the time has come, a second commandline will open. It has a slightly different title bar where it says: C:\WINDOWS\System32\svchost.exe
    Now open the taskmanager and kill "explorer.exe". Your desktop disappears and only the two commandlines remain. Close the one in which you typed the "at" command and keep the one with svchost in the title bar open. In the open commandline do "cd .." and then "explorer.exe". Now you are the SYSTEM user under XP.

    Hope that helps.

    Regards
    darkelf

  5. #20
    Darkelf: Really nice trick, Darkelf, I got a Desktop but I am still getting access denied, but this trick is very nice, it may be very useful for all sorts of things, thanks for sharing.

  6. #21
    Super Moderator
    http://www.woodmann.com/forum/showthread.php?14452-ollydbg-2.01-alpha-4&p=91009#post91009

    >blabberer

    I don't think granting SeTcbPrivilege would allow you to attach to the System process.

    Basically doing at 00:00 \\drive\\path\\exe schedules a task as SYSTEM, and I don't think starting ollydbg/windbg/likewise that way would allow you to attach to the System process.

    Like I already posted, task scheduling won't allow you to attach to the System process. The original question was attaching to the System process, not elevating oneself to SYSTEM privilege.
