ollydbg 2.01 alpha 4

[blabberer]

wow at last plugins are supportable good news

August 03, 2011 - OllyDbg 2.01 alpha 4. Here is Alpha 4, here is Bookmarks plugin

As you see, this version already supports plugins. New plugin interface is similar to the old (v1.10) but is not backwards compatible. It includes more than 350 API functions, 60 or so variables and many enumerations and structures that all need to be documented. This will take a while, therefore I decided to make a preliminary release. It includes plugin header file (plugin.h) and commented bookmarks source code (bookmark.c). Writing your own plugins without the documentation is a pure masochism, but at least you will be able to analyse the structure of the interface and send me your comments, wishes and suggestions.

This is the last alpha release. After plugin documentation is ready, I will call it 2.01 beta 1. Then I will start to write OllyDbg help and finally make the full 2.01 release. Till then, I plan no major changes.

Other new features in this version:

- Patch manager, similar to 1.10
- Shortcut editor, supports weird things like Ctrl+Win+$ etc. Now you can customize and share your shortcuts. I haven't tested it on Win7, please report any found bugs and incompatibilities!
- Instant .udd file loading. In the previous versions I've postponed analysis, respectivcely reading of the .udd file till the moment when all external links are resolved. But sometimes it took plenty of time, module started execution and was unable to break on the breakpoints placed in the DLL initialization routine
- Automatic search for the SFX entry point, very raw and works only with several packers. Should be significantly more reliable than 1.10. If you tried it on some SFX and OllyDbg was unable to find real entry, please send me, if possible, the link or executable for analysis!
- "Go to" dialog lists of matching names in all modules
- Logging breakpoints can protocol multiple expressions. Here is an example: I ask OllyDbg to protocol the contents of EAX, EBX and 4 memory doublewords starting at address ESP. Expressions must be separated by commas, repeat count has form SIZE*N, N=1..32:

[Maximus]

alpha 3 was way less stable than alpha 2 - I just hope olly did fix the stability in v4.
IDA debugger cant really keep comparison with olly... no way

... but hell yes, plugins

(to me, just being able to use olly on 7x64 had been a TRUE blessing)

[rendari]

(to me, just being able to use olly on 7x64 had been a TRUE blessing)

I've been running 1.10 fine now for 1 year with Stealth64 on Win7x64... of course you can't debug 64 bit apps...

[Maximus]

Olly 1.1 surely works in 7x64, but not completely.
It has some subtle yet irritating problems that makes it hardly usable over the time, and forced me many times to switch to IDA debugger.
Olly 2 has not such problems, and it is a bless. IDA debugger is not nearly useful as Olly for advanced debugging.

[rendari]

Maximus,

What kinds of problems do you have on 7/64? Curious because I haven't run into any in a long time... maybe I'm doing the wrong sorts of reversing

-rendari

[Maximus]

hmmm... let me remember. Keep in mind they were somewhat 'weird' and did not always appear.
I had the x64 plugin fix, of course, but it didnt help.

1) attach didnt work. Now, it may seems not useful as feature, but attach is essential.
2) I was having some weird problem running/stopping code, even when not attaching.
3) some other minor, irritating problem i do not remember... ah, i.e. sometime breakpoint didnt trig and ended looping forever, etc

Olly is simply too powerful for r3 debugging, no way

[jhon thomas]

I am trying to use Olly (version 2.01 alpha 4) in windows 7 Ultimate, this version of olly works fine in this O.S., but i am facing this situation:


Even using a Full administrator rights account and starting olly under administrator account. When I try to attach to a process named 'system', I got an error -> ACCESS DENIED-. I need to attach the debugger because i am studying the core of this system.

I searched policies settings in control panel, googled it, everything, but i dont know how to grant ollydbg access to that process.

Maybe Micro$oft dont want us to debug that process? If not, where can I change this setting?
Or Maybe Olly cannot do it? That is why i am posting it here, olly support..

Someone here do know how, or where to disable this policie in Windows 7 Ultimate R 7600?

To reproduce this error in windows 7, just run olly under administrator and try to attach to 'system'.

Thanks in advance!!

[blabberer]

that is not just olly dbgs problem alone

windbg will also not be able to attach to system process

Debugger initialization Failed Win error 05

and that would not be in just winseven

but also winxp sp3


C:\Program Files\Debugging Tools for Windows (x86)>systeminfo | findstr /b /i /c
:"os" & cdb -pn System & cdb -p 4
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600


Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Cannot debug pid 4, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."
Debuggee initialization failed, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Cannot debug pid 4, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."
Debuggee initialization failed, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not b
een granted those access rights."

C:\Program Files\Debugging Tools for Windows (x86)>


also System process iirc does noting but Wait For An Event

[jhon thomas]

I think there's some way to disable this in the system, by normal means, through a configuration in the system, i just don't know where..

Does someone know where to disable it?

In the worst case, it would be possible to patch the system, so it would let Olly to pass on... But what if that function is inside that process, then it would be very difficult to do..

Maybe, softice would be able to do that? _

[Kayaker]

Try double clicking on the System process in ProcessExplorer and set Security/SeDebugPrivilege to Full Control. I do this in XP and it allows me to use the Softice command 'ADDR System' to switch context and get full access for other commands such as QUERY, THREAD -x, etc. Maybe Olly/Winny might attach then, though I doubt usermode debugging will give much useful info.

[Maximus]

hmmm try to run olly under 'system' account, instead of administrastor.
system account != administrator account - i.e. you cannot alter the primary token with an admin account, you need to grab the seSomethingNotObviousIfIRememberWell privilege AND reboot to do that. There is a specific privilege that 'makes you' as part of the syustem... aah found, the one with TCB at end. Get it, and you are the true owner of the machine (care with it).

edit---
SeTcbPrivilege, that's it. This pribilege is removed from admin, not just disabled, so you cannot turn it on by default - that's why you need to grant it to you and reboot to grab it.

[jhon thomas]

Maximus: I tried to run ollydbg under system account, But it is not possible yet to attach that process. It was under system account, even tried to kill olly with taskmgr, i gotta access denied.

Kayaker: That process have the lowest PID number, (system - PID 4) and doesnt appear under the 'normal' taskmgr, just in olly.. (edit: yes, appear, but you have to show all users process - Description: NT kernel & System - size - 84 K)

blabberer: if you have windbg installed and running could you try what kayaker described, to see if it would work?

Well.. regarding olly, in older versions, when you right click in code window, you have the option to chose what module you want to view, and choose, for example, the main executable. I would appreciate this new version had it. But you just can press that button 'U' - execute until user code, that is very good, but what if you dont want to execute any code, but just browse?

[blabberer]

i dont think granting SeTcbPrivilege would allow you to attach to System Process

basically doing at 00:00 \\drive\\path\\exe schedules a task as system and i dont think starting ollydbg/windbg/ like wise would allow you attach to system process

basically system process is not a process at all it is a collection of threads that has System Privilege

and as such you cant find a system.exe anywhere (NO IMAGE PATH) iirc PsCreateInitialSytem_some_name_whatever function in nt(os\pa\mpa)

starts this System Process during PhaseInitilaisation if i remember correctly

see i have SeTcbPrivilege below still i wont be able to attach to System Process

Code:

C:\Documents and Settings\admi\Desktop>ntrights -u admi +r SeTcbPrivilege
 Granting SeTcbPrivilege to admi   ... successful

C:\Documents and Settings\admi\Desktop>showpriv.exe SeTcbPrivilege
2 account(s) with the SeTcbPrivilege user right:
VPC\admi
The LookupAccountSid() API returned error 0x00000534All accounts enumerated

C:\Documents and Settings\admi\Desktop>"c:\Program Files\Debugging Tools for Win
dows (x86)\cdb.exe" -pn System

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Cannot debug pid 4, NTSTATUS 0xC0000022
    "{Access Denied}  A process has requested access to an object, but has not b
een granted those access rights."
Debuggee initialization failed, NTSTATUS 0xC0000022
    "{Access Denied}  A process has requested access to an object, but has not b
een granted those access rights."

C:\Documents and Settings\admi\Desktop>

and neither would using kd give access to System process

C:\Documents and Settings\admi\Desktop>"c:\Program Files\Debugging Tools for Win
dows (x86)\ntsd.exe" -d -pn System

C:\Documents and Settings\admi\Desktop>

kd> g

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Cannot debug pid 4, NTSTATUS 0xC0000022
    "{Access Denied}  A process has requested access to an object, but has not been granted those access rights."
Debuggee initialization failed, NTSTATUS 0xC0000022
    "{Access Denied}  A process has requested access to an object, but has not been granted those access rights."

nor would attaching from kd work

Code:

kd> !bpid -a -s 4
Finding winlogon.exe (-1)...
Waiting for winlogon.exe to break.  This can take a couple of minutes...
Break instruction exception - code 80000003 (first chance)
Stepping to g_AttachProcessId check...
Break into process 4 set.  The next break should be in the desired process.
Stopping in winlogon.exe
kd> kb
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
0141fe8c 7c927e71 00000000 00000001 00079500 0x1030f2d
0141fed8 7c928325 01030ed0 00000000 00000001 ntdll!RtlpWaitOrTimerCallout+0x73
0141fef8 7c927aa2 00079500 7c97b440 00e41888 ntdll!RtlpAsyncTimerCallbackCompletion+0x1c
0141ff40 7c927ae3 7c928309 00079500 00000000 ntdll!RtlpWorkerCallout+0x70
0141ff60 7c927ba5 00000000 00079500 00e41888 ntdll!RtlpExecuteWorkerRequest+0x1a
0141ff74 7c927b7c 7c927ac9 00000000 00079500 ntdll!RtlpApcCallout+0x11
0141ffb4 7c80b713 00000000 00000000 00000000 ntdll!RtlpWorkerThread+0x87
0141ffec 00000000 7c910230 00000000 00000000 0x7c80b713
kd> bl

kd> g

Microsoft (R) Windows User-Mode Debugger  Version 5.1.2600.0
Copyright (c) Microsoft Corporation. All rights reserved.

Cannot debug pid 4, NTSTATUS 0xC0000022
    "<Unable to get error code text>"
Debuggee initialization failed, NTSTATUS 0xC0000022
    "<Unable to get error code text>"

if you are wondering whats this bpid magic here is a flow of how it works (in thi output ntsd is old in system 32 dir in target use latest ntsd from debugging tools dir
for production usage)

Code:

kd> !bpid -a -s 0n1636
Finding winlogon.exe (0)...
Waiting for winlogon.exe to break.  This can take a couple of minutes...
Break instruction exception - code 80000003 (first chance)
Stepping to g_AttachProcessId check...
Break into process 664 set.  The next break should be in the desired process.
Stopping in winlogon.exe
kd> kb
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
0141fe8c 7c927e71 00000000 00000001 00079500 0x1030f2d
0141fed8 7c928325 01030ed0 00000000 00000001 ntdll!RtlpWaitOrTimerCallout+0x73
0141fef8 7c927aa2 00079500 7c97b440 00e41888 ntdll!RtlpAsyncTimerCallbackCompletion+0x1c
0141ff40 7c927ae3 7c928309 00079500 00000000 ntdll!RtlpWorkerCallout+0x70
0141ff60 7c927ba5 00000000 00079500 00e41888 ntdll!RtlpExecuteWorkerRequest+0x1a
0141ff74 7c927b7c 7c927ac9 00000000 00079500 ntdll!RtlpApcCallout+0x11
0141ffb4 7c80b713 00000000 00000000 00000000 ntdll!RtlpWorkerThread+0x87
0141ffec 00000000 7c910230 00000000 00000000 0x7c80b713
kd> u 0x1030f2d
01030f2d 85c0            test    eax,eax
01030f2f 740d            je      01030f3e
01030f31 50              push    eax
01030f32 e88cfdffff      call    01030cc3
01030f37 83259844070100  and     dword ptr ds:[1074498h],0
01030f3e 33c0            xor     eax,eax
01030f40 c9              leave
01030f41 c20800          ret     8
kd> ub 0x1030f2d
01030f10 ff75fc          push    dword ptr [ebp-4]
01030f13 ff15c8160001    call    dword ptr ds:[10016C8h]
01030f19 a194440701      mov     eax,dword ptr ds:[01074494h]
01030f1e 85c0            test    eax,eax
01030f20 7406            je      01030f28
01030f22 50              push    eax
01030f23 e8b0feffff      call    01030dd8
01030f28 a198440701      mov     eax,dword ptr ds:[01074498h]
kd> g

Microsoft (R) Windows User-Mode Debugger  Version 5.1.2600.0
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Loaded dbghelp extension DLL
The call to LoadLibrary(ext) failed with error 2.
Please check your debugger configuration and/or network access
Loaded exts extension DLL
The call to LoadLibrary(uext) failed with error 2.
Please check your debugger configuration and/or network access
Loaded ntsdexts extension DLL
WARNING: SRV*Z:\symbols\* is not accessible, ignoring
Symbol search path is: *** Invalid *** : Verify _NT_SYMBOL_PATH setting
Executable search path is: 
ModLoad: 00400000 00404000   C:\Documents and Settings\admi\Desktop\msgbox.exe
ModLoad: 7c900000 7c9af000   C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\user32.dll
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f03000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
Break instruction exception - code 80000003 (first chance)
eax=7ffdf000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120e esp=008bffcc ebp=008bfff4 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll - 
ntdll!DbgBreakPoint:
7c90120e cc               int     3
0:001> kb
kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
008bfff4 00000000 00000000 00000008 0007ae5c ntdll!DbgBreakPoint

0:001> ~*kb
~*kb

   0  id: 664.6c8   Suspend: 1 Teb 7ffde000 Unfrozen
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\user32.dll - 
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012faac 7e4249c4 000e00e2 00000000 00000001 ntdll!KiFastSystemCallRet
0012fad4 7e43a956 7e410000 001434e0 00000000 user32!GetCursorFrameInfo+0x1cc
0012fd94 7e43a2bc 0012fef0 00000000 ffffffff user32!SoftModalMessageBox+0x677
0012fee4 7e4663fd 0012fef0 00000028 00000000 user32!MessageBoxIndirectA+0x23a
0012ff3c 7e4664a2 00000000 00143058 00143098 user32!MessageBoxTimeoutW+0x7a
0012ff70 7e450877 00000000 00403019 00403000 user32!MessageBoxTimeoutA+0x9c
0012ff90 7e45082f 00000000 00403019 00403000 user32!MessageBoxExA+0x1b
*** WARNING: Unable to verify checksum for C:\Documents and Settings\admi\Desktop\msgbox.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\admi\Desktop\msgbox.exe
0012ffac 00401013 00000000 00403019 00403000 user32!MessageBoxA+0x45
0012fff0 00000000 00401000 00000000 78746341 msgbox+0x1013

.  1  id: 664.3ec   Suspend: 1 Teb 7ffdd000 Unfrozen
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
008bfff4 00000000 00000000 00000008 0007ae0c ntdll!DbgBreakPoint
0:001>

[Kayaker]

I think you're exactly right blabberer. There is minimal usermode presence for the System process:

Code:

:addr system
:query system
Address Range      Flags     MMCI      PTE       Name
00010000-00033000  04000000  823C4310  E100E6C8
00060000-00060000  04000000  822726E8  E14D0658
00070000-0016F000  04000000  81F8ECD0  E1ABBBF8  Heap
00170000-0056F000  04000000  8218C0C0  E176C038
02180000-0257F000  04000000  822055C0  E13A7038
7C900000-7C9AF000  07100005  823C72D8  E1493A48  ntdll.dll

The first thread points to your _Phase1Initialization (now there's a googlable term..) recollection.
All subsequent system threads seem to begin at Start EIP: _ExpWorkerThread.

Code:

:thread -x system
                               Extended Thread Info for thread 8
    KTEB:      823C8548  TID:       008  Process:   System(04)
    Base Pri:         0  Dyn. Pri:    0  Quantum:          5
    Mode:      Kernel    Suspended:   0  Switches:  00002E33
    TickCount: 0006E195  Wait Irql:   0
    Status:    Kernel Wait for WrFreePage

    Start EIP:      _Phase1Initialization (806A033E)
    Affinity:       00000001             Context Flags:        A
    KSS EBP:        00000000             Callback ESP:  00000000
    Kernel Stack:   F8975000 - F8978000  Stack Ptr:     F897779C
    Kernel Time:    00000241             User Time:     00000000
    Create Time:    0000000000000000

    SpinLock:  00000000  Service Table: 80559B80  Queue:    00000000
    SE Token:  00000000  SE Acc. Flags: 001F03FF
    UTEB:      00000000

    IRP Queue at 823C8758 is empty

    Thread Wait List:
               Event Object at 8055F490
               Timer Object at 80560480

    Registers:  ESI=FFDFF120  EDI=823C8548  EBX=823C85B8  EBP=F89777F8
    Restart  :  EIP=804DBDE0 a.k.a. @KiSwapContext+002E

FrameEBP  RetEIP  Syms Symbol
F89777B8  804DC6A6  Y  ntoskrnl!@KiSwapContext+002E
F89777C4  804E40FD  Y  ntoskrnl!@KiSwapThread+0038
F89777F8  804E83ED  Y  ntoskrnl!_KeWaitForMultipleObjects+0170
F8977844  8069EE76  Y  ntoskrnl!_MmZeroPageThread+0061

btw, while browsing I found a funky way of getting the EPROCESS of the System process using PsActiveProcessHead or PsInitialSystemProcess

http://66.14.166.45/whitepapers/compforensics/memory/Introduction To Windows Memory Forensic.pdf

Code:

kd> ?PsInitialSystemProcess
Evaluate expression: -2141844268 = 80560cd4

kd> dd 80560cd4 L1
80560cd4  823b47c0

kd> dt nt!_EPROCESS 823b47c0
...
   +0x174 ImageFileName    : [16]  "System"
...
   +0x1b0 Peb              : (null)

Not surprisingly, no PEB, so nothing to attach to.

[blabberer]

yes kayaker it is officially documented

http://msdn.microsoft.com/en-us/library/ff559943%28v=vs.85%29.aspx

you can do it like this in windbg

Code:

lkd> dt nt!_Eprocess poi(nt!PsInitialSystemProcess) -y Ima
   +0x174 ImageFileName : [16]  "System"

or

edit added second way

Code:

lkd> dt nt!_EPROCESS ImageFilename poi(nt!PsActiveProcessHead)-@@c++(#FIELD_OFFSET(nt!_EPROCESS,ActiveProcessLinks)))
   +0x174 ImageFileName : [16]  "System"

that is subtract FieldOffset (0x88) from *PsActiveProcesshead for getting the System process ImageFileFilename (related .blink manipulation)

someone (who probably lurks here but wont admit it) wrote a blog i cant find now ill link it later if i find for the edited windbg magic