Thread: How to debug child process

  1. #1
    Quasar
    Guest

    How to debug child process

    Hi, sorry for my English first.

    The program I'm debugging in OllyDbg creates a process with CreateProcessA, and I want to debug this child process too.
    Is there no way to do this from OllyDbg?
    Thanks

  2. #2

    How to debug child process

    Yes, put a BP on CreateProcess, change the value on the stack to 4 for a suspended process, and go to the RET of the father.
    If the father is debugging the child, go to any blank part of code and write

    Push (PID OF CHILD)
    Call DebugActiveProcessStop
    nop

    then mark the first line (the push) and select NEW ORIGIN HERE.

    Trace with F8, and when you reach the NOP, if EAX is 1 the child is not debugged any more.

    To RUN the child, put an infinite loop at the entry point and, with a process memory manipulator, quit the resume, to make the child run and loop.

    Next attach with OLLY without problem, pause, quit the infinite loop and continue debugging.

    Ricardo Narvaja

  3. #3
    Quasar
    Guest

    How to debug child process

    Thanks for your response, Ricardo.

    After CreateProcess I call DebugActiveProcessStop with the PID of the new process and it fails with ERROR_ACCESS_DENIED (00000005). Does this mean the father was not debugging the child?

    To run the child, how can I put an infinite loop at the entry point and resume?
    I don't understand this; maybe you mean modifying the source code?

    An important thing I forgot to say: the father is injecting code into the child process, and when I attach with OllyDbg (right after CreateProcessA with CREATE_SUSPENDED) a popup says "0xC0000142, application failed to initialize properly" and OllyDbg stops with "Exception C0000142 DLL_INIT_FAILED".

  4. #4
    arjuns
    Guest

    How to debug child process

    Patch the original instruction with EB FE (it jumps to the same line as EIP),
    but you have to remember the patched bytes; you need them later.
    Select Resume thread from the thread menu.

  5. #5

    How to debug child process

    For the father to debug the child there are two options:

    1) On the stack, when the process is created, in the parameter you change to suspended (4), there is a value for DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS.

    2) The father calls the API DebugActiveProcess following the call to CreateProcess.

    If neither 1 nor 2 appears, the child is not debugged (and if the child is not debugged it is possible to attach with Olly without problems).

    The process created originates from a file: look at the name of the file on the stack, open the file beforehand in PEditor, and look at the entry point.

    If PEditor says 1020 and the image base is 400000, the entry point will be 401020, for example.

    When you create the process suspended, open PUPE, go to patch, look at the value at 401020 (example) and change the 2 bytes to EB FE (write the old values on a paper).

    Next you put EB FE (infinite loop at the entry point) and quit the father's debug if necessary, then quit the resume with the process memory manipulator; the program starts to run looping. Next attach with Olly; when it stops at the debug break, RUN and pause again, and Olly stops at the entry point. Change the values back to the original values and continue debugging.

    Obviously the father needs to continue running in the original; you need to study what changes the father makes to the child, with WriteProcessMemory for example, and what the child reads from the father; maybe there is an exchange of information.

    Another possibility is to change the bytes in the child file and save the changes, and when it is looping, change them in memory, but it can be detected. It is all try and try, hehe.

    Ricardo Narvaja
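    The arithmetic in the post above (entry point 1020 + image base 400000 = 401020) and the "write the old bytes on a paper, patch EB FE, restore later" step can be checked with a small tool. The following C program is an added example, not code from the thread or from any of the tools named in it (PEditor, PUPE, OllyDbg): it parses the PE headers to compute the entry VA, maps that RVA to a file offset through the section table, saves the two original bytes, writes the `EB FE` self-jump, and restores them. The function names and the minimal in-memory PE image are constructed for this example; it uses no Windows headers, so it builds and runs on any platform.

```c
/* Added example (not from the thread): locate a PE file's entry point and apply / undo
 * the "EB FE" self-jump patch. The sample PE image is constructed in memory. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Entry VA = ImageBase + AddressOfEntryPoint (the PEditor step); the file offset comes
 * from the section that contains the entry RVA (the "change the bytes in the file" step).
 * Returns 0 on success, -1 if the image is truncated, malformed, or the entry point has
 * no backing raw data (then there is nothing in the file to patch). */
int pe_entry_point(const uint8_t *img, size_t len, uint64_t *entry_va, uint32_t *file_off)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                               /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(img + pe + 6);                           /* NumberOfSections */
    uint16_t optsz = rd16(img + pe + 20);                         /* SizeOfOptionalHeader */
    const uint8_t *opt = img + pe + 24;
    if (optsz < 0x60 || (size_t)pe + 24 + optsz + (size_t)nsec * 40 > len) return -1;
    uint16_t magic = rd16(opt);
    uint32_t entry_rva = rd32(opt + 16);                          /* AddressOfEntryPoint */
    uint64_t image_base;
    if (magic == 0x10B)      image_base = rd32(opt + 28);                                     /* PE32 */
    else if (magic == 0x20B) image_base = rd32(opt + 24) | ((uint64_t)rd32(opt + 28) << 32);  /* PE32+ */
    else return -1;
    const uint8_t *sec = opt + optsz;                             /* section table */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t va = rd32(sec + 12), rawsz = rd32(sec + 16), rawp = rd32(sec + 20);
        if (entry_rva < va || entry_rva - va >= rawsz) continue;  /* not in this section's raw data */
        uint32_t off = rawp + (entry_rva - va);
        if (off > len || len - off < 2) return -1;                /* must hold the 2-byte patch */
        *entry_va = image_base + entry_rva;
        *file_off = off;
        return 0;
    }
    return -1;
}

/* Save the two original entry bytes ("write them on a paper") and overwrite with EB FE (jmp $). */
int pe_patch_entry_loop(uint8_t *img, size_t len, uint8_t saved[2])
{
    uint64_t va; uint32_t off;
    if (pe_entry_point(img, len, &va, &off) != 0) return -1;
    saved[0] = img[off]; saved[1] = img[off + 1];
    img[off] = 0xEB; img[off + 1] = 0xFE;
    return 0;
}

/* Put the saved bytes back once the debugger has been attached at the loop. */
int pe_restore_entry(uint8_t *img, size_t len, const uint8_t saved[2])
{
    uint64_t va; uint32_t off;
    if (pe_entry_point(img, len, &va, &off) != 0) return -1;
    img[off] = saved[0]; img[off + 1] = saved[1];
    return 0;
}

/* Constructed sample: a minimal PE32 with one .text section, ImageBase 0x400000 and
 * AddressOfEntryPoint 0x1020, so the entry VA is 0x401020 as in the post's example. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    const size_t size = 0x600;
    if (cap < size) return 0;
    memset(buf, 0, size);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);                 /* e_lfanew -> PE signature at 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *coff = buf + 0x84;
    wr16(coff + 0, 0x14C);                  /* Machine: i386 */
    wr16(coff + 2, 1);                      /* NumberOfSections */
    wr16(coff + 16, 0xE0);                  /* SizeOfOptionalHeader (PE32) */
    uint8_t *opt = buf + 0x98;
    wr16(opt + 0, 0x10B);                   /* PE32 magic */
    wr32(opt + 16, 0x1020);                 /* AddressOfEntryPoint */
    wr32(opt + 28, 0x400000);               /* ImageBase */
    uint8_t *sec = opt + 0xE0;              /* first section header */
    memcpy(sec, ".text\0\0\0", 8);
    wr32(sec + 8, 0x1000);                  /* VirtualSize */
    wr32(sec + 12, 0x1000);                 /* VirtualAddress */
    wr32(sec + 16, 0x200);                  /* SizeOfRawData */
    wr32(sec + 20, 0x400);                  /* PointerToRawData */
    buf[0x420] = 0x55; buf[0x421] = 0x8B;   /* original entry bytes: push ebp; mov ebp,esp */
    return size;
}

/* Whole round trip on the sample: parse, patch, verify EB FE, restore. Returns 0 on success. */
int run_sample(uint64_t *va_out, uint32_t *off_out, uint8_t saved_out[2])
{
    uint8_t img[0x600], saved[2];
    uint64_t va; uint32_t off;
    size_t n = build_sample_pe(img, sizeof img);
    if (n == 0 || pe_entry_point(img, n, &va, &off) != 0) return -1;
    if (pe_patch_entry_loop(img, n, saved) != 0 || img[off] != 0xEB || img[off + 1] != 0xFE) return -1;
    if (pe_restore_entry(img, n, saved) != 0 || img[off] != saved[0] || img[off + 1] != saved[1]) return -1;
    if (va_out) *va_out = va;
    if (off_out) *off_out = off;
    if (saved_out) { saved_out[0] = saved[0]; saved_out[1] = saved[1]; }
    return 0;
}

int main(void)
{
    uint64_t va; uint32_t off; uint8_t saved[2];
    if (run_sample(&va, &off, saved) != 0) { puts("sample failed"); return 1; }
    printf("entry VA 0x%llx at file offset 0x%x, original bytes %02X %02X\n",
           (unsigned long long)va, off, saved[0], saved[1]);
    return 0;
}
```

    The section-table walk matters in practice: the entry RVA is not the file offset, and an entry point that lies outside any section's raw data (or a truncated file) is reported as an error rather than patched at a wrong offset. For a real file you would read it into a buffer, call the same functions, and write the buffer back, keeping the two saved bytes for the restore step.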

  6. #6
    Quasar
    Guest

    How to debug child process

    Thanks to all, I tried to put EB FE and it worked!
