ollydbg 2.01 alpha 4

Support forums for OllyDbg 32-bit Assembler-Level Debugger.
Developed by Oleh Yuschuk (http://www.ollydbg.de)
jhon thomas
Junior Member
Posts: 5
Joined: Wed Aug 31, 2011 12:05 pm

Post by jhon thomas »

Thanks for the information, now I just have to learn more about it and try to get there.
I am thinking it would be possible to create a plugin that could do this EPROCESS stuff so it would be loaded in OllyDbg.
Maybe I am wrong? But I will try to create a setup --> WinDbg + Windows 7 in a virtual machine as an alternative to Olly.
I think this process has too many interesting things.

I think Ollydbg is just the best user mode debugger, credits to Mr Oleh for the very nice work.

In older versions, when you right-click inside the code window, you have the option to choose which module you want to view, and choose, for example, the main executable. I would appreciate it if this new version had it. You can still press the 'U' button (execute until user code), which is very good, but sometimes I just need to browse, not only run.
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

In order to debug a process owned by "SYSTEM" you have to become SYSTEM yourself. It's way more privileged than the Administrator account.

Under XP that was quite simple. You just had to create an interactive task. This "problem" is fixed under Vista and Seven, but it's nevertheless possible. To work under the NT-Authority/SYSTEM account you must create an interactive service. Windows will pretend it's not possible but don't let it fool you - it will work.
Open a command line as Administrator (even if you are under an Admin account you must do a right-click "Run as Administrator"). In this command line type:

sc create makeMeKing binpath= "cmd /K start" type= own type= interact
Please note the blanks between the "=" and the text that follows it. They are mandatory.
Now you can start this service every time you want:

sc start makeMeKing
When you start this service a window pops up telling you that a process wants to display a message. Let it show this message. Your Explorer will disappear and your screen will become light blue, showing just the command line. Now do a "cd .." and then an "explorer.exe". Congrats, you now have a fully working desktop as "NT-Authority/SYSTEM". Now you REALLY rule that machine.
Happy debugging.

Regards
darkelf
I flout Chuck Norris, Spongebob barbecues underwater!
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

darkelf:\>kd -kl -c ".foreach /pS 3 /ps 3 (place {.shell -ci \"!process 0 1 cmd.exe\" grep -i -e \"Token\" -e \"Ima\"} ) {.echo place ; dt nt!_TOKEN TokenSource.Sourcename place} ; q"

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows XP 2600 x86 compatible target at (Wed Sep 7 10:24:06.843 2011 (UTC + 5:30)), ptr64 FALSE
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100216-1514
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
Debug session time: Wed Sep 7 10:24:06.921 2011 (UTC + 5:30)
System Uptime: 0 days 0:38:51.493

lkd> kd: Reading initial command '.foreach /pS 3 /ps 3 (place {.shell -ci "!process 0 1 cmd.exe" grep -i -e "Token" -e "Ima"} ) {.echo place ; dt nt!_TOKEN TokenSource.Sourcename place} ; q'
e3924c60
+0x000 TokenSource :
+0x000 SourceName : [8] "*SYSTEM*"
quit:


darkelf:\>cdb -pn System"

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Cannot debug pid 4, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not been granted those access rights."
Debuggee initialization failed, NTSTATUS 0xC0000022
"{Access Denied} A process has requested access to an object, but has not been granted those access rights."

darkelf:\>sc qc makemeking
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: makemeking
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : cmd /K start
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : makeMeKing
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

darkelf:\>sc start makemeking
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

darkelf:\>
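As an added example (not code from the thread or from any of its posters): the `sc qc` output blabberer pasted above, and the service Darkelf's recipe creates, can be audited from the defender's side. The script below parses `sc qc` output for one or more services and flags any entry that combines the interactive flag (bit 0x100 in the hex TYPE field), the LocalSystem account, and a command interpreter as the service image. The sample output is constructed to match the thread's format; the `Spooler` and `Dhcp` entries are made up for contrast (`Spooler` is interactive too, but its image is a real service binary, so it is not reported).

```python
import re
from typing import Dict, List, Tuple

# SERVICE_INTERACTIVE_PROCESS, the bit that "type= interact" sets in the service type.
SERVICE_INTERACTIVE_PROCESS = 0x100

# Command interpreters that have no business being a service's image.
SHELL_IMAGES = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}

# Constructed sample in the format of `sc qc`, concatenated for three services.
SAMPLE_SC_QC = r"""
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: makemeking
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : cmd /K start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : makeMeKing
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\spoolsv.exe
        DISPLAY_NAME       : Print Spooler
        SERVICE_START_NAME : LocalSystem

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : DHCP Client
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text: str) -> List[Dict[str, str]]:
    """Split `sc qc` output into one dict per SERVICE_NAME block."""
    services: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[SC]"):
            continue
        # Split on the first colon only, so drive letters in values survive.
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services


def is_interactive(svc: Dict[str, str]) -> bool:
    """TYPE reads like '110  WIN32_OWN_PROCESS  (interactive)'; the first token is hex."""
    m = re.match(r"([0-9A-Fa-f]+)", svc.get("TYPE", ""))
    return bool(m) and bool(int(m.group(1), 16) & SERVICE_INTERACTIVE_PROCESS)


def image_name(binary_path: str) -> str:
    """Return the lower-cased basename of the first (possibly quoted) token."""
    path = binary_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        first = path[1:end] if end > 0 else path[1:]
    else:
        parts = path.split()
        first = parts[0] if parts else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(text: str) -> List[Tuple[str, List[str]]]:
    """Report services that are interactive, run as LocalSystem and launch a shell."""
    findings = []
    for svc in parse_sc_qc(text):
        reasons = []
        if is_interactive(svc):
            reasons.append("interactive service")
        if svc.get("SERVICE_START_NAME", "").lower() == "localsystem":
            reasons.append("runs as LocalSystem")
        if image_name(svc.get("BINARY_PATH_NAME", "")) in SHELL_IMAGES:
            reasons.append("image is a command interpreter")
        if len(reasons) == 3:
            findings.append((svc["SERVICE_NAME"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_SC_QC):
        print(f"{name}: {', '.join(reasons)}")
```

On a live host, feed it the concatenated output of `sc qc` for every name listed by `sc query state= all` (or a saved copy of it); the same combination of flags is what `sc create ... type= interact` with a `cmd` binpath leaves behind in the registry under the service's key.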
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

Hi blabberer,

If I understand your post right, starting the service failed. Right?
Are you under Vista or Seven? I ask because in your post there is this line:

Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
As I've written in my first post, the procedure under XP is different.
To become SYSTEM under XP you must open a command line and there you type:

at 15:12 /interactive "cmd.exe"
Replace 15:12 with the time you want the SYSTEM command line to start.

When the time has come, a second command line will open. It has a slightly different title bar where it says: C:\WINDOWS\System32\svchost.exe
Now open the Task Manager and kill "explorer.exe". Your desktop disappears and only the two command lines remain. Close the one in which you typed the "at" command and keep the one with svchost in the title bar open. In the open command line do "cd .." and then "explorer.exe". Now you are the SYSTEM user under XP.

Hope that helps.

Regards
darkelf
I flout Chuck Norris, Spongebob barbecues underwater!
jhon thomas
Junior Member
Posts: 5
Joined: Wed Aug 31, 2011 12:05 pm

Post by jhon thomas »

Darkelf: Really nice trick, Darkelf. I got a desktop, but even so I am still getting access denied. Still, this trick is very nice, it may be very useful for all sorts of things, thanks for sharing.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

http://www.woodmann.com/forum/showthrea ... #post91009

>blabberer

I don't think granting SeTcbPrivilege would allow you to attach to the System process.

Basically, doing at 00:00 \\drive\\path\\exe schedules a task as SYSTEM, and I don't think starting OllyDbg/WinDbg or the like that way would allow you to attach to the System process.


Like I already posted, task scheduling won't allow you to attach to a system process. The original question was attaching to the System process, not elevating oneself to SYSTEM privilege.