Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Problem debugging 32 bit system process with Olly (https://forum.exetools.com/showthread.php?t=16525)

MCKSys Argentina 02-07-2015 06:16

Problem debugging 32 bit system process with Olly
 
Hi all!

I'm trying to debug a 32 bits SYSTEM process (a service) with Olly 1.10 and Olly 2.01 on Windows 2003 X86.

In Olly 2 the problem arises when trying to attach to the process. It says "attaching" and stays like that forever. I´m using the last version.

Olly 1.10 allows me to attach to the process, but when I put a BP on the process (Any kind of BP: hard-soft, in any module) and the BP trigguers, the GUI freezes. I also tested this with patched versions of Olly 1.10, and I get the same result.
I tried with the 32 bits version of x64_dbg: It attaches well, breaks on the BP's and the GUI responds, BUT it has a weird behaviour. First, It doesn't stop on the BP addr; it stops in the next one. HBPs doesn't stop at all. But the worse thing is when you hit "step into" (F7) or "step over" (F8): it runs like if you've pressed F9. Also, it crashed several times (I'm naking a report to upload it to the x64_dbg forum).

The only solution I found was to use Olly 1.08 or windbg (honestly, I prefer Olly when debugging user mode).

My question is: Have any of you guys faced this situation before? Do you have a different solution from the one I have?

Thanks!

PS: Forgive my bad English. I speak Spanish everyday.

Pansemuckl 02-07-2015 06:40

Anti-Debug code most-likely. I'd be interested to get some info on this too. Im on x64 and crApps like SafeEngine Shielden are often used to hide malware.

MCKSys Argentina 02-07-2015 06:53

It's not anti-debug. The program doesn't have any kind of packer/protection. It's pure C/C++ code.

I believe the problem it's that the process runs as service with the SYSTEM user account; and even when I checked the option to allow the SYSTEM process to communicate with user desktop, Olly 1.10 has some kind of issue when trying to "pop-up" after a BPs has been reached (or when you hit "pause", or any other kind of interaction with it).

EDIT: Olly2 has the same problem too.

sendersu 02-07-2015 07:39

Very interesting topic
some hints here
http://support.microsoft.com/kb/824344

MCKSys Argentina 02-11-2015 03:35

OK. I've found that the problem seems to be plugins or Olly 1.10 itself.
Using just the Olly 1.10 exe in a empty folder its works as it should.
When you close Olly, the ini will be created. To make Olly work as expected again, put the value of "Restore windows" key to "0".

That will solve the problem, and keep all your preferences and BPs.

I'm still testing with plugins, but in my case (SYSTEM service debugging) I don't need any of them, so I consider this problem solved.

Thanks for your responses!


All times are GMT +8. The time now is 03:06.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2022, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX