I'm trying to write a small "debugger" for one specific app. For starters i want to get to EP but i dont know how to do that. Here is how i tried to do so, but when i sompare used memory of app how Olly loaded and how i loaded it, Ollys child process has occupied more memory.
Code:
if DWORD(CreateProcess('1.exe',nil,nil,nil,FALSE,DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS,nil,nil,si,pi)) = 0 then begin
ShowLastError();
ExitProcess(0);
end;
WaitForDebugEvent(dbevent, INFINITE);
ContinueDebugEvent(pi.dwProcessId , pi.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
if dbevent.dwDebugEventCode <> CREATE_PROCESS_DEBUG_EVENT then begin
MessageBox(0, 'Couldnt get to EP !', 'Error !!!', MB_ICONERROR);
Exit;
end;
if dbevent.dwDebugEventCode = CREATE_PROCESS_DEBUG_EVENT then MessageBox(0, 'Got to EP !', 'OK !!!', MB_ICONERROR);
stop := False;
while not stop do begin
stop := True;
if dbevent.dwDebugEventCode = LOAD_DLL_DEBUG_EVENT then Stop := False;
if dbevent.dwDebugEventCode = CREATE_THREAD_DEBUG_EVENT then Stop := False;
if dbevent.dwDebugEventCode = CREATE_PROCESS_DEBUG_EVENT then Stop := False;
WaitForDebugEvent(dbevent, INFINITE);
dwStat := DBG_EXCEPTION_NOT_HANDLED;
case dbevent.dwDebugEventCode of
EXCEPTION_DEBUG_EVENT: begin
case dbevent.Exception.ExceptionRecord.ExceptionCode of
EXCEPTION_BREAKPOINT: dwStat := DBG_CONTINUE;
end;
end;
EXIT_PROCESS_DEBUG_EVENT: begin
MessageBoxA(0, 'Prog exited :/', 'Error', MB_ICONERROR);
CloseHandle(hFile);
ExitProcess(0);
end;
end;
ContinueDebugEvent(dbevent.dwProcessId,dbevent.dwThreadId,dwStat);
end;
I've also tried to write $CC to EP and run until debug exception, but it doesnt break
ir just runs. Like i wrote int3 to wrong process. But i didnt miss the handles for sure...