Problem debugging 32 bit system process with Olly

#1  02-07-2015, 06:16  MCKSys Argentina

Hi all!

I'm trying to debug a 32-bit SYSTEM process (a service) with Olly 1.10 and Olly 2.01 on Windows 2003 x86.

In Olly 2 the problem arises when trying to attach to the process. It says "attaching" and stays like that forever. I'm using the latest version.

Olly 1.10 allows me to attach to the process, but when I put a BP on the process (any kind of BP: hard or soft, in any module) and the BP triggers, the GUI freezes. I also tested this with patched versions of Olly 1.10, and I get the same result.
I tried with the 32-bit version of x64_dbg: it attaches well, breaks on the BPs and the GUI responds, BUT it has a weird behaviour. First, it doesn't stop on the BP address; it stops at the next one. HBPs don't stop at all. But the worst thing is when you hit "step into" (F7) or "step over" (F8): it runs as if you'd pressed F9. Also, it crashed several times (I'm making a report to upload to the x64_dbg forum).

The only solution I found was to use Olly 1.08 or windbg (honestly, I prefer Olly when debugging user mode).

My question is: Have any of you guys faced this situation before? Do you have a different solution from the one I have?

Thanks!

PS: Forgive my bad English. I speak Spanish every day.

#2  02-07-2015, 06:40  Pansemuckl
Anti-debug code, most likely. I'd be interested to get some info on this too. I'm on x64 and crApps like SafeEngine Shielden are often used to hide malware.

#3  02-07-2015, 06:53  MCKSys Argentina
It's not anti-debug. The program doesn't have any kind of packer/protection. It's pure C/C++ code.

I believe the problem is that the process runs as a service under the SYSTEM user account; and even when I checked the option to allow the SYSTEM process to communicate with the user desktop, Olly 1.10 has some kind of issue when trying to "pop up" after a BP has been reached (or when you hit "pause", or any other kind of interaction with it).

EDIT: Olly2 has the same problem too.

#4  02-07-2015, 07:39  sendersu
Very interesting topic. Some hints here:
http://support.microsoft.com/kb/824344

#5  02-11-2015, 03:35  MCKSys Argentina
OK. I've found that the problem seems to be the plugins or Olly 1.10 itself.
Using just the Olly 1.10 exe in an empty folder, it works as it should.
When you close Olly, the ini will be created. To make Olly work as expected again, set the "Restore windows" key to "0".

That will solve the problem, and keep all your preferences and BPs.

I'm still testing with plugins, but in my case (SYSTEM service debugging) I don't need any of them, so I consider this problem solved.

Thanks for your responses!
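The fix in post #5 is a one-key change to ollydbg.ini. The following script is an added example, not code from the thread or from OllyDbg, that applies that change without disturbing the rest of the file. It assumes (the thread does not say) that the key is written as "Restore windows=<n>" inside a [Settings] section and that the file is plain 8-bit text; the sample ini below is constructed for the example. It deliberately avoids configparser, which lower-cases keys and rewrites "key=value" as "key = value", a format OllyDbg is not guaranteed to read back.

```python
"""Set "Restore windows" to 0 in an OllyDbg 1.10 ollydbg.ini (added example).

Assumptions, not taken from the thread:
  * the key is stored as "Restore windows=<n>" in the [Settings] section;
  * the file is plain 8-bit text (Windows 2003 era ANSI), so it is read and
    written as latin-1 to keep every byte of the other entries intact.
"""
import re
import sys
from pathlib import Path

KEY = "Restore windows"
SECTION = "[Settings]"          # assumed section name
KEY_RE = re.compile(r"^(\s*)" + re.escape(KEY) + r"\s*=(.*)$", re.IGNORECASE)

# Constructed sample ini for the example; not a real file from the thread.
SAMPLE_INI = (
    "[Settings]\r\n"
    "Restore windows=1\r\n"
    "Show ASCII dump=1\r\n"
    "[History]\r\n"
    "File 0=C:\\svc\\service.exe\r\n"
)


def _eol(lines):
    """Keep CRLF if the file uses it anywhere, otherwise LF."""
    return "\r\n" if any(l.endswith("\r\n") for l in lines) else "\n"


def current_value(ini_text):
    """Return the integer value of 'Restore windows', or None if absent/non-numeric."""
    for line in ini_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            try:
                return int(m.group(2).strip())
            except ValueError:
                return None
    return None


def set_restore_windows(ini_text, value=0):
    """Return ini_text with 'Restore windows' set to value.

    The existing line is replaced in place (first match only, case-insensitive);
    if the key is missing it is added under [Settings], creating the section at
    the end of the file when needed. Every other line is kept byte-for-byte.
    """
    lines = ini_text.splitlines(keepends=True)
    eol = _eol(lines)
    out, replaced = [], False
    for line in lines:
        m = KEY_RE.match(line.rstrip("\r\n"))
        if m and not replaced:
            out.append(f"{m.group(1)}{KEY}={value}{eol}")
            replaced = True
        else:
            out.append(line)
    if replaced:
        return "".join(out)

    new_line = f"{KEY}={value}{eol}"
    for i, line in enumerate(out):
        if line.strip().lower() == SECTION.lower():
            out.insert(i + 1, new_line)
            return "".join(out)
    if out and not out[-1].endswith("\n"):
        out[-1] += eol                      # terminate an unterminated last line
    out.append(SECTION + eol)
    out.append(new_line)
    return "".join(out)


def fix_file(path):
    """Patch the ini at path, keeping a .bak copy; returns the new value."""
    p = Path(path)
    original = p.read_bytes().decode("latin-1")
    p.with_suffix(p.suffix + ".bak").write_bytes(original.encode("latin-1"))
    patched = set_restore_windows(original, 0)
    p.write_bytes(patched.encode("latin-1"))
    return current_value(patched)


if __name__ == "__main__":
    # Usage: python fix_olly_ini.py C:\path\to\ollydbg.ini
    target = sys.argv[1] if len(sys.argv) > 1 else "ollydbg.ini"
    print(f"Restore windows is now {fix_file(target)} in {target}")
```

Run it once while OllyDbg is closed (the thread notes the ini is only written on exit), then re-attach to the service; breakpoints and plugin settings in the rest of the file are untouched.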