#1
Problem debugging 32 bit system process with Olly
Hi all!
I'm trying to debug a 32-bit SYSTEM process (a service) with Olly 1.10 and Olly 2.01 on Windows 2003 x86. In Olly 2 the problem arises when trying to attach to the process. It says "attaching" and stays like that forever. I'm using the latest version. Olly 1.10 allows me to attach to the process, but when I put a BP on the process (any kind of BP: hard or soft, in any module) and the BP triggers, the GUI freezes. I also tested this with patched versions of Olly 1.10, and I get the same result.

I tried with the 32-bit version of x64_dbg: it attaches well, breaks on the BPs and the GUI responds, BUT it has a weird behaviour. First, it doesn't stop on the BP address; it stops at the next one. HBPs don't stop at all. But the worst thing is when you hit "step into" (F7) or "step over" (F8): it runs as if you'd pressed F9. Also, it crashed several times (I'm making a report to upload to the x64_dbg forum).

The only solution I found was to use Olly 1.08 or windbg (honestly, I prefer Olly when debugging user mode). My question is: have any of you guys faced this situation before? Do you have a different solution from the one I have? Thanks!

PS: Forgive my bad English. I speak Spanish every day.
The Following User Says Thank You to MCKSys Argentina For This Useful Post: Indigo (07-19-2019)
#2
Anti-debug code, most likely. I'd be interested to get some info on this too. I'm on x64 and crApps like SafeEngine Shielden are often used to hide malware.
The Following User Says Thank You to Pansemuckl For This Useful Post: Indigo (07-19-2019)
#3
It's not anti-debug. The program doesn't have any kind of packer/protection. It's pure C/C++ code.
I believe the problem is that the process runs as a service under the SYSTEM user account; and even when I checked the option to allow the SYSTEM process to communicate with the user desktop, Olly 1.10 has some kind of issue when trying to "pop up" after a BP has been reached (or when you hit "pause", or on any other kind of interaction with it). EDIT: Olly2 has the same problem too.
The Following User Says Thank You to MCKSys Argentina For This Useful Post: Indigo (07-19-2019)
#4
Very interesting topic.
Some hints here: http://support.microsoft.com/kb/824344
The Following User Says Thank You to sendersu For This Useful Post: Indigo (07-19-2019)
#5
OK. I've found that the problem seems to be plugins or Olly 1.10 itself.
Using just the Olly 1.10 exe in an empty folder, it works as it should. When you close Olly, the ini will be created. To make Olly work as expected again, set the value of the "Restore windows" key to "0". That will solve the problem and keep all your preferences and BPs. I'm still testing with plugins, but in my case (SYSTEM service debugging) I don't need any of them, so I consider this problem solved. Thanks for your responses!
The Following User Says Thank You to MCKSys Argentina For This Useful Post: Indigo (07-19-2019)
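The fix in post #5 is a single ini edit, but doing it by hand in a large ollydbg.ini risks clobbering the other settings and saved breakpoints the poster wants to keep. The script below is an added example, not code from the thread or from OllyDbg; it edits only the named key in place and leaves every other line untouched. It assumes (assumption, not confirmed by the thread) that the key lives in a `[Settings]` section and that OllyDbg 1.10 writes the file as plain ANSI text; the sample ini fragment is constructed here for illustration, and only the "Restore windows" key name comes from the thread.

```python
from pathlib import Path

# Constructed sample fragment of an ollydbg.ini (layout assumed; only the
# "Restore windows" key name comes from the thread, the other keys are made up).
SAMPLE_INI = """[Settings]
Restore windows=1
Show toolbar=1

[History]
Last executable=C:\\svc\\service.exe
"""


def _append_to_section(out, key, value):
    """Insert key=value after the last non-blank line already collected."""
    i = len(out)
    while i > 0 and out[i - 1].strip() == "":
        i -= 1
    out.insert(i, f"{key}={value}")


def set_ini_key(text, section, key, value):
    """Return `text` with key=value set inside [section].

    Every other line (comments, blank lines, other keys and sections) is
    preserved verbatim, so saved preferences and breakpoints survive.  A
    missing key is appended to its section; a missing section is appended
    at the end of the file.
    """
    out = []
    in_section = False
    section_seen = False
    done = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Leaving the target section without having found the key.
            if in_section and not done:
                _append_to_section(out, key, value)
                done = True
            in_section = stripped[1:-1].strip().lower() == section.lower()
            section_seen = section_seen or in_section
            out.append(line)
            continue
        if in_section and not done and "=" in line:
            k, _ = line.split("=", 1)
            if k.strip().lower() == key.lower():
                out.append(f"{k.strip()}={value}")
                done = True
                continue
        out.append(line)
    if not done:
        if not section_seen:
            out.append(f"[{section}]")
        _append_to_section(out, key, value)
    return "\n".join(out) + "\n"


def get_ini_key(text, section, key):
    """Return the value of key in [section], or None if absent (for verifying the edit)."""
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].strip().lower() == section.lower()
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return None


def disable_restore_windows(ini_path):
    """Set "Restore windows" to 0 in the given ollydbg.ini, rewriting it in place.

    The latin-1 encoding is an assumption (OllyDbg 1.10 writes an ANSI file);
    latin-1 round-trips any byte sequence, so nothing is lost on rewrite.
    """
    p = Path(ini_path)
    text = p.read_text(encoding="latin-1")
    new_text = set_ini_key(text, "Settings", "Restore windows", "0")
    p.write_text(new_text, encoding="latin-1")
    return get_ini_key(new_text, "Settings", "Restore windows")


if __name__ == "__main__":
    # Dry run on the constructed sample: show before/after for the one key.
    print("before:", get_ini_key(SAMPLE_INI, "Settings", "Restore windows"))
    fixed = set_ini_key(SAMPLE_INI, "Settings", "Restore windows", "0")
    print("after: ", get_ini_key(fixed, "Settings", "Restore windows"))
    print(fixed)
```

Run `disable_restore_windows(r"C:\path\to\ollydbg.ini")` with OllyDbg closed, since Olly rewrites the ini on exit and would otherwise overwrite the change.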