Stop at system dlls.

Topic created on: October 30, 2012 02:58 CDT by dewew.

How can I make my OllyDbg or Immunity Debugger stop when calling system DLLs?

  waleedassar     October 30, 2012 15:01.26 CDT
Options --> Debugging Options ---> Events ---> Break on new module (DLL).
This causes OllyDbg to pause at the point the "ZwMapViewOfSection" function has just returned.

If you want to break at the "DllMain" function of a system DLL, instruct OllyDbg to pause at "System Breakpoint", select ntdll.dll from the executable modules table (ALT+E), and then press CTRL+S to search for the following sequence of instructions.

push [ebp+0x14]
push [ebp+0x10]
push [ebp+0xC]
call [ebp+0x8]

Place a breakpoint on the call [ebp+0x8] instruction. Each time the breakpoint is hit, inspect the stack to see if it is the system DLL you are expecting.

I am not sure if Immunity has a built-in command for that. In WinDbg, it is much easier.
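
An offline version of the CTRL+S search described in the reply above, as an added example that is not part of the original post: it scans the executable sections of a 32-bit PE image for the quoted instruction sequence and reports the RVA of each call [ebp+0x8]. The function names, the constructed sample image and its image base are assumptions made for illustration.

```python
import struct

# 32-bit x86 encodings of the sequence quoted in the post:
#   push [ebp+0x14] / push [ebp+0x10] / push [ebp+0xC] -> FF 75 14, FF 75 10, FF 75 0C
#   call [ebp+0x8]                                      -> FF 55 08
PUSHES = bytes.fromhex("ff7514ff7510ff750c")
CALL = bytes.fromhex("ff5508")
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def find_call_sites(image: bytes):
    """Return (preferred image base, RVAs of each matching `call [ebp+0x8]`)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    if struct.unpack_from("<H", image, pe + 24)[0] != 0x10B:
        raise ValueError("sequence is 32-bit code; expected a PE32 image")
    base = struct.unpack_from("<I", image, pe + 52)[0]
    hits = []
    for i in range(nsec):
        hdr = pe + 24 + opt_size + 40 * i  # 40-byte section header
        rva, raw_size, raw_ptr = struct.unpack_from("<III", image, hdr + 12)
        flags = struct.unpack_from("<I", image, hdr + 36)[0]
        if not flags & IMAGE_SCN_MEM_EXECUTE:
            continue  # only executable sections can hold the call
        data = image[raw_ptr:raw_ptr + raw_size]
        pos = data.find(PUSHES + CALL)
        while pos != -1:
            hits.append(rva + pos + len(PUSHES))  # RVA of the call itself
            pos = data.find(PUSHES + CALL, pos + 1)
    return base, hits

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real ntdll.dll) with one match."""
    code = b"\x90" * 0x30 + PUSHES + CALL + b"\xc3"
    img = bytearray(0x400 + len(code))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xHH", img, 0x84, 0x14C, 1, 0xE0, 0x2102)  # COFF header
    struct.pack_into("<H", img, 0x98, 0x10B)                         # PE32 magic
    struct.pack_into("<I", img, 0xB4, 0x7C900000)                    # ImageBase (constructed)
    struct.pack_into("<8sIIII12xI", img, 0x178, b".text", len(code),
                     0x1000, len(code), 0x400, 0x60000020)           # section header
    img[0x400:] = code
    return bytes(img)
```

The result is an RVA, so the breakpoint address is that RVA added to the base the debugger shows for ntdll.dll in the modules table (ALT+E), which can differ from the preferred base in the file.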
