📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Debuggers forum: Unreproducible Breakpoint (OllyDBG) and Bad Human Memory!

Topic created on: July 9, 2007 10:08 CDT by WeaponX2007 .

Hi,

I have an application that spawns another process which I would like to debug. The parent process communicates with it using named pipes.

I recently managed to set a breakpoint (some kind) in that child process and debugged it. Somehow I cannot reproduce this anymore!
The child process also does not show up in the modules pane, so I wonder how I did that in the first place.

Any ideas?

WX

  aeppert     July 9, 2007 11:44.49 CDT
A bit more context would be greatly appreciated:

1) What operating system?

2) Additional details about the binary - is it packed?

  WeaponX2007   July 9, 2007 12:29.20 CDT
> aeppert: A bit more context would be greatly appreciated:
>
> 1) What debugger?

OllyDBG 1.10

>
> 2) What operating system?

Vista

>
> 3) Additional details about the binary - is it packed?
Not much to tell. It's a plain Win32 executable.

So it's calling CreateProcess (suspended), creates a thread, creates a named pipe and resumes the process; waitobject in the main thread and communication over the named pipe in the thread.
I somehow managed to have it break in that process. I just can't reproduce it anymore, though.

I'm sure it's something awfully simple. I just need someone to point it out to me.

  nico     July 9, 2007 12:39.46 CDT
When a process is created as suspended, you cannot attach to it with another instance of OllyDbg, because it won't show up in the list of processes (even though you can see it with Task Manager, Process Explorer and friends).

You can try to set Olly as a JIT debugger (in the options), and use Process Explorer to debug the suspended process; it will show up in the list of processes.

Might work.

Otherwise, try to put a jmp eip (0xEB 0xFE) at the created process's entry point, so when it resumes it's going to loop, and you can attach to it and fix the original bytes.

Ghetto style, but works ;-)

  WeaponX2007   July 9, 2007 12:49.40 CDT
nico, thanks for that info.

I know that you cannot attach to a suspended process from olly, and I also know that I can just enable JIT and attach from there.

What I'm saying is that, in the same scenario, I had somehow set a breakpoint in that child executable from inside Olly, and it worked (multiple times). I don't know how anymore; I believe I remember having two OllyDbgs open, and was able to just restart the application and the breakpoint would be caught.

Thx,

WX

  nico     July 9, 2007 13:13.31 CDT
If you don't know what you did, how can we? :-)

So you say you did set a BP on the child, so I suppose you were attached to it; otherwise I don't see how you did it.
You could use some plugins to do WriteProcessMemory on the suspended process and inject 0xCC, but I don't see how you would catch it if there is no debugger attached to it.

So how did you attach to it, if you actually remember attaching to it ;))
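
The two-byte patch nico suggests above (and his point in this post about injecting 0xCC instead), as an added example that is not code from this thread. The PE-header parsing and the freeze/restore logic run anywhere, on a constructed sample image; the WinMemory class is this example's own assumed use of ReadProcessMemory/WriteProcessMemory through ctypes and only works on Windows. The child's load address is deliberately not parsed from the headers: on Vista, ASLR can move it away from the header's ImageBase, so take it from Process Explorer or the child's PEB and pass it in.

```python
# Added example, not code from the OpenRCE thread: nico's "jmp eip" trick. Park a
# suspended child at its entry point with `jmp $` (EB FE), attach once it spins, restore.
import ctypes
import struct

JMP_SELF = b"\xEB\xFE"  # jmp rel8 -2: the instruction jumps to itself, EIP never advances


def entry_point_rva(image: bytes) -> int:
    """AddressOfEntryPoint from the PE headers (same offset in PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    optional = e_lfanew + 4 + 20  # skip Signature and IMAGE_FILE_HEADER
    return struct.unpack_from("<I", image, optional + 16)[0]


def freeze_entry(mem, entry_va: int) -> bytes:
    """Plant jmp $ at the entry point while the child is suspended; return the bytes replaced."""
    saved = mem.read(entry_va, len(JMP_SELF))
    if len(saved) != len(JMP_SELF):
        raise RuntimeError("could not read the entry point")
    mem.write(entry_va, JMP_SELF)
    return saved


def thaw_entry(mem, entry_va: int, saved: bytes) -> None:
    """Debugger attached, EIP parked at entry_va: put the original bytes back."""
    if mem.read(entry_va, len(JMP_SELF)) != JMP_SELF:
        raise RuntimeError("entry point does not hold jmp $; refusing to overwrite")
    mem.write(entry_va, saved)


class FakeMemory:
    """Offline stand-in for the child process: one region mapped at `base`."""
    def __init__(self, base: int, data: bytes):
        self.base, self.buf = base, bytearray(data)

    def read(self, addr: int, n: int) -> bytes:
        off = addr - self.base
        return bytes(self.buf[off:off + n])

    def write(self, addr: int, data: bytes) -> None:
        off = addr - self.base
        self.buf[off:off + len(data)] = data


class WinMemory:
    """Real child on Windows via ctypes over kernel32 (assumed usage; Windows only)."""
    ACCESS = 0x8 | 0x10 | 0x20  # PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

    def __init__(self, pid: int):
        k, P, S = ctypes.WinDLL("kernel32", use_last_error=True), ctypes.c_void_p, ctypes.c_size_t
        k.OpenProcess.restype, k.OpenProcess.argtypes = P, [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
        k.ReadProcessMemory.argtypes = [P, P, P, S, ctypes.POINTER(S)]
        k.WriteProcessMemory.argtypes = [P, P, P, S, ctypes.POINTER(S)]
        k.FlushInstructionCache.argtypes = [P, P, S]
        self.k32, self.h = k, k.OpenProcess(self.ACCESS, False, pid)
        if not self.h:
            raise OSError(ctypes.get_last_error())

    def read(self, addr: int, n: int) -> bytes:
        buf, got = ctypes.create_string_buffer(n), ctypes.c_size_t(0)
        if not self.k32.ReadProcessMemory(self.h, addr, buf, n, ctypes.byref(got)):
            raise OSError(ctypes.get_last_error())
        return buf.raw[:got.value]

    def write(self, addr: int, data: bytes) -> None:
        done = ctypes.c_size_t(0)
        if not self.k32.WriteProcessMemory(self.h, addr, data, len(data), ctypes.byref(done)):
            raise OSError(ctypes.get_last_error())
        self.k32.FlushInstructionCache(self.h, addr, len(data))  # code bytes changed


def build_fake_pe_headers(entry_rva: int) -> bytes:
    """Constructed sample PE header holding only the fields this example reads."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x10B)  # optional header magic: PE32
    struct.pack_into("<I", hdr, 0x40 + 24 + 16, entry_rva)  # AddressOfEntryPoint
    return bytes(hdr)


def demo():
    """Offline walk-through on the constructed image; returns what each step saw."""
    base, image = 0x400000, bytearray(0x2000)  # constructed child: headers at base, code at +0x1000
    image[:0x100] = build_fake_pe_headers(0x1000)
    image[0x1000:0x1003] = b"\x55\x8B\xEC"  # push ebp / mov ebp, esp
    mem = FakeMemory(base, image)
    entry = base + entry_point_rva(mem.read(base, 0x100))
    saved = freeze_entry(mem, entry)  # the child would spin here after ResumeThread
    frozen = mem.read(entry, 3)
    thaw_entry(mem, entry, saved)  # once the debugger is attached
    return entry, saved, frozen, mem.read(entry, 3)
```

The window for the write is while the parent sits between CreateProcess returning and ResumeThread, so break there in the parent, call freeze_entry against the child, then let the parent resume it. EB FE rather than CC because an int3 hit with no debugger attached is an unhandled EXCEPTION_BREAKPOINT that kills the child (or hands it to the JIT debugger), whereas jmp $ just burns CPU in place until you attach; after attaching, the thread's EIP is at the entry point, so run thaw_entry before stepping.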

  WeaponX2007   July 9, 2007 13:37.01 CDT
That's the misery of it, I don't remember, or shall I say I was accepting the fact that it worked too quickly, so I didn't pay much attention to it :(

Debug session process 1
process 1 creates process 2 (suspended)
process 1 & 2 do IPC via Named Pipe

I had another odbg open with binary of process 2, (another pid), and was setting some breakpoints up for my next run.
Then I ran debug session 1 and the breakpoints got caught.

That's all I remember, and then I passed out :)
Just kidding.

But I think that more or less, sums up my memory.
Could it have something to do with hardware breakpoints, execute or read mem bp?

Thx

  nico     July 9, 2007 13:45.58 CDT
The main question is how you set those BPs, because if you cannot attach to it, you can't set them ;-)

  WeaponX2007   July 9, 2007 14:13.43 CDT
I agree.

I will spend some more time on investigating it, and then leave it be. Even though it was a nice feature to have, for those few debug sessions.

  WeaponX2007   July 9, 2007 17:43.14 CDT
OK, that's it.
Let's just say I was in the twilight zone, returned and posted on this forum.
So before I go crazy (??), I will stop.

Maybe one day I will return, to the twilight zone! where nothing is, as it seems, except those breakpoints!

Good day and thanks for the fish!

  MrT   July 10, 2007 00:53.42 CDT
All I can say is thank you Weapon... Here I was about to give up on drinking because it served no useful purpose, yet your last post reminded me that comedy does exist outside of George Carlin re-runs!
