📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Forums >> Debuggers >> Using Debug API

Topic created on: November 14, 2007 04:15 CST by djnemo.

Hi ...
I searched a little on the net about how debuggers work, the Debug API and so on. I've seen MSDN, Iczelion, some from the Woodmann website. But Iczelion said in their tutorials not to use the sample programs with big applications, and the others said that in Windows NT you can't debug protected processes, but in Win9x no problem!!!

Now the question is:
Is there any other library for debugging?
What is the right way of using the Debug API in the real world, without the problems I explained before (with big programs and protected processes; how do Olly or others do it)?

Thanks a lot - Nemo

  Neitsa     November 14, 2007 05:17.02 CST
> djnemo
> Now the question is:
> Is there any other library for debugging?

Nope, you'll have to use the system debugging API, because debugging relies on some internal (i.e. kernel) mechanisms. (That's a bit different for ring0 debuggers.)

You may find some debugging frameworks that wrap the debugging API for ease of use, but you won't find any new debugging APIs.

> What is the right way of using the Debug API in the real world, without the problems I explained before (with big programs and protected processes; how do Olly or others do it)?
>
> Thanks a lot - Nemo

The MSDN / Iczelion ways are the right ways to start using the debugging APIs, but you'll have to dig a little bit further for complex programs.

Protected programs (by packers and/or protectors) use a lot of anti-debugging tricks, from very simple ones (IsDebuggerPresent, for example) to hardcore ones (dongle + VM).

If you want to program a debugger, do not start by thinking that you will handle all those tricks. Start by programming a very good and reliable debugger base, which handles all known and documented debugging cases (see all cases and sub-cases in the DEBUG_EVENT struct), and make your debugger expandable with a plug-in architecture.
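The "reliable debugger base" described above, as an added example written for this thread (it is not PyDbg's code and not Neitsa's): a debug loop that dispatches on every documented DEBUG_EVENT code and implements the software-breakpoint mechanics a debugger needs (save the original byte, write int3, restore and rewind EIP on the hit, single-step with the trap flag, re-arm). The event and status constants are the Win32 SDK values; FakeDebuggee, Debugger, demo and SYSTEM_BP_ADDRESS are constructed stand-ins so the loop runs without Windows, with a bytearray as the "process" and a dict as the thread context. Note the one case a debugger must not swallow: an int3 it did not plant goes back to the debuggee with DBG_EXCEPTION_NOT_HANDLED.

```python
"""Minimal user-mode debugger core modelled on the Win32 debug loop (Python 3).

Constructed example: the debuggee is a bytearray of one-byte instructions
and its thread context is a dict, so DEBUG_EVENT dispatch and software
breakpoints can be exercised without Windows or PyDbg.
"""

# DEBUG_EVENT.dwDebugEventCode values and ContinueDebugEvent statuses (Win32 SDK)
EXCEPTION_DEBUG_EVENT, CREATE_THREAD_DEBUG_EVENT, CREATE_PROCESS_DEBUG_EVENT = 1, 2, 3
EXIT_THREAD_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT, LOAD_DLL_DEBUG_EVENT = 4, 5, 6
UNLOAD_DLL_DEBUG_EVENT, OUTPUT_DEBUG_STRING_EVENT, RIP_EVENT = 7, 8, 9
EXCEPTION_BREAKPOINT, EXCEPTION_SINGLE_STEP = 0x80000003, 0x80000004
DBG_CONTINUE, DBG_EXCEPTION_NOT_HANDLED = 0x00010002, 0x80010001
INT3, NOP, TRAP_FLAG = 0xCC, 0x90, 0x100
SYSTEM_BP_ADDRESS = -1  # constructed stand-in for the loader's initial int3 address


class FakeDebuggee:
    """Stand-in for the target: a code buffer plus one thread's context."""

    def __init__(self, code):
        self.mem = bytearray(code)
        self.ctx = {"eip": 0, "eflags": 0}
        self.executed = []  # addresses whose real (non-int3) instruction ran
        # process start is reported as CREATE_PROCESS, then the loader's int3
        self.pending = [
            {"kind": CREATE_PROCESS_DEBUG_EVENT},
            {"kind": EXCEPTION_DEBUG_EVENT, "code": EXCEPTION_BREAKPOINT,
             "address": SYSTEM_BP_ADDRESS},
        ]

    def wait_for_debug_event(self):
        """Run until the next event, like WaitForDebugEvent()."""
        if self.pending:
            return self.pending.pop(0)
        while self.ctx["eip"] < len(self.mem):
            addr = self.ctx["eip"]
            opcode = self.mem[addr]
            self.ctx["eip"] = addr + 1  # eip already points past the int3 when reported
            if opcode == INT3:
                return {"kind": EXCEPTION_DEBUG_EVENT, "code": EXCEPTION_BREAKPOINT, "address": addr}
            self.executed.append(addr)
            if self.ctx["eflags"] & TRAP_FLAG:  # TF raises a single-step trap after one instruction
                self.ctx["eflags"] &= ~TRAP_FLAG
                return {"kind": EXCEPTION_DEBUG_EVENT, "code": EXCEPTION_SINGLE_STEP, "address": self.ctx["eip"]}
        return {"kind": EXIT_PROCESS_DEBUG_EVENT, "exit_code": 0}

    def continue_debug_event(self, event, status):
        """Like ContinueDebugEvent(): an exception the debugger does not claim goes back to the debuggee."""
        if event["kind"] == EXCEPTION_DEBUG_EVENT and status == DBG_EXCEPTION_NOT_HANDLED:
            # no SEH in the model, so an unhandled exception terminates the process
            self.pending.append({"kind": EXIT_PROCESS_DEBUG_EVENT, "exit_code": event["code"]})
            self.ctx["eip"] = len(self.mem)


class Debugger:
    """Debugger base: one handler per documented event code, plus software breakpoints."""

    def __init__(self, target):
        self.target = target
        self.breakpoints = {}  # address -> (original byte, callback)
        self.rearm = None  # breakpoint to put back after the single-step
        self.first_breakpoint = True
        self.log = []
        self.dispatch = {
            EXCEPTION_DEBUG_EVENT: self._on_exception,
            CREATE_PROCESS_DEBUG_EVENT: lambda e: self._note("process created"),
            CREATE_THREAD_DEBUG_EVENT: lambda e: self._note("thread created"),
            EXIT_THREAD_DEBUG_EVENT: lambda e: self._note("thread exited"),
            EXIT_PROCESS_DEBUG_EVENT: lambda e: self._note("process exited %d" % e["exit_code"]),
            LOAD_DLL_DEBUG_EVENT: lambda e: self._note("dll loaded"),
            UNLOAD_DLL_DEBUG_EVENT: lambda e: self._note("dll unloaded"),
            OUTPUT_DEBUG_STRING_EVENT: lambda e: self._note("debug string"),
            RIP_EVENT: lambda e: self._note("rip event"),
        }

    def _note(self, text):
        self.log.append(text)
        return DBG_CONTINUE

    def bp_set(self, address, callback):
        """Software breakpoint: save the original byte and write int3 over it."""
        self.breakpoints[address] = (self.target.mem[address], callback)
        self.target.mem[address] = INT3

    def _on_exception(self, event):
        code, address, ctx = event["code"], event["address"], self.target.ctx
        if code == EXCEPTION_BREAKPOINT:
            if self.first_breakpoint:  # loader's initial int3: just continue
                self.first_breakpoint = False
                return self._note("first breakpoint")
            if address not in self.breakpoints:
                return DBG_EXCEPTION_NOT_HANDLED  # not ours: leave it to the debuggee's SEH
            original, callback = self.breakpoints[address]
            self.target.mem[address] = original  # put the real instruction back
            ctx["eip"] = address  # rewind so that instruction executes
            ctx["eflags"] |= TRAP_FLAG  # single-step once, then re-arm
            self.rearm = address
            return callback(self, address)
        if code == EXCEPTION_SINGLE_STEP and self.rearm is not None:
            self.target.mem[self.rearm] = INT3
            self.rearm = None
            return DBG_CONTINUE
        return DBG_EXCEPTION_NOT_HANDLED

    def run(self):
        """The debug loop: wait, dispatch on dwDebugEventCode, continue with the chosen status."""
        while True:
            event = self.target.wait_for_debug_event()
            status = self.dispatch.get(event["kind"], lambda e: DBG_EXCEPTION_NOT_HANDLED)(event)
            self.target.continue_debug_event(event, status)
            if event["kind"] == EXIT_PROCESS_DEBUG_EVENT:
                return self.log


def demo(code=bytes([NOP] * 6), bp_address=3):
    """Load a constructed program, optionally break on one byte, report what the loop saw."""
    target = FakeDebuggee(code)
    dbg = Debugger(target)
    hits = []

    def on_bp(debugger, address):
        hits.append((address, dict(debugger.target.ctx)))  # dump_context() stand-in
        return DBG_CONTINUE

    if bp_address is not None:
        dbg.bp_set(bp_address, on_bp)
    log = dbg.run()
    return {"log": log, "hits": hits, "executed": target.executed, "mem": bytes(target.mem)}


if __name__ == "__main__":
    print(demo())
    print(demo(bytes([NOP, INT3, NOP]), bp_address=None))  # stray int3 is handed back
```

`demo()` shows the full round trip: the breakpoint fires with EIP rewound to the patched address, the original byte executes under the trap flag, and the int3 is back in place afterwards. The second call plants no breakpoint but runs code containing an int3 the debugger did not write, so the loop returns DBG_EXCEPTION_NOT_HANDLED and the process terminates with that exception code, which is the behaviour a base layer should have before any plug-in decides to intercept such cases.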

  jms     November 14, 2007 08:56.31 CST
An excellent case study is PyDbg, which is downloadable from OpenRCE. It uses the Windows debugging API, is well commented and very easy to read. As well, look at Ero's pefile, found here, as it will give you an excellent idea of how the PE file format is laid out.

  djnemo     November 14, 2007 10:19.47 CST
Hi, and thanks for your answers. These are some of the tutorials I read:
http://www.woodmann.com/fravia/iceman1.htm
By protected process I mean an OS-protected process like svchost.exe (high-privileged processes).

http://win32assembly.online.fr/tut28.html
http://win32assembly.online.fr/tut29.html
http://win32assembly.online.fr/tut30.html
> Warning: Don't use the example in this tutorial with a large program: tracing is SLOW. You may have to wait for ten minutes before you can close the debuggee.
Can you explain more on this:
> The MSDN / Iczelion ways are the right ways to start using the debugging APIs, but you'll have to dig a little bit further for complex programs.
?
And about how to use PyDbg: can I use it as a debugger, or is it a framework for other programs? Can you give me some starting points for using PyDbg: starting a process to debug, attaching to the debuggee, breakpoints, thread context and other general uses of debuggers?

  jms     November 14, 2007 11:59.12 CST
If you read the documentation on PyDbg, Pedram gives a quick usage example of how to set up a socket recv() hook. It should get you started. You can also just search this site for the keyword "pydbg" and it will turn up snippets that others have already done.

  lafkuku     November 14, 2007 12:36.23 CST
Here is a quick snippet I made when I was learning PyDbg. Might be useful to you. By no means perfect, but something to get you started.


# PyDbg is a Python 2, Windows-only library (hence the print statements).
from pydbg import *
from pydbg.defines import *

def getPIDFromName(aName):
  # enumerate_processes() yields (pid, name) pairs; return the pid of the first name match
  procList = pydbg().enumerate_processes()
  for proc in procList:
    if proc[1] == aName:
      return proc[0]
  return None

def attachByName(aName):
  # Look the process up by the name passed in and attach to it
  pid = getPIDFromName(aName)
  if pid is not None:
    dbg = pydbg()
    dbg.attach(pid)
    return dbg
  else:
    return None

def handler(pydbg):
  # The first breakpoint is the system breakpoint raised when the process starts up; skip it
  if pydbg.first_breakpoint:
    return DBG_CONTINUE
  else:
    # One of our own breakpoints: dump the thread context (registers) and let the process continue
    print pydbg.dump_context()
    return DBG_CONTINUE


#processName = "calc.exe"
# Attach to an already running proc if it's open
#dbg = attachByName(processName)
#if dbg is not None:
#  print "Attached to: " + processName
#  print dbg
#  dbg.detach()
#else:
#  print "Process Not Found"


# Start a proc and attach
dbg = pydbg()
dbg.load("C:\\Windows\\system32\\calc.exe")
# 0x01001f51 is WinMain in the calc.exe build this was written against; adjust for your binary
dbg.bp_set(0x01001f51, "WinMain", True, handler)
dbg.run()   # run() is the debug event loop; it returns when the debuggee exits


  djnemo     November 17, 2007 01:32.58 CST
http://web.vip.hr/inga.vip/debuggy.zip
http://web.vip.hr/inga.vip/debuggy_unleashed.zip
I found these 2 links on the net: a debugger coded in VB :-O
It seems it works.

PyDbg is not a debugger like Olly; it's a framework for coding custom debugging tools, right??
