anonymouse <any_anonymouse yahoo com> |
Saturday, August 16 2008 06:58.19 CDT |
Many times one finds a dropper creating a child process and then losing track of it.
With WinDbg in hand one could simply do .childdbg 1, but WinDbg is not as handy as OllyDbg for user-level debugging,
and in OllyDbg it is a pain to patch the child's entry point with EB FE (jmp $), detach, reattach, remember the old bytes, restore them and only then debug the child.
Recently I was pestered by one quadruplet, so I added this command (childdbg 1 / childdbg 0 :)) to my modified command line plugin.
Hope it's useful.
Anyone willing to test this on tougher beasts is welcome.
Usage as usual: hit Alt+F1 and type childdbg 1 or childdbg 0 to enable or disable debugging of the child.
The setting is per process only. The concept is similar to WinDbg's, except that in WinDbg the child is debugged in the same single console window, whereas here a separate OllyDbg is spawned for it.
Added One more command childdbg
usage
alt+f1
type childdbg 1 to enable debugging of child process
type childdbg 0 to disable debugging of child process
Code for the main module:
#define STRICT // Avoids some type mismatches
#include <windows.h>
#include <stdio.h>
#include "plugin.h"
extern char string[TEXTLEN]; // argument text of the current command, defined in cmdexec.c (read by Childdbg())
// Only the information class this plugin needs; the value is taken from
// ntddk.h so the DDK header does not have to be pulled into the plugin.
typedef enum _PROCESSINFOCLASS {
ProcessDebugFlags=31 // From ntddk.h
} PROCESSINFOCLASS;
// Prototype of ntdll!NtSetInformationProcess, which Childdbg() resolves at
// run time with GetProcAddress(). The return value is presumably an NTSTATUS
// (0 on success) — declared as DWORD here.
typedef DWORD (NTAPI *NTSETINFORMATIONPROCESS)(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
IN PVOID ProcessInformation,
IN ULONG ProcessInformationLength
);
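// Parses the argument of the "childdbg" command.
// Accepts "0" or "1" surrounded by optional blanks and returns that digit;
// anything else returns -1. (The old code only compared the first character,
// so "01" or "1xyz" were silently accepted as well.)
static int childdbg_parse_flag(const char *arg)
{
  const char *p = arg;
  int flag;
  while (*p == ' ' || *p == '\t')
    p++;
  if (*p == '0')
    flag = 0;
  else if (*p == '1')
    flag = 1;
  else
    return -1;
  for (p++; *p != '\0'; p++)
  {
    if (*p != ' ' && *p != '\t' && *p != '\r' && *p != '\n')
      return -1;
  }
  return flag;
}

// Command "childdbg 0|1": sets ProcessDebugFlags on the current debuggee via
// ntdll!NtSetInformationProcess. After "childdbg 1" this debugger receives
// CREATE_PROCESS_DEBUG_EVENT for processes the debuggee creates (they are
// picked up by ODBG_Pluginmainloop); "childdbg 0" switches that off again.
// The setting applies to the current debuggee only.
// `answer` and `parm` are the command dispatcher's generic arguments and are
// not used; the argument text is read from the global `string`.
// Returns 0 on success (and after a usage error, which is only logged), the
// GetLastError() value when ntdll / NtSetInformationProcess cannot be
// resolved, or the non-zero status returned by NtSetInformationProcess.
int Childdbg(char *answer,ulong parm)
{
  char buf[TEXTLEN]={0};
  ULONG debugflag;
  DWORD status;
  HMODULE hNtdll;
  NTSETINFORMATIONPROCESS ntsetinfproc;
  int flag;
  (void)answer;
  (void)parm;
  strncpy(buf,string,TEXTLEN-1); // buf is zero-filled, so it stays terminated
  flag = childdbg_parse_flag(buf);
  if (flag < 0)
  {
    Addtolist(0,1,"use \"childdbg 0 to Disable or childdbg 1 to Enable\" ");
    return 0;
  }
  // The old code duplicated the whole lookup in both branches; do it once.
  if ((hNtdll = LoadLibrary("ntdll.dll")) == NULL)
  {
    Addtolist(0,1,"loadlib failed in command childdbg");
    return GetLastError();
  }
  ntsetinfproc = (NTSETINFORMATIONPROCESS) GetProcAddress(hNtdll,"NtSetInformationProcess");
  if (ntsetinfproc == NULL)
  {
    status = GetLastError(); // capture before Addtolist() can clobber it
    Addtolist(0,1,"GetProcAddress failed in command childdbg");
    FreeLibrary(hNtdll); // balance the LoadLibrary() reference (was leaked)
    return status;
  }
  debugflag = (ULONG)flag;
  // The old code ignored the returned status, so a rejected call was still
  // logged as "Enabled"/"Disabled". Non-zero means the flag was NOT changed.
  status = ntsetinfproc((HANDLE)Plugingetvalue(VAL_HPROCESS),ProcessDebugFlags,&debugflag,sizeof(debugflag));
  FreeLibrary(hNtdll);
  if (status != 0)
  {
    Addtolist(0,1,"NtSetInformationProcess failed in command childdbg, status %08lX",(unsigned long)status);
    return (int)status;
  }
  if (flag == 0)
    Addtolist(0,1,"hello Childdbg Disabled");
  else
    Addtolist(0,1,"hello Childdbg Enabled");
  return 0;
}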
Code for ODBG_Pluginmainloop in command.c:
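// Number of attempts, 300 ms apart, to deliver the F12 keystroke to the new
// OllyDbg. The old loop retried forever and could hang this debugger.
#define CHILDDBG_POST_RETRIES 100

// Hands the child process described by `ev` (a CREATE_PROCESS_DEBUG_EVENT
// that reaches this debugger once Childdbg() has enabled ProcessDebugFlags)
// over to a second OllyDbg instance:
//   1. suspend the child's initial thread and patch its entry point with
//      EB FE (jmp $) so it parks there instead of running;
//   2. resume the thread and detach with DebugActiveProcessStop();
//   3. start "<this ollydbg> -p <pid>" and wait until it is idle (its first
//      stop is normally reported in ntdll, see the message box text below);
//   4. suspend the thread again, restore the two original entry bytes, send
//      F12 to the new OllyDbg and ask the user to set a breakpoint at the
//      entry point before dismissing the message box.
// Every exit path resumes the thread if this function suspended it and
// closes every handle it opened (the old code leaked both on each error and
// never closed the PROCESS_INFORMATION handles at all).
// If the patch is still in place when the child is no longer our debuggee
// (the second OllyDbg could not be started, or the restore failed) the child
// is deliberately left parked and the address plus the original bytes are
// logged so the user can repair it by hand: letting an unattended dropper
// child run free is worse than leaving it hung.
// NOTE(review): whatever the child executes before lpStartAddress (loader
// code and any TLS callbacks the image declares) runs while no debugger is
// attached; confirm that is acceptable for the samples being analysed.
static void childdbg_handoff(const DEBUG_EVENT *ev)
{
  DEBUGACTIVEPROCESSSTOP dbgactprocstop;
  HMODULE hKernel32;
  HANDLE hThread = NULL;
  HANDLE hProcess = NULL;
  STARTUPINFO si;
  PROCESS_INFORMATION pi;
  LPVOID entry = ev->u.CreateProcessInfo.lpStartAddress;
  BYTE savebyte[2] = {0,0};
  const BYTE spin[2] = {0xEB,0xFE}; // jmp $
  char ollypath[MAX_PATH];
  char cmdline[MAX_PATH + 32];
  DWORD pathlen;
  int suspended = 0; // we currently hold one SuspendThread() on hThread
  int patched = 0;   // EB FE currently sits at `entry`
  int detached = 0;  // DebugActiveProcessStop() succeeded
  int delivered = 0; // F12 reached the new OllyDbg's message queue
  int i;
  ZeroMemory(&pi,sizeof(pi));
  // DebugActiveProcessStop() only exists on XP and later, so resolve it at
  // run time. kernel32 is always mapped, so GetModuleHandle() suffices and,
  // unlike the old LoadLibrary(), adds no reference that is never released.
  hKernel32 = GetModuleHandle("kernel32.dll");
  dbgactprocstop = hKernel32 ? (DEBUGACTIVEPROCESSSTOP) GetProcAddress(hKernel32,"DebugActiveProcessStop") : NULL;
  if (!dbgactprocstop)
  {
    MessageBox(0,"DebugActiveProcessStop Is Not Available Needs Xp And Above","CHILDDBG",MB_OK);
    return;
  }
  hThread = OpenThread(THREAD_ALL_ACCESS,FALSE,ev->dwThreadId);
  if (!hThread)
  {
    MessageBox(0,"OpenThreadFailed","CHILDDBG",MB_OK);
    return;
  }
  if (SuspendThread(hThread) == (DWORD)-1)
  {
    MessageBox(0,"SuspendThread Failed","CHILDDBG",MB_OK);
    goto cleanup;
  }
  suspended = 1;
  hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,ev->dwProcessId);
  if (!hProcess)
  {
    MessageBox(0,"OpenProcessFailed","CHILDDBG",MB_OK);
    goto cleanup;
  }
  // Save exactly the two bytes the patch overwrites (the old code read four
  // and copied 31, but only ever wrote two back).
  if (!ReadProcessMemory(hProcess,entry,savebyte,sizeof(savebyte),NULL))
  {
    MessageBox(0,"ReadProcMem Failed","CHILDDBG",0);
    goto cleanup;
  }
  // this child will spin infinite on resume
  if (!WriteProcessMemory(hProcess,entry,spin,sizeof(spin),NULL))
  {
    MessageBox(0,"WriteProcMemFailed Before Resume","CHILDDBG",MB_OK);
    goto cleanup;
  }
  patched = 1;
  ResumeThread(hThread);
  suspended = 0;
  // Launch the OllyDbg executable this plugin is running in, by full path.
  // The old bare "ollydbg" went through CreateProcess()'s search order, which
  // includes the current directory; if that is the sample's directory an
  // ollydbg.exe planted next to the sample would have been started instead.
  pathlen = GetModuleFileName(NULL,ollypath,sizeof(ollypath));
  if (pathlen == 0 || pathlen >= sizeof(ollypath))
    strcpy(ollypath,"ollydbg"); // old behaviour as a last resort
  _snprintf(cmdline,sizeof(cmdline),"\"%s\" -p %lu",ollypath,(unsigned long)ev->dwProcessId);
  cmdline[sizeof(cmdline)-1] = '\0'; // _snprintf() does not terminate on truncation
  // detach for reattaching with new ollydbg
  if (!dbgactprocstop(ev->dwProcessId))
  {
    MessageBox(0,"DebugActiveProcessStop Failed","CHILDDBG",MB_OK);
    goto cleanup; // still our debuggee: cleanup below undoes the patch
  }
  detached = 1;
  ZeroMemory(&si,sizeof(si));
  si.cb = sizeof(si);
  // reattaching
  if (!CreateProcess(NULL,cmdline,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi))
  {
    MessageBox(0,"Reattaching Failed :(","CHILDDBG",MB_OK);
    goto cleanup;
  }
  if (WaitForInputIdle(pi.hProcess,INFINITE) == WAIT_FAILED)
  {
    Addtolist(0,1,"Wait Failed with %d",GetLastError());
    goto cleanup;
  }
  if (SuspendThread(hThread) == (DWORD)-1)
  {
    MessageBox(0,"SuspendThread Failed after Attaching","CHILDDBG",MB_OK);
    goto cleanup;
  }
  suspended = 1;
  if (!WriteProcessMemory(hProcess,entry,savebyte,sizeof(savebyte),NULL))
  {
    MessageBox(0,"WriteProcMem Failed :( after Attaching","CHILDDBG",MB_OK);
    goto cleanup;
  }
  patched = 0;
  // F12 pauses OllyDbg; the new instance's message queue may not exist yet,
  // so retry for a bounded time rather than forever.
  for (i = 0; i < CHILDDBG_POST_RETRIES && !delivered; i++)
  {
    Sleep(300);
    delivered = PostThreadMessage(pi.dwThreadId,WM_KEYDOWN,VK_F12,0) != 0;
  }
  if (!delivered)
    Addtolist(0,1,"childdbg: could not post F12 to the new OllyDbg, pause it by hand");
  MessageBox(0,"Attached Again if this msgbox shows up at ntdll_dbgbreak do\n"
  "Alt+E -> Follow Entry and set a break before dismissing this\n","CHILDDBG",MB_OK);
  Addtolist(0,1,"called from cdbg");
cleanup:
  if (patched && !detached)
  {
    // Still our debuggee: put the original bytes back so the child behaves
    // as if this plugin had never touched it.
    if (!suspended && SuspendThread(hThread) != (DWORD)-1)
      suspended = 1;
    if (WriteProcessMemory(hProcess,entry,savebyte,sizeof(savebyte),NULL))
      patched = 0;
  }
  if (patched)
    Addtolist(0,1,"childdbg: process %08lX still has EB FE at entry %08lX (original bytes %02X %02X)",
      (unsigned long)ev->dwProcessId,(unsigned long)entry,savebyte[0],savebyte[1]);
  if (suspended)
    ResumeThread(hThread);
  if (pi.hThread)
    CloseHandle(pi.hThread);
  if (pi.hProcess)
    CloseHandle(pi.hProcess);
  if (hProcess)
    CloseHandle(hProcess);
  if (hThread)
    CloseHandle(hThread);
}

// This function is called each time OllyDbg passes main Windows loop. When
// debugged application stops, bring command line window in foreground.
// For the childdbg command it also inspects the pending debug event: a
// CREATE_PROCESS_DEBUG_EVENT whose process id differs from the debuggee's
// is a child the debuggee created, and is handed over to a second OllyDbg.
extc void _export cdecl ODBG_Pluginmainloop(DEBUG_EVENT *debugevent)
{
  t_status status; // existing declaration in original src
  // additional code for childdbg command
  if (debugevent != NULL
      && debugevent->dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT
      && debugevent->dwProcessId != (DWORD) Plugingetvalue(VAL_PROCESSID))
    childdbg_handoff(debugevent);
  // existing code in original src for pluginmainloop
  if (hwcmd!=NULL)
  {
    status=Getstatus();
    if (status==STAT_NONE || status==STAT_RUNNING)
      poponstop=1;
    else if (poponstop!=0 && (status==STAT_STOPPED || status==STAT_FINISHED))
    {
      SetForegroundWindow(hwcmd);
      SetFocus(hwbox);
      poponstop=0;
    };
  };
};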
The file cmdexec.c was also modified with the new declarations for the childdbg command.
Results of the plugin are as follows:
Log data
Address Message
OllyDbg v1.10
Bookmarks sample plugin v1.06 (plugin demo)
Copyright (C) 2001, 2002 Oleh Yuschuk
Command line plugin v1.10
Written by Oleh Yuschuk
File 'F:\modified_cmdline_plugin\modified_cmdline_plugin_date2442007\ModifiedCommandLinePluginWithChildDbg\TargetPracticeSample\CreateProcessfurther.exe'
New process with ID 000006F8 created
00401000 Main thread with ID 00000D74 created
00400000 Module F:\modified_cmdline_plugin\modified_cmdline_plugin_date2442007\ModifiedCommandLinePluginWithChildDbg\TargetPracticeSample\CreateProcessfurther.exe
77D40000 Module C:\WINDOWS\system32\USER32.DLL
77F10000 Module C:\WINDOWS\system32\GDI32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C900000 Module C:\WINDOWS\system32\ntdll.dll
00401000 Program entry point
hello Childdbg Enabled <-------------------------
77DD0000 Module C:\WINDOWS\system32\ADVAPI32.DLL
called from cdbg
Event 00000003 from different process (ID 00000D04) <-----------------
hello Childdbg Disabled <-----------------------------
77E70000 Module C:\WINDOWS\system32\RPCRT4.dll
5AD70000 Module C:\WINDOWS\system32\uxtheme.dll
77C10000 Module C:\WINDOWS\system32\msvcrt.dll
Process terminated, exit code 1