Created: Saturday, August 16 2008 06:58.19 CDT Modified: Saturday, August 16 2008 07:03.43 CDT
childdbg added to my modified cmdline plugin for ollydbg
Author: anonymouse # Views: 11779

Many times a dropper creates a child process and the interesting code is lost from the debugger's view.
With WinDbg in hand one could simply do `.childdbg 1`, but WinDbg is not as handy as OllyDbg for user-level debugging.

And in OllyDbg it is a pain to patch the child's entry point with EB FE (an infinite `jmp $` loop), detach, reattach, remember the old bytes, restore them and only then debug the child.

Recently I was pestered with a sample that spawned a quadruplet of processes, so I added the command `childdbg 1` / `childdbg 0` :) to my modified command-line plugin.

Hope it's useful.

Anyone willing to test this on some tougher beasts is welcome.

Usage as usual: hit Alt+F1 and type `childdbg 1` or `childdbg 0` to enable or disable debugging of the child.
The setting is per process only (similar to WinDbg in concept, except that WinDbg debugs the child in the same console window, whereas here a separate OllyDbg instance is spawned and the child is handed over to it).

Added One more command childdbg

usage

alt+f1
type childdbg 1 to enable debugging of child process
type childdbg 0 to disable debugging of child process


Code for the main module (the `childdbg` command handler):



#define STRICT                         // Avoids some type mismatches
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include "plugin.h"

extern char string[TEXTLEN];  // defined in cmdexec.c

/* Minimal local copy of the native PROCESSINFOCLASS enumeration holding only
   the member this plugin needs.  ProcessDebugFlags is 31 (0x1F) as in ntddk.h;
   Childdbg below writes 1 through it to enable debugging of child processes
   and 0 to disable it. */
typedef enum _PROCESSINFOCLASS {
ProcessDebugFlags=31 // From ntddk.h
} PROCESSINFOCLASS;

/* Prototype for ntdll!NtSetInformationProcess, which Childdbg resolves at run
   time with GetProcAddress.  The real return type is NTSTATUS (a signed
   32-bit value); it is declared as DWORD here, so callers that want to test
   for failure must cast to a signed type and check for a negative value. */
typedef DWORD (NTAPI *NTSETINFORMATIONPROCESS)(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
IN PVOID ProcessInformation,
IN ULONG ProcessInformationLength
);


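/*
 * Set the debuggee's ProcessDebugFlags to `flag` via NtSetInformationProcess.
 *
 * flag == 1 lets child processes inherit the debugger (child creation then
 * shows up as a CREATE_PROCESS_DEBUG_EVENT in this OllyDbg); flag == 0
 * disables that again.
 *
 * ntdll is mapped into every process, so GetModuleHandle is used instead of
 * LoadLibrary: the original LoadLibrary call had no matching FreeLibrary and
 * leaked a module reference on every invocation of the command.
 *
 * Returns 0 on success.  On failure returns the Win32 error (function could
 * not be resolved) or the raw NTSTATUS (call rejected), both non-zero, and
 * logs the reason to the OllyDbg log window.
 */
static int set_child_debug_flag(ULONG flag)
{
  HMODULE hNtdll = GetModuleHandle("ntdll.dll");
  NTSETINFORMATIONPROCESS ntsetinfproc;
  ULONG debugflag = flag;
  LONG status;

  if (hNtdll == NULL)
  {
    Addtolist(0,1,"GetModuleHandle(ntdll) failed in command childdbg");
    return (int) GetLastError();
  }
  ntsetinfproc = (NTSETINFORMATIONPROCESS) GetProcAddress(hNtdll,"NtSetInformationProcess");
  if (ntsetinfproc == NULL)
  {
    Addtolist(0,1,"GetProcAddress failed in command childdbg");
    return (int) GetLastError();
  }

  /* The typedef returns DWORD but the value is an NTSTATUS; cast to a signed
     type so the sign bit (negative == failure) can be tested.  The original
     code ignored this result and reported "Enabled" even when the call had
     been rejected. */
  status = (LONG) ntsetinfproc((HANDLE) Plugingetvalue(VAL_HPROCESS),
                               ProcessDebugFlags, &debugflag, sizeof(debugflag));
  if (status < 0)
  {
    Addtolist(0,1,"NtSetInformationProcess(ProcessDebugFlags) failed in command childdbg, status %08X",
              (unsigned) status);
    return (int) status;
  }
  return 0;
}

/*
 * Command handler for "childdbg <0|1>" (Alt+F1 command line).
 *
 * The argument text is taken from the shared `string` buffer filled by
 * cmdexec.c.  Only a bare "0" or "1" (leading whitespace tolerated) is
 * accepted; the original compared just the first character, so input such
 * as "10" or "0x" silently passed.  `answer` and `parm` are part of the
 * command-handler signature and are not used.
 *
 * Returns 0, or the non-zero error code from set_child_debug_flag().
 */
int Childdbg(char *answer,ulong parm)
{
  char buf[TEXTLEN] = {0};
  const char *arg;
  ULONG flag;
  int rc;

  (void) answer;
  (void) parm;

  /* buf is zero-filled, so copying at most TEXTLEN-1 bytes leaves it
     NUL-terminated even if `string` is not. */
  strncpy(buf, string, TEXTLEN-1);

  arg = buf;
  while (*arg == ' ' || *arg == '\t')
    arg++;

  if ((arg[0] == '0' || arg[0] == '1') &&
      (arg[1] == '\0' || arg[1] == ' ' || arg[1] == '\t'))
  {
    flag = (ULONG)(arg[0] - '0');
    rc = set_child_debug_flag(flag);
    if (rc != 0)
      return rc;
    Addtolist(0,1, flag ? "hello Childdbg Enabled" : "hello Childdbg Disabled");
    return 0;
  }

  Addtolist(0,1,"use \"childdbg 0 to Disable or childdbg 1 to Enable\" ");
  return 0;
}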




Code for command.c, ODBG_Pluginmainloop:




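/*
 * Hand a child process that inherited our debug port over to a fresh
 * OllyDbg instance.
 *
 * Called by ODBG_Pluginmainloop for a CREATE_PROCESS_DEBUG_EVENT whose pid is
 * not the debuggee's.  Steps:
 *   1. open our own thread/process handles (the handles carried in the event
 *      belong to the debug session we are about to tear down), suspend the
 *      child's initial thread and overwrite the two bytes at its start
 *      address with EB FE (`jmp short $`) so it spins in place once released;
 *   2. detach with DebugActiveProcessStop and start a second ollydbg.exe,
 *      located through our own image path, with "-p <pid>";
 *   3. once the new instance is idle, suspend the thread again, restore the
 *      saved bytes, post F12 (pause) to the new OllyDbg and, after the user
 *      dismisses the message box, resume the thread.
 *
 * Failure handling: before the detach everything is undone and the child
 * remains a debuggee of this OllyDbg, as if the plugin had done nothing.
 * After the detach nobody is debugging the child any more, so it is left
 * SUSPENDED with its original bytes restored and the pid is logged rather
 * than letting a half-patched process run unobserved.  All handles are
 * closed on every path (the original leaked them on each early return).
 *
 * NOTE(review): the patch sits at lpStartAddress, i.e. the image entry point.
 * Whatever the loader runs before that (DLL initialisers, TLS callbacks)
 * executes in the window between detach and re-attach with no debugger
 * watching - keep that in mind for samples known to use such tricks.
 */
static void childdbg_handoff(const DEBUG_EVENT *ev)
{
  DEBUGACTIVEPROCESSSTOP dbgactprocstop;
  HMODULE hKernel32;
  HANDLE hThread = NULL;
  HANDLE hProcess = NULL;
  STARTUPINFO si;
  PROCESS_INFORMATION pi;
  char ollypath[MAX_PATH];
  char cmdline[MAX_PATH + 32];                 /* "<path>" -p <pid> + NUL */
  const unsigned char spin[2] = {0xEB, 0xFE};  /* jmp short $ */
  unsigned char savebyte[2] = {0, 0};
  LPVOID entry = ev->u.CreateProcessInfo.lpStartAddress;
  DWORD pid = ev->dwProcessId;
  DWORD len;
  SIZE_T n = 0;
  int tries;
  int suspended = 0;   /* we hold one SuspendThread on hThread */
  int patched = 0;     /* spin[] is currently written at entry */
  int detached = 0;    /* DebugActiveProcessStop succeeded */
  int ok = 0;

  ZeroMemory(&si, sizeof(si));
  si.cb = sizeof(si);
  ZeroMemory(&pi, sizeof(pi));

  /* kernel32 is always mapped; no LoadLibrary reference to leak. */
  hKernel32 = GetModuleHandle("kernel32.dll");
  dbgactprocstop = hKernel32 ?
    (DEBUGACTIVEPROCESSSTOP) GetProcAddress(hKernel32,"DebugActiveProcessStop") : NULL;
  if (!dbgactprocstop)
  {
    MessageBox(0,"DebugActiveProcessStop Is Not Available Needs Xp And Above","CHILDDBG",MB_OK);
    return;
  }
  if (entry == NULL)
  {
    /* The event may carry no start address; without one there is nothing
       to patch, so leave the child attached to this OllyDbg. */
    Addtolist(0,1,"childdbg: no start address for child %lu, leaving it attached",(unsigned long) pid);
    return;
  }

  /* Least privilege: suspend/resume on the thread, read/write on the
     process - that is all the hand-off touches. */
  hThread = OpenThread(THREAD_SUSPEND_RESUME,FALSE,ev->dwThreadId);
  if (!hThread)
  {
    MessageBox(0,"OpenThreadFailed","CHILDDBG",MB_OK);
    return;
  }
  hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,FALSE,pid);
  if (!hProcess)
  {
    MessageBox(0,"OpenProcessFailed","CHILDDBG",MB_OK);
    goto undo;
  }
  if (SuspendThread(hThread) == (DWORD)-1)
  {
    MessageBox(0,"SuspendThread failed","CHILDDBG",MB_OK);
    goto undo;
  }
  suspended = 1;

  if (!ReadProcessMemory(hProcess,entry,savebyte,sizeof(savebyte),&n) || n != sizeof(savebyte))
  {
    MessageBox(0,"ReadProcMem Failed","CHILDDBG",0);
    goto undo;
  }
  /* The child will spin here forever once it is resumed. */
  if (!WriteProcessMemory(hProcess,entry,spin,sizeof(spin),&n) || n != sizeof(spin))
  {
    MessageBox(0,"WriteProcMemFailed Before Resume","CHILDDBG",MB_OK);
    goto undo;
  }
  patched = 1;

  /* Spawn the second debugger by our own full image path, not a bare
     "ollydbg": with lpApplicationName == NULL CreateProcess walks the search
     path (current directory included) and a dropper under analysis could
     plant an ollydbg.exe there.  Quote the path, it may contain spaces. */
  len = GetModuleFileName(NULL,ollypath,sizeof(ollypath));
  if (len == 0 || len >= sizeof(ollypath))
  {
    MessageBox(0,"GetModuleFileName failed","CHILDDBG",MB_OK);
    goto undo;
  }
  /* Bounded: path < MAX_PATH chars, pid at most 10 digits. */
  sprintf(cmdline,"\"%s\" -p %lu",ollypath,(unsigned long) pid);

  /* Release the thread into the spin loop, then let go of the child so the
     new instance can attach. */
  if (ResumeThread(hThread) == (DWORD)-1)
  {
    MessageBox(0,"ResumeThread failed","CHILDDBG",MB_OK);
    goto undo;
  }
  suspended = 0;
  if (!dbgactprocstop(pid))
  {
    MessageBox(0,"DebugActiveProcessStop failed","CHILDDBG",MB_OK);
    goto undo;
  }
  detached = 1;

  if (!CreateProcess(ollypath,cmdline,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi))
  {
    MessageBox(0,"Reattaching Failed :(","CHILDDBG",MB_OK);
    goto undo;
  }
  if (WaitForInputIdle(pi.hProcess,INFINITE) == WAIT_FAILED)
  {
    Addtolist(0,1,"Wait Failed with %d",GetLastError());
    goto undo;
  }

  /* New OllyDbg is up: freeze the spinning thread and put the real bytes
     back before anyone single-steps it. */
  if (SuspendThread(hThread) == (DWORD)-1)
  {
    MessageBox(0,"SuspendThread failed after reattach","CHILDDBG",MB_OK);
    goto undo;
  }
  suspended = 1;
  if (!WriteProcessMemory(hProcess,entry,savebyte,sizeof(savebyte),&n) || n != sizeof(savebyte))
  {
    MessageBox(0,"WriteProcMem Failed :( after Arraching","CHILDDBG",MB_OK);
    goto undo;
  }
  patched = 0;

  /* F12 is "pause" in OllyDbg.  PostThreadMessage fails until the new
     instance's main thread owns a message queue; bound the wait (~30 s)
     instead of looping forever on a debugger that never comes up. */
  for (tries = 0; tries < 100; tries++)
  {
    if (PostThreadMessage(pi.dwThreadId,WM_KEYDOWN,VK_F12,0))
      break;
    Sleep(300);
  }
  if (tries == 100)
    Addtolist(0,1,"childdbg: could not post F12 to the new OllyDbg, pause it by hand");

  MessageBox(0,"Attached Again if this msgbox shows up at ntdll_dbgbreak do\n"
  "Alt+E -> Follow Entry and set a break before dismissing this\n","CHILDDBG",MB_OK);
  ok = 1;

undo:
  /* Still attached: the process is frozen by the debug event, so restoring
     the bytes is safe and this OllyDbg keeps the child.  Already detached:
     restore the bytes but keep the thread suspended - nobody is watching it. */
  if (patched && hProcess)
  {
    if (!suspended && detached && SuspendThread(hThread) != (DWORD)-1)
      suspended = 1;
    if (!WriteProcessMemory(hProcess,entry,savebyte,sizeof(savebyte),&n))
      Addtolist(0,1,"childdbg: could not restore entry bytes of child %lu",(unsigned long) pid);
  }
  if (suspended && (ok || !detached))
    ResumeThread(hThread);
  else if (suspended)
    Addtolist(0,1,"childdbg: child %lu left suspended, attach to it by hand",(unsigned long) pid);

  if (pi.hThread)
    CloseHandle(pi.hThread);
  if (pi.hProcess)
    CloseHandle(pi.hProcess);
  if (hProcess)
    CloseHandle(hProcess);
  CloseHandle(hThread);
  if (ok)
    Addtolist(0,1,"called from cdbg");
}

/*
 * Called each time OllyDbg passes its main Windows loop, with the current
 * debug event (or NULL).
 *
 * childdbg addition: a CREATE_PROCESS_DEBUG_EVENT for a pid other than the
 * debuggee's is a child that inherited our debug port (see Childdbg); it is
 * handed to a separate OllyDbg instance.  The remainder is the original
 * command-line plugin behaviour: when the debugged application stops, bring
 * the command line window to the foreground.
 */
extc void _export cdecl ODBG_Pluginmainloop(DEBUG_EVENT *debugevent)
{
  t_status status;

  if (debugevent != NULL &&
      debugevent->dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT &&
      debugevent->dwProcessId != (DWORD) Plugingetvalue(VAL_PROCESSID))
  {
    childdbg_handoff(debugevent);
  }

  if (hwcmd == NULL)
    return;

  status = Getstatus();
  if (status == STAT_NONE || status == STAT_RUNNING)
  {
    /* Arm the pop-up for the next stop. */
    poponstop = 1;
  }
  else if (poponstop != 0 && (status == STAT_STOPPED || status == STAT_FINISHED))
  {
    SetForegroundWindow(hwcmd);
    SetFocus(hwbox);
    poponstop = 0;
  }
}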



The file cmdexec.c is also modified with the new declarations for the childdbg function.


The results of running the plugin are as follows:



Log data
Address    Message
           OllyDbg v1.10
           Bookmarks sample plugin v1.06 (plugin demo)
             Copyright (C) 2001, 2002 Oleh Yuschuk
           Command line plugin v1.10
             Written by Oleh Yuschuk

           File 'F:\modified_cmdline_plugin\modified_cmdline_plugin_date2442007\ModifiedCommandLinePluginWithChildDbg\TargetPracticeSample\CreateProcessfurther.exe'
           New process with ID 000006F8 created
00401000   Main thread with ID 00000D74 created
00400000   Module F:\modified_cmdline_plugin\modified_cmdline_plugin_date2442007\ModifiedCommandLinePluginWithChildDbg\TargetPracticeSample\CreateProcessfurther.exe
77D40000   Module C:\WINDOWS\system32\USER32.DLL
77F10000   Module C:\WINDOWS\system32\GDI32.dll
7C800000   Module C:\WINDOWS\system32\kernel32.dll
7C900000   Module C:\WINDOWS\system32\ntdll.dll
00401000   Program entry point
           hello Childdbg Enabled  <-------------------------
77DD0000   Module C:\WINDOWS\system32\ADVAPI32.DLL
           called from cdbg
           Event 00000003 from different process (ID 00000D04) <-----------------
           hello Childdbg Disabled <-----------------------------
77E70000   Module C:\WINDOWS\system32\RPCRT4.dll
5AD70000   Module C:\WINDOWS\system32\uxtheme.dll
77C10000   Module C:\WINDOWS\system32\msvcrt.dll
           Process terminated, exit code 1






