Topic created on: February 26, 2006 10:43 CST by alojzy.
Hello,
OllyDbg makes the process freeze after attaching to it. I use W2k SP4. For example, IE doesn't work after attaching.
How do I get rid of it?
- alojzy
Isn't that what you would expect it to do? If you attach a debugger to a process, you usually want to stop it and start stepping.
I think there's an option to not break on attach.

alojzy, by default when ollydbg attaches to a process it will pause it. To have the target continue running, you'll have to click Debug->Run (or press F9). The lower-right corner of the ollydbg window will tell you the state of the target (paused, running, terminated).
Well, I'm pressing F9, its status is Running, but then the process freezes. Try it with Internet Explorer.

Are any exceptions being thrown? Check the status bar in the lower-left corner of the ollydbg window.
Nope :(
In the status bar there is information that thread xxx was terminated, and in the right bar it says Running. If I push pause (F12) and run (F9) it asks me to choose some thread to resume. If I do it, the app is still frozen :(
For example, I attach to Internet Explorer with some page loaded. Without this page (when I'm attaching to a clean IE) OllyDbg works fine.

What do you mean by freezing?
I just attached this OpenRCE IE window to OllyDbg and I am typing this post while attached :)
[code]
Log data
Address Message
OllyDbg v1.10
Command line plugin v1.10
Written by Oleh Yuschuk
Bookmarks sample plugin v1.06 (plugin demo)
Copyright (C) 2001, 2002 Oleh Yuschuk
File 'C:\Program Files\Internet Explorer\iexplore.exe'
New process with ID 00000950 created
Main thread with ID 00000728 created
77E7D342 New thread with ID 0000052C created
77E7D342 New thread with ID 00000BD0 created
77E7D342 New thread with ID 00000B80 created
77E7D342 New thread with ID 00000BF0 created
77E7D342 New thread with ID 00000BFC created
77E7D342 New thread with ID 00000688 created
77E7D342 New thread with ID 00000990 created
77E7D342 New thread with ID 000002D8 created
77E7D342 New thread with ID 00000BE0 created
77E7D342 New thread with ID 00000BA4 created
77E7D342 New thread with ID 000000C8 created
77E7D342 New thread with ID 00000888 created
77F72838 New thread with ID 00000FAC created
00400000 Module C:\Program Files\Internet Explorer\iexplore.exe
<------------------- snip ---------------->
77F767CD Attached process paused at ntdll.DbgBreakPoint
Thread 00000FAC terminated, exit code 0
Thread 000002D8 terminated, exit code 0
77E7D342 New thread with ID 00000C68 created
Thread 00000C68 terminated, exit code 0
77E7D342 New thread with ID 000001E4 created
77E7D342 New thread with ID 00000264 created
77E7D342 New thread with ID 00000158 created
Thread 00000158 terminated, exit code 0
Thread 00000264 terminated, exit code 0
[/code]
Number of threads that are active while I am typing:
[code]
Threads
Ident Entry Data block Last error Status Priority User time System time
000000C8 77E7D342 7FFAA000 ERROR_NOT_ENOUGH_MEMORY (00000008) Active 32 + 0 0.1101 s 0.0801 s
000001E4 77E7D342 7FFD7000 ERROR_SUCCESS (00000000) Active 32 + 1 0.0000 s 0.0000 s
0000052C 77E7D342 7FFDD000 ERROR_IO_PENDING (000003E5) Active 32 + 0 0.0300 s 0.0300 s
00000688 77E7D342 7FFD6000 ERROR_SUCCESS (00000000) Active 32 + 0 0.0400 s 0.0500 s
00000728 00000000 7FFDE000 ERROR_SUCCESS (00000000) Active 32 + 0 18.3263 s 14.2104 s
00000888 77E7D342 7FFDA000 00002F76 Active 32 + 0 0.4105 s 0.3104 s
00000990 77E7D342 7FFD5000 ERROR_SUCCESS (00000000) Active 32 + 0 0.0000 s 0.0000 s
00000B80 77E7D342 7FFDB000 ERROR_SUCCESS (00000000) Active 32 + 0 0.0000 s 0.0000 s
00000BA4 77E7D342 7FFAC000 ERROR_SUCCESS (00000000) Active 32 + 0 0.0100 s 0.0000 s
00000BD0 77E7D342 7FFDC000 ERROR_NO_TOKEN (000003F0) Active 32 + 0 0.0000 s 0.0000 s
00000BE0 77E7D342 7FFAD000 ERROR_SUCCESS (00000000) Active 32 + 0 0.0000 s 0.0000 s
00000BF0 77E7D342 7FFD9000 ERROR_SUCCESS (00000000) Active 32 + 15 0.0000 s 0.0000 s
00000BFC 77E7D342 7FFD8000 ERROR_SUCCESS (00000000) Active 32 + 2 0.0000 s 0.0701 s
[/code]
I hit F12: all threads get paused.
I hit F9 again: it runs as if nothing happened.
I hit and find openrce. Here it is:
[code]
00178324 https://www.openrce.org/img/
00178364 info.png.
[/code]

The post got cut off? :( Message length problem?
I see the rootkit forum also gets cut off on long replies and only gets half of the messages.
Well, to make a long story short: I could break and then hit Create Post, and Internet Explorer could send the whole info to the RCE forum while it was attached.
If it had frozen and crapped out I wouldn't have been able to post, because IE would have died with OllyDbg.

My answer is in the 'Exceptions(...)' topic.

Certain programs also freeze for me after OllyDbg's attachment. Once attached, OllyDbg says "Attached process paused at ntdll.DbgBreakPoint"... but it's actually at the RETN immediately after the INT3 at ntdll.DbgBreakPoint.
Looking at the next piece of code that it returns to (at least for me, ntdll.DbgUiRemoteBreakin), it indicates that the software I'm analysing might have a fairly decent anti-debugging mechanism. Judging by what's going on, it looks like the code within ntdll.DbgUiRemoteBreakin has been modified, probably by the kernel, in an attempt to thwart the debugging user/software from being able to break out of the suspended-threads jail.
Watching the Process Manager's thread count for the process before and after attaching, it looks like the thread in which the break-in code is called is created upon attachment. Needless to say, that's not very helpful for a direct method of finding and disabling the code in the target's file on disk. In any case, OllyDbg's Analyse-code and then Find-references-to-selected-command are helpful: it reveals that DbgUiRemoteBreakin appears to only be referenced within ntdll.DbgUiIssueRemoteBreakin, which is referenced from ntdll.DbgUiDebugActiveProcess, which doesn't appear to be referenced from anywhere. No matter, you should hopefully be able to disable ntdll.DbgUiDebugActiveProcess's call to DbgUiIssueRemoteBreakin without trouble, without adverse effects, and without my help (use OpenProcess() and WriteProcessMemory() if at all possible).
@ryanlrussell:
Not always will you want to immediately stop the debugged process (assuming of course that your intrusion would go undetected)... sometimes you will want to set a breakpoint on certain functions (in my case, ws2_32.dll's recv and send exports), and then trace the code backward from there without interest in the program's currently-executing code.
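The attach sequence described in this thread (a thread created on attach, the pause at ntdll.DbgBreakPoint, the thread terminations that follow on resume) can be read back out of the OllyDbg log window quoted earlier. Below is an added example, not code from the original thread or from OllyDbg, that replays such log lines to list which threads are still alive and which thread appeared right before the attach pause; the embedded log is a constructed excerpt of the lines quoted above.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the format of the OllyDbg v1.10 log window quoted in this thread.
SAMPLE_LOG = """\
New process with ID 00000950 created
Main thread with ID 00000728 created
77E7D342 New thread with ID 0000052C created
77E7D342 New thread with ID 000002D8 created
77F72838 New thread with ID 00000FAC created
77F767CD Attached process paused at ntdll.DbgBreakPoint
Thread 00000FAC terminated, exit code 0
Thread 000002D8 terminated, exit code 0
77E7D342 New thread with ID 00000C68 created
Thread 00000C68 terminated, exit code 0
77E7D342 New thread with ID 000001E4 created
"""

THREAD_CREATED = re.compile(r"^(?:([0-9A-F]{8}) )?(?:New|Main) thread with ID ([0-9A-F]{8}) created$")
THREAD_EXITED = re.compile(r"^Thread ([0-9A-F]{8}) terminated, exit code (\d+)$")
ATTACH_PAUSED = re.compile(r"^[0-9A-F]{8} Attached process paused at (\S+)$")

def parse_thread_log(text):
    """Replay the log top to bottom and return (threads, break_in_tid, pause_symbol).
    threads: tid -> {"entry", "exit"} in creation order; exit is None while alive.
    break_in_tid: the thread created right before the attach pause, which is how the
    debugger's remote break-in thread shows up in the log (note its distinct entry)."""
    threads, last_created, break_in_tid, pause_symbol = OrderedDict(), None, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = THREAD_CREATED.match(line)
        if m:
            entry, tid = m.groups()
            threads[tid] = {"entry": entry, "exit": None}
            last_created = tid
            continue
        m = THREAD_EXITED.match(line)
        if m:
            tid, code = m.groups()
            if tid in threads:              # ignore exits for threads never seen created
                threads[tid]["exit"] = int(code)
            continue
        m = ATTACH_PAUSED.match(line)
        if m and pause_symbol is None:      # the first pause line marks the attach
            pause_symbol, break_in_tid = m.group(1), last_created
    return threads, break_in_tid, pause_symbol

def alive_threads(threads):
    """Thread ids with no termination line yet; compare with OllyDbg's Threads window."""
    return [tid for tid, t in threads.items() if t["exit"] is None]
```

Running it over a frozen target's log shows whether the threads you expect to be servicing the UI are still alive or have already logged a termination, which is the first thing to check before blaming the debugger.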