Attaching Olly to a process created on suspend mode:

[CodeExplorer]

Visual C++ code:

int processflags = 0|CREATE_SUSPENDED;

// Create a child process.
if (strlen(environmentstr)>2)
{
fSuccess = CreateProcess(processname, NULL, NULL, NULL,
TRUE,
processflags,
(LPVOID) chNewEnv, // environment
NULL, &siStartInfo, &piProcInfo);
}
else
{
fSuccess = CreateProcess(processname, NULL, NULL, NULL,
TRUE,
processflags,
NULL, // No environment
NULL, &siStartInfo, &piProcInfo);
}

If I attach with Olly to the new created process I get this:

02980000    CC                 INT3
02980001    68 7F23BF77        PUSH 0x77BF237F
02980006    C3                 RETN

INT3 should be there but shouldn't be actually executed, I think!
After that the child process crushes and for any exe I've tested!
If I execute child process for some time it will work,
which tell me that some process info are not yet loaded when I attach with Olly.
Solution on how to fix this problem will be great!

 

[deepzero]

Olly1.1 cant attach to suspended Processes. That's a limitation in Olly ... or the Windows Debug Api. (Have you tried x64db?)

You could do the EBFE trick; patch  EP of the suspended process to EBFE, resume process, then attach to it again.

[CodeExplorer]

Thank you deepzero for clarification,
so for Olly will be two options "EBFE on system" and "EBFE on EP".
 

[CodeExplorer]

Update: "EBFE on system" doesn't work, "EBFE on EP" works like charm,
the problem is not the suspended process, but it seems something is initialized before entry point,
I don't know yet what exactly is causing this problem!
 

Edited June 27, 2018 by CodeExplorer

[evlncrn8]

7 hours ago, CodeExplorer said:

 but it seems something is initialized before entry point

tls callbacks ?

[CodeExplorer]

8 hours ago, evlncrn8 said:

tls callbacks ?

No. This happens for any executable I've tested.
It would be great if someone will bring some light on why Olly can't properly attach to the process
if I don't stop the process at entry point.
Suspended processes don't seems to cause any problem with the Olly debugger (v1.1) I'm using.

 

[skylark]

As far as I know, PEB isn't completely initialized in a process if it's started in suspended state, so when olly tries to get handles of all modules used by that process, it fails (since peb isn't initialized yet, the structure that holds handles of modules is also not initialized). Maybe that's why your child process was crashing. But when you let it run for some time, maybe peb gets fully initialized, so it doesn't crash anymore.

 

I am just making a guess though, I am not fully sure.