
Attaching Olly to a process created on suspend mode:


Visual C++ code:

int processflags = 0|CREATE_SUSPENDED;

// Create a child process.
if (strlen(environmentstr)>2)
{
    fSuccess = CreateProcess(processname, NULL, NULL, NULL,
        TRUE,
        processflags,
        (LPVOID) chNewEnv, // environment
        NULL, &siStartInfo, &piProcInfo);
}
else
{
    fSuccess = CreateProcess(processname, NULL, NULL, NULL,
        TRUE,
        processflags,
        NULL, // No environment
        NULL, &siStartInfo, &piProcInfo);
}

If I attach with Olly to the newly created process I get this:

02980000    CC                 INT3
02980001    68 7F23BF77        PUSH 0x77BF237F
02980006    C3                 RETN

INT3 should be there but shouldn't be actually executed, I think!
After that the child process crashes, and for any exe I've tested!
If I execute the child process for some time it will work,
which tells me that some process info is not yet loaded when I attach with Olly.
A solution on how to fix this problem would be great!

 

Olly 1.1 can't attach to suspended processes. That's a limitation in Olly ... or the Windows Debug API. (Have you tried x64dbg?)

You could do the EBFE trick: patch the EP of the suspended process to EBFE, resume the process, then attach to it again.
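
An added example, not part of any post in this thread, of the byte-level bookkeeping behind the "EBFE on EP" trick: find AddressOfEntryPoint in the PE headers, save the two original bytes, write EB FE, and restore them once the debugger is attached. The buffer stands in for the child's mapped image; in a live session the same reads and writes would go through ReadProcessMemory and WriteProcessMemory at image base + RVA. All function names and the sample image are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

typedef struct { uint32_t rva; uint8_t saved[2]; int armed; } ep_patch;

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* AddressOfEntryPoint from the PE headers; 0 if the headers are malformed. */
uint32_t pe_entry_rva(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img + 0x3C);                 /* e_lfanew */
    if (nt > len || len - nt < 0x2C) return 0;      /* headers must reach the EP field */
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    return rd32(img + nt + 0x28);  /* signature(4) + file header(20) + 16 */
}

/* Save the two bytes at the EP, then write EB FE (a short jump to itself).
 * Assumption: img is the image as mapped in memory, so RVA == offset. */
int ep_patch_arm(uint8_t *img, size_t len, ep_patch *p) {
    uint32_t rva = pe_entry_rva(img, len);
    if (rva == 0 || rva > len || len - rva < 2) return -1;
    memcpy(p->saved, img + rva, 2);
    img[rva] = 0xEB; img[rva + 1] = 0xFE;
    p->rva = rva; p->armed = 1;
    return 0;
}

/* Put the original bytes back; refuse if the loop is not in place. */
int ep_patch_restore(uint8_t *img, ep_patch *p) {
    if (!p->armed || img[p->rva] != 0xEB || img[p->rva + 1] != 0xFE) return -1;
    memcpy(img + p->rva, p->saved, 2);
    p->armed = 0;
    return 0;
}

/* Constructed sample (len >= 0x1002): minimal headers, EP at RVA 0x1000 = 55 8B. */
void make_sample_image(uint8_t *img, size_t len) {
    memset(img, 0, len);
    img[0] = 'M'; img[1] = 'Z'; img[0x3C] = 0x80;
    memcpy(img + 0x80, "PE\0\0", 4);
    img[0x80 + 0x29] = 0x10;                        /* EP RVA = 0x00001000 */
    img[0x1000] = 0x55; img[0x1001] = 0x8B;
}

int main(void) {
    static uint8_t img[0x1100];
    ep_patch p = {0};
    make_sample_image(img, sizeof img);
    return (ep_patch_arm(img, sizeof img, &p) || ep_patch_restore(img, &p)) ? 1 : 0;
}
```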

  • Author

Thank you deepzero for clarification,
so for Olly there will be two options: "EBFE on system" and "EBFE on EP".
 

  • Author

Update: "EBFE on system" doesn't work, "EBFE on EP" works like a charm,
the problem is not the suspended process, but it seems something is initialized before entry point,
I don't know yet what exactly is causing this problem!
 

Edited by CodeExplorer

7 hours ago, CodeExplorer said:

 but it seems something is initialized before entry point

TLS callbacks?

  • Author
8 hours ago, evlncrn8 said:

TLS callbacks?

No. This happens for any executable I've tested.
It would be great if someone could shed some light on why Olly can't properly attach to the process
if I don't stop the process at the entry point.
Suspended processes don't seem to cause any problem with the Olly debugger (v1.1) I'm using.

 

As far as I know, the PEB isn't completely initialized in a process if it's started in a suspended state, so when Olly tries to get handles of all modules used by that process, it fails (since the PEB isn't initialized yet, the structure that holds handles of modules is also not initialized). Maybe that's why your child process was crashing. But when you let it run for some time, maybe the PEB gets fully initialized, so it doesn't crash anymore.

 

I am just making a guess though, I am not fully sure.
