CodeExplorer Posted June 27, 2018

Visual C++ code:

int processflags = 0 | CREATE_SUSPENDED;

// Create a child process.
if (strlen(environmentstr) > 2)
{
    fSuccess = CreateProcess(processname, NULL, NULL, NULL, TRUE, processflags,
                             (LPVOID) chNewEnv,   // environment
                             NULL, &siStartInfo, &piProcInfo);
}
else
{
    fSuccess = CreateProcess(processname, NULL, NULL, NULL, TRUE, processflags,
                             NULL,                // No environment
                             NULL, &siStartInfo, &piProcInfo);
}

If I attach with Olly to the newly created process I get this:

02980000 CC           INT3
02980001 68 7F23BF77  PUSH 0x77BF237F
02980006 C3           RETN

INT3 should be there but shouldn't actually be executed, I think! After that the child process crashes, and for any exe I've tested! If I let the child process execute for some time it will work, which tells me that some process info is not yet loaded when I attach with Olly. A solution on how to fix this problem would be great!
deepzero Posted June 27, 2018

Olly 1.1 can't attach to suspended processes. That's a limitation in Olly ... or the Windows Debug API. (Have you tried x64dbg?) You could do the EBFE trick; patch the EP of the suspended process to EBFE, resume the process, then attach to it again.
CodeExplorer Posted June 27, 2018 (Author)

Thank you deepzero for the clarification, so for Olly there will be two options: "EBFE on system" and "EBFE on EP".
CodeExplorer Posted June 27, 2018 (Author, edited)

Update: "EBFE on system" doesn't work, "EBFE on EP" works like a charm. The problem is not the suspended process, but it seems something is initialized before the entry point; I don't know yet what exactly is causing this problem!

Edited June 27, 2018 by CodeExplorer
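The "EBFE on EP" trick deepzero describes, as an added example (not code from deepzero or CodeExplorer): locate AddressOfEntryPoint in the PE headers, save the two original bytes, write EB FE (a jmp to itself) so the resumed process spins harmlessly at its EP, and write the originals back once the debugger is attached. The example works on an in-memory byte buffer laid out like the mapped image (RVA == offset from the image base), with a constructed minimal PE32 header standing in for a real executable, so it builds and runs on any platform; in a real Windows helper the same reads and writes would go through ReadProcessMemory/WriteProcessMemory against the suspended child's image base, followed by ResumeThread. Function names, the sample image and the 0x100 entry RVA are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field access, so the parser does not depend on host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Find AddressOfEntryPoint in an image buffer laid out as it is in memory
 * (RVA == offset from the image base). Every header field is bounds-checked:
 * a helper that patches the wrong two bytes is worse than one that refuses. */
int pe_entry_rva(const uint8_t *img, size_t len, uint32_t *rva) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;   /* DOS header */
    uint32_t e_lfanew = rd32(img + 0x3C);
    /* need "PE\0\0" (4) + COFF header (20) + optional header up to the entry field (20) */
    if (e_lfanew > len || len - e_lfanew < 44) return -1;
    const uint8_t *pe = img + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0) return -1;
    if (rd16(pe + 4 + 16) < 20) return -1;                          /* SizeOfOptionalHeader */
    const uint8_t *opt = pe + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -1;                /* PE32 or PE32+ */
    uint32_t ep = rd32(opt + 16);                                    /* AddressOfEntryPoint */
    if (ep == 0 || ep > len - 2) return -1;                          /* room for two bytes */
    *rva = ep;
    return 0;
}

/* Replace the first two entry-point bytes with EB FE (jmp $), keeping the
 * originals so they can be written back once the debugger is attached. */
int ebfe_patch(uint8_t *img, size_t len, uint8_t saved[2]) {
    uint32_t ep;
    if (pe_entry_rva(img, len, &ep) != 0) return -1;
    saved[0] = img[ep];
    saved[1] = img[ep + 1];
    img[ep]     = 0xEB;
    img[ep + 1] = 0xFE;
    return 0;
}

int ebfe_restore(uint8_t *img, size_t len, const uint8_t saved[2]) {
    uint32_t ep;
    if (pe_entry_rva(img, len, &ep) != 0) return -1;
    img[ep]     = saved[0];
    img[ep + 1] = saved[1];
    return 0;
}

/* Constructed sample image (not a real binary): a minimal PE32 header and a
 * three-byte stub (push ebp; mov ebp, esp) at RVA 0x100 standing in for the EP. */
#define SAMPLE_LEN 0x200
#define SAMPLE_EP  0x100u
size_t build_sample_image(uint8_t *buf, size_t cap) {
    if (cap < SAMPLE_LEN) return 0;
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);                  /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *coff = buf + 0x84;
    wr16(coff, 0x014C);                      /* IMAGE_FILE_MACHINE_I386 */
    wr16(coff + 2, 1);                       /* NumberOfSections */
    wr16(coff + 16, 0xE0);                   /* SizeOfOptionalHeader (PE32) */
    uint8_t *opt = coff + 20;
    wr16(opt, 0x10B);                        /* PE32 magic */
    wr32(opt + 16, SAMPLE_EP);               /* AddressOfEntryPoint */
    buf[SAMPLE_EP] = 0x55; buf[SAMPLE_EP + 1] = 0x8B; buf[SAMPLE_EP + 2] = 0xEC;
    return SAMPLE_LEN;
}

/* Full round trip on the constructed image; returns 1 when every step behaves. */
int ebfe_roundtrip_ok(void) {
    uint8_t img[SAMPLE_LEN], saved[2];
    size_t n = build_sample_image(img, sizeof img);
    if (n == 0 || ebfe_patch(img, n, saved) != 0) return 0;
    if (img[SAMPLE_EP] != 0xEB || img[SAMPLE_EP + 1] != 0xFE) return 0;
    if (saved[0] != 0x55 || saved[1] != 0x8B) return 0;
    if (ebfe_restore(img, n, saved) != 0) return 0;
    return img[SAMPLE_EP] == 0x55 && img[SAMPLE_EP + 1] == 0x8B && img[SAMPLE_EP + 2] == 0xEC;
}

int main(void) {
    uint8_t img[SAMPLE_LEN], saved[2];
    uint32_t ep;
    size_t n = build_sample_image(img, sizeof img);
    if (pe_entry_rva(img, n, &ep) == 0)
        printf("entry point RVA: 0x%X\n", ep);
    if (ebfe_patch(img, n, saved) == 0)
        printf("patched: %02X %02X (saved %02X %02X)\n", img[ep], img[ep + 1], saved[0], saved[1]);
    return 0;
}
```

The restore step is the part people forget: once Olly is attached and EIP sits on the EB FE, the saved bytes go back and EIP is left on the real first instruction, otherwise the process spins forever. The bounds checks matter because the header is read from a process that has not run yet; if the image base or e_lfanew is wrong, the helper should refuse rather than write two bytes somewhere random.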
evlncrn8 Posted June 27, 2018

7 hours ago, CodeExplorer said:
> but it seems something is initialized before entry point

TLS callbacks?
CodeExplorer Posted June 28, 2018 (Author)

8 hours ago, evlncrn8 said:
> tls callbacks ?

No. This happens for any executable I've tested. It would be great if someone would shed some light on why Olly can't properly attach to the process if I don't stop the process at the entry point. Suspended processes don't seem to cause any problem with the Olly debugger (v1.1) I'm using.
skylark Posted June 29, 2018

As far as I know, the PEB isn't completely initialized in a process if it's started in the suspended state, so when Olly tries to get the handles of all modules used by that process, it fails (since the PEB isn't initialized yet, the structure that holds the module handles is also not initialized). Maybe that's why your child process was crashing. But when you let it run for some time, maybe the PEB gets fully initialized, so it doesn't crash anymore. I am just making a guess though, I am not fully sure.