
When I attach OllyDbg or ImmunityDebugger to a process, it automatically breaks execution. I'm attaching to a user-mode service running as SYSTEM and only need to catch exceptions, so this is not ideal. Is there a way to disable the break-on-attach behaviour?

0xC0000022L
Polynomial
  • You would like to attach the debugger to the program and immediately perform a 'continue', is that correct? – perror Apr 12 '13 at 10:20
  • Pretty much. I'd prefer to avoid the breakpoint entirely. I just want the debugger to break if an exception occurs. – Polynomial Apr 12 '13 at 10:42
  • @Polynomial will anti-debugging techniques be an option as well? – Denis Laskov Apr 12 '13 at 11:11
  • @DenisLaskov An option? I'm not sure I follow. – Polynomial Apr 12 '13 at 12:40
  • @Polynomial well, my English is far from ideal :) let me rephrase: are you looking for a way to protect a binary from being intercepted, or for a way to look into a binary while it executes, without the break-on-attach technique? – Denis Laskov Apr 12 '13 at 13:18
  • @0xC0000022L I'm debugging a user-mode service running as SYSTEM on Windows. Also, giving a downvote for such an ambiguity seems a little harsh. – Polynomial Apr 12 '13 at 14:49
  • 1
    @Polynomial: uhm, why is it harsh? a.) I could just have downvoted and not told you why, so you would have never known b.) downvotes on questions affect your rep (true) but not mine (so even if you checked everyones rep all the time you couldn't tell who downvoted) c.) you can simply edit your question to be less ambiguous and I'll gladly retract my downvote - it may even end up as an upvote. Last but not least, I stand by the downvote and the reason for it. Downvotes on answers affect both (-1 for voter, -2 for person answering), btw. But check out my profile I downvote also answers ;) – 0xC0000022L Apr 12 '13 at 14:54
  • @0xC0000022L Fine. Fixed. – Polynomial Apr 12 '13 at 15:06
  • @Polynomial: ditto ;) – 0xC0000022L Apr 12 '13 at 15:30

3 Answers


Explanation

The break on attach is due to the ntdll DbgUiRemoteBreakin and DbgBreakPoint functions being called. If you check the kernel32 DebugActiveProcess function called by the debugger, OllyDbg or ImmunityDebugger, you will see a call to the CreateRemoteThread, CreateRemoteThreadEx, or ZwCreateThreadEx function depending on your OS.

So, I guess one way to bypass the break is:

  1. debug the debugger itself
  2. go to the DbgUiIssueRemoteBreakin function and spot the call to the function creating the remote thread
  3. change the lpStartAddress parameter (in the case of CreateRemoteThread/CreateRemoteThreadEx) to DbgBreakPoint+1, i.e. the RETN (0xC3)

Plugin

I created an OllyDbg v1.10 plugin which NOPs the INT3 in DbgBreakPoint in the process with the PID you choose. It has only been tested on Windows 7.

Usage

Place SilentAttach.dll in the OllyDbg directory, fire up OllyDbg, press Alt+F12, and then enter the process ID of the process you want to silently attach to.

N.B. Since no break occurs, OllyDbg does not extract many pieces of info, e.g. the list of loaded modules. So you have to activate the context with something like Alt+E, then Alt+C.

waliedassar

One way to do this is to have an OllyDbg plug-in that performs a

WriteProcessMemory(hDebuggee, GetProcAddress(GetModuleHandle("ntdll"), "DbgBreakPoint"), &mynop, 1, NULL)

where hDebuggee is the handle for the process being debugged (I believe that OllyDbg has an API for retrieving this value), and mynop is a variable that holds a 0x90 byte (nop instruction).

That will clear the int3 instruction that is causing the break, allowing the execution to continue immediately. It's a common anti-debugging trick.

peter ferrie
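The NOP-over-DbgBreakPoint approach described in the two answers above, as an added stand-alone C tool (not the SilentAttach plugin and not code from either answer). The byte check and patch are kept in a portable function so the "only overwrite a genuine INT3" guard can be exercised anywhere; the Windows part assumes the target PID is passed as argv[1], that the tool runs before the debugger attaches, and that ntdll.dll is mapped at the same base in this process and the target, which holds for processes of the same bitness on one Windows boot.

```c
#include <stdio.h>
#include <stdlib.h>
#define INT3_OPCODE 0xCC
#define NOP_OPCODE  0x90

/* Replace a leading INT3 with a NOP. Returns 1 if patched, 0 if the buffer does
 * not start with INT3 (nothing is written then, so a hooked or already-patched
 * DbgBreakPoint is left alone). Kept portable so the guard can be tested. */
int patch_int3_to_nop(unsigned char *code, size_t len)
{
    if (len == 0 || code[0] != INT3_OPCODE)
        return 0;
    code[0] = NOP_OPCODE;
    return 1;
}

#ifdef _WIN32
#include <windows.h>
/* NOP the INT3 in ntdll!DbgBreakPoint inside process `pid`. Assumes ntdll.dll is
 * mapped at the same base here and in the target (same bitness, same boot).
 * Returns 0 on success, 1 if the target could not be opened, 2 if the patch failed. */
int silence_attach_break(DWORD pid)
{
    unsigned char byte;
    SIZE_T n;
    FARPROC target = GetProcAddress(GetModuleHandleA("ntdll.dll"), "DbgBreakPoint");
    HANDLE h = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, pid);
    if (!target || !h)
        return 1;
    /* Read first so only a genuine 0xCC is overwritten. */
    int ok = ReadProcessMemory(h, (LPCVOID)target, &byte, 1, &n) && n == 1 &&
             patch_int3_to_nop(&byte, 1) &&
             WriteProcessMemory(h, (LPVOID)target, &byte, 1, &n) && n == 1;
    if (ok)
        FlushInstructionCache(h, (LPCVOID)target, 1);
    CloseHandle(h);
    return ok ? 0 : 2;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    return silence_attach_break((DWORD)strtoul(argv[1], NULL, 10));
}
#endif
```

Because the patch lives in the target's private copy of the ntdll page, it affects only that process; the same WriteProcessMemory write is what the plugin in the first answer performs.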

I don't think this is possible without doing something extremely invasive, either patching OllyDbg to use an alternative ZwXX/NtXX function which accepts some flags or patching the kernel. The initial break is done by the operating system so that the debugger can gather information about the process it is being attached to.

I haven't verified but my guess is that OllyDbg is calling DebugActiveProcess in order to attach to it. The documentation for it states:

After the system checks the process identifier and determines that a valid debugging attachment is being made, the function returns TRUE. Then the debugger is expected to wait for debugging events by using the WaitForDebugEvent function. The system suspends all threads in the process, and sends the debugger events that represent the current state of the process.

And later on:

After all of this is done, the system resumes all threads in the process. When the first thread in the process resumes, it executes a breakpoint instruction that causes an EXCEPTION_DEBUG_EVENT debugging event to be sent to the debugger. All future debugging events are sent to the debugger by using the normal mechanism and rules.

Peter Andersson