olldbg原理分析~載入程序

原創

Nightsay

2020-02-21 12:14

od載入程序時又兩種方式，第一種方式是打開，第二種方式是附加。

關於打開，實際上是利用了CreateProcess創建一個用以調試的新進程，ollydbg接受到目標進程發生的調試事件。

用od分析od，爲驗證我們的猜想，直接在createprocess函數上下斷，運行分析，發現函數中斷如下圖

分析函數，createprocess

BOOL CreateProcess( 
  LPCWSTR pszImageName, 
  LPCWSTR pszCmdLine, 
  LPSECURITY_ATTRIBUTES psaProcess, 
  LPSECURITY_ATTRIBUTES psaThread, 
  BOOL fInheritHandles, 
  DWORD fdwCreate, 
  LPVOID pvEnvironment, 
  LPWSTR pszCurDir, 
  LPSTARTUPINFOW psiStartInfo, 
  LPPROCESS_INFORMATION pProcInfo
);

參數從右往左進棧，其他參數省略不講，主要看 DWORD fdwCreate這個參數，msdn中這樣講到：

Value	Description
CREATE_DEFAULT_ERROR_MODE	Not supported.
CREATE_NEW_CONSOLE	The new process has a new console, instead of inheriting the parent's console.
CREATE_NEW_PROCESS_GROUP	Not supported.
CREATE_SEPARATE_WOW_VDM	Not supported.
CREATE_SHARED_WOW_VDM	Not supported.
CREATE_SUSPENDED	The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called.
CREATE_UNICODE_ENVIRONMENT	Not supported.
DEBUG_PROCESS	If this flag is set, the calling process is treated as a debugger, and the new process is a process being debugged. Child processes of the new process are also debugged. The system notifies the debugger of all debug events that occur in the process being debugged. If you create a process with this flag set, only the calling thread (the thread that called CreateProcess) can call the WaitForDebugEvent function.
DEBUG_ONLY_THIS_PROCESS	If this flag is set, the calling process is treated as a debugger, and the new process is a process being debugged. No child processes of the new process are debugged. The system notifies the debugger of all debug events that occur in the process being debugged.
DETACHED_PROCESS	Not supported.
INHERIT_CALLER_PRIORITY	If this flag is set, the new process inherits the priority of the creator process.