olldbg原理分析~载入程序

原創

Nightsay

2020-02-21 12:14

od载入程序时又两种方式，第一种方式是打开，第二种方式是附加。

关于打开，实际上是利用了CreateProcess创建一个用以调试的新进程，ollydbg接受到目标进程发生的调试事件。

用od分析od，为验证我们的猜想，直接在createprocess函数上下断，运行分析，发现函数中断如下图

分析函数，createprocess

BOOL CreateProcess( 
  LPCWSTR pszImageName, 
  LPCWSTR pszCmdLine, 
  LPSECURITY_ATTRIBUTES psaProcess, 
  LPSECURITY_ATTRIBUTES psaThread, 
  BOOL fInheritHandles, 
  DWORD fdwCreate, 
  LPVOID pvEnvironment, 
  LPWSTR pszCurDir, 
  LPSTARTUPINFOW psiStartInfo, 
  LPPROCESS_INFORMATION pProcInfo
);

参数从右往左进栈，其他参数省略不讲，主要看 DWORD fdwCreate这个参数，msdn中这样讲到：

Value	Description
CREATE_DEFAULT_ERROR_MODE	Not supported.
CREATE_NEW_CONSOLE	The new process has a new console, instead of inheriting the parent's console.
CREATE_NEW_PROCESS_GROUP	Not supported.
CREATE_SEPARATE_WOW_VDM	Not supported.
CREATE_SHARED_WOW_VDM	Not supported.
CREATE_SUSPENDED	The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called.
CREATE_UNICODE_ENVIRONMENT	Not supported.
DEBUG_PROCESS	If this flag is set, the calling process is treated as a debugger, and the new process is a process being debugged. Child processes of the new process are also debugged. The system notifies the debugger of all debug events that occur in the process being debugged. If you create a process with this flag set, only the calling thread (the thread that called CreateProcess) can call the WaitForDebugEvent function.
DEBUG_ONLY_THIS_PROCESS	If this flag is set, the calling process is treated as a debugger, and the new process is a process being debugged. No child processes of the new process are debugged. The system notifies the debugger of all debug events that occur in the process being debugged.
DETACHED_PROCESS	Not supported.
INHERIT_CALLER_PRIORITY	If this flag is set, the new process inherits the priority of the creator process.