I want to attach OllyDbg or IDA to a process as soon as it is loaded in memory before a single instruction of it being executed. How do I do This??? I cant use File->Open for some reason. I can only attach to it.
Asked
Active
Viewed 3,572 times
4
-
"I cant use File->Open for some reason." -- What error message do you get when you try to use File->Open? – Jason Geffner Nov 22 '14 at 18:14
1 Answers
7
One way to do is create a new process using CreateProcess with dwCreationFlags as CREATE_SUSPENDED. Next attach to the suspended process using your debugger, and resume all threads.
Some other way would be to edit the PE file and change the bytes at the entrypoint to EB FE.
This is an instruction that jumps to itself, i.e. it is an infinite loop. Next start the application normally. Now use a debugger to attach to it. Restore the original bytes at the entrypoint and resume the process.
0xec
- 6,090
- 3
- 23
- 33
-
2You can also do CC at the entry point which is int 3 and will ask if you want to debug. – offbyseveral Nov 24 '14 at 17:33
-