How to debug a self-debugging process?

Question

How do you swap debuggers in Windows?

In my case, I have a process A which creates a copy of itself:

CreateProcessA("XXX.exe", NULL, 0x0023f560, 0x0023f560, TRUE,      
               **DEBUG_ONLY_THIS_PROCESS**, NULL, NULL, 0x0023f5f8, 0x0023f550)

It, then, debugs its child (Process B) using WaitForDebugEvent(50ms) to modify the control flow of B. After a highly active startup WaitForDebugEvent will time out(Return false) unless I click a button in B.

Question: How do I get rid of the Debugger(Process A) and attach my own debugger to B ?

I tried to call DebugActiveProcessStop by injection code into A (DLL Injection) as well as by debugging A and calling it from the thread that debugs B. (inline code injection) both ways I get ACCESS_DENIED!

If you try to attach a 2nd debugger you get Error 87 (ERROR_INVALID_PARAMETER).

Environment: Win 7 x64

second attach failure should result in error 0xc000048 not error 0n87 the process may not be debugging an exact copy of itself because it will result in a chain reaction. ( each copy will be copying itself and spawning a child until resource exhaust) — blabb, Apr 17 '15 at 21:05
@blabb, the code can create a mutex to prevent that from occurring, see section G.i. in The "Ultimate" Anti-Debugging Reference — peter ferrie, May 15 '15 at 16:41

score 2 · Answer 1 · answered Apr 17 '15 at 18:08

2

Use ProcessHacker to pause the parent process and then try to Stop deattach debugger from Processhacker

answered Apr 17 '15 at 18:08

0xdead

21
2

score 0 · Answer 2 · answered May 14 '15 at 04:07

First you have to find for call IsDebuggerPresent and modify return value in EAX register to 0. Then after you have to find call GetCurrentProcessId and modify input parameter with your dummy process id. Second process you have to done before starting of new thread then after you can attach your debugger to that child process. I've fetched same situation in all-in-one keylogger

How to debug a self-debugging process?

2 Answers2