Posted: Sat Nov 26, 2022 2:53 am Post subject: auto attach and auto break
Hi all,
There is an app which executes another tiny exe with some parameters.
I want to stop right at the beginning of that tiny exe and start debugging.
I tried the Lua code below. The BP is set at the right location (entry point), but that tiny exe gets terminated and I am not breaking at this spot.
Code:
PROCESS_NAME = 'XXX.exe'
--------
-------- Auto Attach
--------
local autoAttachTimer = nil ---- variable to hold timer object
local autoAttachTimerInterval = 100 ---- Timer intervals are in milliseconds
local autoAttachTimerTicks = 0 ---- variable to count number of times the timer has run
local autoAttachTimerTickMax = 5000 ---- Set to zero to disable ticks max
local function autoAttachTimer_tick(timer) ---- Timer tick call back
    ---- Destroy timer if max ticks is reached
    if autoAttachTimerTickMax > 0 and autoAttachTimerTicks >= autoAttachTimerTickMax then
        timer.destroy()
        return ---- Stop here; the timer object is no longer valid
    end
    ---- Check if process is running
    if getProcessIDFromProcessName(PROCESS_NAME) ~= nil then
        timer.destroy() ---- Destroy timer
        openProcess(PROCESS_NAME) ---- Open the process
        debugProcess(2) -- Attach Debugger to the process.
        debug_setBreakpoint('XXX.exe+29F54') ---- Breakpoint on the entry point
        ---pause()
    end
    autoAttachTimerTicks = autoAttachTimerTicks + 1 ---- Increase ticks
end
autoAttachTimer = createTimer(getMainForm()) ---- Create timer with the main form as its parent
autoAttachTimer.Interval = autoAttachTimerInterval ---- Set timer interval
autoAttachTimer.OnTimer = autoAttachTimer_tick ---- Set timer tick call back
If you're trying to find the tiny exe process and set a breakpoint on the entry point before it starts running, that's not going to happen. Even a single millisecond is a ridiculously long time for a CPU. It would be like trying to catch a bullet with a pair of chopsticks; it's not possible.
Use Lua to start the process yourself. celua.txt:
Quote:
createProcess(path, parameters OPTIONAL, debug OPTIONAL, breakonentrypoint OPTIONAL) : Creates a process. If debug is true it will be created using the windows debugger and if breakonentry is true it will cause a breakpoint to occur on entrypoint
If the other app needs to execute the tiny exe, I don't know any easy way for CE to break on entry. You could hook the call that creates the process and do something there. {$ccode} will be helpful.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Quote:
If the other app needs to execute the tiny exe, I don't know any easy way for CE to break on entry. You could hook the call that creates the process and do something there. {$ccode} will be helpful.
It is possible with gflags or WinDbg global flags.
I am doing what I want with x64dbg and IDA; both break at the entry.
But because of CE's flexibility + Lua, I want to do it with CE too.
I don't know if Darkbyte will add this capability of gflag compatibility to CE or not. I couldn't make it work so far.
I'll try hooking until some good news comes from this forum.