Hello!

As I wrote in my previous posts I want to create an external logger for my application. I wanted to use code injection, but I found that there are too many problems with this method.

I decided to use a dll and now I have problems with putting LoadLibrary code into the process.
I want to use DebugActiveProcess. I set the privilleges and the application returns a debug event CREATE_PROCESS_DEBUG_EVENT, so it means that the process was successufully set to being debugged.

Unfortunately the process is suspended all the time :( and I can't even open it's window as it is like 'frozen' and I don't get any further debug exceptions etc.

I'm sorry, but the code is in C++:



#include <windows.h>
#include <tlhelp32.h>

#define FILENAME "WREX.EXE"

int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
HANDLE tok;
if ( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tok ) ) // settin' privilleges for WinNT
{
LUID luid;
TOKEN_PRIVILEGES tp;

LookupPrivilegeValue( NULL, SE_SHUTDOWN_NAME, &luid );
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luid;
AdjustTokenPrivileges( tok, FALSE, &tp, NULL, NULL, NULL );

LookupPrivilegeValue( NULL, SE_SECURITY_NAME, &luid );
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luid;
AdjustTokenPrivileges( tok, FALSE, &tp, NULL, NULL, NULL );

CloseHandle(tok);
}

DWORD dwProcID = 0;
PROCESSENTRY32 proc;
HANDLE hProcess;

HANDLE snap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, NULL ); // this part is irrelevant as it only finds the process in memory

proc.dwSize = sizeof(PROCESSENTRY32);

if ( Process32First( snap, &proc ) == FALSE )
{
return -1;
}
for ( int i=0; i<(int)strlen(proc.szExeFile); i++ )
{
if ( (proc.szExeFile[i]>='a') && (proc.szExeFile[i]<='z') )
proc.szExeFile[i]-=32;
}

if ( strstr(proc.szExeFile, FILENAME) != NULL )
{
hProcess = OpenProcess( PROCESS_ALL_ACCESS, NULL, proc.th32ProcessID );
dwProcID = proc.th32ProcessID;
}

while ( Process32Next( snap, &proc ) == TRUE )
{
for ( int i=0; i<(int)strlen(proc.szExeFile); i++ )
{
if ( (proc.szExeFile[i]>='a') && (proc.szExeFile[i]<='z') )
proc.szExeFile[i]-=32;
}
if ( strstr(proc.szExeFile, FILENAME) != NULL )
{
hProcess = OpenProcess( PROCESS_ALL_ACCESS, NULL, proc.th32ProcessID );
dwProcID = proc.th32ProcessID;
}
}

CloseHandle(snap);

if ( dwProcID == 0 )
return -1;

DEBUG_EVENT DBEvent;

if ( DebugActiveProcess(dwProcID) == TRUE )
{
while (1)
{
WaitForDebugEvent( &DBEvent, INFINITE );
if ( DBEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT )
break;
if ( DBEvent.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT ) // this is the only event my app receives
{
MessageBox(0,"Debugging started!","Ble",0);
}
else if ( DBEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT )
{
if ( DBEvent.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT )
{
ContinueDebugEvent( DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE );
continue;
}
ContinueDebugEvent( DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED );
}
}
}
else
{
MessageBox( 0, "Can't debug!", ":(", 0 );
CloseHandle(hProcess);
}

return 0;
}
Posted on 2004-04-17 06:19:20 by blackd0t
Did you have a look at Iczelion's debugging tutorials? http://win32assembly.online.fr/tut28.html and forward...
Posted on 2004-04-17 08:41:39 by f0dder
Yes, I did, they're great!

But Iczelion is only describing in detail the process of debugging a process right after it's opening and I want to debug a process that is already in memory with DebugActiveProcess.

When I call the function, though, the process freezes and there is nothing to do about it :(.
Posted on 2004-04-17 09:06:15 by blackd0t
Actually I found out that even this method with running an application in debug mode freezes the application. In that case it has to have something to do with VC++ because in ASM everything works fine.

If any of you have any idea what can be the cause of the problem please reply.
Posted on 2004-04-17 10:04:00 by blackd0t
IIRC you dont have to call OpenProcess.
Besides, the logic of your piece of code can be improved a lot.
Posted on 2004-04-17 10:10:22 by japheth
Oh yeah, sorry, I copypasted the process finding code from my other app. OpenProcess is not needed for sure.
Posted on 2004-04-17 10:22:07 by blackd0t
Please, can anyone check in VC++ if the following code works for them?
You'll have to pick an exe for debugging.
The idea is to check if the debugged application runs normally.



#include <windows.h>
#include <tlhelp32.h>

int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
HANDLE tok;
if ( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tok ) )
{
LUID luid;
TOKEN_PRIVILEGES tp;

LookupPrivilegeValue( NULL, SE_SHUTDOWN_NAME, &luid );
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luid;
AdjustTokenPrivileges( tok, FALSE, &tp, NULL, NULL, NULL );

LookupPrivilegeValue( NULL, SE_SECURITY_NAME, &luid );
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luid;
AdjustTokenPrivileges( tok, FALSE, &tp, NULL, NULL, NULL );

CloseHandle(tok);
}

OPENFILENAME ofn = {0};
char szName[MAX_PATH];
*szName = 0;
ofn.lStructSize = sizeof(OPENFILENAME);
ofn.hwndOwner = NULL;
ofn.lpstrFilter = NULL;
ofn.lpstrFilter = "Exe files (*.exe)\0*.exe\0All files (*.*)\0*.*\0";
ofn.lpstrCustomFilter = NULL;
ofn.nFilterIndex = 1;
ofn.lpstrFile = &szName[0];
ofn.nMaxFile = MAX_PATH;
ofn.lpstrInitialDir = NULL;
ofn.lpstrTitle = "Open Text File";
ofn.lpstrFileTitle = NULL;
ofn.lpstrDefExt = "EXE";
ofn.Flags = OFN_FILEMUSTEXIST | OFN_HIDEREADONLY | OFN_PATHMUSTEXIST | OFN_EXPLORER;

if ( GetOpenFileName(&ofn)!=TRUE )
{
MessageBox(0,"Error opening file!",":(",0);
return -1;
}

STARTUPINFO startinfo;
PROCESS_INFORMATION pi;

GetStartupInfo(&startinfo);
CreateProcess( szName, NULL, NULL, NULL, FALSE, DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS, NULL, NULL, &startinfo, &pi );

DEBUG_EVENT DBEvent;

while (1)
{
WaitForDebugEvent( &DBEvent, INFINITE );
if ( DBEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT )
break;
if ( DBEvent.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT )
{
MessageBox(0,"Debugging started!","Ble",0);
}
else if ( DBEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT )
{
if ( DBEvent.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT )
{
ContinueDebugEvent( DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE );
continue;
}
ContinueDebugEvent( DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED );
}
}
return 0;
}
Posted on 2004-04-17 13:47:32 by blackd0t
Ok, I somehow managed to make it work, but I don't know how :)
Posted on 2004-04-17 15:34:07 by blackd0t
it was the spirit of this forum
Posted on 2004-04-17 21:28:33 by comrade
Hi blackd0t !
Your code don't work, the debug process hanged.
I add a line: ContinueDebugEvent(DBEvent.dwProcessId, BEvent.dwThreadId, DBG_CONTINUE) at the end of while loop to allow debug process continue run. At the end, the app will run well.
Regards !
Posted on 2004-04-18 22:49:15 by TQN
Afternoon, blackd0t.

Please keep non-win32asm enquiries to The Heap, thank you.

Cheers,
Scronty
Posted on 2004-04-19 06:04:54 by Scronty