Книга: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

Назад: 9. OllyDbg

Дальше: The OllyDbg Interface

. If the program you are debugging requires arguments, specify them in the Arguments field of the Open dialog. (During loading is the only time you can pass command-line arguments to OllyDbg.)
, we discuss how TLS callbacks can be used for anti-debugging and how to protect yourself from them.

Attaching to a Running Process

In addition to opening an executable directly, you can attach OllyDbg to a running process. You’ll find this feature useful when you want to debug running malware.

To attach OllyDbg to a process, select File ▶ Attach. This will bring up a menu in which you can select the process to which you want to attach. (You’ll need to know the process ID if there is more than one process with the same name.) Next, select the process and choose Attach from the menu. OllyDbg should break in and pause the program and all threads.

Once you are attached with OllyDbg, the current executing thread’s code will be paused and displayed on your screen. However, you might have paused while it was executing an instruction from within a system DLL. You don’t want to debug Windows libraries, so when this happens, the easiest way to get to the main code is to set a breakpoint on access to the entire code section. This will cause the program to break execution the next time the code section is accessed. We will explain setting breakpoints like these later in this chapter.

Назад: 9. OllyDbg

Дальше: The OllyDbg Interface