x64dbg / x64dbg

An open-source user mode debugger for Windows. Optimized for reverse engineering and malware analysis.
http://x64dbg.com

No "Attach Breakpoint" Event Option in snapshot_2020-11-12_05-12 #2528

Closed STaRDoGGCHaMP closed 3 years ago

STaRDoGGCHaMP commented 3 years ago

The option is still listed in the docs.

How can I attach with an attach breakpoint set?

mrexodia commented 3 years ago

No, that feature has been removed. The reason is that the breakpoint requires a thread to be created in the debuggee and this is a way to detect the debugger.

If you want to stop the execution for some reason, you can press the pause button. What is your use case for the attach breakpoint?

On Sat, 28 Nov 2020 at 16:29, STaRDoGG notifications@github.com wrote:


The option is still listed in the docs https://github.com/x64dbg/docs/blob/385f2aee6ed2e4a4f87d6be4097bbc923c386305/gui/settings/Events.md#attach-breakpoint .

How can I attach with an attach breakpoint set?


STaRDoGGCHaMP commented 3 years ago

What is your use case for the attach breakpoint?

I was reversing some malware that I could only attach to. Starting the malware with a debugger was not really possible without things getting too annoying. The malware was constantly running some anti-debugging logic loop that would terminate the process as soon as I was attached. I had to get lucky by pressing the pause button as fast as possible after attaching, which was a bit annoying. I then discovered the anti-debugging logic and removed it, but getting there took some time because of this issue. I guess with an attach breakpoint this would have been smoother? But I'm not that familiar with x64dbg nor am I a reversing expert, maybe I'm missing some obvious option.

rmi1974 commented 3 years ago

https://github.com/x64dbg/x64dbg/issues/2525 ("Snapshot 2020-11-12_05-12 broke debugging via attach-to-process in Wine ('safe attach' is now default, no longer configurable)") is related since Wine also relies on the standard method.

Wine follows the way the Windows debugging API implements process attaching:

debugger process:

  • DebugBreakProcess
  • DbgUiIssueRemoteBreakin -> sends APC to target process (APC_BREAK_PROCESS)

target process:

  • invoke_system_apc
  • APC_BREAK_PROCESS handler -> NtCreateThreadEx ( ... DbgUiRemoteBreakin)

remote debugger breakin "breakpoint" thread:

  • DbgUiRemoteBreakin
  • if (NtCurrentTeb()->Peb->BeingDebugged) call DbgBreakPoint()
  • breakpoint thread exit

But I guess there were too many DbgUiRemoteBreakin detection / bypass methods? ;-)

mrexodia commented 3 years ago

Unfortunately there are quite a few. You can hook a few functions in ntdll that will be executed whenever a new thread is created (so even if you allocate your own page with an int3 you are not safe). These could potentially be bypassed if you hijack the thread before creation, but it requires direct syscalls and is too much of a pain.

Additionally there are various weird bugs in ntoskrnl that allow you to detect a new thread being created without any way to bypass it, so the safest option is to not break at all.

ScyllaHide should have been fixed and the debugger can be hidden on time.
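The attach sequence rmi1974 lists and the observability problem mrexodia describes can be seen from the debugger side with a small ctypes script. This is an added example for the thread, not x64dbg or TitanEngine code. It attaches either through kernel32!DebugActiveProcess, which calls ntdll!DbgUiIssueRemoteBreakin and so produces the DbgUiRemoteBreakin thread, or through ntdll!NtDebugActiveProcess on the calling thread's own debug object, which creates no thread in the target (that this is the essence of "safe attach" is an assumption here, not taken from x64dbg's source). It then logs the debug events and picks out any thread whose first event after creation is a breakpoint exception, which is the create -> DbgBreakPoint -> exit pattern of the break-in thread. The DEBUG_EVENT layout is reduced to the header plus the exception member; the constructed sample log stands in for a real session when run off Windows.

```python
"""Attach with or without the DbgUiRemoteBreakin break-in thread and inspect
the debug events.  Added example; not x64dbg or TitanEngine code.  The Windows
calls need Windows, the event analysis is plain Python."""
import ctypes
import os
import sys

# Debug event codes and status values from the Windows SDK (winbase.h, ntstatus.h).
EXCEPTION_DEBUG_EVENT = 1
CREATE_THREAD_DEBUG_EVENT = 2
CREATE_PROCESS_DEBUG_EVENT = 3
EXIT_THREAD_DEBUG_EVENT = 4
EXIT_PROCESS_DEBUG_EVENT = 5
LOAD_DLL_DEBUG_EVENT = 6
EXCEPTION_BREAKPOINT = 0x80000003
DBG_CONTINUE = 0x00010002
DBG_EXCEPTION_NOT_HANDLED = 0x80010001
PROCESS_ALL_ACCESS = 0x001FFFFF
ERROR_SEM_TIMEOUT = 121


class EXCEPTION_RECORD(ctypes.Structure):
    _fields_ = [("ExceptionCode", ctypes.c_uint32), ("ExceptionFlags", ctypes.c_uint32),
                ("ExceptionRecord", ctypes.c_void_p), ("ExceptionAddress", ctypes.c_void_p),
                ("NumberParameters", ctypes.c_uint32),
                ("ExceptionInformation", ctypes.c_size_t * 15)]


class EXCEPTION_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("ExceptionRecord", EXCEPTION_RECORD), ("dwFirstChance", ctypes.c_uint32)]


class _DEBUG_EVENT_UNION(ctypes.Union):
    # Only the exception member is decoded; it is the largest member, so 'raw'
    # just reserves the same size (DEBUG_EVENT is 176 bytes on x64, 96 on x86).
    _fields_ = [("Exception", EXCEPTION_DEBUG_INFO),
                ("raw", ctypes.c_ubyte * ctypes.sizeof(EXCEPTION_DEBUG_INFO))]


class DEBUG_EVENT(ctypes.Structure):
    _fields_ = [("dwDebugEventCode", ctypes.c_uint32), ("dwProcessId", ctypes.c_uint32),
                ("dwThreadId", ctypes.c_uint32), ("u", _DEBUG_EVENT_UNION)]


def debug_event_size():
    """sizeof(DEBUG_EVENT) as laid out above (176 on x64, 96 on x86)."""
    return ctypes.sizeof(DEBUG_EVENT)


def _win_api():
    if os.name != "nt":
        raise RuntimeError("the Windows debugging API is required for this part")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    nt = ctypes.WinDLL("ntdll")
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.WaitForDebugEvent.argtypes = [ctypes.POINTER(DEBUG_EVENT), ctypes.c_uint32]
    nt.DbgUiConnectToDbg.restype = ctypes.c_uint32
    nt.DbgUiGetThreadDebugObject.restype = ctypes.c_void_p
    nt.NtDebugActiveProcess.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    nt.NtDebugActiveProcess.restype = ctypes.c_uint32
    return k32, nt


def attach(pid, break_in):
    """Make the calling thread the debugger of `pid`.

    break_in=True: kernel32!DebugActiveProcess, which calls DbgUiIssueRemoteBreakin
    and so creates the DbgUiRemoteBreakin thread in the target.
    break_in=False: ntdll!NtDebugActiveProcess on this thread's debug object; no
    thread is created in the target (assumed to be what 'safe attach' means)."""
    k32, nt = _win_api()
    if break_in:
        if not k32.DebugActiveProcess(pid):
            raise ctypes.WinError(ctypes.get_last_error())
        return
    hproc = k32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    if not hproc:
        raise ctypes.WinError(ctypes.get_last_error())
    status = nt.DbgUiConnectToDbg()  # creates this thread's debug object
    if status & 0x80000000:
        raise OSError(f"DbgUiConnectToDbg failed: NTSTATUS {status:#010x}")
    status = nt.NtDebugActiveProcess(hproc, nt.DbgUiGetThreadDebugObject())
    if status & 0x80000000:
        raise OSError(f"NtDebugActiveProcess failed: NTSTATUS {status:#010x}")
    k32.CloseHandle(hproc)  # the debug object holds its own reference


def record_events(pid, idle_timeout_ms=1000, max_events=500):
    """Pump debug events until the target exits or nothing arrives for
    idle_timeout_ms, then detach.  Returns [(event_code, thread_id, exc_code|None)]."""
    k32, _ = _win_api()
    ev, log = DEBUG_EVENT(), []
    while len(log) < max_events:
        if not k32.WaitForDebugEvent(ctypes.byref(ev), idle_timeout_ms):
            if ctypes.get_last_error() == ERROR_SEM_TIMEOUT:
                break
            raise ctypes.WinError(ctypes.get_last_error())
        code = ev.dwDebugEventCode
        exc = ev.u.Exception.ExceptionRecord.ExceptionCode if code == EXCEPTION_DEBUG_EVENT else None
        log.append((code, ev.dwThreadId, exc))
        # Breakpoints are treated as the debugger's own; anything else goes to the target.
        status = DBG_CONTINUE if exc in (None, EXCEPTION_BREAKPOINT) else DBG_EXCEPTION_NOT_HANDLED
        k32.ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status)
        if code == EXIT_PROCESS_DEBUG_EVENT:
            break
    k32.DebugActiveProcessStop(pid)
    return log


def find_breakin_threads(events):
    """Thread ids whose first event after CREATE_THREAD is a breakpoint exception:
    the pattern of the DbgUiRemoteBreakin thread (created, DbgBreakPoint, exit).
    What the debugger sees here as a new thread, the debuggee can notice too."""
    first_after_create = {}
    for code, tid, exc in events:
        if code == CREATE_THREAD_DEBUG_EVENT:
            first_after_create[tid] = None  # waiting for this thread's next event
        elif first_after_create.get(tid, 0) is None:
            first_after_create[tid] = (code, exc)
    return [tid for tid, nxt in first_after_create.items()
            if nxt == (EXCEPTION_DEBUG_EVENT, EXCEPTION_BREAKPOINT)]


# Constructed sample of what a break-in attach typically produces (not a capture).
SAMPLE_BREAKIN_LOG = [
    (CREATE_PROCESS_DEBUG_EVENT, 1000, None),            # attach replay: main thread
    (CREATE_THREAD_DEBUG_EVENT, 1004, None),             # attach replay: existing worker
    (LOAD_DLL_DEBUG_EVENT, 1000, None),                  # attach replay: a module
    (CREATE_THREAD_DEBUG_EVENT, 1340, None),             # DbgUiRemoteBreakin thread appears
    (EXCEPTION_DEBUG_EVENT, 1340, EXCEPTION_BREAKPOINT),  # its DbgBreakPoint()
    (EXIT_THREAD_DEBUG_EVENT, 1340, None),               # and it exits
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: attach_events.py <pid> breakin|safe
        target = int(sys.argv[1])
        attach(target, break_in=sys.argv[2] == "breakin")
        log = record_events(target)
    else:
        log = SAMPLE_BREAKIN_LOG  # offline demo on the constructed log
    for entry in log:
        print(entry)
    print("threads whose first event is a breakpoint:", find_breakin_threads(log))
```

Running it twice against the same harmless test process, once with `breakin` and once with `safe`, shows the extra CREATE_THREAD plus breakpoint pair only in the first run. That pair is the thread-creation event the ntdll hooks mentioned above fire on, which is why attaching without a break-in thread and then pressing pause is the quieter option.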