olldbg原理分析~载入程序

od载入程序时又两种方式，第一种方式是 打开，第二种方式是 附加。

关于 打开，实际上是利用了CreateProcess创建一个用以调试的新进程，ollydbg接受到目标进程发生的调试事件。

用od分析od，为验证我们的猜想，直接在createprocess函数上下断，运行分析，发现函数中断如下图

分析函数，createprocess

BOOL CreateProcess(   LPCWSTR pszImageName,   LPCWSTR pszCmdLine,   LPSECURITY_ATTRIBUTES psaProcess,   LPSECURITY_ATTRIBUTES psaThread,   BOOL fInheritHandles,   DWORD fdwCreate,   LPVOID pvEnvironment,   LPWSTR pszCurDir,   LPSTARTUPINFOW psiStartInfo,   LPPROCESS_INFORMATION pProcInfo); 

参数从右往左进栈，其他参数省略不讲，主要看 DWORD fdwCreate这个参数，msdn中这样讲到：

ValueDescriptionCREATE_DEFAULT_ERROR_MODENot supported.CREATE_NEW_CONSOLEThe new process has a new console, instead of inheriting the parent's console.CREATE_NEW_PROCESS_GROUPNot supported.CREATE_SEPARATE_WOW_VDMNot supported.CREATE_SHARED_WOW_VDMNot supported.CREATE_SUSPENDEDThe primary thread of the new process is created in a suspended state, and does not run until theResumeThread function is called.CREATE_UNICODE_ENVIRONMENTNot supported.DEBUG_PROCESSIf this flag is set, the calling process is treated as a debugger, and the new process is a process being debugged. Child processes of the new process are also debugged.

The system notifies the debugger of all debug events that occur in the process being debugged.

If you create a process with this flag set, only the calling thread (the thread that calledCreateProcess) can call the WaitForDebugEvent function.

DEBUG_ONLY_THIS_PROCESSIf this flag is set, the calling process is treated as a debugger, and the new process is a process being debugged. No child processes of the new process are debugged.

The system notifies the debugger of all debug events that occur in the process being debugged.

DETACHED_PROCESSNot supported.INHERIT_CALLER_PRIORITYIf this flag is set, the new process inherits the priority of the creator process.

查看堆栈中发现如下：

真相大白！调试进程，不继承进程错误模式，无任务调度需求！

关于第二种附加的方式，稍微复杂一些，是利用DebugActiveProcess函数将调试器捆绑到一个正在运行的进程上：

同样的下断，附加记事本，得到验证：

随后是判断附加有无成功的代码段。

写的很浅显，觉得学习逆向不光是只是学习如何去逆向别的软件，更应该了解自己手中的工具，这样才能更好的去利用它去进化它。

未完待续哈哈……