Attach to hidden process


Author: David Zimmer
Date: 10.05.10 - 5:06pm



There is probably a way to do this with an Olly plugin, but here is a native way. If you have a process that hides itself (I am assuming a userland rootkit in this case), you can use OllyDbg's "just in time debugging" command line support to attach to it even though it is not visible in the process list.

First you have to get its PID, though. I used my gdiprocs tool from the Malcode Analyst Pack. Then go to a command line and run:

ollydbg -AEDEBUG [decimal pid] 1

Note that this even works for a process created in a suspended state that is being injected into. In that state Olly will not show it in the Attach menu, but you can attach to it with this technique.
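The two steps above (find the hidden PID, then attach with the JIT command line) as an added example that is not part of the original post and not the author's gdiprocs tool: instead of the GDI handle table, it gets a second view of the PID space by probing OpenProcess and diffs that against the normal enumeration a usermode hook would tamper with. Function names are hypothetical; the probing half needs Windows, and a rootkit that also hooks OpenProcess in your shell would evade it, which is why the post's gdiprocs approach is a useful independent vantage point.

```python
"""Added example (not the author's gdiprocs tool): find PIDs that a
user-mode hook hides from the normal process list, then build the
OllyDbg command line from the post. Windows-only where it touches ctypes."""
import ctypes
import sys

PROCESS_QUERY_INFORMATION = 0x0400
ERROR_ACCESS_DENIED = 5          # process exists, we just may not open it


def olly_attach_cmd(pid, olly="ollydbg.exe"):
    """Argument vector for the post's command: ollydbg -AEDEBUG <decimal pid> 1"""
    if not isinstance(pid, int) or pid <= 0:
        raise ValueError("pid must be a positive integer")
    return [olly, "-AEDEBUG", str(pid), "1"]


def hidden_pids(listed, probed):
    """PIDs that demonstrably exist (probed) but are missing from the list."""
    return sorted(set(probed) - set(listed))


def enumerate_pids():
    """What Task Manager / Olly's attach list see: EnumProcesses, which sits
    on NtQuerySystemInformation, the API a user-mode rootkit usually hooks."""
    psapi = ctypes.WinDLL("psapi")
    arr = (ctypes.c_uint32 * 4096)()          # constructed fixed-size buffer
    needed = ctypes.c_uint32()
    if not psapi.EnumProcesses(arr, ctypes.sizeof(arr), ctypes.byref(needed)):
        raise ctypes.WinError()
    return list(arr[: needed.value // 4])


def probe_pids(max_pid=1 << 16):
    """Second vantage point: try OpenProcess on every candidate PID.
    Windows PIDs are multiples of 4; access-denied still proves existence."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    found = []
    for pid in range(4, max_pid, 4):
        h = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
        if h:
            k32.CloseHandle(h)
            found.append(pid)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            found.append(pid)
    return found


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the probing half needs Windows")
    for pid in hidden_pids(enumerate_pids(), probe_pids()):
        print(pid, "->", " ".join(olly_attach_cmd(pid)))
```

A process that exits between the probe and the enumeration shows up as a false positive, so re-run once before trusting a hit.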
