I am trying to attach a debugger (WinDbg, OllyDbg) to a running process, but there's an error saying a debugger is already attached. How can I detach that unknown debugger from the process?
The process includes multiple threads; one thread can be attached to a debugger and the others can't.
0 votes
1 Answer
3 votes
The process might be spawning a second process which attaches to the first process for debugging using DebugActiveProcess() in order to prevent people from debugging the first process. Keep in mind that a process cannot debug itself using this method, so a second process must be spawned to do this.
Things you could try:
- Use any sort of process monitor or even Task Manager to figure out what process the first process spawns.
- Inject code into the second process to call DebugActiveProcessStop() to detach it from the first process.
- Hook DebugActiveProcess() (kernel32.DebugActiveProcess, ntdll.ZwDebugActiveProcess, or in kernel mode) and redirect it to attach to a different dummy process.
- Kill the second process.
- Prevent the second process from getting a handle to the first process with the needed permissions; DebugActiveProcess() will then fail.
- Use alternative debugging methods (Cheat Engine with VEH debugging, for example) that don't use the normal debugging APIs and therefore bypass this problem.