Reputation: 31
I'm trying to identify a bug in a program (32-bit) which could probably lead to code execution. So far I debugged the application with ollydbg and ran my exploit code. Then ollydbg gives me an exception.
Why does my shellcode get executed when I step to the next instruction and otherwise not? What's then the normal case when I run my application without a debugger?
Thanks a lot!
Upvotes: 3
Views: 2595
Reputation: 8166
When an exception is raised in a thread the system will first check if a debugger is attached.
If a debugger is attached the exception is reported to the debugger (and not to the faulting process or thread). In ollydbg (and most debuggers) you then have the choice to do something with that exception.
The 1st one is to pass that exception to the faulting thread (CTRL+F9) in ollydbg.
The system will look at the EXCEPTION_REGISTRATION_RECORD for the current thread and walk the list of EXCEPTION_REGISTRATION structures (each of these structures has an exception handler), checking if a handler can handle the exception.
If a handler can handle the exception, the stack is unwound (to a certain point) and the thread might continue its life.
If no handler can handle the exception, the final handler is called and the program crashes (the system will then usually display a dialog box informing the user that the process crashed).
This is exactly the same behavior in the case no debugger is attached.
Thus, in your case, passing the exception to the debugger will probably unwind the stack, and the thread will continue its execution after the location of the exception (or simply crash the whole application if the exception couldn't be handled).
The second option - when a debugger is attached - is to not pass the exception to the faulting thread (using one of the step [into | over] / run buttons). In this case the system will not search for any handler and the thread will either simply rethrow the exception (if it can't pass over it) or continue execution like nothing happened (if the debugger knows how to handle it).
You should check which type (most probably one of: Access violation in read / write ; breakpoint exception) of exception is raised and correct the problem (see at the bottom of the ollydbg window, it will tell you which kind of exception has been raised) if you want to execute your shellcode without problem.
Upvotes: 2
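A small Python model of the dispatch order the answer above describes (first chance reported to the debugger, then the walk of the SEH chain if the exception is passed to the thread, then the final handler), added here as an illustration and not part of the original answer. The frame numbers, handler names and disposition strings are constructed for the model; it mimics the decision sequence, not the real kernel code.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Handler dispositions, named after the real EXCEPTION_DISPOSITION values (constructed strings).
CONTINUE_SEARCH = "ExceptionContinueSearch"        # not mine, try the next record on the chain
EXECUTE_HANDLER = "ExceptionExecuteHandler"        # mine: unwind to my frame and run the handler body
CONTINUE_EXECUTION = "ExceptionContinueExecution"  # fault repaired in place, retry the instruction


@dataclass
class ExceptionRegistration:
    """One EXCEPTION_REGISTRATION record on the FS:[0] chain (frame = stack depth, an assumption)."""
    frame: int
    handler: Callable[[str], str]


@dataclass
class Thread:
    stack_depth: int
    seh_chain: List[ExceptionRegistration]  # innermost registration first, like the linked list


def dispatch(thread: Thread, exc_code: str,
             debugger_attached: bool, debugger_passes: bool) -> Tuple[str, List[str]]:
    """Return (outcome, trace) for one raised exception, in the order the answer describes."""
    trace: List[str] = []
    if debugger_attached:
        trace.append(f"first chance: {exc_code} reported to the debugger, not to the thread")
        if not debugger_passes:
            # Stepping/running without passing: no handler search at all.
            trace.append("debugger swallowed the exception; SEH chain not walked")
            return "swallowed-by-debugger", trace
        trace.append("debugger passed the exception on to the faulting thread")
    # With no debugger, or after passing, the same chain walk happens from the innermost record outward.
    for rec in thread.seh_chain:
        disposition = rec.handler(exc_code)
        trace.append(f"handler at frame {rec.frame} -> {disposition}")
        if disposition == CONTINUE_EXECUTION:
            return f"retry-at-frame-{thread.stack_depth}", trace
        if disposition == EXECUTE_HANDLER:
            trace.append(f"unwinding stack from depth {thread.stack_depth} to frame {rec.frame}")
            thread.stack_depth = rec.frame
            return f"handled-at-frame-{rec.frame}", trace
    trace.append("no handler accepted it: final handler runs and the process crashes")
    return "crash", trace


def av_only_handler(exc_code: str) -> str:
    """Constructed __except-style handler that only takes access violations."""
    return EXECUTE_HANDLER if exc_code == "ACCESS_VIOLATION" else CONTINUE_SEARCH


def build_thread() -> Thread:
    # Constructed sample: three frames deep, one handler registered by frame 2.
    return Thread(stack_depth=3, seh_chain=[ExceptionRegistration(frame=2, handler=av_only_handler)])
```

Running `dispatch` with and without `debugger_attached` on the same thread shows that "no debugger" and "debugger passes the exception" take the identical path, while stepping over the fault never reaches a handler.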