March 10, 2014

On-the-fly Switching Between Debuggers

Sometimes it's useful to switch between debuggers without restarting the target application, for example when you want to use a capability that the current debugger doesn't have. Here is how to do it using the well-known EB FE trick.
  • Instruct the debugger to break in, and memorize the two bytes at EIP.
  • Replace the two bytes at EIP with EB FE, a short jump to itself (JMP EIP).
  • Detach the debugger leaving the application in an endless loop.
  • Attach the other debugger to the running process.
  • Locate the thread of the endless loop by switching between threads, and when found, restore the two bytes you memorized.
  • Carry on with the debugging using the other debugger.
Note: the patched thread could interfere with a watchdog thread, if any; however, I haven't experienced it yet.
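The steps above can be modelled on a plain byte buffer. The following is an added example, not code from the original post: the buffer, the thread list and all function names are constructed for illustration, and a real debugger would perform the same reads and writes through its own memory-edit commands.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: `mem` stands in for the target's code bytes and every
   ip is an offset into it. All names are hypothetical, not a debugger API. */
typedef struct { size_t ip; uint8_t saved[2]; } park_t;
static const uint8_t SPIN[2] = { 0xEB, 0xFE };   /* JMP rel8, disp8 = -2 */

/* A short jump lands at (address of next instruction) + signed disp8. */
size_t short_jmp_target(const uint8_t *mem, size_t ip) {
    return (size_t)((ptrdiff_t)ip + 2 + (int8_t)mem[ip + 1]);
}

/* Steps 1-2: memorize the two bytes at ip, then overwrite them with EB FE. */
int park(uint8_t *mem, size_t len, size_t ip, park_t *p) {
    if (ip + 2 > len) return -1;
    p->ip = ip;
    memcpy(p->saved, mem + ip, 2);
    memcpy(mem + ip, SPIN, 2);
    return 0;
}

/* Step 5, first half: of the thread instruction pointers the second debugger
   shows, return the index of the one sitting on EB FE, or -1. */
int find_parked(const uint8_t *mem, size_t len, const size_t *ips, int n) {
    for (int i = 0; i < n; i++)
        if (ips[i] + 2 <= len && memcmp(mem + ips[i], SPIN, 2) == 0) return i;
    return -1;
}

/* Step 5, second half: restore the bytes; refuse if the loop is not there. */
int unpark(uint8_t *mem, size_t len, const park_t *p) {
    if (p->ip + 2 > len || memcmp(mem + p->ip, SPIN, 2) != 0) return -1;
    memcpy(mem + p->ip, p->saved, 2);
    return 0;
}

/* Whole sequence on constructed bytes; returns the parked thread's index. */
int switch_demo(void) {
    uint8_t code[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x90, 0x90, 0xC3 };
    size_t ips[] = { 0, 3, 6 };          /* three threads; thread 1 is at EIP */
    park_t p;
    if (park(code, sizeof code, 3, &p) != 0) return -1;
    if (short_jmp_target(code, 3) != 3) return -1;   /* it jumps to itself */
    int t = find_parked(code, sizeof code, ips, 3);
    if (unpark(code, sizeof code, &p) != 0) return -1;
    return (code[3] == 0x83 && code[4] == 0xEC) ? t : -1;
}
```

The two saved bytes need not line up with a whole instruction; restoring them before resuming puts the original instruction stream back either way.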
  This blog is written and maintained by Attila Suszter.