0

When I start the program by just double-clicking the .exe, it has a certain behavior. This behavior differs when I start the program from the launcher provided. I'd like to figure out how to get the same behavior from the program without using the launcher. I tried to trace in x64dbg but I just got nonsense where it was the same instruction over and over again.

Thanks.

4
  • 1
    I would first start with some high level overview of the executions using tools like Process Monitor to see if the traces are different and at what point. Commented Dec 29, 2019 at 20:58
  • Consider using a tool like intel PIN Commented Dec 30, 2019 at 6:33
  • I did use process explorer. I mostly figured out how to use trace in x64dbg. Is there any way I can record information such as which jumps I took during a particular execution? Commented Dec 31, 2019 at 8:44
  • I’ll try intel pin. That seems promising. Commented Dec 31, 2019 at 8:59

2 Answers

1

It might be useful to check the command line that was used to start the program. Open the Details tab of Task Manager and right click on any column (Name/PID/status). Then choose "Select columns" and in the new window scroll down and check the "Command line" box (below the I/O ones).

2
  • While this doesn't answer the question in the headline, it does solve the problem as it is stated in a much more efficient way than tracing the flow :) Commented Dec 31, 2019 at 1:27
  • There is no difference in the command line. The program detects whether the launcher is running and behaves differently if it is. Commented Dec 31, 2019 at 7:24
0

Your program may be using certain tricks like using the exception handler vector in order to misguide the execution of your program when launched by a debugger.

Be sure to use a non-invasive debugger which also does not register itself as a debugger. I think that natively x64dbg requires a plugin for this job, but usually I resort to OllyDbg.

When you manage to defeat the debugging protection, you should be able to trace both executions.

Bonus: it happened a few times that the victim program walked the process chain (the one you see in Sysinternals Process Explorer) in order to guess who was calling whom, the other processes in execution and their PE attributes.
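As an added example (not part of the question or of either answer), the following PowerShell script gathers in one place what the two answers suggest checking by hand: the command line each running instance was started with (the Task Manager "Command line" column from the first answer) and the parent-process chain that Process Explorer shows as a tree (the process walk mentioned in the second answer). Both values come from the Win32_Process CIM class. Run it once after double-clicking the .exe and once after starting through the launcher, then compare the two outputs. The process name target.exe is a placeholder, and the script assumes the target is still running when it is executed.

```powershell
# Added example: compare how a process was started by reading its command line
# and walking its parent chain. 'target.exe' is a placeholder process name.
param(
    [string]$ProcessName = 'target.exe'
)

# Win32_Process exposes CommandLine and ParentProcessId, the same data that
# Task Manager's "Command line" column and Process Explorer's tree are built from.
$all = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    param([int]$ProcessId)
    $chain = @()
    $seen = @{}
    $current = $byPid[$ProcessId]
    while ($null -ne $current -and -not $seen.ContainsKey([int]$current.ProcessId)) {
        $seen[[int]$current.ProcessId] = $true
        $chain += $current
        # ParentProcessId may point at a PID that has exited and been reused, so a
        # "parent" created after its child is a stale link rather than the real parent.
        $parent = $byPid[[int]$current.ParentProcessId]
        if ($null -ne $parent -and $parent.CreationDate -gt $current.CreationDate) { break }
        $current = $parent
    }
    return $chain
}

$targets = $all | Where-Object { $_.Name -ieq $ProcessName }
if (-not $targets) {
    Write-Host "No running process named $ProcessName"
    exit 1
}

foreach ($t in $targets) {
    Write-Host "=== $($t.Name) (PID $($t.ProcessId)) ==="
    Write-Host "Command line : $($t.CommandLine)"
    Write-Host "Parent chain :"
    $depth = 0
    foreach ($node in Get-ParentChain -ProcessId $t.ProcessId) {
        Write-Host ("{0}{1} (PID {2}) {3}" -f ('  ' * $depth), $node.Name, $node.ProcessId, $node.ExecutablePath)
        $depth++
    }
}
```

If the two runs show identical command lines but different parent chains (for example the launcher sitting directly above the target in one run and explorer.exe in the other), that is the kind of difference a process-chain walk in the target would pick up; if the chains are also identical, the distinguishing check is elsewhere, such as the program looking for the launcher by name among all running processes.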
