1 00:00:01,020 --> 00:00:05,820 In the previous video, we have seen how to detect if the process is attached to a debugger or not.
2 00:00:06,030 --> 00:00:11,770 In this video we'll be seeing the debugger is present, will be detaching from the process.
3 00:00:12,270 --> 00:00:18,150 We can use the function NtRemoveProcessDebug and it is in ntdll.
4 00:00:20,540 --> 00:00:24,540 And the first parameter is the process handle and the second parameter is the debug object.
5 00:00:25,340 --> 00:00:31,310 So we already get in the process and so we need to get this debug object handle.
6 00:00:31,380 --> 00:00:32,750 So you're going to get these.
7 00:00:36,440 --> 00:00:45,080 By passing the process, people can do the process, decode information process.
8 00:00:47,680 --> 00:00:52,900 So in the previous video we have passed the process basic information.
9 00:00:53,110 --> 00:00:58,870 And you should know that we will be passing this direct one that is that people tend to.
10 00:01:00,140 --> 00:01:06,230 And there is some slight difference in the signature of the function; we need to pass by reference.
11 00:01:07,070 --> 00:01:13,640 So you need to copy this and paste this and change this one by reference.
12 00:01:13,940 --> 00:01:16,010 So this is like function already.
13 00:01:16,850 --> 00:01:19,310 Same function and different parameters.
14 00:01:23,020 --> 00:01:31,930 So no, I it is a normal previous program that's going to run this one and we can see that this president
15 00:01:32,920 --> 00:01:40,450 now we are going to get the debugger object handle, so this will be stored in debug handle is equal
16 00:01:40,600 --> 00:01:43,450 to IntPtr.Zero.
17 00:01:46,100 --> 00:01:50,750 Now we need to get the handle using the NtQueryInformationProcess.
18 00:01:51,290 --> 00:01:56,540 So the first one is the process handle; we will be passing the current process.
19 00:01:56,720 --> 00:02:02,210 And you can also open the handle for the process using the body.
20 00:02:02,720 --> 00:02:03,980 You can pass that as well.
21 00:02:04,220 --> 00:02:07,990 And second parameter is the direct money.
22 00:02:08,030 --> 00:02:19,250 That is the representation of that enum positive object, kind of constant and third parameter use.
23 00:02:21,310 --> 00:02:24,670 Debugger and reference debugger handle.
24 00:02:25,000 --> 00:02:28,180 And the fourth parameter is the length.
25 00:02:28,330 --> 00:02:36,310 So that will be the eight depending upon architectural file type or the process.
26 00:02:37,840 --> 00:02:39,490 I am comparing this first 60.
27 00:02:39,640 --> 00:02:40,660 We saw the.
28 00:02:42,760 --> 00:02:43,990 Addresses will be a.
29 00:02:48,480 --> 00:02:50,370 And the last one is the.
30 00:02:54,740 --> 00:02:55,820 Equals to zero.
31 00:03:00,520 --> 00:03:02,350 And with passing reference out.
32 00:03:08,100 --> 00:03:10,820 And we are going to print this debug handle.
33 00:03:25,360 --> 00:03:27,100 And we can see we are the people.
34 00:03:28,270 --> 00:03:33,340 And now we are calling this function and be more brothers.
35 00:03:34,000 --> 00:03:38,320 I have already written the signature is just simple blue handles.
36 00:03:40,860 --> 00:03:50,370 Now pass this process and it and second one is our debug handle and it's a result.
37 00:03:55,910 --> 00:03:58,700 So this would return zero if successful.
38 00:03:58,880 --> 00:04:01,310 So that's 33 questions equals zero.
39 00:04:05,770 --> 00:04:06,670 That means.
40 00:04:09,910 --> 00:04:11,000 Successfully.
41 00:04:11,200 --> 00:04:12,760 That should be good.
42 00:04:14,080 --> 00:04:16,300 And now we can query.
43 00:04:16,300 --> 00:04:18,070 This is the present.
44 00:04:21,060 --> 00:04:22,380 So let's go and run this one.
45 00:04:23,100 --> 00:04:25,020 And here you can see we get the false.
46 00:04:25,290 --> 00:04:31,290 At first we got the debugger is present because we are running in the debugger and that were running
47 00:04:31,290 --> 00:04:31,980 this process.
48 00:04:32,580 --> 00:04:40,980 And after getting the handle we called this and debug and after the functional decoded the process became
49 00:04:40,980 --> 00:04:42,960 independent and.
50 00:04:44,560 --> 00:04:48,460 We can see the forest value is deeper in forests.
51 00:04:49,580 --> 00:04:54,920 Now we can also see here we can put into some lines.
52 00:04:57,260 --> 00:04:58,220 It's being one.
53 00:05:03,810 --> 00:05:06,000 And down rent testing boot.
54 00:05:09,150 --> 00:05:10,680 So what I'm going to do is.
55 00:05:10,680 --> 00:05:11,880 I'm going to.
56 00:05:15,470 --> 00:05:16,220 Sample one.
57 00:05:16,400 --> 00:05:18,560 I'm going to put the breakpoint at this one.
58 00:05:28,600 --> 00:05:31,300 So I am putting the breakpoint at this one.
59 00:05:33,120 --> 00:05:35,100 So let's go on this one.
60 00:05:36,510 --> 00:05:39,300 And here we can see we did not put into this report.
61 00:05:39,750 --> 00:05:43,490 So let's go and step into this and we can see that we will handle.
62 00:05:44,400 --> 00:05:49,770 Now we are going to remove this detached from this process.
63 00:05:50,460 --> 00:05:55,980 That means whenever this function was executed, the process continues execution.
64 00:05:56,760 --> 00:05:58,990 Because it is it became independent, original.
65 00:05:59,370 --> 00:06:05,610 Now, if I go and step in boot, now I can see the print statements and sample one and success.
66 00:06:07,110 --> 00:06:09,200 And remaining print statements.
67 00:06:09,420 --> 00:06:10,920 So that's going to win, too.
68 00:06:11,880 --> 00:06:18,900 And now we can see the print statements have been executed, even though we have stopped only once
69 00:06:20,550 --> 00:06:22,650 because the process became independent.
70 00:06:23,520 --> 00:06:26,520 So we successfully detached the debugger from the process.
71 00:06:27,210 --> 00:06:31,180 So whenever you go and click on Stop, this will go in Internet routing.
72 00:06:31,380 --> 00:06:33,520 So you need to close this process.
73 00:06:33,540 --> 00:06:35,370 So the exit code will be zero.
74 00:06:35,700 --> 00:06:39,810 And then our research area becomes normal.
75 00:06:40,590 --> 00:06:45,840 So this is how you detach the debugger from the process using the NtRemoveProcessDebug function.