Tuts 4 You

2.xx Plugins

84 files

  1. OllyPath2

    When using OllyDbg as a portable version (e.g. on a USB stick) there are always problems with the UDD/Plugin path not being set correctly.
    The features:
    - DLL, which sets Plugins, UDD and win32.hlp paths automatically
    - Dummy export so it's easy to add the DLL to your olly mod
    - Open source
    Attached is DLL + Source, I hope it's useful for somebody. Feel free to modify to your needs, just credit where you think it's needed.
    P.S. To add the DLL to your mod: Use CFF Explorer to add the import "dummy" (which does nothing) to ollydbg.exe; this will execute the DllMain function (which can be considered illegal) and set the paths in the INI file.
    OllyPath2.dll must be in the same directory as ollydbg.exe.

    65 downloads

    2 comments

    Submitted

  2. ZsHBPBar

    An OllyDbg hardware breakpoint bar, something similar to that in LCF-AT's version of OllyDbg.

    40 downloads

    0 comments

    Updated

  3. WinMax

    This is a simple plugin for OllyDbg2 to keep the windows maximized. The plugin support is still in alpha so I have not converted the whole PDK yet, but full Delphi source is included.

    22 downloads

    0 comments

    Submitted

  4. WeakOD

    Hello guys, I have written a plugin named WeakOD to help debugging with OllyDBG 2.01h.
    - Auto clears debugger bit in PEB on new process creation.
    - Allocate some memory to do small fixes for debuggee.
    - Inject DLL, so you can inject a DLL into debuggee, to help changing debuggee's behavior.
    - Break on DLL, stops on DLL entry point, so you can analyse it, or find out why it's loaded.

    40 downloads

    0 comments

    Submitted

  5. SystemTray

    This simple plugin allows the main Olly2 window to be minimised and hidden, as well as restored from an icon in your system tray.

    24 downloads

    0 comments

    Submitted

  6. SigCreator

    SigCreator is a reproduction of "SigMaker 0.4" for the new OllyDbg version 2.xx.

    SigCreator generates you all needed information for using the selected signature in your code. Furthermore it will give you a list of all occurrences of the signature in the current module.

    Result:
    - Sig start // Start-address of signature occurrence
    - Sig end // End-address of signature (both addresses are inclusive) // sizeOfSig = sigEnd - sigStart + 1
    - Modulebase // Base address of the module
    - Offset // Offset from base address to the signature
    - Signature // Signature in code design
    - Mask // Mask of signature in SigMaker-Style
    Functions:

    * Scan code for selected signature
    Shows you all occurrences of the selected signature.

    * Get unique signature
    Gives you a unique signature next to the selected address.

    Note: SigCreator menu will only appear in the disassembler menu.
    Note: You can copy the results by shortcut "Ctrl+C" or by popup menu.

    57 downloads

    0 comments

    Submitted

  7. Sequential Dumper

    It’s really annoying when you have to deal with the initialization part of a malware: most of the time a malicious executable follows the same alloc/decrypt/jump_to_decrypted_code scheme. So, I decided to write something to ease and automate the initial process investigation of a malware.
    The idea behind the plugin is simple. Sequential Dumper is conceptually able to dump blocks of memory in sequence: it monitors the flow of the malware code, trying to dump all the newly allocated/decrypted parts in different memory areas containing code of the malware itself.
    A practical example will clarify everything:

    The real malware is obtained after some tedious steps: a runtime-allocated buffer is used as a bridge between the original and the real malware. The original malicious file is just used to decrypt a piece of code, and then this particular code will create the real malware, replacing the old original file.
    A malware with this behaviour is available at VirusTotal.
    Can I use Sequential Dumper with this kind of malware? Yes you can; here is the result of the execution with the plugin enabled:

    The left part of the image comes from a folder view; it shows the list of the files created by the plugin at runtime. The right part contains the logged data inside the Ollydbg view. There are only two simple cryptic phrases by the plugin inside the log window; it’s pretty minimal in terms of information, but you don’t need anything else because you can understand how the code flow switches from one memory block to another. The first switch has been done from the original file to the block in memory, the other one is the jump back to the real malware. As you can see from the picture there’s an interesting message by Ollydbg, “Unload C:\…”: the original malware doesn’t exist anymore, it has been overwritten by something else.
    What kind of files does Sequential Dumper create?
    The listed files are raw dumps taken during the execution of the malware. Every single file has a name starting with “Dump_xx”, where the double ‘x’ defines the creation order sequence.
    The last part of the name has two distinct forms, with or without the “_on_exit” tag. I prefer to dump a block of memory before and after its execution because a decryption or a simple byte modification could happen in the middle of its code. Bear in mind that a single dump will be performed if and only if the memory block has been modified.
    There’s also a checksum algorithm inside the plugin because I wanted to avoid duplicated dumps: if the accessed block of memory was already dumped you’ll see the switch log message only.
    Usage
    Sequential Dumper is a two-state plugin: enabled or disabled. In this first release the menu has two items only, the ‘About’ item and the other one, which is used to activate the plugin. It’s not necessary to enable the plugin at the first instruction of the malware; you can activate it whenever you want.
    As you might guess everything relies on the Ollydbg trace system: you have to run the debuggee in trace mode, otherwise it fails to catch a memory switch.
    Ollydbg is not allowed to trace system DLL code by default, but I would suggest you change this setting. Why? Take a look at the 1cd7fe891143415870d1e7cf12100b161d456e777dab23fe7821c53bfed87052 sample:

    The malware uses CallWindowProc to run a snippet from somewhere else; in this specific case the new code resides at 0x3900060. The address is outside the original exe, and if you don’t allow Ollydbg to trace into system DLLs the plugin won’t catch anything from the *hidden* snippet. I think you can understand why you might need to allow Ollydbg to trace system DLLs. It’s not a rule but it might help.
    Final Notes
    Sequential Dumper produces a sort of chronicle of the malware execution. It comes from a simple idea and it was born in a few hours, so don’t expect too much. Bear in mind it’s the very first release and it may be exposed to bugs. Just in case, don’t hesitate to send a mail with detailed information about the bug.
    The plugin has some limitations but it could be helpful for someone, what do you think?

    41 downloads

    0 comments

    Submitted

  8. ScyllaHide

    ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.

    Debugger Hiding:
    - PEB - BeingDebugged, NtGlobalFlag, Heap Flags
    - NtSetInformationThread - ThreadHideFromDebugger
    - NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
    - NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation, ProcessBreakOnTermination, ProcessHandleTracing
    - NtSetInformationProcess - ProcessBreakOnTermination, ProcessHandleTracing
    - NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
    - NtYieldExecution
    - NtSetDebugFilterState
    - NtUserBuildHwndList - EnumWindows
    - NtUserFindWindowEx - FindWindowA/W, FindWindowExA/W
    - NtUserQueryWindow
    - NtClose
    - NtCreateThreadEx
    - BlockInput
    - Remove Debug Privileges
    - OutputDebugStringA - OutputDebugStringW

    Timing Hooks:
    - GetTickCount
    - GetTickCount64
    - GetLocalTime
    - GetSystemTime
    - NtQuerySystemTimeHook
    - NtQueryPerformanceCounter

    Special functions:
    - Prevent Thread creation - for protectors like Execryptor. Only use if you know what you are doing!
    - Malware RUNPE Unpacker - Hooks NtResumeThread and terminates + dumps the process created by malware

    Protecting and Stealthing DRx (Hardware Breakpoints):
    - NtGetContextThread
    - NtSetContextThread
    - KiUserExceptionDispatcher (only x86)
    - NtContinue (only x86)

    Hooks:
    - Stealth hooks for 32-bit targets (Tested against Themida/VMProtect)

    195 downloads

    0 comments

    Submitted

  9. RenameOD

    Sometimes you may want to rename ollydbg.exe to something else like 2llydbg.exe, but if you do that none of the plugins will work. Yes, one can modify the import table of each plugin to make it run, but that costs some work.

    Here I provide a plugin to allow this rename operation. Just put aaa_renameod.dll into the plugin directory and rename ollydbg.exe to something else like 1234dbg.exe.

    Note: this plugin displays no window, menu or button in ollydbg. If you renamed ollydbg.exe and the plugins work, then this plugin is working.

    Restriction: to allow each plugin to work, this plugin should be the first one loaded by ollydbg. So, here I name it aaa_renameod.dll; if a plugin has a name that sorts earlier in dictionary order, rename one of them to keep the ordering.

    39 downloads

    0 comments

    Submitted

  10. Playtime

    Playtime is an OllyDbg 2 plugin which adds LuaJIT for scripting support. The plugin also supports NX breakpoints, which are used to break-on-execute.

    We developed this plugin to go beyond limits with scripting. LuaJIT's FFI library will allow you to declare and call C APIs within Lua; for more information about the FFI library please check the author's website:
    http://luajit.org/ext_ffi.html
    Keep in mind this is a very early stage of the plugin; we are always looking forward to suggestions and ideas which could help the reverse engineering community.

    For more information please check the included Readme.txt and examples in the release.

    49 downloads

    0 comments

    Submitted

  11. OllyTraceGraph

    OllyTraceGraph is a modification made by Jan Beck of OllyGraph by Austyn Krutsinger. It creates a visual compiler graph (VCG) file for OllyDbg 2.01 that is readable by wingraph32, provided by hex-rays.

    38 downloads

    0 comments

    Submitted

  12. OllyTab

    When you have too many windows open in OllyDbg, it is difficult finding the window you want. With OllyTab those windows are organised neatly as tabs within OllyDbg.

    59 downloads

    0 comments

    Submitted

  13. OllySpelunk

    A useful code cave finder for use in OllyDbg.
    Now you can search for more than just a NULL-byte cave. Includes NULL, NOP, INT3, and a custom byte of your choice.

    44 downloads

    0 comments

    Updated

  14. OllySocketTrace

    This plugin is re-written for OllyDbg 2.01. The original version was written by Stephen Fewer for OllyDbg 1.10. OllySocketTrace is a plugin to trace socket operations for the debugged process. It will record all buffers being sent and received. All parameters as well as return values are recorded, and the trace is highlighted with a unique color for each socket being traced.

    The socket operations currently supported are: WSASocket, WSAAccept, WSAConnect, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSAAsyncSelect, WSAEventSelect, WSACloseEvent, listen, ioctlsocket, connect, bind, accept, socket, closesocket, shutdown, recv, recvfrom, send and sendto.

    45 downloads

    0 comments

    Updated

  15. OllySkin2

    Apply new skins for use with OllyDbg 2.1.

    Installation:
    1. Copy SkinEngine.dll to OllyDbg directory
    2. Copy OllySkin201.dll to OllyDbg Plugin directory
    3. Select Skin and hit Apply/Disable skin

    41 downloads

    0 comments

    Submitted

  16. OllySEH

    I used to have such a plugin in Olly 1.10 (OllySSEH) for SEH - BOF exploiting and wrote a basic one for OllyDbg 2.01b2.

    Displays the modules of the loaded target and gives information if the modules have been compiled with "/safeSEH ON" or "/safeSEH OFF" or don't have a SEH at all.

    64 downloads

    0 comments

    Submitted

  17. OllyResourceRefs

    OllyResourceRefs is a plugin for OllyDbg 2.01 that will find possible references to the resources within the current module being debugged by OllyDbg. This is accomplished by finding all "push imm" commands where 'imm' is the value of a resource ID. Because some functions may have a constant as a parameter, OllyResourceRefs can only guarantee possible references to the module's resources.
    Copy the plugin to OllyDbg's plugin directory and, once you load or attach OllyDbg to the module you want to debug, use the plugins menu to find possible references to resources within that module.
    Double clicking on any row in the OllyResourceRefs Log window will bring you to the caller's location in the OllyDbg disassembly window.

    46 downloads

    0 comments

    Updated

  18. OllyPlgn

    OllyPlgn is a plugin for OllyDbg 2.xx

    + Menu:

    1. Copy to Clipboard:
    - Code (Masm syntax)
    - Code (Nasm syntax)
    - ASCII string
    - Unicode string
    - Asm array
    - C/C++ array
    - Pascal array
    - BYTE
    - WORD
    - DWORD
    - VA
    - RVA
    - Offset

    2. Tools:
    - Notepad
    - Calculator
    - Hash Tool
    - Import Reconstructor

    3. Set Hardware Breakpoint [ESP]

    48 downloads

    0 comments

    Submitted

  19. OllyPEiD

    Copy OllyPEiD.dll into the Plugins directory. Note: the userdb.txt must be in the same directory as the plugin unless otherwise specified in ollydbg.ini.
    Keep in mind this is an alpha release. I have not fully tested and taken the time to remove all possibility for bugs so there may be a few lingering around.

    51 downloads

    0 comments

    Submitted

  20. OllyMSDN

    This plugin will replace WIN32.HLP with online help from the MSDN website.

    To install:
    1. Copy OllyMSDN.dll to OllyDbg's or ImmDbg's plugin directory.
    2. Start the debugger.
    3. If you haven't done so already, go to Help -> Select API help file and select WIN32.HLP as usual. It doesn't need to be the real file, just one named like that.

    To use:
    When you click on Help -> Open API help file, the MSDN online website will be opened instead. To get help on individual API calls, right-click on the CALL instruction in the CPU pane and click on "Help on symbolic name".

    42 downloads

    0 comments

    Updated

  21. OllyMoreMenu

    This plugin adds a menu to the Ollydbg menu bar that gives you access to more menus with your favourite tools for quick-start.

    To install, copy this plugin into the Olly/plugin folder.
    To use a relative path, add your tool path in OllyDbg.ini:
    [OllyMoreMenu]
    Toolpath=\Tools\
    To add a new menu entry, go to Add Menu and add your favourite tools; if OK, this plugin adds its new menus to the ollydbg menu bar for quick-start.

    40 downloads

    0 comments

    Submitted

  22. OllyMigrate

    This plugin makes it possible to pass the debuggee to another debugger without restarting (like VM live migration). Each debugger has both strong and weak points compared with the others.
    We can get only the strong points of each debugger by debuggee migration, e.g. using OllyDbg to bypass antidebug and detect the OEP, and after that using Immunity Debugger to fix the obfuscated import table.
    Very simple overview:
    OllyMigrate = Debuggee live migration plugin

    Features:
    - Various debuggers supported
    - Migrate debuggee between each debuggers
    - Multi thread and suspended thread aware (running state not required)
    - Migrate software breakpoint settings (keep enabled/disabled status)
    - Migrate selected address of disassemble, memory and stack window

    Supported Debugger:
    - OllyDbg version 1.10 (tested 1.10)
    - OllyDbg version 2.01 (tested 2.01)
    - Immunity Debugger version 1.8x or higher (tested 1.85)
    - IDA Pro 32bit build version 5.0 or higher (tested 6.9)
    - IDA Pro 64bit build version 7.0 or higher (tested 7.1)
    - IDA Freeware 32bit build version 5.0 (tested 5.0)
    - IDA Freeware 64bit build version 7.0 (tested 7.0.190307)
    - WinDbg version 6.x (tested 6.2)
    - x64dbg (tested 20170822 snapshot)

    How to use (OllyDbg example):
    1. Install the "same version" plugin to sender (src) and receiver (dst) debuggers.
    2. Start the sender debugger to add the receiver debugger definition.
       Menu > Plugins > OllyMigrate > Options
       Input debugger info:
        Path: receiver debugger path (Click [Browse] and select file)
        Tag:  anything is ok (identification only)
        Args: debugger command line argument (usually no need to change)
       Click [Add] and [Save]
    3. Open the debuggee using the sender debugger. Start debugging (e.g. until the OEP is detected).
    4. After that, switch to another debugger. Paused status is recommended.
       Menu > Plugins > OllyMigrate > Send Debuggee
       Select the destination debugger and click [Migrate]
    5. The receiver debugger starts up automatically and receives the debuggee.
       Continue debugging.

    73 downloads

    0 comments

    Submitted

  23. OllyID

    OllyID scans the loaded module using the same signature database as PEiD. OllyID is compatible with the latest versions of OllyDbg 2.

    Copy OllyID.dll into the Plugins directory. Note: the userdb.txt must be in the same directory as the plugin unless otherwise specified in ollydbg.ini.

    I'd like to hear what the community thinks of this. Ideas and constructive criticism are encouraged.

    58 downloads

    0 comments

    Submitted

  24. OllyGraph

    Creates a visual compiler graph (VCG) file for OllyDbg 2.01 that is readable by wingraph32, provided by hex-rays.

    47 downloads

    0 comments

    Submitted

  25. OllyDumpEx

    This plugin is a process memory dumper for OllyDbg and Immunity Debugger.
    Very simple overview:
    OllyDumpEx = OllyDump + PE Dumper - obsoleted + useful features

    Features:
    - Various debuggers supported
    - Select to dump debuggee exe, loaded dll or non-listed module
    - Search PE File from memory
    - Multiple Dump modes: Rebuild for typical PE dump, Binary for PE Carving
    - PE32+ supported (Search and Binary Dump mode only available on 32bit debugger)
    - Native 64bit process supported (IDA Pro, WinDbg and x64dbg)
    - ELF supported (both 32bit and 64bit)
    - Standalone version available
    - Dump any address space as section even if not in original section header
    - Auto calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)

    Supported Debugger:
    - OllyDbg version 1.10 (tested 1.10)
    - OllyDbg version 2.01 (tested 2.01)
    - Immunity Debugger version 1.8x or higher (tested 1.85)
    - IDA Pro 32bit build version 5.0 or higher (tested 6.9)
    - IDA Pro 64bit build version 7.0 or higher (tested 7.1)
    - IDA Freeware 32bit build version 5.0 (tested 5.0)
    - IDA Freeware 64bit build version 7.0 (tested 7.0.190307)
    - WinDbg version 6.x (tested 6.2)
    - x64dbg (tested 20170822 snapshot)

    238 downloads

    0 comments

    Submitted

