Tuts 4 You

2.xx Plugins

84 files

  1. Vic Plug-In-2

    ----- [ MENU ] -----
    - Show the toolbar in the title of OllyDbg window
    - Maximize OllyDbg window when starting
    - Maximize OllyDbg child windows when starting
    - Show address info in status bar
    - Use APIs menu in OllyDbg menu bar
    - Apply confirm exit for OllyDbg
    - Make the transparency for OllyDbg window
    - Debuggee Data
      - Delete UDD data of the current session
      - Delete all UDD data
      - Open UDD data list
      - Delete recent debuggee files
    - Data Converter
    - DLL Process Viewer
    - File Location Converter
    - PE Viewer
    - Thread Viewer
    - Lookup Error Code
    - Find events of C++ Builder / Delphi VCL GUI application
    - Advanced Map File Importer
      - Map File Importer
      - Open Label window
      - Open Comment window
    - Bypass Anti Debugging
      - Hide the PEB
    - Data Copier
      - VA Address
      - RVA Address
      - Offset Address
      - ANSI String
      - UNICODE String
      - Code Ripped
    - Breakpoint Manager
      - INT3 Delete all
      - INT3 Import
      - INT3 Export
      - HWBP Delete all
      - HWBP Import
      - HWBP Export
      - MBP Delete all
      - MBP Import
      - MBP Export
    - Follow Me
      - Follow in Disassembler at <address>
      - Follow in Dump at <address>
      - Copy <address> to clipboard
    - Check for update
    - Information

    1,281 downloads

  2. OllyExt

    OllyExt is a plugin for the Olly 2.xx debugger. The main intention of this plugin is to provide the biggest set of anti-anti-debugging features and bug fixes for Olly 2.xx. VMProtect support!

    The currently available commands are the following:
    - Code Rip to Clipboard
    - Code Rip to Clipboard Recursive
    - Data Rip to Clipboard
    - Signature Rip to Clipboard

    The currently supported protections are the following:
    - IsDebuggerPresent
    - NtGlobalFlag
    - HeapFlag
    - ForceFlag
    - CheckRemoteDebuggerPresent
    - OutputDebugString
    - NtClose
    - SeDebugPrivilege
    - BlockInput
    - ProcessDebugFlags
    - ProcessDebugObjectHandle
    - TerminateProcess
    - NtSetInformationThread
    - NtQueryObject
    - FindWindow
    - NtOpenProcess
    - Process32First
    - Process32Next
    - ParentProcess
    - GetTickCount
    - timeGetTime
    - QueryPerformanceCounter
    - ZwGetContextThread
    - NtSetContextThread
    - KdDebuggerNotPresent
    - KdDebuggerEnabled
    - NtSetDebugFilterState
    - ProtectDRX
    - HideDRX
    - DbgPrompt
    - CreateThread
    - NtSystemDebugControl
    - Custom (write your own)

    The currently supported bug fixes are the following:
    - Caption change
    - Kill Anti-Attach (dll integrity check)

    Requirements:
    - Microsoft Visual C++ 2010 Redistributable Package (x86)

    OS support:
    - Windows XP
    - Windows Server 2003 R2
    - Windows Server 2008 R2
    - Windows 7
    - Windows Server 2012
    - Windows 8
    - Windows Server 2012 R2
    - Windows 8.1

    Limitations:
    - Because of a missing PDK function, data ripping is ONLY supported on 2.01 latest.

    If you have any problem just notify me.

    2,923 downloads

  3. ZsHBPBar

    An OllyDbg hardware breakpoint bar, something similar to that in LCF-AT's version of OllyDbg.

    40 downloads

  4. WinMax

    This is a simple plugin for OllyDbg2 to keep the windows maximized. The plugin support is still in alpha so I have not converted the whole PDK yet, but full Delphi source is included.

    22 downloads

  5. WeakOD

    Hello guys, I have written a plugin named WeakOD to help with debugging in OllyDBG 2.01h.
    - Auto-clears the debugger bit in the PEB on new process creation.
    - Allocates some memory to do small fixes for the debuggee.
    - Inject DLL, so you can inject a DLL into the debuggee to help change the debuggee's behavior.
    - Break on DLL, stops on the DLL entry point, so you can analyse it or find out why it's loaded.

    40 downloads

  6. SystemTray

    This simple plugin allows the main Olly2 window to be minimised and hidden, as well as restored from an icon in your system tray.

    24 downloads

  7. SigCreator

    SigCreator is a reproduction of "SigMaker 0.4" for the new OllyDbg version 2.xx.

    SigCreator generates all the information needed to use the selected signature in your code. Furthermore it will give you a list of all occurrences of the signature in the current module.

    Result:
    - Sig start   // Start address of signature occurrence
    - Sig end     // End address of signature (both addresses are inclusive) // sizeOfSig = sigEnd - sigStart + 1
    - Modulebase  // Base address of the module
    - Offset      // Offset from base address to the signature
    - Signature   // Signature in code design
    - Mask        // Mask of signature in SigMaker style

    Functions:

    * Scan code for selected signature
    Shows you all occurrences of the selected signature.

    * Get unique signature
    Gives you a unique signature next to the selected address.

    Note: The SigCreator menu will only appear in the disassembler menu.
    Note: You can copy the results by the shortcut "Ctrl+C" or by the popup menu.

    57 downloads

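The way the two SigCreator functions fit together, as an added Python example that is not SigCreator's own code: a signature is built from whole instructions, four-byte relocatable operands (call/jmp targets, imm32) are masked with '?', the module is scanned for every occurrence, and for "Get unique signature" the window grows one instruction at a time from the selected address until it matches exactly once. The tiny opcode-length decoder, the module bytes (two functions that share a prologue) and the base address 0x00401000 are constructed for the example; a real tool uses a full disassembler to find instruction boundaries.

```python
import re

# Constructed "module": two functions with identical prologues that differ only
# after the call, plus INT3 padding. Module base is made up for the example.
FUNC_A = bytes.fromhex("55 8B EC 83 EC 08 E8 10 00 00 00 33 C0 C9 C3")
FUNC_B = bytes.fromhex("55 8B EC 83 EC 08 E8 20 00 00 00 85 C0 C9 C3")
MODULE = FUNC_A + b"\xCC" * (0x40 - len(FUNC_A)) + FUNC_B + b"\xCC" * (0x40 - len(FUNC_B))
MODULE_BASE = 0x00401000


def decode(code, i):
    """Minimal x86 length decoder covering only the forms in MODULE (an assumption of
    this example). Returns (length, byte indices inside the instruction to wildcard)."""
    op = code[i]
    if 0x50 <= op <= 0x5F or op in (0x90, 0xC3, 0xC9, 0xCC):        # push/pop r32, nop, ret, leave, int3
        return 1, range(0)
    if op in (0x8B, 0x33, 0x85, 0x03, 0x2B) and code[i + 1] >= 0xC0:  # mov/xor/test/add/sub r32, r32
        return 2, range(0)
    if op == 0x83 and code[i + 1] >= 0xC0:                           # add/sub/... r32, imm8
        return 3, range(0)
    if op in (0xE8, 0xE9, 0x68) or 0xB8 <= op <= 0xBF:               # call/jmp rel32, push imm32, mov r32, imm32
        return 5, range(1, 5)
    if op == 0x0F and 0x80 <= code[i + 1] <= 0x8F:                   # jcc rel32
        return 6, range(2, 6)
    raise ValueError(f"unsupported opcode {op:02X} at offset {i:#x}")


def make_signature(code, start, end):
    """Signature bytes and SigMaker-style mask for the instructions in [start, end).
    'x' = byte must match, '?' = relocatable operand, emitted as \\x00 in the signature."""
    sig, mask, i = bytearray(), "", start
    while i < end:
        length, wild = decode(code, i)
        for k in range(length):
            sig.append(0 if k in wild else code[i + k])
            mask += "?" if k in wild else "x"
        i += length
    return bytes(sig), mask, i


def scan(module, sig, mask):
    """Offsets of every occurrence of sig under mask (overlapping hits included)."""
    pattern = b"".join(b"." if m == "?" else re.escape(bytes([b])) for b, m in zip(sig, mask))
    return [m.start() for m in re.finditer(b"(?=" + pattern + b")", module, re.DOTALL)]


def unique_signature(module, module_base, start):
    """Grow the signature from `start` one instruction at a time until it is unique in the module.
    Returns the same fields SigCreator reports, or None if no unique signature exists."""
    end = start
    while end < len(module):
        length, _ = decode(module, end)
        end += length
        sig, mask, _ = make_signature(module, start, end)
        if len(scan(module, sig, mask)) == 1:
            return {
                "sig_start": module_base + start,
                "sig_end": module_base + end - 1,       # inclusive, so size = end - start
                "modulebase": module_base,
                "offset": start,
                "signature": "".join(f"\\x{b:02X}" for b in sig),
                "mask": mask,
            }
    return None


if __name__ == "__main__":
    sig, mask, _ = make_signature(MODULE, 0, 11)
    print("prologue occurrences:", [hex(MODULE_BASE + o) for o in scan(MODULE, sig, mask)])
    for key, value in unique_signature(MODULE, MODULE_BASE, 0).items():
        print(f"{key:10} {value:#x}" if isinstance(value, int) else f"{key:10} {value}")
```

The first seven bytes plus the masked call match both functions; the signature only becomes unique once it reaches the `xor eax, eax` that distinguishes FUNC_A from FUNC_B's `test eax, eax`.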
  8. Sequential Dumper

    It's really annoying when you have to deal with the initialization part of a malware; most of the time a malicious executable follows the same alloc/decrypt/jump_to_decrypted_code scheme. So, I decided to write something to ease and automate the initial process investigation of a malware.
    The idea behind the plugin is simple: Sequential Dumper is conceptually able to dump blocks of memory in sequence. It monitors the flow of the malware code, trying to dump all the newly allocated/decrypted parts in different memory areas containing code of the malware itself.
    A practical example will clarify everything:

    The real malware is obtained after some tedious steps: a runtime-allocated buffer is used like a bridge between the original and the real malware. The original malicious file is just used to decrypt a piece of code, and then this particular code will create the real malware, replacing the old original file.
    A malware with this behaviour is available at VirusTotal.
    Can I use Sequential Dumper with this kind of malware? Yes you can; here is the result of the execution with the plugin enabled:

    The left part of the image comes from a folder view; it shows the list of the files created by the plugin at runtime. The right part contains the logged data inside the OllyDbg view. There are only two simple cryptic phrases by the plugin inside the log window; it's pretty minimal in terms of information, but you don't need anything else because you can understand how the code flow switches from one memory block to another. The first switch has been done from the original file to the block in memory, the other one is the jump back to the real malware. As you can see from the picture there's an interesting message by OllyDbg, "Unload C:\…": the original malware doesn't exist anymore, it has been overwritten by something else.
    What kind of files does Sequential Dumper create?
    The listed files are raw dumps taken during the execution of the malware. Every single file has a name starting with "Dump_xx" where the double 'x' defines the creation order sequence.
    The last part of the name has two distinct forms, with or without the "_on_exit" tag. I prefer to dump a block of memory before and after its execution because a decryption or a simple byte modification could happen in the middle of its code. Keep in mind that a single dump will be performed if and only if the memory block has been modified.
    There's also a checksum algorithm inside the plugin because I wanted to avoid duplicated dumps; if the accessed block of memory was already dumped you'll see the switch log message only.
    Usage
    Sequential Dumper is a two-state plugin: enabled or disabled. In this first release the menu has two items only, the 'About' item and the other one which is used to activate the plugin. It's not necessary to enable the plugin at the first instruction of the malware, you can activate it whenever you want.
    As you might guess everything relies on the OllyDbg trace system; you have to run the debuggee in trace mode, otherwise it fails to catch a memory switch.
    OllyDbg is not allowed to trace system DLL code by default, but I would suggest you change this setting. Why? Take a look at the 1cd7fe891143415870d1e7cf12100b161d456e777dab23fe7821c53bfed87052 sample:

    The malware uses CallWindowProc to run a snippet from somewhere else; in this specific case the new code resides at 0x3900060. The address is outside the original exe and if you don't allow OllyDbg to trace into system DLLs the plugin won't catch anything from the *hidden* snippet. I think you can understand why you might need to allow OllyDbg to trace system DLLs. It's not a rule but it might help.
    Final Notes
    Sequential Dumper produces a sort of chronicle of the malware execution. It comes from a simple idea and it was born in a few hours, so don't expect too much. Keep in mind it's the very first release and it may be exposed to bugs. Just in case, don't hesitate to send a mail with detailed information about the bug.
    The plugin has some limitations but it could be helpful for someone; what do you think?

    41 downloads

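The dump-on-switch logic the post describes (a dump when execution enters a block, an "_on_exit" dump when it leaves only if the block changed, and a checksum so the same bytes are never written twice), as an added Python model that is not the plugin's source. It stands in for OllyDbg's per-instruction trace callback with a list of constructed memory blocks, keeps the "files" in memory instead of writing them to disk, and replays the original/bridge-buffer/real-malware scenario from the post with made-up addresses and contents.

```python
import hashlib


class Region:
    """A constructed view of one memory block: base address and a mutable byte image."""
    def __init__(self, base, data):
        self.base, self.data = base, bytearray(data)

    def contains(self, addr):
        return self.base <= addr < self.base + len(self.data)


class SequentialDumper:
    def __init__(self):
        self.seq = 0            # creation-order counter used in "Dump_xx" names
        self.seen = set()       # checksums of images already dumped (duplicate suppression)
        self.current = None     # block the traced EIP is currently executing in
        self.files = []         # (name, bytes); the real plugin writes these to disk
        self.log = []           # the "switch" messages shown in the OllyDbg log window

    def _dump(self, region, suffix=""):
        """Write the block unless an identical image was written before."""
        digest = hashlib.sha256(region.data).hexdigest()
        if digest in self.seen:
            return False
        self.seen.add(digest)
        self.files.append((f"Dump_{self.seq:02d}_{region.base:08X}{suffix}.bin", bytes(region.data)))
        self.seq += 1
        return True

    def trace_step(self, eip, regions):
        """Called once per traced instruction; only a change of block triggers any work."""
        region = next((r for r in regions if r.contains(eip)), None)
        if region is None:
            raise ValueError(f"EIP {eip:08X} is outside every known block")
        if region is self.current:
            return
        if self.current is not None:
            # Leaving a block: the checksum makes this a no-op unless the block was modified
            # since its entry dump (in-place decryption, patched bytes, ...).
            self._dump(self.current, "_on_exit")
            self.log.append(f"switch {self.current.base:08X} -> {region.base:08X}")
        self._dump(region)
        self.current = region


def run_scenario():
    """Constructed replay of the post's sample: stub -> decrypted buffer -> overwritten original."""
    exe = Region(0x00400000, b"ORIGINAL-STUB\x00\x00\x00")   # original file image (16 bytes)
    buf = Region(0x03900000, b"\xAA" * 16)                   # runtime-allocated, still encrypted
    regions = [exe, buf]
    d = SequentialDumper()
    d.trace_step(0x00400000, regions)        # first traced instruction of the stub
    d.trace_step(0x00400004, regions)        # still in the same block: nothing happens
    buf.data[:] = b"\xBB" * 16               # the stub decrypts the buffer in place
    d.trace_step(0x03900000, regions)        # flow switches into the buffer
    exe.data[:] = b"REAL-MALWARE-COD"        # the buffer code replaces the original image
    buf.data[0:4] = b"\xCC" * 4              # and patches itself, so it differs from its entry dump
    d.trace_step(0x00400000, regions)        # jump back into the (now replaced) original
    return d


if __name__ == "__main__":
    dumper = run_scenario()
    print("\n".join(dumper.log))
    print([name for name, _ in dumper.files])
```

Leaving the stub the first time produces no "_on_exit" file because its bytes are unchanged and the checksum was already recorded at entry; the buffer does get one because it patched itself, and the overwritten original is dumped again as a new image.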
  9. ScyllaHide

    ScyllaHide is an open-source x64/x86 usermode anti-anti-debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.

    Debugger Hiding:
    - PEB - BeingDebugged, NtGlobalFlag, Heap Flags
    - NtSetInformationThread - ThreadHideFromDebugger
    - NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
    - NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation, ProcessBreakOnTermination, ProcessHandleTracing
    - NtSetInformationProcess - ProcessBreakOnTermination, ProcessHandleTracing
    - NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
    - NtYieldExecution
    - NtSetDebugFilterState
    - NtUserBuildHwndList - EnumWindows
    - NtUserFindWindowEx - FindWindowA/W, FindWindowExA/W
    - NtUserQueryWindow
    - NtClose
    - NtCreateThreadEx
    - BlockInput
    - Remove Debug Privileges
    - OutputDebugStringA - OutputDebugStringW

    Timing Hooks:
    - GetTickCount
    - GetTickCount64
    - GetLocalTime
    - GetSystemTime
    - NtQuerySystemTimeHook
    - NtQueryPerformanceCounter

    Special functions:
    - Prevent Thread creation - for protectors like Execryptor. Only use if you know what you are doing!
    - Malware RUNPE Unpacker - Hooks NtResumeThread and terminates + dumps the process created by the malware

    Protecting and Stealthing DRx (Hardware Breakpoints):
    - NtGetContextThread
    - NtSetContextThread
    - KiUserExceptionDispatcher (only x86)
    - NtContinue (only x86)

    Hooks:
    - Stealth hooks for 32-bit targets (tested against Themida/VMProtect)

    195 downloads

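The "PEB - BeingDebugged, NtGlobalFlag, Heap Flags" item above (the same checks OllyExt lists as IsDebuggerPresent / NtGlobalFlag / HeapFlag / ForceFlag, and the "debugger bit in the PEB" WeakOD clears), as an added Python example that is not ScyllaHide's code: it models the three PEB checks a protector performs and the patch an anti-anti-debug plugin applies to defeat them. It works on constructed byte images of the 32-bit PEB and of the process heap header, with the x86 field offsets assumed here (BeingDebugged 0x02, ProcessHeap 0x18, NtGlobalFlag 0x68; heap Flags/ForceFlags at 0x40/0x44 as on Vista and later); a plugin reads and writes the same fields in the live debuggee. One caveat the checks rely on: NtGlobalFlag and the heap debug flags are only set when the process is created under a debugger, so after attaching to a running process only BeingDebugged is set.

```python
import struct

# x86 PEB and heap-header field offsets assumed for the constructed images.
# (XP's 32-bit heap keeps Flags/ForceFlags at 0x0C/0x10 instead of 0x40/0x44.)
PEB_BEING_DEBUGGED = 0x02
PEB_PROCESS_HEAP   = 0x18
PEB_NTGLOBALFLAG   = 0x68
HEAP_FLAGS         = 0x40
HEAP_FORCE_FLAGS   = 0x44

# NtGlobalFlag bits the loader sets when the process is *created* under a debugger
FLG_HEAP_ENABLE_TAIL_CHECK   = 0x10
FLG_HEAP_ENABLE_FREE_CHECK   = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
NTGLOBALFLAG_DEBUG_BITS = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK
                           | FLG_HEAP_VALIDATE_PARAMETERS)

# Heap flags that follow from those NtGlobalFlag bits; a normal process heap has only HEAP_GROWABLE
HEAP_GROWABLE                    = 0x00000002
HEAP_TAIL_CHECKING_ENABLED       = 0x00000020
HEAP_FREE_CHECKING_ENABLED       = 0x00000040
HEAP_VALIDATE_PARAMETERS_ENABLED = 0x40000000
HEAP_DEBUG_BITS = (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED
                   | HEAP_VALIDATE_PARAMETERS_ENABLED)

HEAP_VA = 0x00500000   # constructed address of the process heap


def make_process_image(created_under_debugger):
    """Constructed PEB and default-heap images as the loader leaves them at process start."""
    peb, heap = bytearray(0x100), bytearray(0x100)
    struct.pack_into("<I", peb, PEB_PROCESS_HEAP, HEAP_VA)
    flags, force = HEAP_GROWABLE, 0
    if created_under_debugger:
        peb[PEB_BEING_DEBUGGED] = 1
        struct.pack_into("<I", peb, PEB_NTGLOBALFLAG, NTGLOBALFLAG_DEBUG_BITS)
        flags |= HEAP_DEBUG_BITS
        force = HEAP_DEBUG_BITS
    struct.pack_into("<II", heap, HEAP_FLAGS, flags, force)
    return peb, heap


def debugger_checks(peb, heap):
    """The three PEB-based checks a protector makes; True means 'debugger detected'."""
    ntglobalflag = struct.unpack_from("<I", peb, PEB_NTGLOBALFLAG)[0]
    flags, force_flags = struct.unpack_from("<II", heap, HEAP_FLAGS)
    return {
        "BeingDebugged": peb[PEB_BEING_DEBUGGED] != 0,            # what IsDebuggerPresent returns
        "NtGlobalFlag": ntglobalflag & NTGLOBALFLAG_DEBUG_BITS != 0,
        "HeapFlags": (flags & ~HEAP_GROWABLE) != 0 or force_flags != 0,
    }


def hide_debugger(peb, heap):
    """What the PEB option of an anti-anti-debug plugin does: restore the undebugged values."""
    peb[PEB_BEING_DEBUGGED] = 0
    struct.pack_into("<I", peb, PEB_NTGLOBALFLAG, 0)
    flags = struct.unpack_from("<I", heap, HEAP_FLAGS)[0]
    struct.pack_into("<II", heap, HEAP_FLAGS, flags & ~HEAP_DEBUG_BITS, 0)


if __name__ == "__main__":
    peb, heap = make_process_image(created_under_debugger=True)
    print("before hiding:", debugger_checks(peb, heap))
    hide_debugger(peb, heap)
    print("after hiding: ", debugger_checks(peb, heap))
```

The heap check is the one most often forgotten when hiding by hand: clearing BeingDebugged alone leaves NtGlobalFlag and the heap's Flags/ForceFlags intact, which is exactly why the plugins above patch all three.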
  10. RenameOD

    Sometimes you may want to rename ollydbg.exe to something else like 2llydbg.exe, but if you do that all the plugins will not work. Yes, one can modify the import table of each plugin to make it run, but that costs some work.

    Here I provide a plugin to allow this rename operation. Just put aaa_renameod.dll in the plugin directory and rename ollydbg to something else like 1234dbg.exe.

    Note: this plugin displays no window, menu or button in ollydbg. If you renamed ollydbg.exe and the plugins work, then this plugin is working.

    Restriction: to allow each plugin to work, this plugin should be the first one loaded by ollydbg. So, here I name it aaa_renameod.dll. If a plugin has a name that sorts earlier in dictionary order, rename one of them to keep the ordering.

    39 downloads

  11. Playtime

    Playtime is an OllyDbg 2 plugin which adds LuaJIT for scripting support. The plugin also supports NX breakpoints which are used to break-on-execute.

    We developed this plugin to go beyond limits with scripting. LuaJIT's FFI library will allow you to declare and call C APIs within Lua; for more information about the FFI library please check the author's website:
    http://luajit.org/ext_ffi.html
    Keep in mind this is a very early stage of the plugin; we are always looking forward to suggestions and ideas which could help the reverse engineering community.

    For more information please check the included Readme.txt and examples in the release.

    49 downloads

  12. OllyTraceGraph

    OllyTraceGraph is a modification made by Jan Beck of OllyGraph by Austyn Krutsinger. It creates a visual compiler graph (VCG) file for OllyDbg 2.01 that is readable by wingraph32, provided by hex-rays.

    38 downloads

  13. OllyTab

    When you have too many windows open in OllyDbg, it is difficult finding the window you want. With OllyTab those windows are organised neatly as tabs within OllyDbg.

    59 downloads

  14. OllySpelunk

    A useful code cave finder for use in OllyDbg.
    Now you can search for more than just a NULL-byte cave. Includes NULL, NOP, INT3, and a custom byte of your choice.

    44 downloads

  15. OllySocketTrace

    This plugin is re-written for OllyDbg 2.01. The original version was written by Stephen Fewer for OllyDbg 1.10. OllySocketTrace is a plugin to trace socket operations of the debugged process. It will record all buffers being sent and received. All parameters as well as return values are recorded and the trace is highlighted with a unique color for each socket being traced.

    The socket operations currently supported are: WSASocket, WSAAccept, WSAConnect, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSAAsyncSelect, WSAEventSelect, WSACloseEvent, listen, ioctlsocket, connect, bind, accept, socket, closesocket, shutdown, recv, recvfrom, send and sendto.

    45 downloads

  16. OllySkin2

    Apply new skins for use with OllyDbg 2.1.

    Installation:
    1. Copy SkinEngine.dll to the OllyDbg directory
    2. Copy OllySkin201.dll to the OllyDbg plugin directory
    3. Select a skin and hit Apply/Disable skin

    41 downloads

  17. OllySEH

    I used to have such a plugin in Olly 1.10 (OllySSEH) for SEH - BOF exploiting and wrote a basic one for OllyDbg 2.01b2.

    Displays the modules of the loaded target and gives information if the modules have been compiled with "/safeSEH ON" or "/safeSEH OFF" or don't have a SEH at all.

    64 downloads

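Where the "/safeSEH ON", "/safeSEH OFF" and "no SEH" verdicts come from, as an added Python example that is not OllySEH's code: the IMAGE_DLLCHARACTERISTICS_NO_SEH bit in the optional header, the load-config data directory, and the SEHandlerTable/SEHandlerCount fields of IMAGE_LOAD_CONFIG_DIRECTORY32 (a module linked with /SAFESEH:NO usually still carries a load-config structure, with a null table). The image is a constructed minimal PE32 with one section; the image base 0x00400000, the section layout and the handler RVAs are made up for the example, and the classifier reports PE32+ images as not applicable because SafeSEH only exists for 32-bit modules.

```python
import struct

IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400
DIR_LOAD_CONFIG = 10
IMAGE_BASE = 0x00400000          # constructed
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, 96 bytes before the directories
SECTION_FMT = "<8sIIIIIIHHI"


def build_pe32(mode):
    """Constructed minimal PE32: mode 'on' (SafeSEH table), 'off' (null table) or 'noseh' (NO_SEH bit)."""
    headers = bytearray(0x200)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x40)                 # e_lfanew
    headers[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", headers, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = 0x58
    dllchar = IMAGE_DLLCHARACTERISTICS_NO_SEH if mode == "noseh" else 0
    struct.pack_into(OPT_FMT, headers, opt,
                     0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x1000,
                     IMAGE_BASE, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                     0, 0x2000, 0x200, 0, 2, dllchar,
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    struct.pack_into("<II", headers, opt + 96 + 8 * DIR_LOAD_CONFIG, 0x1000, 0x48)   # load config directory
    struct.pack_into(SECTION_FMT, headers, opt + 224, b".rdata", 0x200, 0x1000, 0x200, 0x200,
                     0, 0, 0, 0, 0x40000040)                     # INITIALIZED_DATA | READ
    data = bytearray(0x200)                                      # section .rdata at RVA 0x1000, file offset 0x200
    struct.pack_into("<I", data, 0, 0x48)                        # IMAGE_LOAD_CONFIG_DIRECTORY32.Size
    struct.pack_into("<I", data, 60, IMAGE_BASE + 0x1200)        # SecurityCookie (VA)
    if mode == "on":
        struct.pack_into("<II", data, 64, IMAGE_BASE + 0x1100, 2)   # SEHandlerTable (VA), SEHandlerCount
        struct.pack_into("<II", data, 0x100, 0x1234, 0x1300)        # the table: handler RVAs, constructed
    return bytes(headers + data)


def rva_to_offset(sections, rva):
    for _, vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def classify_safeseh(image):
    """Return (verdict, handler RVAs) the way OllySEH labels a loaded module."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        return "not applicable (not PE32)", []          # SafeSEH is a 32-bit mechanism only
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    if struct.unpack_from("<H", image, opt + 70)[0] & IMAGE_DLLCHARACTERISTICS_NO_SEH:
        return "No SEH", []
    if struct.unpack_from("<I", image, opt + 92)[0] <= DIR_LOAD_CONFIG:
        return "SafeSEH OFF", []                         # no load-config directory at all
    lc_rva, lc_size = struct.unpack_from("<II", image, opt + 96 + 8 * DIR_LOAD_CONFIG)
    if not lc_rva or not lc_size:
        return "SafeSEH OFF", []
    sections = [struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i) for i in range(nsections)]
    lc = rva_to_offset(sections, lc_rva)
    if struct.unpack_from("<I", image, lc)[0] < 0x48:    # structure too short to hold the SEH fields
        return "SafeSEH OFF", []
    table_va, count = struct.unpack_from("<II", image, lc + 0x40)
    if not table_va or not count:
        return "SafeSEH OFF", []
    table = rva_to_offset(sections, table_va - image_base)
    return "SafeSEH ON", list(struct.unpack_from("<%dI" % count, image, table))


if __name__ == "__main__":
    for mode in ("on", "off", "noseh"):
        print(mode, "->", classify_safeseh(build_pe32(mode)))
```

For exploitation the verdict matters per module: an exception handler pointer overwritten on the stack is only honoured if it lies in a registered table of a SafeSEH module, so the OFF modules (and those with no load config) are the ones worth a pop/pop/ret search.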
  18. OllyResourceRefs

    OllyResourceRefs is a plugin for OllyDbg 2.01 that will find possible references to the resources within the current module being debugged by OllyDbg. This is accomplished by finding all "push imm" commands where 'imm' is the value of a resource ID. Because some functions may have a constant as a parameter, OllyResourceRefs can only guarantee possible references to the module's resources.
    Copy the plugin to OllyDbg's plugin directory and once you load, or attach, OllyDbg to the module you want to debug, use the plugins menu to find possible references to resources within that module.
    Double-clicking on any row in the OllyResourceRefs Log window will bring you to the caller's location in the OllyDbg disassembly window.

    46 downloads

  19. OllyPlgn

    OllyPlgn is a plugin for OllyDbg 2.xx

    + Menu:

    1. Copy to Clipboard:
    - Code (Masm syntax)
    - Code (Nasm syntax)
    - ASCII string
    - Unicode string
    - Asm array
    - C/C++ array
    - Pascal array
    - BYTE
    - WORD
    - DWORD
    - VA
    - RVA
    - Offset

    2. Tools:
    - Notepad
    - Calculator
    - Hash Tool
    - Import Reconstructor

    3. Set Hardware Breakpoint [ESP]

    48 downloads

  20. OllyPEiD

    Copy OllyPEiD.dll into the Plugins directory. Note: the userdb.txt must be in the same directory as the plugin unless otherwise specified in ollydbg.ini.
    Keep in mind this is an alpha release. I have not fully tested and taken the time to remove all possibility for bugs so there may be a few lingering around.

    51 downloads

  21. OllyMSDN

    This plugin will replace WIN32.HLP with online help from the MSDN website.

    To install:
    1. Copy OllyMSDN.dll to OllyDbg's or ImmDbg's plugin directory.
    2. Start the debugger.
    3. If you haven't done so already, go to Help -> Select API help file and select WIN32.HLP as usual. It doesn't need to be the real file, just one named like that.

    To use:
    When you click on Help -> Open API help file, the MSDN online website will be opened instead. To get help on individual API calls, right-click on the CALL instruction in the CPU pane and click on "Help on symbolic name".

    42 downloads

  22. OllyMoreMenu

    This plugin, added to the OllyDbg menu bar, gives you access to more menus with your favourite tools for quick start.

    To install, copy this plugin into the Olly/plugin folder.
    Add your tool path in OllyDbg.ini to use a relative path:
      [OllyMoreMenu]
      Toolpath=\Tools\
    To add a new menu entry, go to the Add menu and add your favourite tools; if OK, this plugin adds new menus to the OllyDbg menu bar for quick start.

    40 downloads

  23. OllyMigrate

    This plugin makes it possible to pass the debuggee to another debugger without restarting (like VM live migration). Each debugger has both strong and weak points compared with the others.
    We can get only the strong points of each debugger by debuggee migration, e.g. using OllyDbg to bypass anti-debug and detect the OEP, and after that using Immunity Debugger to fix the obfuscated import table.
    Very simple overview:
    OllyMigrate = Debuggee live migration plugin

    Features:
    - Various debuggers supported
    - Migrate debuggee between each debugger
    - Multi-thread and suspended-thread aware (running state not required)
    - Migrate software breakpoint settings (keep enabled/disabled status)
    - Migrate selected address of disassembler, memory and stack window

    Supported Debuggers:
    - OllyDbg version 1.10 (tested 1.10)
    - OllyDbg version 2.01 (tested 2.01)
    - Immunity Debugger version 1.8x or higher (tested 1.85)
    - IDA Pro 32-bit build version 5.0 or higher (tested 6.9)
    - IDA Pro 64-bit build version 7.0 or higher (tested 7.1)
    - IDA Freeware 32-bit build version 5.0 (tested 5.0)
    - IDA Freeware 64-bit build version 7.0 (tested 7.0.190307)
    - WinDbg version 6.x (tested 6.2)
    - x64dbg (tested 20170822 snapshot)

    How to use (OllyDbg example):
    1. Install the "same version" plugin in the sender (src) and receiver (dst) debuggers.
    2. Start the sender debugger to add the receiver debugger definition.
       Menu > Plugins > OllyMigrate > Options
       Input debugger info:
         Path: receiver debugger path (Click [Browse] and select file)
         Tag:  anything is ok (identification only)
         Args: debugger command line arguments (usually no need to change)
       Click [Add] and [Save]
    3. Open the debuggee using the sender debugger. Start debugging (e.g. until the OEP is detected).
    4. After that switch to the other debugger. Paused status is recommended.
       Menu > Plugins > OllyMigrate > Send Debuggee
       Select the destination debugger and click [Migrate]
    5. The receiver debugger starts up automatically and receives the debuggee. Continue debugging.

    73 downloads

  24. OllyID

    OllyID scans the loaded module using the same signature database as PEiD. OllyID is compatible with the latest versions of OllyDbg 2.

    Copy OllyID.dll into the Plugins directory. Note: the userdb.txt must be in the same directory as the plugin unless otherwise specified in ollydbg.ini.

    I'd like to hear what the community thinks of this. Ideas and constructive criticism are encouraged.

    58 downloads

  25. OllyGraph

    Creates a visual compiler graph (VCG) file for OllyDbg 2.01 that is readable by wingraph32, provided by hex-rays.
     

    47 downloads
