What, posted January 15, 2008 (edited): Here is the source for a plugin. I have decided to write a new one from scratch with completely custom code. It has fixes for stuff like IsDebuggerPresent and HeapFlags, and shows hooks for stuff like ZwQueryProcessInformation. It shows how to apply fixes to OllyDbg itself, remove the EP breakpoint and break on TLS. Hope this helps someone. Originally I used a thread on restart of the plugin, but it was kinda annoying, so I hooked OllyDbg later on where all the fixes would work right; it took forever to find a good spot. Edited March 9, 2008 by What
zako, posted January 16, 2008: Much appreciated. Kind of in the back of my mind that I might like to have a go at a plugin, without anything specific in mind though, and I am lazy. Will be interesting to study. Cheers.
Loki, posted January 16, 2008: Great contribution, thanks man! Always appreciate a share, especially with source!
Fungus, posted January 16, 2008: Nice share, What. Will enjoy having a good look at it. Cheers!
GEEK, posted January 18, 2008: Conflicts with OllyAdvanced, and my Olly crashed if the plugin is used.
ChupaChu, posted January 18, 2008 (edited): Hey What, great share! I do have a question; maybe you know the answer, as I did not have the time to look deeper into the problem. Now, the problem is: when I open up my Olly it works fine, your plugin is loaded, one can set the wanted settings and it works OK until I try to load a target or press the terminate button - then it just kills the entire Olly process. Any clue why it's happening, so I don't need to dig too deep to explain it? :? BR, ChupaChu! Edited January 18, 2008 by ChupaChu
Loki, posted January 18, 2008: Try it in a pure Olly. If it works OK then it's probably a conflict with another plugin, as with GEEK's post.
zooley, posted January 18, 2008: Great code, thanx for the source and thanx for sharing it.
Fungus, posted January 18, 2008 (quoting zooley: "Great code, thanx for the source and thanx for sharing it."): Yeah, it conflicts with Advanced Olly and Phantom, but it still crashed when loading a target for me with no other plugin present and no options checked... It's OK though, as it says it is very beta and not complete. Definitely a nice ASM example however. Look forward to a new Poison which is working!
What, posted January 29, 2008 (author): The problem is that the hook I used to come back and actually hide is the same place that OllyAdvanced uses to come back and break on TLS. I have found a new place where I can now use a better technique to hide the PEB, where you change the IsDebuggerPresent byte temporarily, change it back, then at the end turn it off again. It fixes all debug bytes, no more having to fix each of the bytes individually; also fixed my problem with ZwQueryProcessInformation by changing the parent process to explorer.exe. The new hook seems to work with all plugins too. I left the source code on my computer so I can't release it right now. Have fixes for most things, including the CloseHandle trick. Also looked into using a couple of different plugin procs like mainloop, or whatever it is called, and paused. I think that the paused one could be helpful in making sure that when you step on PageGuard it will actually raise an exception. I'll release the new code as soon as I can; may be a while though.
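The post above describes which PEB and heap bytes a hide-debugger plugin has to fix (the IsDebuggerPresent byte, NtGlobalFlag, and the HeapFlags pair). The following is an added example written for this thread, not the plugin's own code: it applies those fixes to a constructed snapshot of a debuggee's PEB and default heap, so it builds and runs anywhere. It assumes the 32-bit Windows XP layout that OllyDbg 1.x targets (BeingDebugged at PEB+0x02, NtGlobalFlag at PEB+0x68, _HEAP.Flags at +0x0C and _HEAP.ForceFlags at +0x10); a real plugin would locate the heap through PEB+0x18 and use the debugger's read/write-memory calls instead of local buffers. Function names, the snapshot values and the packed return value of demo_hide_sequence() are all assumptions made for the example.

```c
/* Added example, not the plugin's code. Assumption: 32-bit Windows XP PEB/_HEAP
 * layout; Vista and later moved the heap fields (to +0x40 / +0x44). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PEB_BEINGDEBUGGED 0x02   /* byte read by IsDebuggerPresent() */
#define PEB_NTGLOBALFLAG  0x68
#define HEAP_FLAGS        0x0C
#define HEAP_FORCEFLAGS   0x10

/* NtGlobalFlag bits the loader sets when the process is created under a debugger */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define NTGLOBALFLAG_DEBUG_BITS (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* _HEAP.Flags / ForceFlags: normally 0x2 (HEAP_GROWABLE) and 0; under a
 * debugger they become 0x50000062 and 0x40000060 */
#define HEAP_GROWABLE                    0x00000002u
#define HEAP_TAIL_CHECKING_ENABLED       0x00000020u
#define HEAP_FREE_CHECKING_ENABLED       0x00000040u
#define HEAP_SKIP_VALIDATION_CHECKS      0x10000000u
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000u
#define HEAP_DEBUG_BITS (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | \
                         HEAP_SKIP_VALIDATION_CHECKS | HEAP_VALIDATE_PARAMETERS_ENABLED)

/* one bit per tell-tale, as returned by debug_flags_visible() */
#define SEEN_BEINGDEBUGGED 1u
#define SEEN_NTGLOBALFLAG  2u
#define SEEN_HEAPFLAGS     4u
#define SEEN_FORCEFLAGS    8u

static uint32_t rd32(const uint8_t *p, size_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static void wr32(uint8_t *p, size_t off, uint32_t v) { memcpy(p + off, &v, 4); }

/* What a protector's checks would see in this snapshot */
unsigned debug_flags_visible(const uint8_t *peb, const uint8_t *heap)
{
    unsigned seen = 0;
    if (peb[PEB_BEINGDEBUGGED])                                 seen |= SEEN_BEINGDEBUGGED;
    if (rd32(peb, PEB_NTGLOBALFLAG) & NTGLOBALFLAG_DEBUG_BITS)  seen |= SEEN_NTGLOBALFLAG;
    if (rd32(heap, HEAP_FLAGS) & HEAP_DEBUG_BITS)               seen |= SEEN_HEAPFLAGS;
    if (rd32(heap, HEAP_FORCEFLAGS) != 0)                       seen |= SEEN_FORCEFLAGS;
    return seen;
}

/* Clear the tell-tales the way a hide-debugger plugin does; returns the number of fields rewritten */
unsigned hide_debug_flags(uint8_t *peb, uint8_t *heap)
{
    unsigned changed = 0;
    uint32_t v;
    if (peb[PEB_BEINGDEBUGGED]) { peb[PEB_BEINGDEBUGGED] = 0; changed++; }
    v = rd32(peb, PEB_NTGLOBALFLAG);
    if (v & NTGLOBALFLAG_DEBUG_BITS) { wr32(peb, PEB_NTGLOBALFLAG, v & ~NTGLOBALFLAG_DEBUG_BITS); changed++; }
    v = rd32(heap, HEAP_FLAGS);      /* only the debug bits go; HEAP_GROWABLE stays */
    if (v & HEAP_DEBUG_BITS) { wr32(heap, HEAP_FLAGS, v & ~HEAP_DEBUG_BITS); changed++; }
    if (rd32(heap, HEAP_FORCEFLAGS) != 0) { wr32(heap, HEAP_FORCEFLAGS, 0); changed++; }
    return changed;
}

/* Constructed snapshot of a process started under a debugger (not captured from a real system) */
void make_debugged_snapshot(uint8_t *peb, uint8_t *heap)
{
    memset(peb, 0, 0x100);
    memset(heap, 0, 0x40);
    peb[PEB_BEINGDEBUGGED] = 1;
    wr32(peb, PEB_NTGLOBALFLAG, 0x70);
    wr32(heap, HEAP_FLAGS, 0x50000062);
    wr32(heap, HEAP_FORCEFLAGS, 0x40000060);
}

/* Whole sequence packed as (before << 8) | (changed << 4) | after for checking */
unsigned demo_hide_sequence(void)
{
    uint8_t peb[0x100], heap[0x40];
    make_debugged_snapshot(peb, heap);
    unsigned before  = debug_flags_visible(peb, heap);  /* 0xF: every check fires */
    unsigned changed = hide_debug_flags(peb, heap);     /* 4 fields rewritten */
    unsigned after   = debug_flags_visible(peb, heap);  /* 0: nothing left to see */
    return (before << 8) | (changed << 4) | after;
}

/* The heap Flags value that survives the fix: HEAP_GROWABLE only */
uint32_t demo_heap_flags_after_hide(void)
{
    uint8_t peb[0x100], heap[0x40];
    make_debugged_snapshot(peb, heap);
    hide_debug_flags(peb, heap);
    return rd32(heap, HEAP_FLAGS);
}

int main(void)
{
    printf("hide sequence: 0x%03X, heap flags after fix: 0x%08X\n",
           demo_hide_sequence(), demo_heap_flags_after_hide());
    return 0;
}
```

The point the post makes about "fixing all debug bytes" is visible in hide_debug_flags(): BeingDebugged, NtGlobalFlag and the two heap fields are all derived from the same debugger-created-process state, so a plugin that clears only the IsDebuggerPresent byte leaves three other checks firing. A plugin has to reapply these writes after the loader has initialised the PEB but before the target's first instruction, which is what the hook placement discussion in the thread is about.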
ChupaChu, posted January 30, 2008: No need to rush things, What; quality should always come before quantity. Thanx for a great share once more. BR, ChupaChu!
What, posted February 13, 2008 (author, edited): I updated the code and fixed compatibility problems. I would still call it alpha code, but it works with all plugins I use. Looking into adding driver code with the source code for the RDTSC from pediy. I'm not sure what exactly I added to it since the first post. EnumWindows mainly, for tElock. Can't use the "ignore invalid handle" option with OllyAdvanced if you want this one's fix in the plugin to work; I'll probably fix that sooner or later. Anyway, the link is updated. Edit in: Code updated as of 3.2.08. Updates include an added Process32Next hook and the HeapFlags problem. Anyway, if anyone ever reads this (because I'm not bumping the topic), the link has been updated. Edited March 9, 2008 by What
SunBeam, posted September 7, 2009: Good work, mate. I'll add that VMProtect CloseHandle check with DEADC0DE as param ;-)