Tuts 4 You

Ollydbg Plugin Plus Masm Source


What


Posted (edited)

Here is the source for a plugin. I have decided to write a new one from scratch with completely custom code. It has fixes for stuff like IsDebuggerPresent, HeapFlags, and shows hooks for stuff like ZwQueryProcessInformation. Shows how to apply fixes to OllyDbg itself, remove the EP breakpoint and break on TLS. Hope this helps someone. Originally I used a thread on restart of the plugin but it was kinda annoying, so I hooked OllyDbg later on where all the fixes would work right; took forever to find a good spot.

Edited by What
Posted

Much appreciated, kind of in the back of my mind that I might like to have a go at a plugin without anything specific in mind though, and I am lazy. Will be interesting to study. cheers.

Posted

Great share ! Thx :)

Posted

Great contribution, thanks man! Always appreciate a share, especially with source!

:)

Posted

Nice share What. Will enjoy having a good look at it.

Cheers!

:drunk:

Posted

Conflicts with OllyAdvanced,

and my Olly crashed if the plugin is used.

Posted (edited)

Wey What, great share!

I do have a question, maybe you know the answer as I did not have the time to look deeper into the problem.

Now the problem is when I open up my Olly it works fine, your plugin is loaded, one can set the wanted settings and

it works ok until I try to load a target or press the terminate button - then it just kills the entire process of Olly :(

Any clue why it's happening, so I don't need to dig too deep to explain it :?

BR, ChupaChu!

Edited by ChupaChu
Posted

Try it in a pure Olly. If it works ok then it's probably a conflict with another plugin, as with GEEK's post.

Posted

Great code, thanx for the source and thanx for sharing it.

Posted
Great code, thanx for the source and thanx for sharing it.

Yeah, it conflicts with Advanced Olly and Phantom, but it still crashed when loading a target for me with no other plugin present and no options checked... it's ok though, as it says it is very beta and not complete.

Definitely a nice ASM example however :)

Look forward to a new Poison which is working!

  • 2 weeks later...
Posted

The problem is that the hook I used to come back and actually hide is the same place that OllyAdvanced uses to come back and break on TLS. I have found a new place where I can now use a better technique to hide the PEB, where you change the IsDebuggerPresent byte temporarily, change it back, then at the end turn it off again. It fixes all debug bytes, no more having to fix each of the bytes individually; also fixed my problem with ZwQueryProcessInformation by changing the parent process to explorer.exe. The new hook seems to work with all plugins too. I left the source code on my computer so I can't release it right now. Have fixes for most things, including the CloseHandle trick. Also looked into using a couple of different plugin procs like mainloop, or whatever it is called, and paused. I think that the paused one could be helpful in making sure when you step on PageGuard it will actually raise an exception. I'll release the new code as soon as I can, may be a while though.
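For readers studying what the IsDebuggerPresent and HeapFlags fixes above actually patch, here is an added MASM32 example (not code from What's plugin) that performs the three PEB reads a protected target typically does; the HEAP field offsets are assumed to be the XP-era layout this thread dates from.

```masm
; Added example, not from the posted plugin: the PEB reads that the
; IsDebuggerPresent / HeapFlags fixes in this thread exist to neutralise.
; x86 only. HEAP.Flags/ForceFlags offsets are the XP layout (assumed);
; Vista and later moved them to 40h/44h.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.code
; Returns a bitmask in eax:
;   1 = PEB.BeingDebugged set (the byte IsDebuggerPresent returns)
;   2 = PEB.NtGlobalFlag carries the heap-debug bits (70h)
;   4 = ProcessHeap ForceFlags non-zero (heap created under a debugger)
CheckPebFlags proc
    assume fs:nothing
    xor   ecx, ecx
    mov   edx, fs:[30h]             ; PEB pointer from the TEB
    cmp   byte ptr [edx+2], 0       ; PEB.BeingDebugged
    je    @F
    or    ecx, 1
@@:
    test  dword ptr [edx+68h], 70h  ; PEB.NtGlobalFlag: TAIL_CHECK|FREE_CHECK|VALIDATE_PARAMETERS
    jz    @F
    or    ecx, 2
@@:
    mov   eax, [edx+18h]            ; PEB.ProcessHeap
    cmp   dword ptr [eax+10h], 0    ; HEAP.ForceFlags (XP: 10h, Flags sits at 0Ch)
    je    @F
    or    ecx, 4
@@:
    mov   eax, ecx
    ret
CheckPebFlags endp

start:
    call  CheckPebFlags
    invoke ExitProcess, eax         ; exit code = bitmask, 0 when nothing is flagged
end start
```

Run it under a debugger and then standalone and compare the exit codes; a hide plugin of the kind described in this thread is working when both runs return 0.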

Posted

No need to rush things, What, quality should always come before quantity ;)

Thanx for a great share once more ;)

BR, ChupaChu!

  • 2 weeks later...
Posted (edited)

I updated the code and fixed compatibility problems. I would still call it alpha code, but it works with all plugins I use. Looking into adding driver code with the source code for the rdtsc from pediy. I'm not sure what exactly I added to it since the first post. EnumWindows mainly for tElock. Can't use the ignore invalid handle option with OllyAdvanced if you want the fix in this plugin to work; I'll probably fix that sooner or later. Anyway, the link is updated.

Edit in: Code updated as 3.2.08

Updates include an added Process32Next hook and the HeapFlags problem. Anyway, if anyone ever reads this, because I'm not bumping the topic, the link has been updated.

Edited by What
  • 1 year later...
Posted

Good work, mate. I'll add that VMProtect CloseHandle check with DEADC0DE as param ;-)
