Ollydbg Plugin Plus Masm Source

[What]

Here is the source for a plugin, I have decided to write a new one from scratch with completely custom code.. Its has fixes for stuff like IsDebuggerPresent, HeapFlags, and shows hooks for stuff like ZwQueryProcessInformation. Show how to apply fixes to ollydbg itself, remove ep breakpoint and break on tls. Hope this helps someone. Originally I used a thread on restart of plugin but it was kinda annoying, so I hooked ollydbg later on where all the fixes would work right, took forever to find a good spot.

Edited March 9, 2008 by What

[zako]

Much appreciated, kind of in the back of my mind that I might like to have a go at a plugin without anything specific in mind though, and I am lazy. Will be interesting to study. cheers.

[Ufo-Pu55y]

Great share ! Thx

[Loki]

Great contribution, thanks man! Always appreciate a share, especially with source!

[Fungus]

Nice share What. Will enjoy having a good look at it.

Cheers!

[dR.cARBOn]

really gr8

[GEEK]

conflicts with ollyadvanced

and my olly crashed if the plugin used

[ChupaChu]

Wey What, great share!

I do have a question, maybe you know the answer as i did not have the time to look deeper into the problem,

now the problem is when i open up my olly it works fine, your plugin is loaded, one can sett wanted settings and

it works ok unitl i try to load a target or press terminate button - then it just kills entire process of olly

Any clue why its happening, so i dont need to dig to deep to explain it :?

BR, ChupaChu!

Edited January 18, 2008 by ChupaChu

[Loki]

Try it in a pure Olly. If it works ok then its probably a conflict with another plugin as with GEEK's post.

[zooley]

Great code, thanx for the source and thanx for sharing it.

[Fungus]

Great code, thanx for the source and thanx for sharing it.

Yeah it conflicts with Advanced Olly and Phantom, but it still crashed when loading a target for me with no other plugin present and no options checked... is ok tho as it says it is very beta and not complete.

Definately a nice ASM example however

Look forward to a new Poison which is working!

[What]

The problem is that the hook i used to come back and actually hide is the same place that ollyadvanced uses to come back and break on tls. I have found a new place where I can now use a better tech nique to hide the peb, where you change the isdebuggerpresent byte temporarily, change it back, then at the end turn it off again. It fixes all debug bytes, no more having to fix each of the bytes individually, also fixed my problem with ZwQueryProcessInformation by changing the parent process to explorer.exe. New hook seems to work with all plugins too. I left the source code on my computer so I cant release it right now. Have fixes for most things, including closehandle trick. Also looked into using a couple of different plugin procs like mainloop, or whatever it is called, and paused. I think that the paused could be helpful in making sure when you step on PageGuard it will actually raise and exception. Ill release the new code as soon as I can, may be a while though.

[ChupaChu]

No need to rush things, What, quallity shud always come before quantity

Thanx for a great share once more

BR, ChupaChu!

[Ahmed18]

thx for the Source Code

[What]

I updated the code and fixed compatibility problems. I would still call it alpha code, but it works with all plugins I use. Looking into adding driver code with the source code for the rdtsc from pediy. Im not sure what exactly I added to it since the first post. Enumwindows mainly for telock. Cant use ignore invalid handle option with ollyadvanced if you want this one the fix in the plugin to work, ill probably fix that sooner or later. Anyway link is updated.

Edit in: Code updated as 3.2.08

Updates include added Process32Next hook, HeapFlags problem. Anyway if anyone ever reads this because im not bumping the topic, the link has been updated.

Edited March 9, 2008 by What

[SunBeam]

Good work, mate. I'll add that VMProtect CloseHandle check with DEADC0DE as param ;-)