How i can get commands of a debugged process ?

[mrousse83]

Hello,

I search how i can get each commands of a debugged process in OllyDbg.

I think i need to use this function : ulong Readcommand(ulong ip,char *cmd);

My program entry point :

004C5C74 > $ 55 PUSH EBP

var
     Commande : string;if Readcommand($004C5C74, PAnsiChar(Commande)) > 0 then
     // success
else
     // error

But when u try it, it's not working

Readcommand return all time 0 !

I need to have : Commande := 'PUSH EBP'

Can you help me ?

Thanks,

Mathieu

Edited April 1, 2011 by mrousse83

[ragdog]

Hi

I have no Experience about Delphi

Readcommand return the size of bytes

Masm:

local cmd [256]:DWORD invoke Readcommand,0040100Ch, addr cmd
 .if eax!=0
 	True
 	.else
      	Fasle
 .endif

or

BYTE szCmd[MAXCMDSIZE]; dwAddr = dwBase + dwOffset;    	nRetCode = Readcommand(dwAddr, (char *)szCmd);
    	PROCESS_ERROR(nRetCode);

[mrousse83]

ragdog, and cmd contains the instruction ?

Thanks

Edited April 1, 2011 by mrousse83

[ragdog]

ragdog, and cmd contains the instruction ?

Thanks

Yes correct

Reads command from the memory of debugged process and restored breakpoints. Returns length of the read code (at most MAXCMDSIZE bytes) or 0 if memory can't be read.

Note: Any access to the memory in different process is extremely time-expensive. As in many cases different parts of OllyDbg access same command several times, Readcommand maintains small 1-command cache significantly improves the wholesave productivity of OllyDbg. If you need to access several compactly placed commands, Readmemory is usually much faster.

ulong Readcommand(ulong ip,char *cmd);

Parameters:

ip - address of the command in the memory space of debugged process. If ip is 0, function invalidates cache and returns 0;

cmd - buffer of length at least MAXCMDSIZE bytes that receives command.

You can all Read about Api Interface in Plugins.hlp of the Pdk package from Olly

[mrousse83]

Thanks for your precisions ragdog.

Do you know why memory can't be read, because Readcommand return all time 0 ?

I need to change memory rights access ?

Mathieu

[GoJonnyGo]

Readcommand does not return the assembler instruction. It does return the opcode of the command.

Maybe you have to use a char array instead of string for this function, not sure.

Edited April 1, 2011 by GoJonnyGo

[mrousse83]

OK !

What functions i need to use for get assembler instruction ?

Thanks,

Mathieu

[BoB]

var
     Commande : string;if Readcommand($004C5C74, PAnsiChar(Commande)) > 0 then
     // success
else
     // error

Ok, firstly you haven't initialized the Commande string in this code. If you are using a string as a buffer you must first give it a size, and it might help to initialize the chars to nulls too.

Secondly, it's a string not a buffer, meaning that it's data starts at 1 not 0. So to reference the data at index 1 it's best to use @Commande[1]

But anyway, code should look more like this:

Var
  Cmd : Array [0 .. MAXCMDSIZE-1] Of Char;
  Len : DWord;
Begin
  FillChar(Cmd, MAXCMDSIZE, 0);
  Len := Readcommand($004C5C74, Cmd);
  If (Len > 0) Then Begin
    // Do further processing ..
  End Else Begin
    // Fail ..
  End;
End;

In Delphi an array of chars is treated as a PAnsiChar, so usage is exactly the same.

Also, you might want to check out my Delphi PDK, which will make your plugin compatible with OllyDbg and Immunity Debugger (including patched OllyDbg editions)
/>http://forum.tuts4you.com/index.php?app=forums&module=forums&section=findpost&pid=121002

Edited April 1, 2011 by BoB

[mrousse83]

Thanks for your help and example BoB, work's fine !

Readcommand return opcode, but i want to get assembler instruction, do you know what functions i need to use for get assembler instruction of a given address ?

Thanks a lot,

Mathieu

[BoB]

Yeah, use this:

Function  Disasm(src: PChar; srcsize: ULONG; srcip: ULONG; srcdec: PChar; disasm: p_disasm; disasmmode: Integer; threadid: ULONG): ULONG; cdecl;

[mrousse83]

OK !

Thanks BoB !

Mathieu