Tuts 4 You
LCF-AT

How to get base / Olly 1 plugin?


LCF-AT

Hi guys,

I have only a short, simple question. So I am working on an Olly 1 plugin and now I see a problem about how to get the base of the file which was loaded in Olly. I have just seen this now while testing a dll file. So first I tried to use the Plugingetvalue API with the VAL_MAINBASE parameter, but there I get result 0 back if I have loaded a dll. So where can I catch the given base of the loaded process? On any ODBG export, or is there any other Olly API etc?

Thanks

atom0s

GetModuleHandle should give you the base of what you want. Just pass the proper name.

Also take a look at the 'ODBG_Pluginmainloop' function. The DEBUG_EVENT struct passed to it should contain the various event data that holds info such as a DLL being loaded, thread being created etc.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms679308(v=vs.85).aspx

LCF-AT

Hi again,

thanks for the answer, but that isn't what I am looking for. So I need to receive a filled t_module struct with all data from the file that was loaded in Olly, but to do this I need the base address of the file, and then I can use the Olly API Findmodule...

invoke Findmodule,baseaddr

....if I choose a function of my created plugin in Olly, then I catch it at ODBG_Pluginaction / PM_MAIN & action X, and now there I need to get the base address of the loaded file. I can call Plugingetvalue with VAL_PROCESSNAME to get the name of the loaded file, and when using GetModuleHandle with this I get zero back. So it doesn't read it from the process that was loaded in Olly. You know what I mean?

I just wonder why I don't get the base of the loaded file automatically on any ODBG export.

Any idea?

greetz

LCF-AT

Hi again,

I got this now....

invoke Getcputhreadid          ; ID of the thread currently shown in the CPU window
mov TID, eax
invoke Findthread, TID         ; eax -> t_thread of that thread (NULL if not found)

Assume eax:ptr t_thread
push [eax].reg.ip              ; the thread's current EIP (t_reg.ip)
pop eip                        ; 'eip' is the plugin's own DWORD variable here
Assume eax:nothing

...so in that way I can get the actual EIP, which I then can use with the Findmodule API to read the base of the loaded file. The only problem is, if the EIP was set by the user to any other location outside of the loaded file, then I get another EIP & other infos. So somehow it should also be possible to get the base of the loaded file without having an address, but I can't find anything about it in the plugin hlp file. :(

greetz

ragdog

Hello Lcf

You can try out ^_^

#include "plugin.h"   /* OllyDbg 1.10 plugin SDK header: t_module, Findmodule, Plugingetvalue */

/* Filled by the plugin; declared here so the snippet is complete. */
ulong dwMainModuleBase  = 0;
ulong dwMainModuleLimit = 0;

void _export cdecl ODBG_Pluginaction( int iOrigin, int iAction, LPVOID lpItem )
{
	t_module *  m;

	if( iOrigin == PM_MAIN )
	{
		switch( iAction )
		{
			case 0:
				/* VAL_MAINBASE: base of what Olly treats as the main executable */
				m = Findmodule( (ulong)Plugingetvalue( VAL_MAINBASE ) );
				if( m != NULL )
				{
					/* codebase/codesize describe the code section, not the whole image */
					dwMainModuleBase = m->codebase;
					dwMainModuleLimit = m->codebase + m->codesize;
				}
				break;
		}
	}
}

LCF-AT

Hi raggy,

thanks for some code, but I told you already before that it's not working to use VAL_MAINBASE if I have loaded a non-exe file in Olly, so then I get the base of the loaddll file and not the main file. Seems to be the same problem as using the Olly script command.

Any other idea how to get the base of a loaded non-exe file with any Olly plugin API etc?

greetz

LCF-AT

Hi again,

I found this out now.....

invoke Plugingetvalue,VAL_MODULES

then reading n from the t_sorted inside the t_table
mov esi,[edi].data.n

invoke Getsortedbyselection, n (from 0 - n in loop)

Now I get the t_sortheader / t_module filled...like this...

-------------------------------------------------------------------------
$ ==>    00390000    00400000  ASCII "MZP"        addr_
$+4      00390004    00060000                     size_ 
$+8      00390008    00000004                     type_
$+C      0039000C    00410000  OLLYDBG.00410000
$+10     00390010    00001000
$+14     00390014    00450000  OLLYDBG.00450000
$+18     00390018    00000600
$+1C     0039001C    00000000
$+20     00390020    00000000
$+24     00390024    00000000
$+28     00390028    00410070  OLLYDBG.00410070
$+2C     0039002C    00420000  OLLYDBG.00420000
$+30     00390030    00430000  OLLYDBG.00430000
$+34     00390034    00430000  OLLYDBG.00430000
$+38     00390038    00440000  OLLYDBG.00440000
$+3C     0039003C    0000013B
$+40     00390040    00000000
$+44     00390044    00000000
$+48     00390048    44414F4C
$+4C     0039004C    004C4C44  OLLYDBG.004C4C44
$+50     00390050    575C3A44
$+54     00390054    73416E69
$+58     00390058    6C505C6D
$+5C     0039005C    6E696775
$+60     00390060    74736574
$+64     00390064    414F4C5C
$+68     00390068    4C4C4444
$+6C     0039006C    4558452E
$+70     00390070    00000000

Now I have to check the Name / Path to compare it with the loaded dll file in Olly to check whether it matches, and if so, then I can read the data, also my wanted BASE, from that table now. Why so inconvenient? I thought with the Olly plugin APIs xy you would already get anything very easily. All this just to get the BASE of a non-exe. Really funny. But as I said before, it's the same problem as with the Olly script commands. :) By the way, I also found some bugs and missing commands in the plugin.inc too.

PS: Man, man, man, man, man, you! Do I have to do everything here myself or what! ;) If anyone has any easier way to get the BASE, then just tell me.

greetz
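The module-table walk described in this post, written out as an added C example that is not code from the thread or from the OllyDbg SDK: it does the matching step LCF-AT mentions, comparing the file name of each module's path with the loaded file instead of trusting VAL_MAINBASE, which reports LOADDLL.EXE when a DLL is debugged. The struct and the module table are constructed stand-ins; a real plugin would obtain the entries from Plugingetvalue(VAL_MODULES) and Getsortedbyselection over the table's t_sorted.

```c
#include <string.h>
#include <ctype.h>

/* Constructed, cut-down stand-in for OllyDbg's t_module with only the fields
 * this search needs; in a real plugin each entry comes from
 * Getsortedbyselection() over the t_table from Plugingetvalue(VAL_MODULES). */
typedef struct {
    unsigned long base;   /* image base of the module */
    char name[16];        /* Olly's short name is truncated, so don't match on it */
    char path[260];       /* full path of the module file */
} mod_entry;

/* Case-insensitive compare of the first n chars: Windows names ignore case. */
static int ieqn(const char *a, const char *b, size_t n) {
    size_t i;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Does the file-name part of `path` equal `wanted`, given with its extension
 * ("TARGET.DLL") or as the bare stem ("TARGET", as VAL_PROCESSNAME gives it)? */
static int path_matches(const char *path, const char *wanted) {
    const char *file = path, *p, *dot;
    size_t stem, wlen = strlen(wanted);
    for (p = path; *p; p++)                  /* text after the last separator */
        if (*p == '\\' || *p == '/') file = p + 1;
    if (wlen == strlen(file) && ieqn(file, wanted, wlen)) return 1;
    dot = strrchr(file, '.');
    stem = dot ? (size_t)(dot - file) : strlen(file);
    return wlen == stem && ieqn(file, wanted, stem);
}

/* Walk the module table and return the base of the module whose file name
 * matches `wanted`; 0 if none does. */
unsigned long find_module_base(const mod_entry *mods, int n, const char *wanted) {
    int i;
    for (i = 0; i < n; i++)
        if (path_matches(mods[i].path, wanted)) return mods[i].base;
    return 0;
}

/* Constructed table mirroring the dump in the thread: VAL_MAINBASE reports
 * LOADDLL.EXE at 00400000, while the DLL under test sits at another base. */
const mod_entry sample_mods[] = {
    { 0x00400000UL, "LOADDLL",  "D:\\WinAsm\\Plugintest\\LOADDLL.EXE" },
    { 0x10000000UL, "Target",   "D:\\WinAsm\\Plugintest\\Target.dll" },
    { 0x7C800000UL, "kernel32", "C:\\WINDOWS\\system32\\kernel32.dll" },
};
const int sample_mod_count = (int)(sizeof sample_mods / sizeof sample_mods[0]);
```

Matching on the path's file name rather than on `name` avoids the short-name truncation, and asking for "Target" returns the DLL's base even though the main module is LOADDLL.EXE.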
