writing a plugin for OllyDbg in Delphi

[pwnium]

Hello everyone , 

I hope you're doing good , I've been searching for a while about how to write a plugin for OllyDbg , with the help of the (plugin api unit) I was able to make a simple plugin that retreives the value of the flag (BeingDebugged) which is used by the function (IsDebuggerPresent) . now the problem is that i still can't change that byte .

The function WriteProcessMemory isn't working , can you give me some help please , here's the full code : 

thanks in advance

library AADebug;

uses
  SysUtils,
  plugin,
  windows,
  Classes;

{$R *.res}

type

  PEB = record
    Reserved1: array [0 .. 1] of Byte;
    BeingDebugged: Byte;
    Reserved2: Byte;
    Reserved3: array [0 .. 1] of Pointer;
    Ldr: Pointer;
    Reserved4: array [0 .. 102] of Byte;
    Reserved5: array [0 .. 51] of Pointer;
    PostProcessInitRoutine: Pointer;
    Reserved6: array [0 .. 127] of Byte;
    Reserved7: Pointer;
    SessionId: ULONG;
  end;

  PROCESS_BASIC_INFORMATION = record
    Reserved1: Pointer;
    PebBaseAddress: Pointer;
    Reserved2: array [0 .. 1] of Pointer;
    UniqueProcessId: cardinal;
    Reserved3: Pointer;
  end;

resourcestring
 PLUGIN_NAME = 'Anti IsDebuggerPresent';

var
 g_hwndOlly: HWND;  // OllyDbg Window Handle
 ProcessBasicInfo : PROCESS_BASIC_INFORMATION;
 Length:cardinal;
 EB : PEB;

function ODBG_Plugininit(ollydbgversion:Integer;hWndOlly:HWND;features:PULONG):Integer;cdecl;
begin
  g_hwndOlly := hWndOlly;
  Addtolist(0, 0, pchar(PLUGIN_NAME));
  Result := 0;
end;

function ODBG_Plugindata(name: PChar): integer; cdecl;
begin
  StrLCopy(name, PChar(PLUGIN_NAME), 32);
  Result := PLUGIN_VERSION;
end;

function NtQueryInformationProcess(ProcessHandle: THANDLE;
                                   ProcessInformationClass: DWORD;
                                   ProcessInformation: Pointer;
                                   ProcessInformationLength:ULONG;
                                   ReturnLength: PULONG): LongInt;
                                   stdcall; external 'ntdll.dll';

procedure Getinfo;
var
  debugee,PID : THandle;
  buffer : byte;
begin
  buffer := $00;
  PID := PluginGetValue(VAL_PROCESSID);
  debugee := OpenProcess(PROCESS_ALL_ACCESS,False,PID);
  NtQueryInformationProcess(debugee,0,@ProcessBasicInfo,sizeof(ProcessBasicInfo),@length);
  readprocessmemory(debugee,ProcessBasicInfo.PebBaseAddress,@EB,sizeof(EB),length);
  writeprocessmemory(debugee,@EB.beingDebugged,@buffer,sizeof(buffer),length);
  messagebox(g_hwndOlly,pchar('BeingDebuggedFlag : '+ inttostr(EB.beingDebugged)),pchar('info'),MB_ICONINFORMATION);
end;


procedure ODBG_Pluginaction(origin:Integer; action:Integer; pItem:Pointer);cdecl;
begin
  if (origin = PM_MAIN) then
  begin
      Getinfo;
    end;
end;

exports
  ODBG_Plugininit    name '_ODBG_Plugininit',
  ODBG_Plugindata    name '_ODBG_Plugindata',
  ODBG_Pluginaction  name '_ODBG_Pluginaction';
begin

end.

 

 

[kao]

You're writing to the wrong address. It should be something like:

WriteProcessMemory(debugee,pointer(dword(ProcessBasicInfo.PebBaseAddress) + 2),@buffer,sizeof(buffer),length);

Since Delphi doesn't have a pretty way to get field offset, I had to hardcode the "2" instead of writing something prettier like "offsetof(PEB, BeingDebugged)".
You could do some of the ugly tricks mentioned here: https://stackoverflow.com/questions/14462103/delphi-offset-of-record-field but to me it's not worth the effort.

[pwnium]

1 hour ago, kao said:

You're writing to the wrong address. It should be something like:

WriteProcessMemory(debugee,pointer(dword(ProcessBasicInfo.PebBaseAddress) + 2),@buffer,sizeof(buffer),length);

Since Delphi doesn't have a pretty way to get field offset, I had to hardcode the "2" instead of writing something prettier like "offsetof(PEB, BeingDebugged)".
You could do some of the ugly tricks mentioned here: https://stackoverflow.com/questions/14462103/delphi-offset-of-record-field but to me it's not worth the effort.

works like a charm ! i love you man , it's been three days trying to figure out what was wrong .

once again thank you so much for helping me Mr Kao