
Ollydbg Plugin Plus Masm Source


What


Here is the source for a plugin; I have decided to write a new one from scratch with completely custom code. It has fixes for stuff like IsDebuggerPresent and HeapFlags, and shows hooks for stuff like ZwQueryProcessInformation. It shows how to apply fixes to OllyDbg itself, remove the EP breakpoint and break on TLS. Hope this helps someone. Originally I used a thread on restart of the plugin but it was kind of annoying, so I hooked OllyDbg later on, where all the fixes would work right; it took forever to find a good spot.


Much appreciated. It's kind of in the back of my mind that I might like to have a go at a plugin, without anything specific in mind though, and I am lazy. Will be interesting to study. Cheers.


Wey What, great share!

I do have a question; maybe you know the answer, as I did not have the time to look deeper into the problem.

Now the problem is: when I open up my Olly it works fine, your plugin is loaded, one can set the wanted settings and it works OK until I try to load a target or press the terminate button - then it just kills the entire process of Olly :(

Any clue why it's happening, so I don't need to dig too deep to explain it :?

BR, ChupaChu!

Great code, thanks for the source and thanks for sharing it.

Yeah, it conflicts with Advanced Olly and Phantom, but it still crashed when loading a target for me with no other plugin present and no options checked... It's OK though, as it says it is very beta and not complete.

Definitely a nice ASM example, however :)

Look forward to a new Poison which is working!

  • 2 weeks later...

The problem is that the hook I used to come back and actually hide is the same place that OllyAdvanced uses to come back and break on TLS. I have found a new place where I can now use a better technique to hide the PEB, where you change the IsDebuggerPresent byte temporarily, change it back, then at the end turn it off again. It fixes all debug bytes, so no more having to fix each of the bytes individually. I also fixed my problem with ZwQueryProcessInformation by changing the parent process to explorer.exe. The new hook seems to work with all plugins too. I left the source code on my computer so I can't release it right now. I have fixes for most things, including the CloseHandle trick. I also looked into using a couple of different plugin procs like mainloop, or whatever it is called, and paused. I think that paused could be helpful in making sure that when you step on PageGuard it will actually raise an exception. I'll release the new code as soon as I can; it may be a while though.

  • 2 weeks later...

I updated the code and fixed compatibility problems. I would still call it alpha code, but it works with all plugins I use. I'm looking into adding driver code with the source code for the rdtsc from pediy. I'm not sure what exactly I added to it since the first post. EnumWindows, mainly for telock. You can't use the ignore invalid handle option with OllyAdvanced if you want the fix in this plugin to work; I'll probably fix that sooner or later. Anyway, the link is updated.

Edit in: Code updated as 3.2.08

Updates include an added Process32Next hook and the HeapFlags problem. Anyway, if anyone ever reads this, because I'm not bumping the topic, the link has been updated.

Edited by What