Collaborative RCE Tool Library - OllyDbg Extensions (including sub-categories)

Tool Added: Virtualized Olly for Win7

Sun, 23 May 2010 20:19:33 GMT

Listed in categories: OllyDbg Custom Versions

Most recent version:

Most recent release date:
May 23, 2010

Description:
Some beloved plugins for Olly stopped working when used with Windows7.
Among these are OllyAdvanced and Conditional Branch Logger just to name two of them.
To overcome this issue, I virtualized Olly and now the plugins are working again :).
You can customize this Olly as usual. Note, that you have to set the Plugins- and UDD-directory when starting it for the first time. Unfortunately there is a small shortcoming - Every part of a plugin that is driver-based is NOT working. This is due to the fact, that drivers cannot be virtualized.
For instance, while everything else in OllyAdvanced is working, it's driver-based Anti-RTDSC is not. But that does not hinder the plugin to work great. The same goes for other plugins that have drivers involved. Sorry for that, virtualization nowadays is pretty good but not perfect.
Also, there may be an issue with non-latin charactersets which I'm unable to confirm because I haven't got a non-latin Windows.

Tool Updated: FullDisasm

Thu, 06 May 2010 21:42:05 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
3.0

Most recent release date:
May 6, 2010

Description:
This plugin replaces the default OllyDbg disassembly routine with an engine which supports MMX, FPU, SSE, SSE2, SSE3, SSSE3, SSE4.1 and SSE4.2, AES , CLMUL instructions and undocumented instructions called "aliases". Displays processor support for these technologies. Allows disassembling globally or only on selected lines in Masm, Nasm ,GoAsm syntax and AT&T Syntax. Available as a plugin for OllyDbg or Immunity Debugger.

Tool Updated: Hide Debugger

Sun, 21 Mar 2010 15:33:00 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
1.24

Most recent release date:
April 19, 2006

Description:
This plugin hides OllyDbg from many debugger detection tricks.

(source code was released on February 24, 2010, and is now included in the download above)

Tool Updated: Conditional Branch Logger

Sun, 21 Mar 2010 14:25:06 GMT

Listed in categories: Code Coverage Tools, OllyDbg Extensions, Profiler Tools, Tracers

Most recent version:
1.0

Most recent release date:
June 13, 2007

Description:
Conditional Branch Logger is a plugin which gives control and logging capabilities for conditional branch instructions over the full user address space of a process. Useful for execution path analysis and finding differences in code flow as a result of changing inputs or conditions. It is also possible to log conditional jumps in system dlls before the Entry Point of the target is reached. Numerous options are available for fine tuning the logging ranges and manipulating breakpoints.

Tool Updated: SnD Crypto Scanner (Olly/Immunity Plugin)

Fri, 18 Dec 2009 08:35:33 GMT

Listed in categories: Crypto Tools, OllyDbg Extensions

Most recent version:
0.5 (beta)

Most recent release date:
March 30, 2008

Description:
A scanner for crypto signatures as an Olly/Immunity Plugin:

(Following text from the forum thread)
Been coding this for a while and now kinda got bored with it so releasing it as a beta. Sure I'll go back to it again later... just need to do something else now.

Hopefully you will find this useful - the advantage of having it as a plugin means that breakpoints can easily be set where required, and signatures can be located quickly.

Setting Breakpoints:
The buttons try and use a little bit (not much :P) intelligence when setting breakpoints. In the data section, "hardware on access" or "memory access" breakpoints are set on the specific VA referenced. In the code section, a 'hardware on execution' breakpoint is set at the beginning of the disassembled line the referenced dword is on. Hope that makes a little sense :)

Limitations:
Signatures are either made up of dwords or byte sequences. This gives 2 main weaknesses:
- some algorithms use similar dwords, distinguishing between them is not always simple.
- the algorithm finds the first instance of a given dword in a signature. If you have code which has multiple algorithms which use some of the same dwords, the referenced VA will always point to the first instance in the file.

Without doing some in depth analysis, its impossible to determine which algorithm uses a specific instance of a dword. This tool is therefore only going to make analysis a little easier, not do it for you.

Future Development:
Currently the plugin uses the plugin API to get the current file name and then reads it into allocated memory. It does not read memory inside Olly. This means packed files will need to be unpacked and the unpacked instance debugged. In future I plan to give an option to either scan the file or memory (perhaps even a specified memory range).

If you have an idea for development, want to add signatures or just want to tell me how crap this is, please go for it :)

Tool Updated: CodeDoctor

Thu, 12 Nov 2009 16:24:49 GMT

Listed in categories: Deobfuscation Tools, IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools

Most recent version:
0.90

Most recent release date:
November 12, 2009

Description:
<nowiki>CodeDoctor is a plugin for Olly and IDA.

History:
11.11.2009 - 0.90 - initial public release

________________________________________________________________________________
Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try
to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate - Single Step

This works like previous command, but does one transformation at a time
_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F

to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP

Limitations: it breaks all jumps and calls pointing inwards
________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful
for situations, when program jumps here and there and here and there... When
it encounters some instruction, that can't be followed, it stop and copies
all parsed instruction to an allocated place in memory.

Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - dtto, but for Jccs
Deobfuscate - it will deobfuscate instruction, when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B

Tool Updated: Plugins Manager

Tue, 22 Sep 2009 03:09:33 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
1.2.0.0

Most recent release date:
September 20, 2009

Description:
A simple plugin for OllyDBG 1.10 to manage its other loaded plugins.

Features:
+ Ease of use:
Takes a simple double click to toggle the state of a plugin from Enabled to Disabled. The action can be also achieved
through a drop down menu.

+ Directly compatible with major OllyDBG customized editions:
Directly supported by OllyICE, OllySnD, OllyDRX, DeFixed ...
No need for any patching work (as long as OllyDBG.exe exists)

--------------------------------------------------------------

Tool Updated: MemoryDump

Tue, 11 Aug 2009 10:19:47 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
0.9a

Most recent release date:
August 10, 2009

Description:
Plugin is intended to save/load bytes from momory dump window of the process in
various forms. In the dump window right click and select 'Memory Dump' in the popup menu
pick your choice.

Possible choices are:

- Load Dump
Allows to fill process' memory with data from a file. (Be sure what you are
doing, overwriting the process memory may cause you a lot of trouble.)

- Save Dump
Copies selected bytes from dump into a file.

- Clipboard(Text)
Copies selected bytes from dump into a clipboard (text only).

- Delphi/Pascal Table
Generates table of selected bytes which can be easily used in Delphi/Pascal

- C/C++ Table
Generates table of selected bytes which can be easily used in C/C++

- ASM Table
Generates table of selected bytes which can be easily used in Assembler
(MASM Tested)

- Visual Basic Table
Generates table of selected bytes which can be easily used in Visual Basic

- Range Dump (ALT+R)
Dumps Range of defined bytes by:

- Lenght : Tick End Address/Lenght
- End Address : Untick End Address/Lenght

Xor Dump With: Self-explanatory

Button with [<] symbol enters address of last byte clicked(not selected) in the dump,
it's more convenient than entering addresses manually.

- Xor Selection
Xors Selection and shows dumped data in Olly's window. This window cannot be used
for another byte manipulation with plugin because dump is created in your Win's
temporary folder and not in memory.

- Quick Dump (ALT+Q)
Allows quickly select and dump data, mark the start(SHIFT+1) and the end(SHIFT+2) of
the block in dump window, then just press (ALT+Q).

Tool Updated: OllyBkmrX

Sun, 29 Mar 2009 10:47:36 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
1.0.0.3

Most recent release date:
March 28, 2009

Description:
Ollydbg bookmarking plugin

Tool Added: AttachExtended

Wed, 04 Mar 2009 20:49:27 GMT

Listed in categories: OllyDbg Extensions

Most recent version:

Most recent release date:
March 4, 2009

Description:
This is a really small plugin that I have written for improving attach feature of OllyDbg.
With this plugin,you can attach to process by identifing its PID directly,not only selecting process list. In addition,you can find PID of process by dragging a small cursor on each window(This can be used on some protection which remove process from process list like GameGuard).

Please let me know about Bugs, and your suggestions for more process attaching options.

Tool Updated: Olly Advanced

Thu, 05 Feb 2009 11:05:43 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
1.26 Beta 12

Most recent release date:
March 13, 2007

Description:
A very complete selection of anti-debug settings, bugfixes and additional options for OllyDbg. Includes Help file for v1.26 Beta 5.

Tool Updated: PhantOm

Mon, 26 Jan 2009 14:01:18 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
1.54

Most recent release date:
January 7, 2009

Description:
Plugin (with driver) for hiding OllyDbg from following methods of detection:

// driver - extremehide.sys

[+] NtQueryInformationProcess.
[+] SetUnhandledExceptionFilter.
[+] OpenProcess.
[+] Invalid Handle.
[+] NtSetInformationThread.
[+] RDTSC.
[+] NtYieldExecution.
[+] NtQueryObject.
[+] NtQuerySystemInformation.
[+] Windows hide.
[+] GetProcessTimes.
[+] NtSetContextThread.

// plugin - PhantOm.dll

[+] PEB BeingDebugged.
[+] PEB NtGlobalFlag.
[+] GetStartupInfo.
[+] Process Heaps.
[+] GetTickCount.
[!] Protect DRx.
[!] Hide DRx.
[!] Fake Windows version.
[!] Custom Handler.
[+] BlockInput

What's new - 1.30
[*] Captions of main and CPU windows can be manually set (CAPTEXT and PRETEXT in OllyDbg's ini-file). By default, they are named "PhantOm" and "o_O".
[*] Fixed some bugs in "custom handler exceptions" feature
[*] Other minor fixes

What's new - 1.26
[*] Fixed bug with loading driver
[*] Fixed bug with memory breakpoints
(Now, when "custom handler exceptions" option is
checked - memory breapoints on access/write will work,
but break-on-access won't work)
[*] Fixed bug with updating plugin (after previous version)

What's new - 1.25
[*] Now you can manually set names of services (HIDENAME and RDTSCNAME)
[*] Fixed some minor bugs
[*] Fixed bug with memory breakpoints

What's new - 1.20
[*] Added own exception handler (C0000005)
[*] Added option to change caption of main OllyDbg window
[*] Added own exception handler (OUTPUT_DEBUG_STRING_EVENT)
[*] Impoved removing of int 3 breakpoint at EP, when pause is set to "system breakpoint"
[*] Added hook for BlockInput (only for Windows XP)
[*] Added own exception handler (C0000094)
[*] Added hide from GetStartupInfo
[*] Fixed bug with plugin options
[*] Added protection from detecting driver

Tool Updated: OllyStepNSearch

Fri, 23 Jan 2009 20:13:58 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
0.6.1

Most recent release date:
November 13, 2006

Description:
This plugin allows you to search for a given text string being referenced by the running code of a program, by automatically stepping through the debugged program and performing this analysis for each executed instruction.

Tool Added: Games Invader

Thu, 22 Jan 2009 15:08:16 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
2.1

Most recent release date:
March 1, 2008

Description:
I coded this plugin to help games hackers working on OllyDbg, it allows you to cheat games with OllyDbg.

+Ability to choose memory types to scan.
+Ability to determine the scanned memory scope.
+Can scan for [Exact values], [Values bigger than x], [Values smaller than x] or [values between x,y] .
+Scanning Algorithm optimized, now it's very fast than the old version.
+Auto update for found values.
+Known bugs fixed.

Tool Updated: OllyHeapTrace

Sun, 02 Nov 2008 05:32:42 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
1.0

Most recent release date:
February 23, 2008

Description:
OllyHeapTrace is a plugin for OllyDbg (version 1.10) to trace the heap operations being performed by a process. It will monitor heap allocations and frees for multiple heaps, as well as operations such as creating or destroying heaps and reallocations. All parameters as well as return values are recorded and the trace is highlighted with a unique colour for each heap being traced.

The primary purpose of this plugin is to aid in the debugging of heap overflows where you wish to be able to control the heap layout to overwrite a specific structure such as a chunk header, critical section structure or some application specific data. By tracing the heap operations performed during actions you can control (for example opening a connection, sending a packet, closing a connection) you can begin to predict the heap operations and thus control the heap layout.

Tool Added: BlkLabel

Fri, 24 Oct 2008 21:52:17 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
1.0

Most recent release date:
September 30, 2008

Description:
BlkLabel is a bulk labelling plugIn for OllyDbg.

The objective is to take a Memory Map listing from a compilation and extract all Label-Address (Symbol-Address) pairs from such a (text) file. These are then fed into OllyDbg such that it will display Symbols rather than Memory Addresses. This renders OllyDbg's presentations about as readable as is possible in a Debugging Environment.

The precursor is, of course, the availability of a Memory Map in textual format. Most IDEs (Linkers) should be able to produce that.

This is the link:

http://www.VeronicaChapman.com/OllyDbg/BlkLabel.zip

There is a ReadMe that explains the package. The PlugIn comes with a Help File that explains everything anyway (as far as I can see).

The main PlugIn (BlkLabel.dll) calls a Sub-Plugin (SubLabel.dll). All of the reformatting to support the extraction of Label-Address pairs for a specific Memory Map File Format is contained within SubLabel.dll. Write a different one of those, and you can decipher the Memory Map File of your choice. You just need to create an Export to handle (maybe translate) each Character, and another to decipher each Text Record. BlkLabel itself handles all the rest.

Oh. There's just one small thing. The Source Code is contained in the package, but the PlugIn is written in Clarion ... so I don't know if it will be much use to you but if it is you are welcome to use it.

Tool Updated: Modified Command Line Plugin

Mon, 18 Aug 2008 19:47:40 GMT

Listed in categories: OllyDbg Extensions

Most recent version:

Most recent release date:
April 23, 2007

Description:
Useful new features added to default Cmdline.dll plugin:
LOADDLL - load a dll into the context of the debugee.
LOADPDB - load PDB symbol files into Olly directly from Microsoft server.
LOADPLUGIN - load a plugin dynamically without restarting Olly. Bypasses 32 plugin limit.
PRINT - allows multiple expressions to be output to log window per conditional breakpoint.

Tool Updated: Uhooker

Sat, 02 Aug 2008 11:11:40 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
1.3

Most recent release date:
December 17, 2007

Description:
The Universal Hooker is a tool to intercept execution of programs. It enables the user to intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory. Requires Python interpreter. Zip file includes the online documentation and script examples, but see author link for latest updates.

Tool Added: AttachAnyway

Thu, 19 Jun 2008 08:55:30 GMT

Listed in categories: OllyDbg Extensions

Most recent version:
0.3

Most recent release date:
September 7, 2005

Description:
AttachAnyway is a PoC OllyDbg plugin designed to show how to remove a process' hook on NtContinue by the anti-debugger-attach method devised by Piotr Bania here:

http://pb.specialised.info/all/anti-dattach.asm

This is not intended to be a universal plugin for all anti-attach methods, just one example of how you can do it. It works by enumerating all processes, searching their virtual memory space for a JMP hook on the NtContinue method, then replacing the jump with the original bytes from a non-hooked process, then calling the OllyDbg Attachtoactiveprocess API.

attach-test.exe is an assembled version of Piotr's anti-dattach.asm you can use to test the plugin with.

Tool Updated: Immunity Debugger

Mon, 02 Jun 2008 14:01:18 GMT

Listed in categories: OllyDbg Custom Versions, Ring 3 Debuggers

Most recent version:
1.6

Most recent release date:
March 27, 2008

Description:
Immunity Debugger is based on OllyDbg.

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.

* A debugger with functionality designed specifically for the security industry
* Cuts exploit development time by 50%
* Simple, understandable interfaces
* Robust and powerful scripting language for automating intelligent debugging
* Lightweight and fast debugging to prevent corruption during complex analysis
* Connectivity to fuzzers and exploit development tools