Recent Blogs Posts

  1. ollydbg 2.x plugin OLLY_LKD

    a small sample plugin for ollydbg 2.01f using windbgs dbgeng functions especially
    local kernel debugging output

    the plugin is at alpha - Z stage and uses ollydbg version 2.01f plugin kit

    and is built by winddk (windows 7 wdk C:\WinDDK\7600.16385.1)

    there is a modification required to plugin.h as follows to
    avoid crashing due to stack unbalance

    (the same source compiled with vs 2010 and unmodified plugin.h
    works ok

    it seems the wdk compiler is behaving differently

    the modification to plugin.h is as follows (added a _cdecl so that stack is cleaned up properly)


    C:\ollydbg2beta\plug201ft\Visual C>fc plugin.h d:\Plugin_Template_For_ODBG_20001_WDK\plugin.h
    Comparing files plugin.h and D:\PLUGIN_TEMPLATE_FOR_ODBG_20001_WDK\PLUGIN.H
    ***** plugin.h

    typedef int MENUFUNC(struct t_table *,wchar_t *,ulong,int);

    ***** D:\PLUGIN_TEMPLATE_FOR_ODBG_20001_WDK\PLUGIN.H

    typedef int _cdecl MENUFUNC(struct t_table *,wchar_t *,ulong,int);

    *****
    C:\ollydbg2beta\plug201ft\Visual C>

    the source is gibberish on top of the template i posted
    earlier for vs2010 at the moment so i am not posting

    refer to kayakers blog about ollydb.lib


    a compiled binary is attached

    any comments/ feedback / sugestions / criticisms are welcome

    to use it
    copy plugin dll to 2.01f version of ollydbg.exe folder

    copy the following windbgs extensions / dlls (6.12 ) to the folder where ollydbg.exe resides

    uext , symsrv , ntsdexts , kext , kdexts , exts , ext , dbghelp , dbgeng


    click the menu

    a getstring dialog will be presented assuming your debugee is msgbox.exe

    if you type in "!process 0 0 msgbox.exe " without the quotes you will be presented with the
    following details


    Code:
    Log data
    Address   Message
              Connected to Windows XP 2600 x86 compatible target at (Thu Sep  6 05:58:23.578 2012 (UTC + 5:30)), ptr64 FALSE
              Symbol search path is:
              SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
              Executable search path is:
              *******************************************************************************
              WARNING: Local kernel debugging requires booting with kernel
              debugging support (/debug or bcdedit -debug on) to work optimally.
              *******************************************************************************
              Windows XP Kernel
              Version 2600
               (Service Pack 3)
               UP
              Free x86 compatible
              Product:
              WinNt
              , suite:
               TerminalServer
               SingleUserTS
              Built by: 2600.xpsp_sp3_gdr.100216-1514
              Machine Name:
              Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
              Debug session time: Thu Sep  6 05:58:23.656 2012 (UTC + 5:30)
              System Uptime: 0 days 17:45:57.225
              PROCESS 86ba98e0
                SessionId: 0  Cid: 0ce8    Peb: 7ffd8000  ParentCid: 0894
                  DirBase: 0f8c0420  ObjectTable: e2a8ea90  HandleCount:  14.
                  Image: msgbox.exe
                  VadRoot 85f24388 Vads 36 Clone 0 Private 104. Modified 0. Locked 0.
                  DeviceMap e30a2340
                  Token                             e172e040
                  ElapsedTime                       00:04:07.015
                  UserTime                          00:00:00.031
                  KernelTime                        00:00:00.000
                  QuotaPoolUsage[PagedPool]         26588
                  QuotaPoolUsage[NonPagedPool]      1440
                  Working Set Sizes (now,min,max)  (583, 50, 345) (2332KB, 200KB, 1380KB)
                  PeakWorkingSetSize                583
                  VirtualSize                       12 Mb
                  PeakVirtualSize                   13 Mb
                  PageFaultCount                    609
                  MemoryPriority                    BACKGROUND
                  BasePriority                      8
                  CommitCharge                      124
                  DebugPort                         85f25ec0
                  Setting context for this process...
    
                                                     
            THREAD 863f7b08  Cid 0ce8.063c  Teb: 7ffdf000 Win32Thread: e4262e10 WAIT: (Executive) KernelMode Non-Alertable
                          a8eb87d4  SynchronizationEvent
                      Not impersonating
                      DeviceMap                 e30a2340
                      Owning Process            0       Image:         <Unknown>
                      Attached Process          86ba98e0       Image:         msgbox.exe
                      Wait Start TickCount      4077495        Ticks: 15786 (0:00:04:06.656)
                      Context Switch Count      92                 LargeStack
                      UserTime                  00:00:00.015
                      KernelTime                00:00:00.000
              *** WARNING: Unable to verify checksum for C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\msgbox.exe
              *** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\msgbox.exe
                      Win32 Start Address msgbox (0x00401000)
                      Start Address kernel32!BaseProcessStartThunk (0x7c810705)
                      Stack Init a8eb9000 Current a8eb8758 Base a8eb9000 Limit a8eb5000 Call 0
                      Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
                      ChildEBP RetAddr
                      a8eb8770 80500cf0 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
                      a8eb877c 804f9d72 nt!KiSwapThread+0x46 (FPO: [0,0,0])
                      a8eb87a4 80638fc4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
                      a8eb8884 8063a099 nt!DbgkpQueueMessage+0x17c (FPO: [Non-Fpo])
                      a8eb88a8 8063a1cb nt!DbgkpSendApiMessage+0x45 (FPO: [Non-Fpo])
                      a8eb8934 804fcb42 nt!DbgkForwardException+0x8f (FPO: [Non-Fpo])
                      a8eb8cf4 8053e0a1 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
                      a8eb8d5c 8053e7b1 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
                      a8eb8d5c 00401001 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ a8eb8d64)
              WARNING: Stack unwind information not available. Following frames may be wrong.
                      0013fff0 00000000 msgbox+0x1001