
Thread: ollydbg 2.x plugin OLLY_LKD

  1. #1
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15

    ollydbg 2.x plugin OLLY_LKD

    a small sample plugin for ollydbg 2.01f using windbg's dbgeng functions, especially
    local kernel debugging output

    the plugin is at alpha - Z stage and uses the ollydbg version 2.01f plugin kit

    and is built with the winddk (windows 7 wdk, C:\WinDDK\7600.16385.1)

    there is a modification required to plugin.h as follows to
    avoid crashing due to stack imbalance

    (the same source compiled with vs 2010 and unmodified plugin.h
    works ok)

    it seems the wdk compiler is behaving differently

    the modification to plugin.h is as follows (added a _cdecl so that the stack is cleaned up properly)


    Code:
    C:\ollydbg2beta\plug201ft\Visual C>fc plugin.h d:\Plugin_Template_For_ODBG_20001_WDK\plugin.h
    Comparing files plugin.h and D:\PLUGIN_TEMPLATE_FOR_ODBG_20001_WDK\PLUGIN.H
    ***** plugin.h

    typedef int MENUFUNC(struct t_table *,wchar_t *,ulong,int);

    ***** D:\PLUGIN_TEMPLATE_FOR_ODBG_20001_WDK\PLUGIN.H

    typedef int _cdecl MENUFUNC(struct t_table *,wchar_t *,ulong,int);

    *****
    C:\ollydbg2beta\plug201ft\Visual C>

    the source is gibberish on top of the template i posted
    earlier for vs2010 at the moment, so i am not posting it

    refer to Kayaker's blog about ollydbg.lib


    a compiled binary is attached

    any comments / feedback / suggestions / criticisms are welcome

    to use it
    copy the plugin dll to the folder of the 2.01f version of ollydbg.exe

    copy the following windbg extensions / dlls (6.12) to the folder where ollydbg.exe resides

    uext, symsrv, ntsdexts, kext, kdexts, exts, ext, dbghelp, dbgeng


    click the menu

    a getstring dialog will be presented; assuming your debuggee is msgbox.exe,

    if you type in "!process 0 0 msgbox.exe" without the quotes you will be presented with the
    following details


    Code:

    Log data
    Address Message
    Connected to Windows XP 2600 x86 compatible target at (Thu Sep 6 05:58:23.578 2012 (UTC + 5:30)), ptr64 FALSE
    Symbol search path is:
    SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    *******************************************************************************
    WARNING: Local kernel debugging requires booting with kernel
    debugging support (/debug or bcdedit -debug on) to work optimally.
    *******************************************************************************
    Windows XP Kernel
    Version 2600
    (Service Pack 3)
    UP
    Free x86 compatible
    Product:
    WinNt
    , suite:
    TerminalServer
    SingleUserTS
    Built by: 2600.xpsp_sp3_gdr.100216-1514
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
    Debug session time: Thu Sep 6 05:58:23.656 2012 (UTC + 5:30)
    System Uptime: 0 days 17:45:57.225
    PROCESS 86ba98e0
    SessionId: 0 Cid: 0ce8 Peb: 7ffd8000 ParentCid: 0894
    DirBase: 0f8c0420 ObjectTable: e2a8ea90 HandleCount: 14.
    Image: msgbox.exe
    VadRoot 85f24388 Vads 36 Clone 0 Private 104. Modified 0. Locked 0.
    DeviceMap e30a2340
    Token e172e040
    ElapsedTime 00:04:07.015
    UserTime 00:00:00.031
    KernelTime 00:00:00.000
    QuotaPoolUsage[PagedPool] 26588
    QuotaPoolUsage[NonPagedPool] 1440
    Working Set Sizes (now,min,max) (583, 50, 345) (2332KB, 200KB, 1380KB)
    PeakWorkingSetSize 583
    VirtualSize 12 Mb
    PeakVirtualSize 13 Mb
    PageFaultCount 609
    MemoryPriority BACKGROUND
    BasePriority 8
    CommitCharge 124
    DebugPort 85f25ec0
    Setting context for this process...


    THREAD 863f7b08 Cid 0ce8.063c Teb: 7ffdf000 Win32Thread: e4262e10 WAIT: (Executive) KernelMode Non-Alertable
    a8eb87d4 SynchronizationEvent
    Not impersonating
    DeviceMap e30a2340
    Owning Process 0 Image: <Unknown>
    Attached Process 86ba98e0 Image: msgbox.exe
    Wait Start TickCount 4077495 Ticks: 15786 (0:00:04:06.656)
    Context Switch Count 92 LargeStack
    UserTime 00:00:00.015
    KernelTime 00:00:00.000
    *** WARNING: Unable to verify checksum for C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\msgbox.exe
    *** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\msgbox.exe
    Win32 Start Address msgbox (0x00401000)
    Start Address kernel32!BaseProcessStartThunk (0x7c810705)
    Stack Init a8eb9000 Current a8eb8758 Base a8eb9000 Limit a8eb5000 Call 0
    Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr
    a8eb8770 80500cf0 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
    a8eb877c 804f9d72 nt!KiSwapThread+0x46 (FPO: [0,0,0])
    a8eb87a4 80638fc4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
    a8eb8884 8063a099 nt!DbgkpQueueMessage+0x17c (FPO: [Non-Fpo])
    a8eb88a8 8063a1cb nt!DbgkpSendApiMessage+0x45 (FPO: [Non-Fpo])
    a8eb8934 804fcb42 nt!DbgkForwardException+0x8f (FPO: [Non-Fpo])
    a8eb8cf4 8053e0a1 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
    a8eb8d5c 8053e7b1 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
    a8eb8d5c 00401001 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ a8eb8d64)
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0013fff0 00000000 msgbox+0x1001

    refer to the last post for the attachment
    Last edited by blabberer; September 15th, 2012 at 16:32. Reason: modified plugin attached in last reply

  2. #2
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    WTF is this, a WinOlly mutant? This just isn't right. It's an abhorrent grotesque transmogrification that goes against the laws of nature. You should be ashamed of yourself!

    I love it

    So, I'm still having some issues with your 3-eyed fish creation. The usual Windbg "NT symbols are incorrect, please fix symbols" error.

    I've tried things like
    !sym noisy
    .symfix
    .reload /f nt
    and gotten a new pdb placed into an Ollydbg/sym directory by the MS symserver, but no joy yet.

    Still working on getting the symbols set up right, but other than that it's pretty cool. One suggestion/request pretty please - a command line window that stays open so you can enter multiple commands without having to reopen the plugin menu.

  3. #3
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    the devil maker is pleased to hear that you love the devil and has created a semi-permanent gremlin that won't stay open always but
    can be accessed via a keyboard shortcut. the gremlin also remembers your old orders for devilizing buggy hells via a drop-down box

    this also now has a one-time init and one-time exit so that it stops blabbering the same old dialog with every invocation of abracadabra

    have fun devilizing the unbuggable

    bear in mind windbg works fine with one centralized _NT_SYMBOL_PATH and its associated cache
    if you find symbol problems you should never ever make other caches in any debuggee folder / sys32 folder / dll folder / exe folder / sys folder and other folders. first make sure it recognizes your _NT_SYMBOL_PATH and downloads all the crap to the downstream cache folder associated with _NT_SYMBOL_PATH

    in your case i assume you haven't copied the windbg extensions and dlls to your ollydbg folder, so you are facing symbol problems

    first delete all other caches except the SRV*<cache folder>* of _NT_SYMBOL_PATH

    copy symsrv.dll / dbgeng.dll / dbghelp.dll / ext.dll / kext.dll / kdexts.dll / ntsdexts.dll / uext.dll / etc. to the ollydbg folder from the windbg installation like i posted earlier and your symbol problems should be gone

    .symfix etc. work only if you have the latest symsrv.dll in the path

    now copy the attached plugin to the ollydbg dir, start ollydbg and hit

    alt+f1 (yep, i stole the shortcut from the ollydbg 1.10 commandline plugin)

    now type !gflag +sls in a blank ollydbg window and start a process

    all the loader snaps (the work of the ntglobalflag plugin of ollydbg 1.10) should happen like below:


    Code:
    Log data
    Address   Message
              New NtGlobalFlag contents: 0x00004002
                  sls - Show Loader Snaps
                  otl - Maintain a list of objects for each type
    
              File 'C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\msgbox.exe'
              New process (ID 00000C98) created
    00401000  Main thread (ID 00000BB4) created
    00400000  Module C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\msgbox.exe
                Different PE Data Directory in file and in memory (antivirus?)
                Import table: file (00002010,0000003C), memory (00002F78,0000003C)
    64D00000  Module C:\Program Files\Alwil Software\Avast5\snxhk.dll
    77F10000  Module C:\WINDOWS\system32\GDI32.dll
                PDB file: 'F:\symbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb'
    7C800000  Module C:\WINDOWS\system32\kernel32.dll
                PDB file: 'F:\symbols\kernel32.pdb\072FF0EB54D24DFAAE9D13885486EE092\kernel32.pdb'
    7C900000  Module C:\WINDOWS\system32\ntdll.dll
                PDB file: 'F:\symbols\ntdll.pdb\6992F4DAF4B144068D78669D6CB5D2072\ntdll.pdb'
    7E410000  Module C:\WINDOWS\system32\user32.dll
                PDB file: 'F:\symbols\user32.pdb\D18A41B74E7F458CAAAC1847E2D8BF022\user32.pdb'
              Debug string: LDR: LdrLoadDll, loading ShimEng.dll from
              Debug string: LDR: Loading (DYNAMIC, NON_REDIRECTED) C:\WINDOWS\system32\ShimEng.dll
              Debug string: LDR: ShimEng.dll bound to ntdll.dll
              Debug string: LDR: ShimEng.dll has stale binding to ntdll.dll
              Debug string: LDR: Stale Bind ntdll.dll from ShimEng.dll
              Debug string: LDR: ShimEng.dll bound to KERNEL32.dll
              Debug string: LDR: ShimEng.dll has stale binding to KERNEL32.dll
              Debug string: LDR: Stale Bind KERNEL32.dll from ShimEng.dll
              Debug string: LDR: LdrGetProcedureAddress by
              Debug string: NAME - SE_InstallBeforeInit
              Debug string: LDR: LdrGetProcedureAddress by

  4. #4
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    this plugin can now display the user call stack

    type in "ustk" in the box without quotes

    this plugin now automatically sets the process context to that of the debuggee

    so you don't have to do .process /p /r debuggee eproc

    and can view debuggee-relevant data directly

    the plugin now identifies and aliases eproc as the EPROCESS of the debuggee process

    suppose msgbox is the debuggee

    doing u 401002 will display the disassembly of msgbox.exe

    you can supply the alias eproc in place of DebuggeeEprocess
    like

    dt nt!_eprocess eproc, or using the alias interpreter viz. ${$eproc}

    my odbg 2.01f folder contains the following extensions from the windbg version 6.12 folder

    Folder PATH listing

    C:.
    dbgeng.dll
    dbghelp.dll
    ext.dll
    exts.dll
    kdexts.dll
    kext.dll
    msgbox.exe < debuggee
    msgbox.pdb < debuggee's pdb
    ntsdexts.dll
    ollydbg.exe
    ollydbg.ini
    OLLY_LKD.dll <plugin
    symsrv.dll
    uext.dll

    No subfolders exist



    Code:
    Log data
    Address   Message
             ustk
               # ChildEBP RetAddr  Args to Child
              00 0013fcdc 7c918f21 00160000 40000068 00000032 ntdll!_SEH_prolog+0x34
              01 0013ff10 7e42890d 00160000 40000068 00000032 ntdll!RtlAllocateHeap+0xe64
              02 0013ff24 7e428927 00000032 00000000 ffffffff user32!UserRtlAllocMem+0x16
              03 0013ff3c 7e466433 00000000 00403019 ffffffff user32!MBToWCSEx+0x75
              04 0013ff70 7e450877 00000000 00403019 00403000 user32!MessageBoxTimeoutA+0x2d
              05 0013ff90 7e45082f 00000000 00403019 00403000 user32!MessageBoxExA+0x1b
              06 0013ffac 00401013 00000000 00403019 00403000 user32!MessageBoxA+0x45
              07 0013fff0 00000000 00401000 00000000 78746341 msgbox!start+0x13
    
             !process eproc 0
              PROCESS 85d35030  SessionId: 0  Cid: 0b98    Peb: 7ffd9000  ParentCid: 08e8  
                  DirBase: 0fb40440  ObjectTable: e2f79008  HandleCount:  14.
                  Image: msgbox.exe
    
    
                 +0x084 UniqueProcessId : 0x00000b98 Void            dt nt!_eprocess -y uni eproc 
                 +0x174 ImageFileName : [16]  "msgbox.exe"           dt nt!_eprocess -y ima eproc 
    
               lm 
              start    end        module name
              00400000 00404000   msgbox     (deferred)
              64d00000 64d3c000   snxhk      (deferred)
              76390000 763ad000   IMM32      (deferred)
              77dd0000 77e6b000   ADVAPI32   (deferred)
              77e70000 77f02000   RPCRT4     (deferred)
              77f10000 77f59000   GDI32      (deferred)
              77fe0000 77ff1000   Secur32    (deferred)
              7c800000 7c8f6000   kernel32   (deferred)
              7c900000 7c9b2000   ntdll      (deferred)
              7e410000 7e4a1000   user32     (deferred)
              804d7000 806cf980   nt         (pdb symbols)          f:\symbols\ntkrnlpa.pdb\4BF71966DA15428C9532FDC1F6886F571\ntkrnlpa.pdb
    
    ustk
    
               # ChildEBP RetAddr  Args to Child
              00 0013fcdc 7c918f21 00160000 40000068 00000032 ntdll!_SEH_prolog+0x34
              01 0013ff10 7e42890d 00160000 40000068 00000032 ntdll!RtlAllocateHeap+0xe64
              02 0013ff24 7e428927 00000032 00000000 ffffffff user32!UserRtlAllocMem+0x16
              03 0013ff3c 7e466433 00000000 00403019 ffffffff user32!MBToWCSEx+0x75
              04 0013ff70 7e450877 00000000 00403019 00403000 user32!MessageBoxTimeoutA+0x2d
              05 0013ff90 7e45082f 00000000 00403019 00403000 user32!MessageBoxExA+0x1b
              06 0013ffac 00401013 00000000 00403019 00403000 user32!MessageBoxA+0x45
              07 0013fff0 00000000 00401000 00000000 78746341 msgbox!start+0x13
    Last edited by blabberer; October 6th, 2012 at 21:34. Reason: posted a newer version compiled against 2.01g download from later post

  5. #5
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    did any of you chain this ollydbg with a windbg?

    i mean load ollydbg into windbg and load a debuggee in ollydbg?

    it seems the plugins are never loaded if ollydbg is debugged by windbg

    trying with default unmodified ollydbg and default unmodified visual c bookmark plugin

    also keeps the plugin tab grayed out

    i can't see a load call to the BookMark plugin

    loading ollydbg in ollydbg shows the plugin tab

  6. #6
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    I don't seem to have that problem. Plugin gets loaded OK with Olly under Windbg:

    ModLoad: 01f20000 01f30000 C:\RCE\OllyDbg2\plugins\Bookmarkc.dll

    I noticed something funky with this Olly, it self-extracts UPX files and stops at the OEP rather than the packer EP. You have to uncheck the 'Unpack SFX modules automatically' option if you want it to break on unpacking code. I don't know what it would do with malware that uses a fake upx stub and does something nasty during unpacking, something to be aware of.

  7. #7
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    found some time to check but i get an uhm

    can you retry with this olly_lkd plugin

    windbg -> ollydbg with olly_lkd plugin -> some lmn debuggee in ollydbg

  8. #8
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    Uhm (to use the same technical computer terminology), same results. If I put all those Winny files in the main Olly directory (except for having separate plugin and project directories), the plugin gets loaded OK under Windbg (6.12.0002.633 x86 on XPsp3).

    I do have one problem though, a crash caused by the plugin on closing Olly, either alone or under Windbg. Doesn't matter whether a debuggee is loaded or the LKD window is displayed.

    Both the Olly built-in crash dump or Windbg point to the same instruction, a c0000005 error at the start of ODBG2_Pluginclose

    Code:
    .text:10001985 ODBG2_Pluginclose proc
    .text:10001985 A1 84 43 00 10 mov eax, dword_10004384
    .text:1000198A 8B 08 mov ecx, [eax] // Faulting instruction


    Btw, a weird thing, I use VS2010 and initially named my plugin dll entry point as "DllEntryPoint", as the bookmark plugin example does. I then dutifully saved the HINSTANCE hdllinst for later use in creating a dialog box. The dialog box was never created and I tracked it down to the fact that "DllEntryPoint" was never called and HINSTANCE never saved. I then changed the name to "DllMain" and it was properly compiled and handled.

    If you google around you'll see there are weird differences between "DllEntryPoint" and "DllMain" as used with different compilers. So if someone isn't getting what they expect from the plugin dll entry point, they might want to check this out. Sometimes wysiwyg isn't!

  9. #9
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    uhm (to stress the technical validity and correctness of interpretation)

    putting olly_lkd into a separate plugin folder makes it load
    it doesn't load if i dump the plugin file into the main olly dir
    dbghelp tries to load decem.dll (IA64 disassembler dll module) and all is haywire from there; ollydbg doesn't come near this plugin at all with windbg
    and the plugin in the main ollydbg dir. actually i had the cmkd.dll extension which had _except_4 (vista+ api); after removing it i find dbghelp is now trying to load Decem.dll and on failure whatever

    yep, i saw the DllMain weirdness too in an earlier plugin (iirc in the prefast-clean vc 2010 symbol loader source i changed it from DllEntryPoint to DllMain) but in ollylkd, since i am not using hdllinst, i am not bitten by it yet
    though i will change it

    Code:
    0:001> x OLLY_LKD!hdllinst
    10004364 OLLY_LKD!hdllinst = 0x00000000
    0:001> ? poi (OLLY_LKD!hdllinst)
    Evaluate expression: 0 = 00000000
    0:001> x OLLY_LKD!*dll*
    1000141c OLLY_LKD!_pDefaultRawDllMain = 0x00000000
    1000438c OLLY_LKD!__rawdllmain_called = 0n0
    10004364 OLLY_LKD!hdllinst = 0x00000000
    10004040 OLLY_LKD!__native_dllmain_reason = 0xffffffff
    100046c0 OLLY_LKD!_pRawDllMain = 0x00000000
    10002541 OLLY_LKD!DllMain (void *, unsigned long, void *)
    10001cc0 OLLY_LKD!__DllMainCRTStartup (void *, unsigned long, void *)
    10001f21 OLLY_LKD!_DllMainCRTStartup (void *, unsigned long, void *)
    0:001> uf OLLY_LKD!DllMain
    OLLY_LKD!DllMain [d:\5359\minkernel\crts\crtw32\startup\dllmain.c @ 50]:  <------------ this gets compiled if you have DllEntryPoint()
       50 10002541 33c0            xor     eax,eax
       55 10002543 40              inc     eax
       56 10002544 c20c00          ret     0Ch
    yep there is a crash on close
    Code:
    OllyDbg version:    2.01.00 beta 2
    Exception code:     C0000005
    Parameters:         00000000 00000000
    Exception address:  10001992
    Executable module:  C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\OLLY_LKD.dll
    that is why i wanted to see what windbg shows

    and it shows i don't have an interface to release

    Code:
    0:000> r
    eax=00000000 ebx=00000000 ecx=01bf0000 edx=005bf67c esi=004099f8 edi=0013ef5c
    eip=10001992 esp=0013db68 ebp=0013eef4 iopl=0 nv up ei pl nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206

    > 175: status = g_ControlUser->Release();

    OLLY_LKD!ODBG2_Pluginclose+0x5:
    10001992 8b08 mov ecx,dword ptr [eax] ds:0023:00000000=????????

    thanks for testing and providing feedback

  10. #10
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    Aha (terminus technicus), now we're getting somewhere.

    I see what you mean. It looks like Olly uses a short form of its plugin directory path that Windbg borks on. If you put a plugin, any plugin even bookmark, in the main Olly directory and point your plugin directory to say
    C:\Ollydbg - without the trailing backslash
    it will be stored in the ollydbg.ini file as:
    Plugin directory=.

    i.e., the path is described internally as just a dot, or the main Olly directory, which only Olly understands.

    When Windbg gets involved it must try to resolve this path itself, and can't, and doesn't load the plugin.

    If however you add a trailing backslash to the root plugin directory:
    C:\Ollydbg\
    it will be stored in the ollydbg.ini file as:
    Plugin directory=.\

    And for some reason Windbg handles this OK and the plugin loads. Weird.

  11. #11
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    woot (spellarum hexitechum)

    i see

    still i don't understand why some dll that is in the path is pulled up and on failure UnInit is called

    nice to know someone else can see the haze and i ain't made mad

  12. #12
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    Like you I also get an odd series of Windbg dlls loaded when it fails to find/load the plugin.

    When correct, the sequence is DBGHELP.DLL -> bookmark.dll, and that's it, everything runs OK.

    When incorrect, bookmark.dll is never loaded but instead you get loaded in order:
    DBGHELP.DLL -> adplusext, dbgeng, dbgeng (yes twice), decem, srcsrv, symbolcheck, symsrv

  13. #13
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    attached is a version compiled against ollydbg version 2.01g released 4th oct

    hopefully the crash on close is gone

    and both user session and kernel session should operate side by side and should be appreciably faster
    than the earlier version

    also tested with the 6.2.9200.16384 drop of windbg dlls

    does anyone find any use case for this contraption?

    i see tuts4you also hosts a copy of this plugin (teddy, if you read this, update the file)

    olly_lkd compiled for version 2.01g released 4th oct 2012 is attached below

  14. #14
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    Quote Originally Posted by blabberer View Post
    does anyone find any use case for this contraption ?
    Out of curiosity, in general what commands are supported and which aren't? Several of the !bang commands I've tried seem to work OK, but some of the built in commands may or may not work.

    For example, r(register), e(edit) and ~(thread) don't seem to work. t(trace) doesn't work, not too surprisingly I guess.
    k(stack), you had to make ustk, which is good because Olly doesn't seem to have the old Stack window yet.

    Is it because these are meant to act directly on the debuggee therefore can't be used unless your plugin intervenes? And yet something like lm or dd work because they aren't intrusive to the debuggee or act more on a system level?

  15. #15
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    Quote Originally Posted by Kayaker View Post
    Out of curiousity, in general what commands are supported and which aren't?
    in theory whatever is documented to work from LKD should work without flaw

    it is what is documented not to work that i am trying to defy

    so you wanted ~*, you got it

    though ollydbg has inbuilt support for threads



    but some of the built in commands may or may not work.
    what does the ambiguous statement mean
    it either works or it doesn't

    Code:
    switch (result)
    case success:
    what did work for you and is it documented to work ?  
    case black magic:
    what did work for you and it is documented not to work :) 
    case failure:
    what didn't work for you that is documented to work :) 
    case all_else:
    put all your esoteric blah blah here

    I guess. k(stack), you had to make ustk,
    oh, you now have a more generic kb. i got rid of ustk; let's stick to windbg terminology
    and not create new devils

    Inbuilt Livekd creates a snapshot of the system and works on it, as you are well aware, so i just let windbg (ie dbgeng) do all the work on my behalf.

    for DebugEng my plugin is windbg's LKD in this case

    for the user mode case i take a convoluted route to attach to an already debugged debuggee (NON_INVASIVE_ATTACH)
    (ollydbg debugging a debuggee and possibly paused, so hopefully state remains stable over several snapshots)
    and try to grab the underlying @#$%. more rigorous testing and feedback might get me a bit more motivated

    Code:
    Log data
    Address   Message
              .  0  Id: f48.f44 Suspend: 1 Teb: 7ffdf000 Unfrozen        <--------------------        ~* 
                    Start: msgbox!start (00401000)
                    Priority: 0  Priority class: 32  Affinity: 1
    
               # ChildEBP RetAddr  Args to Child
              00 0013fb1c 7c940442 7ffdf000 7ffd7000 00000000 ntdll!DbgBreakPoint+0x1
              01 0013fc94 7c9210af 0013fd30 7c900000 0013fce0 ntdll!LdrpInitializeProcess+0xffa               <------------------------ kb not ustk
              02 0013fd1c 7c90e457 0013fd30 7c900000 00000000 ntdll!_LdrpInitialize+0x183
              03 00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7
    
    
              **** NT ACTIVE PROCESS DUMP **** <---------------------- process 0 0
              PROCESS 86dc69c8  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
                  DirBase: 002f4000  ObjectTable: e1000d18  HandleCount: 2635.
                  Image: System
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
              PROCESS 85efbb78  SessionId: 0  Cid: 0f24   Peb: 7ffde000  ParentCid: 0e88
                  DirBase: 0fc40340  ObjectTable: e43f0fb8  HandleCount: 183.
                  Image: ollydbg.exe
              PROCESS 8609c178  SessionId: 0  Cid: 0f48    Peb: 7ffd7000  ParentCid: 0f24
                  DirBase: 0fc40380  ObjectTable: e19f28b8  HandleCount:   5.
                  Image: msgbox.exe
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    
              PROCESS 8609c178  SessionId: 0  Cid: 0f48    Peb: 7ffd7000  ParentCid: 0f24     <------------------- process eproc 17 (ollydbg debuging msgbox)
                  DirBase: 0fc40380  ObjectTable: e19f28b8  HandleCount:   5.
                  Image: msgbox.exe
                  VadRoot 860e2b40 Vads 24 Clone 0 Private 45. Modified 0. Locked 0.
                  DeviceMap e2a52ce0
                  Token                             e139dcf8
                  ElapsedTime                       00:01:13.890
                  UserTime                          00:00:00.015
                  KernelTime                        00:00:00.000
                  QuotaPoolUsage[PagedPool]         13588
                  QuotaPoolUsage[NonPagedPool]      960
                  Working Set Sizes (now,min,max)  (385, 50, 345) (1540KB, 200KB, 1380KB)
                  PeakWorkingSetSize                385
                  VirtualSize                       6 Mb
                  PeakVirtualSize                   6 Mb
                  PageFaultCount                    380
                  MemoryPriority                    BACKGROUND
                  BasePriority                      8
                  CommitCharge                      65
                  DebugPort                         8602b178
                  Setting context for this process...
    
                                                     
            THREAD 85ed4da8  Cid 0f48.0f44  Teb: 7ffdf000 Win32Thread: 00000000 WAIT
              : (Executive) KernelMode Non-Alertable
              SuspendCount 1
                          a88b97d4  SynchronizationEvent
                      Not impersonating
                      DeviceMap                 e2a52ce0
                      Owning Process            0       Image:         <Unknown>
                      Attached Process          8609c178       Image:         msgbox.exe
                      Wait Start TickCount      173262         Ticks: 975 (0:00:00:15.234)
                      Context Switch Count      44
                      UserTime                  00:00:00.000
                      KernelTime                00:00:00.000
                      Win32 Start Address msgbox!start (0x00401000)
                      Start Address kernel32!BaseProcessStartThunk (0x7c810705)
                      Stack Init a88ba000 Current a88b9758 Base a88ba000 Limit a88b7000 Call 0
                      Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
              GetContextState failed, 0x80004001
              Unable to get current machine context, HRESULT 0x80004001
                      ChildEBP RetAddr  Args to Child
                      a88b9770 80500cf0 85ed4e18 85ed4da8 804f9d72 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
                      a88b977c 804f9d72 00000000 85ed4da8 a88b97cc nt!KiSwapThread+0x46 (FPO: [0,0,0])
                      a88b97a4 80638fc4 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
                      a88b9884 8063a099 8609c178 00000000 a88b98bc nt!DbgkpQueueMessage+0x17c (FPO: [Non-Fpo])
                      a88b98a8 8063a1cb a88b98bc 00000001 a88b9d64 nt!DbgkpSendApiMessage+0x45 (FPO: [Non-Fpo])
                      a88b9934 804fcb42 a88b9d10 00000001 00000000 nt!DbgkForwardException+0x8f (FPO: [Non-Fpo])
                      a88b9cf4 8053e0a1 a88b9d10 00000000 a88b9d64 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
                      a88b9d5c 8053e7b1 0013fc94 7c90120f badb0d00 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
                      a88b9d5c 7c90120f 0013fc94 7c90120f badb0d00 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ a88b9d64)
                      0013fb1c 7c940442 7ffdf000 7ffd7000 00000000 ntdll!DbgBreakPoint+0x1
               (FPO: [0,0,0])
                      0013fc94 7c9210af 0013fd30 7c900000 0013fce0 ntdll!LdrpInitializeProcess+0xffa (FPO: [Non-Fpo])  <--------------- kb results match
                      0013fd1c 7c90e457 0013fd30 7c900000 00000000 ntdll!_LdrpInitialize+0x183 (FPO: [Non-Fpo])
                      00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7
    Attached Files
    Last edited by blabberer; October 8th, 2012 at 00:12.
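Added example (not code from the plugin or from any post in this thread): a small Python parser for the `!process` and `kb` text that dbgeng prints through OLLY_LKD, pulling out the one field in that output that matters most for anti-debug work, EPROCESS.DebugPort. It assumes the standard WinDbg text layout seen in the posts above (a `PROCESS <eproc> SessionId: .. Cid: .. Peb: .. ParentCid: ..` header line, an indented `Image:` line, a `DebugPort <ptr>` line at detail levels that print it, and `kb` frames laid out as ChildEBP RetAddr Args symbol+offset). The sample strings are constructed from the output posted in this thread; nothing here talks to dbgeng itself.

```python
"""Parse `!process` / `kb` output (as printed via OLLY_LKD) and flag processes
the kernel itself reports as being debugged.  Added example, not part of the
plugin; assumes the usual WinDbg text layout shown in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PROCESS_RE = re.compile(
    r"^\s*PROCESS\s+(?P<eproc>[0-9a-f]+)\s+SessionId:\s*\S+\s+"
    r"Cid:\s*(?P<cid>[0-9a-f]+)\s+Peb:\s*[0-9a-f]+\s+ParentCid:\s*(?P<pcid>[0-9a-f]+)",
    re.I)
IMAGE_RE = re.compile(r"^\s*Image:\s*(?P<image>\S+)", re.I)
DEBUGPORT_RE = re.compile(r"^\s*DebugPort\s+(?P<port>[0-9a-f]+)", re.I)
# kb/k line: optional frame index, ChildEBP, RetAddr, 0..3 args, then the symbol.
FRAME_RE = re.compile(
    r"^\s*(?:[0-9a-f]{2}\s+)?(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+"
    r"(?:[0-9a-f]{8}\s+){0,3}(?P<sym>[^\s(]+)", re.I)
# Frames a thread only sits in while it is parked in the kernel/ntdll debug path.
DEBUG_PATH = {"nt!KiTrap03", "nt!DbgkForwardException", "nt!DbgkpQueueMessage",
              "ntdll!DbgBreakPoint", "ntdll!DbgUiRemoteBreakin"}


@dataclass
class Proc:
    eproc: int
    pid: int
    ppid: int
    image: str = "<unknown>"
    debug_port: Optional[int] = None  # None: this !process detail level did not print it


def parse_processes(text: str) -> List[Proc]:
    """Turn `!process 0 0` / `!process <eproc> 17` style output into records."""
    procs: List[Proc] = []
    cur: Optional[Proc] = None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            cur = Proc(int(m["eproc"], 16), int(m["cid"], 16), int(m["pcid"], 16))
            procs.append(cur)
        elif cur is not None and (m := IMAGE_RE.match(line)):
            cur.image = m["image"]
        elif cur is not None and (m := DEBUGPORT_RE.match(line)):
            cur.debug_port = int(m["port"], 16)
    return procs


def debugged(procs: List[Proc]) -> List[Dict[str, object]]:
    """Processes with a non-NULL EPROCESS.DebugPort, joined to their parent.
    DebugPort is the kernel's own record of an attached debugger (what
    NtQueryInformationProcess(ProcessDebugPort) reports); patching
    PEB.BeingDebugged in user mode does not clear it.  ParentCid is the creator
    at launch time: a debugger that attached later is not the parent."""
    by_pid = {p.pid: p for p in procs}
    out: List[Dict[str, object]] = []
    for p in procs:
        if p.debug_port:
            parent = by_pid.get(p.ppid)
            out.append({"image": p.image, "pid": p.pid, "debug_port": p.debug_port,
                        "ppid": p.ppid, "parent": parent.image if parent else None})
    return out


def stopped_in_debug_path(stack_text: str) -> Optional[str]:
    """First `kb` frame showing the thread parked in the debug path, or None."""
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line)
        if m and m["sym"].split("+")[0] in DEBUG_PATH:
            return m["sym"]
    return None


# Constructed sample, trimmed from the `!process` output posted in the thread.
PROCESS_SAMPLE = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 85efbb78  SessionId: 0  Cid: 0f24    Peb: 7ffde000  ParentCid: 0e88
    DirBase: 0fc40340  ObjectTable: e43f0fb8  HandleCount: 183.
    Image: ollydbg.exe
PROCESS 8609c178  SessionId: 0  Cid: 0f48    Peb: 7ffd7000  ParentCid: 0f24
    DirBase: 0fc40380  ObjectTable: e19f28b8  HandleCount:   5.
    Image: msgbox.exe
    VadRoot 860e2b40 Vads 24 Clone 0 Private 45. Modified 0. Locked 0.
    DebugPort                         8602b178
"""
# Constructed sample, the debuggee main thread's `kb` frames from the thread.
KB_SAMPLE = """\
 # ChildEBP RetAddr  Args to Child
00 0013fb1c 7c940442 7ffdf000 7ffd7000 00000000 ntdll!DbgBreakPoint+0x1
01 0013fc94 7c9210af 0013fd30 7c900000 0013fce0 ntdll!LdrpInitializeProcess+0xffa
02 0013fd1c 7c90e457 0013fd30 7c900000 00000000 ntdll!_LdrpInitialize+0x183
03 00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7
"""

if __name__ == "__main__":
    for d in debugged(parse_processes(PROCESS_SAMPLE)):
        print(f"{d['image']} pid {d['pid']:#x}: DebugPort {d['debug_port']:#x}, "
              f"parent {d['parent']} pid {d['ppid']:#x}")
    print("parked in:", stopped_in_debug_path(KB_SAMPLE))
```

Run on the thread's own output it reports msgbox.exe (pid 0xf48) with DebugPort 0x8602b178 and parent ollydbg.exe, and names ntdll!DbgBreakPoint+0x1 as the frame the thread is parked in, i.e. the initial loader breakpoint shown in the last post. The same `!process 0 0` sweep from LKD is a quick way to spot every debugged process on the box regardless of what the targets' user-mode anti-debug checks say.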
