Plugin for logging file access?

sabbato753
Junior Member
Posts: 12
Joined: Wed May 26, 2010 3:19 pm

Post by sabbato753 »

I'm wondering if there's a plugin that would allow me to break on opening a specific filename (names are not in the executable as strings, but are instead computed at runtime).

I've tried using MemoryWatch to break on seeing the ASCII name going through the registers, but it hasn't seemed to work yet, and there are over 500 files loaded before the one I want so hitting F9 for every instance of CreateFileA isn't gonna cut it.

Thank you for any help!
GamingMasteR
Posts: 44
Joined: Fri Oct 05, 2007 1:17 pm

Post by GamingMasteR »

Hi,

You can use a conditional breakpoint on CreateFileA/CreateFileW.

Conditional jump for CreateFileA:

Code:
STRING [[ESP + 4]] == "XXX"

Conditional jump for CreateFileW:

Code:
UNICODE [[ESP + 4]] == "XXX"

Where XXX is the generated file name (case-insensitive).

I don't think a real application will use a lower-level API to create the file (like NtCreateFile).

Regards,
GM
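What the two conditions above read at the first instruction of CreateFileA/CreateFileW, modelled offline as an added example that is not part of the original posts: [ESP] holds the return address, [ESP+4] holds the lpFileName pointer, and the STRING/UNICODE prefix selects an ANSI or UTF-16 read at that pointer. The Memory class, the helper names, and all addresses and file names are constructed for illustration.

```python
import struct

class Memory:
    """Sparse little-endian 32-bit address space (constructed for the demo)."""
    def __init__(self):
        self.regions = {}          # base address -> bytearray

    def write(self, addr, data):
        self.regions[addr] = bytearray(data)

    def read(self, addr, size):
        for base, buf in self.regions.items():
            if base <= addr and addr + size <= base + len(buf):
                return bytes(buf[addr - base:addr - base + size])
        raise ValueError("unmapped read at %#x" % addr)

    def dword(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def cstring(self, addr, wide=False, limit=260):
        """Read a NUL-terminated ANSI or UTF-16LE string, MAX_PATH units at most."""
        step, out = (2 if wide else 1), bytearray()
        for i in range(limit):
            unit = self.read(addr + i * step, step)
            if unit == b"\x00" * step:
                break
            out += unit
        return out.decode("utf-16-le" if wide else "latin-1")

def name_matches(mem, esp, wanted, wide=False):
    """Model of STRING/UNICODE [[ESP + 4]] == wanted at the API's first instruction."""
    lp_file_name = mem.dword(esp + 4)      # [ESP] is the return address, [ESP+4] is arg 1
    try:
        return mem.cstring(lp_file_name, wide).lower() == wanted.lower()
    except ValueError:                     # NULL or bad pointer: do not break
        return False

def build_call(name, wide=False):
    """Constructed stack frame as it looks on entry to CreateFileA/W."""
    mem, esp, buf = Memory(), 0x0012FF00, 0x00403000
    mem.write(buf, name.encode("utf-16-le" if wide else "latin-1") + b"\x00\x00")
    mem.write(esp, struct.pack("<II", 0x00401234, buf))   # return address, lpFileName
    return mem, esp

def first_hit(names, wanted):
    """Index of the first constructed CreateFileA call that satisfies the condition."""
    for i, n in enumerate(names):
        if name_matches(*build_call(n), wanted):
            return i
```

An ANSI read of a UTF-16 buffer stops at the first zero byte, which is why the STRING form does not fire on a wide-character call and each API needs its own condition.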