// Drops every idle logger from the shared table, resets the view state and
// returns how many idle entries were found.
//
// The scan runs under m_csShare. Each entry whose flag carries
// LOGGER_FLAG_IDLE is counted and its rows are subtracted from
// m_Table.custommode. Consecutive idle entries form a run that starts at the
// addr of the first idle entry and is deleted as a range once a
// LOGGER_FLAG_BUSY entry is met (end = that entry's addr) or when the table
// ends (end = last addr + 1) — the end value therefore looks end-exclusive,
// but that depends on Deletesorteddatarange's contract; TODO confirm.
// m_nNextId receives the addr of the first deleted entry.
//
// NOTE(review): pos is a signed int compared against m_Table.sorted.n, and
// the return value of Getsortedbyindex is dereferenced without a NULL check.
ulong CCmdLog::clear(void)
{
	// Reset scrolling and selection of the view before the table shrinks.
	m_Table.offset = m_Table.sorted.selected = m_Table.xshift = 0;

	EnterCriticalSection(&m_csShare);

	// begin == (ulong)-1 is the "no open idle run" sentinel; the comparisons
	// with -1 below rely on -1 converting to that same ulong value. end is
	// assigned on every path before it is read.
	ulong begin = -1, count = 0, end; LPLOGGER plog; m_nNextId = 0;
	for (int pos = 0; pos < m_Table.sorted.n; ++pos) {
		plog = reinterpret_cast<LPLOGGER> (
			Getsortedbyindex(&m_Table.sorted, pos)
		);	// logger->addr = pos;
		if (plog->flag & LOGGER_FLAG_IDLE) {
			// Idle entry: account for its rows and count it.
			m_Table.custommode -= plog->rows; ++ count;
		}
		if (begin == -1) {
			if (plog->flag & LOGGER_FLAG_IDLE) {
				begin = plog->addr;	// open a run of idle entries
			}
		} else {
			if (plog->flag & LOGGER_FLAG_BUSY) {
				// A busy entry closes the run: delete it and step the loop
				// index back, presumably to land on this busy entry again
				// after the deleted entries shift down. count is cumulative
				// over all runs, so later runs rewind further — TODO confirm
				// that is intended.
				end = plog->addr; pos -= count + 1;
				Addtolist(1,1,text("begin: %x, end: %x"),begin,end);
				Deletesorteddatarange(&m_Table.sorted, begin, end);
				if (!m_nNextId) m_nNextId = begin; begin = -1;
			}
		}
	} if (begin != -1) {
		// A trailing idle run reached the last entry; plog still points at
		// that last entry (the loop ran at least once, otherwise begin == -1).
		if (!m_nNextId) m_nNextId = begin; end = plog->addr + 1;
		Deletesorteddatarange(&m_Table.sorted, begin, end);
	}

	LeaveCriticalSection(&m_csShare);

	Updatetable(&m_Table, false); return count;
}
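// Menu function of Disassembler pane that records every traced instruction
// (DEC_TRACED set in its decode byte) into baselist, the baseline that a later
// MCompareTrace run is checked against. The hit list is emptied as well.
//
// pt, name, index - standard OllyDbg menu callback arguments (unused here).
// mode            - MENU_VERIFY asks for availability, MENU_EXECUTE runs it.
// Returns MENU_NORMAL for MENU_VERIFY, MENU_REDRAW after a MENU_EXECUTE run
// and MENU_ABSENT for any other mode.
static int MMarkTrace(t_table *pt,wchar_t *name,ulong index,int mode) {
  ulong i,j,limit,codelinesize;
  uchar *codeline;
  t_memory *pmem;
  t_hitlist hitlistitem={0};           // Zeroed: fields this function never
                                       // sets (e.g. the decoded text used by
                                       // MCompareTrace) must not carry stack
                                       // garbage into the list.

  if (mode==MENU_VERIFY)
    return MENU_NORMAL;                // Always available
  if (mode!=MENU_EXECUTE)
    return MENU_ABSENT;

  // Drop the results of the previous run so stale entries cannot be compared.
  Deletesorteddatarange(&(hitlisttable.sorted),0,0xFFFFFFFF);
  Deletesorteddatarange(&baselist,0,0xFFFFFFFF);
  for (i=0; i<memory.sorted.n; i++) {
    pmem=(t_memory *)Getsortedbyindex(&memory.sorted,i);    // Get next memory block.
    if (pmem==NULL)
      continue;
    if ((pmem->type & MEM_GAP)!=0)
      continue;                        // Unallocated memory
    // Check whether it contains executable code.
    if ((pmem->type & (MEM_CODE|MEM_SFX))==0)
      continue;                        // Not a code
    // A block covers [base, base+size). The previous "<=" bound visited one
    // address past the block and never terminated when base+size was
    // 0xFFFFFFFF (j can never exceed ulong max).
    limit=pmem->base+pmem->size;
    for (j=pmem->base; j<limit; j++) {
      codeline=Finddecode(j,&codelinesize);
      if (codeline==NULL || ((*codeline)&DEC_TRACED)!=DEC_TRACED)
        continue;                      // No decode info or not traced
      hitlistitem.index=j;
      hitlistitem.size=1;
      hitlistitem.type=0;
      Addsorteddata(&baselist,&hitlistitem);
    }
  }
  return MENU_REDRAW;
}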
// Plugin reset hook: empties the handle table so a new or restarted debuggee
// starts from a clean list.
void ODBG2_Pluginreset(void)
{
	// Deleting the full address range removes every stored entry.
	Deletesorteddatarange(&handletable.sorted, 0, 0xFFFFFFFF);
}
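/* Enumerates the handles owned by the debugged process into handletable.
 *
 * For every entry of the system handle list that belongs to the debugged pid
 * the handle is duplicated into this process, queried with NtQueryObject for
 * its type and its name, and stored as one HANDLE_DATA row (wType / wName).
 * A handle that cannot be duplicated or queried is skipped; the whole scan is
 * abandoned only when the handle list, NtQueryObject or the target process is
 * unavailable.
 *
 * Defects fixed relative to the previous version:
 *  - OpenProcess signals failure with NULL, not INVALID_HANDLE_VALUE, so the
 *    old check never fired and a NULL process handle was used; on failure the
 *    old code also called exit(0), which terminated the debugger itself.
 *  - After STATUS_INFO_LENGTH_MISMATCH the buffer was reallocated but
 *    NtQueryObject was not called again, so an uninitialised buffer was read
 *    as a UNICODE_STRING and its Buffer pointer dereferenced.
 *  - The process handle, every duplicated handle and the per-handle buffers
 *    were never released inside the loop (one leak per handle).
 *  - UNICODE_STRING buffers need not be NUL-terminated and may be NULL for an
 *    empty name; they are now copied by Length.
 */
void payload()
{
	NTSTATUS ret;
	HANDLE_DATA handledata = {0};
	HANDLE hProcess = NULL;
	HANDLE hDupHandle = NULL;
	PVOID ObjectNameInfo = NULL;
	PVOID ObjectTypeInfo = NULL;
	UNICODE_STRING ObjectName;
	UNICODE_STRING ObjectType;
	PSYSTEM_HANDLE_INFORMATION pSystemHandleInformation = NULL;
	ZWQUERYOBJECT ZwQueryObject = NULL;
	DWORD debugged_pid = 0;
	DWORD dwSize = 0;
	DWORD i = 0;
	BOOL haveName = FALSE;
	BOOL haveType = FALSE;

	if (!(wrapper_ZwQuerySystemInformation (&pSystemHandleInformation))) {
		return;
	}

	/* clear log table */
	Deletesorteddatarange(&(handletable.sorted), 0x00000000, 0xFFFFFFFF);

	ZwQueryObject = (ZWQUERYOBJECT)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryObject");
	if (ZwQueryObject == NULL) {
		free(pSystemHandleInformation);
		return;
	}

	debugged_pid = get_debugged_pid();

	/* Every matching handle belongs to the same process, so open it once. */
	hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, debugged_pid);
	if (hProcess == NULL) {
		free(pSystemHandleInformation);
		return;
	}

	for (i = 0; i < pSystemHandleInformation->uCount; i++)
	{
		if (pSystemHandleInformation->Handles[i].uIdProcess != debugged_pid)
			continue;

		handledata.dwHandle = pSystemHandleInformation->Handles[i].Handle;
		if (DuplicateHandle(hProcess, (HANDLE)handledata.dwHandle, GetCurrentProcess(), &hDupHandle, 0, 0, 0) == 0)
			continue;

		/* NOTE(review): NtQueryObject is known to block on some handle types
		 * (e.g. a pipe with a pending synchronous operation) - TODO confirm
		 * whether the queries should run on a worker thread with a timeout. */

		/* Object name: first try a fixed buffer, then retry once with the
		 * size the kernel reported. NT_SUCCESS() is "NTSTATUS >= 0". */
		haveName = FALSE;
		ObjectNameInfo = malloc(0x1000);
		if (ObjectNameInfo != NULL) {
			ret = ZwQueryObject(hDupHandle, ObjectNameInformation, ObjectNameInfo, 0x1000, &dwSize);
			if (ret == STATUS_INFO_LENGTH_MISMATCH) {
				free(ObjectNameInfo);
				ObjectNameInfo = malloc(dwSize);
				if (ObjectNameInfo != NULL)
					ret = ZwQueryObject(hDupHandle, ObjectNameInformation, ObjectNameInfo, dwSize, &dwSize);
			}
			haveName = (ObjectNameInfo != NULL && ret >= 0);
		}

		/* Object type, same two-step query. */
		haveType = FALSE;
		ObjectTypeInfo = malloc(0x1000);
		if (ObjectTypeInfo != NULL) {
			ret = ZwQueryObject(hDupHandle, ObjectTypeInformation, ObjectTypeInfo, 0x1000, &dwSize);
			if (ret == STATUS_INFO_LENGTH_MISMATCH) {
				free(ObjectTypeInfo);
				ObjectTypeInfo = malloc(dwSize);
				if (ObjectTypeInfo != NULL)
					ret = ZwQueryObject(hDupHandle, ObjectTypeInformation, ObjectTypeInfo, dwSize, &dwSize);
			}
			haveType = (ObjectTypeInfo != NULL && ret >= 0);
		}

		if (haveName && haveType) {
			ObjectName = *(PUNICODE_STRING)ObjectNameInfo;
			ObjectType = *(PUNICODE_STRING)ObjectTypeInfo;
			/* Length is in bytes and Buffer need not be NUL-terminated; an
			 * unnamed object comes back with Length 0 and a NULL Buffer. */
			swprintf(handledata.wType, TEXTLEN, L"%.*ls",
				(int)(ObjectType.Length / sizeof(WCHAR)),
				ObjectType.Buffer != NULL ? ObjectType.Buffer : L"");
			swprintf(handledata.wName, TEXTLEN, L"%.*ls",
				(int)(ObjectName.Length / sizeof(WCHAR)),
				ObjectName.Buffer != NULL ? ObjectName.Buffer : L"");
			Addsorteddata(&(handletable.sorted), &handledata);
		}

		/* Release per-handle resources before the next iteration. */
		free(ObjectNameInfo);
		free(ObjectTypeInfo);
		ObjectNameInfo = NULL;
		ObjectTypeInfo = NULL;
		CloseHandle(hDupHandle);
		hDupHandle = NULL;
	}

	CloseHandle(hProcess);
	free(pSystemHandleInformation);
}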
// Called by OllyDbg when the user opens a new application or restarts the
// current one. The plugin discards all bookmarks so its state matches the
// freshly started debuggee.
extc void _export cdecl ODBG_Pluginreset(void)
{
	// Deleting the whole address range empties the bookmark data.
	Deletesorteddatarange(&bookmark.data, 0, 0xFFFFFFFF);
}
// Called by OllyDbg when the user opens a new application or restarts the
// current one. The hit list is emptied so no stale trace hits survive into
// the new session.
extc void __cdecl ODBG2_Pluginreset(void) {
  // Deleting the whole address range empties the sorted data.
  Deletesorteddatarange(&hitlisttable.sorted, 0, 0xFFFFFFFF);
}
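// Menu function of Disassembler pane that lists every traced instruction
// (DEC_TRACED set in its decode byte) that is NOT present in baselist, the
// baseline recorded by MMarkTrace, and shows the result in the hit-list
// window (created on first use, activated afterwards).
//
// pt, name, index - standard OllyDbg menu callback arguments (unused here).
// mode            - MENU_VERIFY asks for availability, MENU_EXECUTE runs it.
// Returns MENU_NORMAL for MENU_VERIFY, MENU_REDRAW after a MENU_EXECUTE run
// and MENU_ABSENT for any other mode.
static int MCompareTrace(t_table *pt,wchar_t *name,ulong index,int mode) {
  ulong i,j,limit,length,declength;
  uchar cmd[MAXCMDSIZE],*decode;
  t_disasm da;
  t_memory *pmem;
  t_hitlist hitlistitem={0};           // Zeroed: fields not set below must
                                       // not carry stack garbage into list

  if (mode==MENU_VERIFY)
    return MENU_NORMAL;                // Always available
  if (mode!=MENU_EXECUTE)
    return MENU_ABSENT;

  Deletesorteddatarange(&(hitlisttable.sorted),0,0xFFFFFFFF);
  for (i=0; i<memory.sorted.n; i++) {
    pmem=(t_memory *)Getsortedbyindex(&memory.sorted,i);    // Get next memory block.
    if (pmem==NULL)
      continue;
    if ((pmem->type & MEM_GAP)!=0)
      continue;                        // Unallocated memory
    // Check whether it contains executable code.
    if ((pmem->type & (MEM_CODE|MEM_SFX))==0)
      continue;                        // Not a code
    // A block covers [base, base+size). The previous "<=" bound visited one
    // address past the block and never terminated when base+size was
    // 0xFFFFFFFF (j can never exceed ulong max).
    limit=pmem->base+pmem->size;
    for (j=pmem->base; j<limit; j++) {
      // One Finddecode call serves both the traced-flag test and the decode
      // hint handed to Disasm; the previous version queried it twice.
      decode=Finddecode(j,&declength);
      if (decode==NULL || ((*decode)&DEC_TRACED)!=DEC_TRACED)
        continue;                      // No decode info or not traced
      if (Findsorteddata(&baselist,j,0)!=NULL)
        continue;                      // Already present in the baseline
      length=Readmemory(cmd,j,MAXCMDSIZE,MM_SILENT|MM_PARTIAL);
      if (length==0) {
        // Nothing to disassemble: an entry with undefined decoded text would
        // be misleading, so log the address and skip it.
        Addtolist(j,DRAW_NORMAL,L"Readmemory returned zero!");
        continue;
      }
      if (declength<length)
        decode=NULL;                   // Hint shorter than the data: ignore it
      length=Disasm(cmd,length,j,decode,&da,DA_TEXT|DA_OPCOMM|DA_MEMORY,NULL,NULL);
      if (length==0) Addtolist(j,DRAW_NORMAL,L"Disasm returned zero!");
      StrcopyW(hitlistitem.decodedinstruction,TEXTLEN,da.result);
      hitlistitem.index=j;
      hitlistitem.size=1;
      hitlistitem.type=0;
      Addsorteddata(&(hitlisttable.sorted),&hitlistitem);
    }
  }
  if (hitlisttable.hw==NULL) {
    // Create table window. Third parameter (ncolumn) is the number of
    // visible columns in the newly created window (ignored if appearance is
    // restored from the initialization file). If it's lower than the total
    // number of columns, remaining columns are initially invisible. Fourth
    // parameter is the name of icon - as OllyDbg resource.
    Createtablewindow(&hitlisttable,0,hitlisttable.bar.nbar,NULL, L"ICO_PLUGIN",PLUGINNAME);
  }
  else
    Activatetablewindow(&hitlisttable);
  return MENU_REDRAW;
}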