// This function receives possible keyboard shortcuts from standard OllyDbg
// windows. If it recognizes shortcut, it must process it and return 1,
// otherwise it returns 0.
extc int _export cdecl ODBG_Pluginshortcut(
int origin, int ctrl, int alt, int shift, int key, void *item)
{
t_dump *pd;
t_bookmark mark, *pm;
// Plugin accepts shortcuts in form Alt+x or Shift+Alt+x, where x is a key
// '0'..'9'. Shifted shortcut sets bookmark (only in Disassembler),
// non-shifted jumps to bookmark from everywhere.
if (ctrl == 0 && alt != 0 && key >= '0' && key <= '9')
{
if (shift != 0 && origin == PM_DISASM && item != NULL)
{
// Set new or replace existing bookmark.
pd = (t_dump *)item;
mark.index = key - '0';
mark.size = 1;
mark.type = 0;
mark.addr = pd->sel0;
Addsorteddata(&(bookmark.data), &mark);
if (bookmark.hw != NULL) InvalidateRect(bookmark.hw, NULL, FALSE);
return 1;
} // Shortcut recognized
else if (shift == 0)
{
// Jump to existing bookmark (from any window).
pm = Findsorteddata(&(bookmark.data), key - '0');
if (pm == NULL)
Flash("Undefined bookmark");
else
Setcpu(0, pm->addr, 0, 0, CPU_ASMHIST | CPU_ASMCENTER | CPU_ASMFOCUS);
return 1; // Shortcut recognized
};
};
return 0; // Shortcut not recognized
};
// OllyDbg restores data from .udd file. If record belongs to plugin, it must
// process record and return 1, otherwise it must return 0 to pass record to
// other plugins. Note that module descriptor pointed to by pmod can be
// incomplete, i.e. does not necessarily contain all informations, especially
// that from .udd file.
extc int _export cdecl ODBG_Pluginuddrecord(t_module *pmod, int ismainmodule, ulong tag, ulong size, void *data)
{
t_bookmark mark;
if (ismainmodule == 0)
return 0; // Bookmarks saved in main file only
if (tag != TAG_BOOKMARK)
return 0; // Tag is not recognized
mark.index = ((ulong *)data)[0];
mark.size = 1;
mark.type = 0;
mark.addr = ((ulong *)data)[1];
Addsorteddata(&(bookmark.data), &mark);
return 1; // Record processed
};
// Menu function of Disassembler pane that deletes existing bookmark.
static int MMarkTrace(t_table *pt,wchar_t *name,ulong index,int mode) {
wchar_t buffer[100];
uchar * codeline;
ulong codelinesize;
if (mode==MENU_VERIFY)
return MENU_NORMAL; // Always available
else if (mode==MENU_EXECUTE) {
ulong i,j,length, declength;
uchar cmd[MAXCMDSIZE],*decode;
t_disasm da;
t_reg *reg;
t_memory *pmem;
t_hitlist hitlistitem;
Deletesorteddatarange(&(hitlisttable.sorted),0,0xFFFFFFFF);
Deletesorteddatarange(&baselist,0,0xFFFFFFFF);
for ( i=0; i<memory.sorted.n; i++) {
pmem=(t_memory *)Getsortedbyindex(&memory.sorted,i); // Get next memory block.
if ((pmem->type & MEM_GAP)!=0)
continue; // Unallocated memory
// Check whether it contains executable code.
if ((pmem->type & (MEM_CODE|MEM_SFX))==0)
continue; // Not a code
// iterate through code
for ( j=pmem->base; j<=pmem->base +pmem->size; j++) {
codeline = Finddecode(j,&codelinesize);
if (codeline)
if (((*codeline)&DEC_TRACED)==DEC_TRACED){
hitlistitem.index=j;
hitlistitem.size=1;
hitlistitem.type=0;
Addsorteddata(&baselist,&hitlistitem);
}
}
}
return MENU_REDRAW;
}
return MENU_ABSENT;
};
ulong CCmdLog::log(ulong id, int code, int type, const wchar *msg)
{
std::wstring *pmsg = nullptr; void *temp = nullptr;
LPLOGGER plog = nullptr; ulong ulNewId = 0;
EnterCriticalSection(&m_csShare);
if (Issortedinit(&m_Table.sorted) == 0) {
if (Createsorteddata ( // Initialize the sorted data
&m_Table.sorted, // Descriptor of sorted data
sizeof(LOGGER), // Size of single data item
10, // Initial number of allocated items
(SORTFUNC *)CCmdLog::SortProc, // Sorting function
(DESTFUNC *)CCmdLog::DestProc, // Data destructor
0
) != 0) { LeaveCriticalSection(&m_csShare); return 0; }
}
if (id <= 0) { // Add new record ..
// Can't add logger any more ...
if (m_Table.custommode < MAXINT) {
// Find a new id ..
while (Findsorteddata(&m_Table.sorted,m_nNextId,0))
++ m_nNextId;
// Initialize a new item ...
time_t timer; time(&timer); LOGGER logger = {
m_nNextId, 1, type, 0, LOGGER_FLAG_IDLE,
timer, code, nullptr
};
// Initialize a new string.. (it's suck without c++11)
std::wstring *pmsg = new std::wstring();
for (size_t npos = 0; msg[npos]; ++npos) {
// We don't support old mac format ...
if (msg[npos] == text('\r')) continue;
if (msg[npos] == text('\n')) ++logger.rows;
pmsg->push_back(msg[npos]);
} if (pmsg->back() != text('\n')) {
pmsg->push_back(text('\n')); ++logger.rows;
} logger.msge = pmsg; // Set the string ....
// Add a new item and return it's id ..
temp = Addsorteddata(&m_Table.sorted, &logger);
plog = reinterpret_cast<LPLOGGER>(temp);
if (plog != nullptr) ulNewId = plog->addr;
else { ulNewId = 0; delete logger.msge; }
// Update the line count ..
if (plog) m_Table.custommode += plog->rows;
}
} else { // Modify existed record .
temp = Findsorteddata(&m_Table.sorted, id, 0);
if ((plog = reinterpret_cast<LPLOGGER>(temp)) != nullptr) {
m_Table.custommode -= plog->rows;
// Update the logger ..
plog->code = code; plog->type = type; plog->rows = 0;
pmsg = reinterpret_cast<std::wstring*>(plog->msge);
if (pmsg == nullptr) pmsg = new std::wstring();
else pmsg->clear(); // Clear the message first..
for (size_t npos = 0; msg[npos]; ++npos) {
// We don't support old mac format ...
if (msg[npos] == text('\r')) continue;
if (msg[npos] == text('\n')) ++plog->rows;
pmsg->push_back(msg[npos]);
} if (pmsg->back() != text('\n')) {
pmsg->push_back(text('\n')); ++plog->rows;
} plog->msge = pmsg; // Set the string ........
m_Table.custommode += plog->rows;
// Return this id .
ulNewId = plog->addr;
}
}
LeaveCriticalSection(&m_csShare);
// Redrawing the logger window and return ..
if (m_Table.offset <= 0) Updatetable(&m_Table, false);
else PostMessage(m_Table.hw,WM_VSCROLL,SB_PAGEDOWN,0);
return ulNewId;
}
void payload()
{
NTSTATUS ret;
HANDLE_DATA handledata = {0};
HANDLE hProcess;
HANDLE hDupHandle;
PVOID ObjectNameInfo = NULL;
PVOID ObjectTypeInfo = NULL;
UNICODE_STRING ObjectName;
UNICODE_STRING ObjectType;
PSYSTEM_HANDLE_INFORMATION pSystemHandleInformation = NULL;
ZWQUERYOBJECT ZwQueryObject = NULL;
DWORD debugged_pid = 0;
DWORD dwSize = 0;
DWORD i = 0;
if (!(wrapper_ZwQuerySystemInformation (&pSystemHandleInformation))) {
return;
}
/* clear log table */
Deletesorteddatarange(&(handletable.sorted), 0x00000000, 0xFFFFFFFF);
ZwQueryObject = (ZWQUERYOBJECT)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryObject");
debugged_pid = get_debugged_pid();
for(i=0; i<pSystemHandleInformation->uCount; i++)
{
if(pSystemHandleInformation->Handles[i].uIdProcess == debugged_pid)
{
handledata.dwHandle = pSystemHandleInformation->Handles[i].Handle;
hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pSystemHandleInformation->Handles[i].uIdProcess);
if(hProcess == INVALID_HANDLE_VALUE)
exit(0);
if(DuplicateHandle(hProcess, (HANDLE)handledata.dwHandle, GetCurrentProcess(), &hDupHandle, 0, 0, 0) != 0)
{
ObjectNameInfo = malloc(0x1000);
ret = ZwQueryObject(hDupHandle, ObjectNameInformation, ObjectNameInfo, 0x1000, &dwSize);
if(ret == STATUS_INFO_LENGTH_MISMATCH)
{
free(ObjectNameInfo);
ObjectNameInfo = malloc(dwSize);
}
ObjectName = *(PUNICODE_STRING)ObjectNameInfo;
ObjectTypeInfo = malloc(0x1000);
ret = ZwQueryObject(hDupHandle, ObjectTypeInformation, ObjectTypeInfo, 0x1000, &dwSize);
if(ret == STATUS_INFO_LENGTH_MISMATCH)
{
free(ObjectTypeInfo);
ObjectTypeInfo = malloc(dwSize);
}
ObjectType = *(PUNICODE_STRING)ObjectTypeInfo;
swprintf(handledata.wType, TEXTLEN, L"%ls", ObjectType.Buffer);
swprintf(handledata.wName, TEXTLEN, L"%ls", ObjectName.Buffer);
Addsorteddata(&(handletable.sorted), &handledata);
}
}
}
free(pSystemHandleInformation);
free(ObjectNameInfo);
free(ObjectTypeInfo);
}
// This optional function receives commands from plugin menu in window of type
// origin. Argument action is menu identifier from ODBG_Pluginmenu(). If user
// activates automatically created entry in main menu, action is 0.
extc void _export cdecl ODBG_Pluginaction(int origin, int action, void *item)
{
t_bookmark mark, *pb;
t_dump *pd;
if (origin == PM_MAIN)
{
switch (action)
{
case 0:
// Menu item "Bookmarks", creates bookmark window.
//Createbookmarkwindow();
// Make launcher
{
t_table *table;
t_sorted *sorted;
t_patch *patches;
t_patch *elem;
int i;
FILE *f;
table = Plugingetvalue(VAL_PATCHES);
sorted = &table->data;
patches = sorted->data;
if(patches != NULL)
{
char *exe_name;
char *launcher_name;
int exe_name_len;
// remove full path and keep exe name
exe_name = Plugingetvalue(VAL_EXEFILENAME);
exe_name += strlen(exe_name) - 1;
while(*exe_name != '\\')
--exe_name;
++exe_name;
exe_name_len = strlen(exe_name);
// create launcher file
launcher_name = malloc(exe_name_len + 2);
launcher_name[0] = '_';
strcpy(launcher_name + 1, exe_name);
CopyFile("launcher.exe", launcher_name, 0);
f = fopen(launcher_name, "a");
if(f != NULL)
{
//void *base_address = Plugingetvalue(VAL_MAINBASE);
elem = patches;
for(i = 0; i < sorted->n; i++)
{
fwrite(elem->orig, elem->size, 1, f);
fwrite(elem->mod, elem->size, 1, f);
fwrite(&elem->addr, sizeof(elem->addr) + sizeof(elem->size), 1, f);
++elem;
}
fwrite(exe_name, exe_name_len, 1, f);
fwrite(&exe_name_len, sizeof(exe_name_len), 1, f);
fwrite(&sorted->n, sizeof(sorted->n), 1, f);
fwrite(SIG, sizeof(SIG) - 1, 1, f);
fclose(f);
}
free(launcher_name);
}
}
break;
case 1:
// Menu item "About", displays plugin info. If you write your own code,
// please replace with own copyright!
MessageBox(hwmain,
"Bookmark plugin v1.10\n"
"(demonstration of plugin capabilities)\n"
"Copyright (C) 2001-2004 Oleh Yuschuk & Piérrot",
"Bookmark plugin", MB_OK | MB_ICONINFORMATION);
break;
default:
break;
};
}
else if (origin == PM_DISASM)
{
pd = (t_dump *)item;
if (action >= 0 && action < 10) // Insert bookmark
{
mark.index = action;
mark.size = 1;
mark.type = 0;
mark.addr = pd->sel0;
Addsorteddata(&(bookmark.data), &mark);
if (bookmark.hw != NULL) InvalidateRect(bookmark.hw, NULL, FALSE);
}
else if (action >= 10 && action < 20) // Delete bookmark
{
pb = (t_bookmark *)Findsorteddata(&(bookmark.data), action - 10);
if (pb != NULL)
{
Deletesorteddata(&(bookmark.data), action - 10);
if (bookmark.hw != NULL) InvalidateRect(bookmark.hw, NULL, FALSE);
};
}
else if (action >= 20 && action < 30) //Go to bookmark
{
pb = (t_bookmark *)Findsorteddata(&(bookmark.data), action - 20);
if (pb != NULL)
{
Setcpu(0, pb->addr, 0, 0, CPU_ASMHIST | CPU_ASMCENTER | CPU_ASMFOCUS);
};
};
};
};
static int MCompareTrace(t_table *pt,wchar_t *name,ulong index,int mode) {
wchar_t buffer[100];
uchar * codeline;
ulong codelinesize;
if (mode==MENU_VERIFY)
return MENU_NORMAL; // Always available
else if (mode==MENU_EXECUTE) {
ulong i,j,length, declength;
uchar cmd[MAXCMDSIZE],*decode;
t_disasm da;
t_reg *reg;
void * result;
t_memory *pmem;
t_hitlist hitlistitem;
Deletesorteddatarange(&(hitlisttable.sorted),0,0xFFFFFFFF);
for ( i=0; i<memory.sorted.n; i++) {
pmem=(t_memory *)Getsortedbyindex(&memory.sorted,i); // Get next memory block.
if ((pmem->type & MEM_GAP)!=0)
continue; // Unallocated memory
// Check whether it contains executable code.
if ((pmem->type & (MEM_CODE|MEM_SFX))==0)
continue; // Not a code
// iterate through code
for ( j=pmem->base; j<=pmem->base +pmem->size; j++) {
codeline = Finddecode(j,&codelinesize);
if (codeline)
if (((*codeline)&DEC_TRACED)==DEC_TRACED){
result = Findsorteddata(&baselist,j,0);
//Addtolist(result,DRAW_NORMAL,L"sorted");
if(!result){
length=Readmemory(cmd,j,MAXCMDSIZE,MM_SILENT|MM_PARTIAL);
if (length==0) Addtolist(j,DRAW_NORMAL,L"Readmemory returned zero!");
decode=Finddecode(j,&declength);
if (decode!=NULL && declength<length)
decode=NULL;
length=Disasm(cmd,length,j,decode,&da,DA_TEXT|DA_OPCOMM|DA_MEMORY,NULL,NULL);
if (length==0) Addtolist(j,DRAW_NORMAL,L"Disasm returned zero!");
StrcopyW(hitlistitem.decodedinstruction,TEXTLEN,da.result);
hitlistitem.index=j;
hitlistitem.size=1;
hitlistitem.type=0;
Addsorteddata(&(hitlisttable.sorted),&hitlistitem);
}
}
}
}
if (hitlisttable.hw==NULL){
// Create table window. Third parameter (ncolumn) is the number of
// visible columns in the newly created window (ignored if appearance is
// restored from the initialization file). If it's lower than the total
// number of columns, remaining columns are initially invisible. Fourth
// parameter is the name of icon - as OllyDbg resource.
Createtablewindow(&hitlisttable,0,hitlisttable.bar.nbar,NULL, L"ICO_PLUGIN",PLUGINNAME);
}
else
Activatetablewindow(&hitlisttable);
return MENU_REDRAW;
}
return MENU_ABSENT;
};
