// This function receives possible keyboard shortcuts from standard OllyDbg // windows. If it recognizes shortcut, it must process it and return 1, // otherwise it returns 0. extc int _export cdecl ODBG_Pluginshortcut( int origin, int ctrl, int alt, int shift, int key, void *item) { t_dump *pd; t_bookmark mark, *pm; // Plugin accepts shortcuts in form Alt+x or Shift+Alt+x, where x is a key // '0'..'9'. Shifted shortcut sets bookmark (only in Disassembler), // non-shifted jumps to bookmark from everywhere. if (ctrl == 0 && alt != 0 && key >= '0' && key <= '9') { if (shift != 0 && origin == PM_DISASM && item != NULL) { // Set new or replace existing bookmark. pd = (t_dump *)item; mark.index = key - '0'; mark.size = 1; mark.type = 0; mark.addr = pd->sel0; Addsorteddata(&(bookmark.data), &mark); if (bookmark.hw != NULL) InvalidateRect(bookmark.hw, NULL, FALSE); return 1; } // Shortcut recognized else if (shift == 0) { // Jump to existing bookmark (from any window). pm = Findsorteddata(&(bookmark.data), key - '0'); if (pm == NULL) Flash("Undefined bookmark"); else Setcpu(0, pm->addr, 0, 0, CPU_ASMHIST | CPU_ASMCENTER | CPU_ASMFOCUS); return 1; // Shortcut recognized }; }; return 0; // Shortcut not recognized };
// OllyDbg restores data from .udd file. If record belongs to plugin, it must // process record and return 1, otherwise it must return 0 to pass record to // other plugins. Note that module descriptor pointed to by pmod can be // incomplete, i.e. does not necessarily contain all informations, especially // that from .udd file. extc int _export cdecl ODBG_Pluginuddrecord(t_module *pmod, int ismainmodule, ulong tag, ulong size, void *data) { t_bookmark mark; if (ismainmodule == 0) return 0; // Bookmarks saved in main file only if (tag != TAG_BOOKMARK) return 0; // Tag is not recognized mark.index = ((ulong *)data)[0]; mark.size = 1; mark.type = 0; mark.addr = ((ulong *)data)[1]; Addsorteddata(&(bookmark.data), &mark); return 1; // Record processed };
// Menu function of Disassembler pane that deletes existing bookmark. static int MMarkTrace(t_table *pt,wchar_t *name,ulong index,int mode) { wchar_t buffer[100]; uchar * codeline; ulong codelinesize; if (mode==MENU_VERIFY) return MENU_NORMAL; // Always available else if (mode==MENU_EXECUTE) { ulong i,j,length, declength; uchar cmd[MAXCMDSIZE],*decode; t_disasm da; t_reg *reg; t_memory *pmem; t_hitlist hitlistitem; Deletesorteddatarange(&(hitlisttable.sorted),0,0xFFFFFFFF); Deletesorteddatarange(&baselist,0,0xFFFFFFFF); for ( i=0; i<memory.sorted.n; i++) { pmem=(t_memory *)Getsortedbyindex(&memory.sorted,i); // Get next memory block. if ((pmem->type & MEM_GAP)!=0) continue; // Unallocated memory // Check whether it contains executable code. if ((pmem->type & (MEM_CODE|MEM_SFX))==0) continue; // Not a code // iterate through code for ( j=pmem->base; j<=pmem->base +pmem->size; j++) { codeline = Finddecode(j,&codelinesize); if (codeline) if (((*codeline)&DEC_TRACED)==DEC_TRACED){ hitlistitem.index=j; hitlistitem.size=1; hitlistitem.type=0; Addsorteddata(&baselist,&hitlistitem); } } } return MENU_REDRAW; } return MENU_ABSENT; };
ulong CCmdLog::log(ulong id, int code, int type, const wchar *msg) { std::wstring *pmsg = nullptr; void *temp = nullptr; LPLOGGER plog = nullptr; ulong ulNewId = 0; EnterCriticalSection(&m_csShare); if (Issortedinit(&m_Table.sorted) == 0) { if (Createsorteddata ( // Initialize the sorted data &m_Table.sorted, // Descriptor of sorted data sizeof(LOGGER), // Size of single data item 10, // Initial number of allocated items (SORTFUNC *)CCmdLog::SortProc, // Sorting function (DESTFUNC *)CCmdLog::DestProc, // Data destructor 0 ) != 0) { LeaveCriticalSection(&m_csShare); return 0; } } if (id <= 0) { // Add new record .. // Can't add logger any more ... if (m_Table.custommode < MAXINT) { // Find a new id .. while (Findsorteddata(&m_Table.sorted,m_nNextId,0)) ++ m_nNextId; // Initialize a new item ... time_t timer; time(&timer); LOGGER logger = { m_nNextId, 1, type, 0, LOGGER_FLAG_IDLE, timer, code, nullptr }; // Initialize a new string.. (it's suck without c++11) std::wstring *pmsg = new std::wstring(); for (size_t npos = 0; msg[npos]; ++npos) { // We don't support old mac format ... if (msg[npos] == text('\r')) continue; if (msg[npos] == text('\n')) ++logger.rows; pmsg->push_back(msg[npos]); } if (pmsg->back() != text('\n')) { pmsg->push_back(text('\n')); ++logger.rows; } logger.msge = pmsg; // Set the string .... // Add a new item and return it's id .. temp = Addsorteddata(&m_Table.sorted, &logger); plog = reinterpret_cast<LPLOGGER>(temp); if (plog != nullptr) ulNewId = plog->addr; else { ulNewId = 0; delete logger.msge; } // Update the line count .. if (plog) m_Table.custommode += plog->rows; } } else { // Modify existed record . temp = Findsorteddata(&m_Table.sorted, id, 0); if ((plog = reinterpret_cast<LPLOGGER>(temp)) != nullptr) { m_Table.custommode -= plog->rows; // Update the logger .. plog->code = code; plog->type = type; plog->rows = 0; pmsg = reinterpret_cast<std::wstring*>(plog->msge); if (pmsg == nullptr) pmsg = new std::wstring(); else pmsg->clear(); // Clear the message first.. for (size_t npos = 0; msg[npos]; ++npos) { // We don't support old mac format ... if (msg[npos] == text('\r')) continue; if (msg[npos] == text('\n')) ++plog->rows; pmsg->push_back(msg[npos]); } if (pmsg->back() != text('\n')) { pmsg->push_back(text('\n')); ++plog->rows; } plog->msge = pmsg; // Set the string ........ m_Table.custommode += plog->rows; // Return this id . ulNewId = plog->addr; } } LeaveCriticalSection(&m_csShare); // Redrawing the logger window and return .. if (m_Table.offset <= 0) Updatetable(&m_Table, false); else PostMessage(m_Table.hw,WM_VSCROLL,SB_PAGEDOWN,0); return ulNewId; }
void payload() { NTSTATUS ret; HANDLE_DATA handledata = {0}; HANDLE hProcess; HANDLE hDupHandle; PVOID ObjectNameInfo = NULL; PVOID ObjectTypeInfo = NULL; UNICODE_STRING ObjectName; UNICODE_STRING ObjectType; PSYSTEM_HANDLE_INFORMATION pSystemHandleInformation = NULL; ZWQUERYOBJECT ZwQueryObject = NULL; DWORD debugged_pid = 0; DWORD dwSize = 0; DWORD i = 0; if (!(wrapper_ZwQuerySystemInformation (&pSystemHandleInformation))) { return; } /* clear log table */ Deletesorteddatarange(&(handletable.sorted), 0x00000000, 0xFFFFFFFF); ZwQueryObject = (ZWQUERYOBJECT)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryObject"); debugged_pid = get_debugged_pid(); for(i=0; i<pSystemHandleInformation->uCount; i++) { if(pSystemHandleInformation->Handles[i].uIdProcess == debugged_pid) { handledata.dwHandle = pSystemHandleInformation->Handles[i].Handle; hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pSystemHandleInformation->Handles[i].uIdProcess); if(hProcess == INVALID_HANDLE_VALUE) exit(0); if(DuplicateHandle(hProcess, (HANDLE)handledata.dwHandle, GetCurrentProcess(), &hDupHandle, 0, 0, 0) != 0) { ObjectNameInfo = malloc(0x1000); ret = ZwQueryObject(hDupHandle, ObjectNameInformation, ObjectNameInfo, 0x1000, &dwSize); if(ret == STATUS_INFO_LENGTH_MISMATCH) { free(ObjectNameInfo); ObjectNameInfo = malloc(dwSize); } ObjectName = *(PUNICODE_STRING)ObjectNameInfo; ObjectTypeInfo = malloc(0x1000); ret = ZwQueryObject(hDupHandle, ObjectTypeInformation, ObjectTypeInfo, 0x1000, &dwSize); if(ret == STATUS_INFO_LENGTH_MISMATCH) { free(ObjectTypeInfo); ObjectTypeInfo = malloc(dwSize); } ObjectType = *(PUNICODE_STRING)ObjectTypeInfo; swprintf(handledata.wType, TEXTLEN, L"%ls", ObjectType.Buffer); swprintf(handledata.wName, TEXTLEN, L"%ls", ObjectName.Buffer); Addsorteddata(&(handletable.sorted), &handledata); } } } free(pSystemHandleInformation); free(ObjectNameInfo); free(ObjectTypeInfo); }
// This optional function receives commands from plugin menu in window of type // origin. Argument action is menu identifier from ODBG_Pluginmenu(). If user // activates automatically created entry in main menu, action is 0. extc void _export cdecl ODBG_Pluginaction(int origin, int action, void *item) { t_bookmark mark, *pb; t_dump *pd; if (origin == PM_MAIN) { switch (action) { case 0: // Menu item "Bookmarks", creates bookmark window. //Createbookmarkwindow(); // Make launcher { t_table *table; t_sorted *sorted; t_patch *patches; t_patch *elem; int i; FILE *f; table = Plugingetvalue(VAL_PATCHES); sorted = &table->data; patches = sorted->data; if(patches != NULL) { char *exe_name; char *launcher_name; int exe_name_len; // remove full path and keep exe name exe_name = Plugingetvalue(VAL_EXEFILENAME); exe_name += strlen(exe_name) - 1; while(*exe_name != '\\') --exe_name; ++exe_name; exe_name_len = strlen(exe_name); // create launcher file launcher_name = malloc(exe_name_len + 2); launcher_name[0] = '_'; strcpy(launcher_name + 1, exe_name); CopyFile("launcher.exe", launcher_name, 0); f = fopen(launcher_name, "a"); if(f != NULL) { //void *base_address = Plugingetvalue(VAL_MAINBASE); elem = patches; for(i = 0; i < sorted->n; i++) { fwrite(elem->orig, elem->size, 1, f); fwrite(elem->mod, elem->size, 1, f); fwrite(&elem->addr, sizeof(elem->addr) + sizeof(elem->size), 1, f); ++elem; } fwrite(exe_name, exe_name_len, 1, f); fwrite(&exe_name_len, sizeof(exe_name_len), 1, f); fwrite(&sorted->n, sizeof(sorted->n), 1, f); fwrite(SIG, sizeof(SIG) - 1, 1, f); fclose(f); } free(launcher_name); } } break; case 1: // Menu item "About", displays plugin info. If you write your own code, // please replace with own copyright! MessageBox(hwmain, "Bookmark plugin v1.10\n" "(demonstration of plugin capabilities)\n" "Copyright (C) 2001-2004 Oleh Yuschuk & Piérrot", "Bookmark plugin", MB_OK | MB_ICONINFORMATION); break; default: break; }; } else if (origin == PM_DISASM) { pd = (t_dump *)item; if (action >= 0 && action < 10) // Insert bookmark { mark.index = action; mark.size = 1; mark.type = 0; mark.addr = pd->sel0; Addsorteddata(&(bookmark.data), &mark); if (bookmark.hw != NULL) InvalidateRect(bookmark.hw, NULL, FALSE); } else if (action >= 10 && action < 20) // Delete bookmark { pb = (t_bookmark *)Findsorteddata(&(bookmark.data), action - 10); if (pb != NULL) { Deletesorteddata(&(bookmark.data), action - 10); if (bookmark.hw != NULL) InvalidateRect(bookmark.hw, NULL, FALSE); }; } else if (action >= 20 && action < 30) //Go to bookmark { pb = (t_bookmark *)Findsorteddata(&(bookmark.data), action - 20); if (pb != NULL) { Setcpu(0, pb->addr, 0, 0, CPU_ASMHIST | CPU_ASMCENTER | CPU_ASMFOCUS); }; }; }; };
static int MCompareTrace(t_table *pt,wchar_t *name,ulong index,int mode) { wchar_t buffer[100]; uchar * codeline; ulong codelinesize; if (mode==MENU_VERIFY) return MENU_NORMAL; // Always available else if (mode==MENU_EXECUTE) { ulong i,j,length, declength; uchar cmd[MAXCMDSIZE],*decode; t_disasm da; t_reg *reg; void * result; t_memory *pmem; t_hitlist hitlistitem; Deletesorteddatarange(&(hitlisttable.sorted),0,0xFFFFFFFF); for ( i=0; i<memory.sorted.n; i++) { pmem=(t_memory *)Getsortedbyindex(&memory.sorted,i); // Get next memory block. if ((pmem->type & MEM_GAP)!=0) continue; // Unallocated memory // Check whether it contains executable code. if ((pmem->type & (MEM_CODE|MEM_SFX))==0) continue; // Not a code // iterate through code for ( j=pmem->base; j<=pmem->base +pmem->size; j++) { codeline = Finddecode(j,&codelinesize); if (codeline) if (((*codeline)&DEC_TRACED)==DEC_TRACED){ result = Findsorteddata(&baselist,j,0); //Addtolist(result,DRAW_NORMAL,L"sorted"); if(!result){ length=Readmemory(cmd,j,MAXCMDSIZE,MM_SILENT|MM_PARTIAL); if (length==0) Addtolist(j,DRAW_NORMAL,L"Readmemory returned zero!"); decode=Finddecode(j,&declength); if (decode!=NULL && declength<length) decode=NULL; length=Disasm(cmd,length,j,decode,&da,DA_TEXT|DA_OPCOMM|DA_MEMORY,NULL,NULL); if (length==0) Addtolist(j,DRAW_NORMAL,L"Disasm returned zero!"); StrcopyW(hitlistitem.decodedinstruction,TEXTLEN,da.result); hitlistitem.index=j; hitlistitem.size=1; hitlistitem.type=0; Addsorteddata(&(hitlisttable.sorted),&hitlistitem); } } } } if (hitlisttable.hw==NULL){ // Create table window. Third parameter (ncolumn) is the number of // visible columns in the newly created window (ignored if appearance is // restored from the initialization file). If it's lower than the total // number of columns, remaining columns are initially invisible. Fourth // parameter is the name of icon - as OllyDbg resource. Createtablewindow(&hitlisttable,0,hitlisttable.bar.nbar,NULL, L"ICO_PLUGIN",PLUGINNAME); } else Activatetablewindow(&hitlisttable); return MENU_REDRAW; } return MENU_ABSENT; };