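/**
 * Attach the extractor to the module that owns the current CPU thread's
 * instruction pointer and take a private copy of that module's image.
 *
 * On success m_thread, m_module and m_imagecopy are set, the module ranges
 * are backed up and m_running becomes 1.  On failure m_error_code is set,
 * -1 is returned and m_imagecopy is released so a later retry starts clean.
 *
 * @return 0 on success, -1 on failure (see m_error_code).
 */
int MalwareExtractor::Initialize()
{
    m_thread = Findthread(Getcputhreadid());
    if (m_thread == NULL) {
        m_error_code = ME_ERROR_NOTHREAD;
        return -1;
    }

    // Findmodule() yields NULL when no loaded module covers the address, so
    // it must be checked before m_module->size is read.  No dedicated error
    // code exists for this case; report it as a failed image read.
    m_module = Findmodule(m_thread->reg.ip);
    if (m_module == NULL) {
        m_error_code = ME_ERROR_MEMREAD;
        return -1;
    }

    // NOTE(review): with a throwing operator new this NULL check is dead; it
    // only helps if the build uses a non-throwing allocator -- confirm.
    m_imagecopy = new uchar[m_module->size];
    if (m_imagecopy == NULL) {
        m_error_code = ME_ERROR_MEMALLOC;
        return -1;
    }

    if (Readmemory(m_imagecopy, m_module->base, m_module->size, MM_RESTORE) == 0) {
        // Do not keep a half-filled copy around after a failed read.
        delete[] m_imagecopy;
        m_imagecopy = NULL;
        m_error_code = ME_ERROR_MEMREAD;
        return -1;
    }

    this->BackupModuleRanges();
    m_running = 1;
    return 0;
}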
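/*
 * Locate the module whose PE section table should be loaded and fill
 * info->name and info->base.  info->name points into memory owned by the
 * plugin host (Plugingetvalue) or by OllyDbg's module table; it is not
 * allocated here.
 *
 * Returns MODULE_SUCCESS or a MODULE_* error code.
 */
static int module_locate(module_t *info)
{
    if (g_Config->applytodebuggee) {
        HANDLE hProcess = (HANDLE)Plugingetvalue(VAL_HPROCESS);
        HMODULE *modules;
        ULONG cb = 0, needed = 0, count, cntr;
        TCHAR buffer[TEXTLEN];

        info->name = (TCHAR *)Plugingetvalue(VAL_EXEFILENAME);
        info->base = 0;

        /* First call only sizes the module list; a failed or empty result
         * means there is nothing to search (no dedicated code exists). */
        if (!EnumProcessModules(hProcess, NULL, 0, &cb) || cb == 0)
            return MODULE_BASE_NOT_FOUND;
        modules = malloc(cb);
        if (modules == NULL)
            return MODULE_BASE_NOT_FOUND;
        if (!EnumProcessModules(hProcess, modules, cb, &needed)) {
            free(modules);
            return MODULE_BASE_NOT_FOUND;
        }
        /* The second call may report more bytes than were allocated if
         * modules were loaded in between; never walk past the buffer. */
        count = (needed < cb ? needed : cb) / sizeof(HMODULE);
        for (cntr = 0; cntr < count; cntr++) {
            /* A zero return leaves buffer unreliable; skip that module. */
            if (GetModuleFileNameEx(hProcess, modules[cntr], buffer, TEXTLEN) == 0)
                continue;
            if (strcmp(info->name, buffer) == 0) {
                info->base = (ULONG)modules[cntr];
                break;
            }
        }
        free(modules);
        return info->base ? MODULE_SUCCESS : MODULE_BASE_NOT_FOUND;
    } else {
        ULONG cbase, csize;
        t_module *dbg_mod;

        Getdisassemblerrange(&cbase, &csize);
        dbg_mod = Findmodule(cbase);
        if (dbg_mod == NULL)
            return MODULE_OUT_OF_RANGE;
        info->base = (ULONG)dbg_mod->base;
        info->name = (TCHAR *)&dbg_mod->path;
        return MODULE_SUCCESS;
    }
}

/*
 * Map the on-disk image named by info->name read-only and copy the
 * VirtualAddress of every section into info->segments.  Slot 0 stands for
 * the headers (offset 0), so info->nseg is NumberOfSections + 1.
 *
 * The headers come from a file on disk and are validated (DOS and NT
 * signatures, e_lfanew and the section table inside the file) before any
 * offset derived from them is dereferenced.
 *
 * Returns MODULE_SUCCESS or a MODULE_* error code; on error nothing is left
 * allocated in info.  The file, mapping and view are always released.
 */
static int module_read_sections(module_t *info)
{
    HANDLE hFile, hMapping;
    LPVOID pMapping;
    DWORD fileSize, tableOffset;
    PIMAGE_DOS_HEADER dos;
    PIMAGE_NT_HEADERS nt;
    PIMAGE_SECTION_HEADER sh;
    ULONG cntr;
    int rc = MODULE_FILE_MAPPING_FAILURE;

    hFile = CreateFile(info->name, GENERIC_READ, FILE_SHARE_READ, NULL,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return MODULE_FILE_SHARING_VIOLATION;

    fileSize = GetFileSize(hFile, NULL);
    hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, 0);
    if (hMapping == NULL)
        goto out_file;

    pMapping = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
    if (pMapping == NULL)
        goto out_mapping;

    /* Validate the PE headers before trusting any offset taken from them;
     * a malformed or truncated image is reported as a mapping failure. */
    dos = (PIMAGE_DOS_HEADER)pMapping;
    if (fileSize == INVALID_FILE_SIZE || fileSize < sizeof(IMAGE_NT_HEADERS) ||
        dos->e_magic != IMAGE_DOS_SIGNATURE || dos->e_lfanew < 0 ||
        (DWORD)dos->e_lfanew > fileSize - sizeof(IMAGE_NT_HEADERS))
        goto out_view;
    nt = (PIMAGE_NT_HEADERS)((PBYTE)dos + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE)
        goto out_view;
    sh = IMAGE_FIRST_SECTION(nt);
    /* The whole section table must lie inside the file as well. */
    tableOffset = (DWORD)((PBYTE)sh - (PBYTE)dos);
    if (tableOffset > fileSize ||
        (DWORD)nt->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER) > fileSize - tableOffset)
        goto out_view;

    info->nseg = nt->FileHeader.NumberOfSections + 1;
    info->segments = malloc(info->nseg * sizeof(ULONG));
    if (info->segments == NULL)
        goto out_view;
    info->segments[0] = 0;
    for (cntr = 1; cntr < info->nseg; cntr++, sh++)
        info->segments[cntr] = sh->VirtualAddress;
    rc = MODULE_SUCCESS;

out_view:
    UnmapViewOfFile(pMapping);
out_mapping:
    CloseHandle(hMapping);
out_file:
    CloseHandle(hFile);
    return rc;
}

/*
 * Build a module_t describing either the debuggee's main executable (when
 * g_Config->applytodebuggee is set) or the module under the disassembler
 * window, including its PE section offsets.
 *
 * @param err  Receives MODULE_SUCCESS or one of the MODULE_* error codes.
 * @return A heap-allocated module_t the caller owns (free info->segments,
 *         then info; info->name is not owned), or NULL when *err reports a
 *         failure.  The pointer returned on failure is never valid.
 */
module_t *module_info(int *err)
{
    /* calloc so every field is in a defined state on all paths. */
    module_t *info = calloc(1, sizeof *info);
    if (info == NULL) {
        *err = MODULE_BASE_NOT_FOUND;   /* no dedicated allocation code exists */
        return NULL;
    }

    *err = module_locate(info);
    if (*err == MODULE_SUCCESS)
        *err = module_read_sections(info);

    if (*err != MODULE_SUCCESS) {
        free(info);
        return NULL;
    }
    return info;
}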
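/*
 * OllyDbg plugin entry point: dispatch a menu selection.
 *
 * Only the disassembler menu (PM_DISASM) is handled.  pItem is never
 * dereferenced here; it is only forwarded to XXX() once the origin is known
 * and the pointer has been checked, since other origins may pass NULL.
 *
 * @param Orig   Menu origin; anything other than PM_DISASM is ignored.
 * @param Action Index of the chosen item within the plugin's submenu.
 * @param pItem  Context pointer supplied by OllyDbg for the menu origin.
 */
void __declspec(dllexport) __cdecl ODBG_Pluginaction(int Orig, int Action, void *pItem)
{
    if (Orig != PM_DISASM)
        return;
    if (pItem == NULL)
        return;

    switch (Action) {
    case 0:
        XXX(pItem, NULL);
        break;
    case 1:
        XXX(pItem, "*");
        break;
    case 2:
        XXX(pItem, "-");
        break;
    case 3:
        XXX(pItem, ",WORD PTR");
        break;
    case 4:
        XXX(pItem, "BYTE PTR");
        break;
    case 5:
        XXX(pItem, "DWORD PTR");
        break;
    case 6:
        MessageBox(g_hMainOllyWnd,
                   "OllyEye Plug-in\n\n"
                   "Copyright (C) 2008 Jospeh Moti www.websense.com \nThanks to Kobi Pariente",
                   "About OllyEye Plug-in",
                   MB_OK | MB_ICONINFORMATION);
        break;
    default:
        break;
    }
}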