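// Removes every idle logger (LOGGER_FLAG_IDLE) from the sorted table and
// returns how many were removed. Idle entries that are adjacent in sorted
// order are deleted together as one half-open key range [begin, end) via
// Deletesorteddatarange(); m_nNextId receives the addr at which the first
// such range started (it stays 0 when nothing was idle). m_csShare is held
// while the table is modified; the redraw happens after it is released.
//
// NOTE(review): the range deletion assumes entries are sorted by addr with
// unique keys, so the entries between the run's first entry and the busy
// entry that closes it are exactly the ones removed — confirm against the
// table's sort key.
ulong CCmdLog::clear(void)
{
    const ulong kNoRun = static_cast<ulong>(-1);   // "no idle run is open"

    m_Table.offset = m_Table.sorted.selected = m_Table.xshift = 0;
    EnterCriticalSection(&m_csShare);
    ulong begin = kNoRun;       // key of the first entry of the open run
    int runStart = -1;          // index at which the open run began
    ulong count = 0;            // idle entries seen (the return value)
    LPLOGGER plog = NULL;
    m_nNextId = 0;
    for (int pos = 0; pos < m_Table.sorted.n; ++pos) {
        plog = reinterpret_cast<LPLOGGER>(Getsortedbyindex(&m_Table.sorted, pos));
        const bool idle = (plog->flag & LOGGER_FLAG_IDLE) != 0;
        if (idle) {
            // custommode appears to carry the live row total — TODO confirm
            m_Table.custommode -= plog->rows;
            ++count;
        }
        if (begin == kNoRun) {
            if (idle) {
                begin = plog->addr;
                runStart = pos;
            }
        }
        else if (plog->flag & LOGGER_FLAG_BUSY) {
            // First busy entry after a run: delete [begin, end). After the
            // deletion this entry sits at index runStart, so rewind pos to
            // runStart - 1 and let the loop's ++pos land on it. The original
            // rewound by the cumulative idle count, which over-rewinds once a
            // second run has been deleted and can push pos below zero.
            const ulong end = plog->addr;
            Addtolist(1, 1, text("begin: %x, end: %x"), begin, end);
            Deletesorteddatarange(&m_Table.sorted, begin, end);
            if (!m_nNextId)
                m_nNextId = begin;
            pos = runStart - 1;
            begin = kNoRun;
            runStart = -1;
        }
    }
    // A run still open at the end of the table: plog is the last entry
    // visited, so addr + 1 closes the half-open range.
    if (begin != kNoRun) {
        if (!m_nNextId)
            m_nNextId = begin;
        Deletesorteddatarange(&m_Table.sorted, begin, plog->addr + 1);
    }
    LeaveCriticalSection(&m_csShare);
    Updatetable(&m_Table, false);
    return count;
}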
// Menu function of Disassembler pane that deletes existing bookmark. static int MMarkTrace(t_table *pt,wchar_t *name,ulong index,int mode) { wchar_t buffer[100]; uchar * codeline; ulong codelinesize; if (mode==MENU_VERIFY) return MENU_NORMAL; // Always available else if (mode==MENU_EXECUTE) { ulong i,j,length, declength; uchar cmd[MAXCMDSIZE],*decode; t_disasm da; t_reg *reg; t_memory *pmem; t_hitlist hitlistitem; Deletesorteddatarange(&(hitlisttable.sorted),0,0xFFFFFFFF); Deletesorteddatarange(&baselist,0,0xFFFFFFFF); for ( i=0; i<memory.sorted.n; i++) { pmem=(t_memory *)Getsortedbyindex(&memory.sorted,i); // Get next memory block. if ((pmem->type & MEM_GAP)!=0) continue; // Unallocated memory // Check whether it contains executable code. if ((pmem->type & (MEM_CODE|MEM_SFX))==0) continue; // Not a code // iterate through code for ( j=pmem->base; j<=pmem->base +pmem->size; j++) { codeline = Finddecode(j,&codelinesize); if (codeline) if (((*codeline)&DEC_TRACED)==DEC_TRACED){ hitlistitem.index=j; hitlistitem.size=1; hitlistitem.type=0; Addsorteddata(&baselist,&hitlistitem); } } } return MENU_REDRAW; } return MENU_ABSENT; };
// Called by OllyDbg when the user opens a new program or restarts the
// current one: every entry of handletable is dropped so the plugin starts
// from a clean state. The key range 0..0xFFFFFFFF spans the whole table.
void ODBG2_Pluginreset(void)
{
    const unsigned long lowestKey  = 0x00000000;
    const unsigned long highestKey = 0xFFFFFFFF;
    Deletesorteddatarange(&(handletable.sorted), lowestKey, highestKey);
}
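// Allocates and fills a buffer with the requested object information for
// handle h via fn (NtQueryObject), re-issuing the query once with the size
// the kernel reports on STATUS_INFO_LENGTH_MISMATCH. Returns NULL when the
// query fails or memory is exhausted; the caller owns the result (free()).
// Cls is whatever type the ZWQUERYOBJECT typedef takes for the info class.
template <class Cls>
static PVOID query_object_info(ZWQUERYOBJECT fn, HANDLE h, Cls cls)
{
    DWORD size = 0x1000;
    DWORD needed = 0;
    PVOID buf = malloc(size);
    if (buf == NULL)
        return NULL;
    NTSTATUS ret = fn(h, cls, buf, size, &needed);
    if (ret == STATUS_INFO_LENGTH_MISMATCH && needed != 0) {
        // The original reallocated here but never queried again, so the
        // UNICODE_STRING it then read from the new buffer was uninitialized.
        free(buf);
        size = needed;
        buf = malloc(size);
        if (buf == NULL)
            return NULL;
        ret = fn(h, cls, buf, size, &needed);
    }
    if (ret < 0) {                      // NTSTATUS failure codes are negative
        free(buf);
        return NULL;
    }
    return buf;
}

// Formats the UNICODE_STRING at the start of an NtQueryObject info block
// into out (TEXTLEN wide characters, as the original swprintf calls assumed
// for wType/wName). Uses the string's Length rather than relying on a
// terminating NUL, and writes "" when the block or its Buffer is missing
// (unnamed objects), which "%ls" must never be handed.
static void copy_object_string(wchar_t *out, PVOID info)
{
    PUNICODE_STRING us = (PUNICODE_STRING)info;
    if (us == NULL || us->Buffer == NULL) {
        out[0] = L'\0';
        return;
    }
    swprintf(out, TEXTLEN, L"%.*ls", (int)(us->Length / sizeof(wchar_t)), us->Buffer);
}

// Enumerates every handle owned by the debugged process and records each
// one (handle value, object type, object name) in handletable. Runs inside
// OllyDbg, so a failure returns after cleanup instead of terminating the
// host: the original compared OpenProcess() against INVALID_HANDLE_VALUE
// (it returns NULL on failure) and called exit(0), leaked hProcess and
// every duplicated handle, and freed only the last per-handle buffers.
//
// NOTE(review): NtQueryObject is known to block on some handle types
// (e.g. synchronous pipes); nothing here guards against that — confirm
// whether it matters for the programs being debugged.
void payload()
{
    PSYSTEM_HANDLE_INFORMATION pSystemHandleInformation = NULL;
    if (!(wrapper_ZwQuerySystemInformation(&pSystemHandleInformation)))
        return;

    /* clear log table */
    Deletesorteddatarange(&(handletable.sorted), 0x00000000, 0xFFFFFFFF);

    ZWQUERYOBJECT ZwQueryObject = (ZWQUERYOBJECT)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryObject");
    if (ZwQueryObject == NULL) {
        free(pSystemHandleInformation);
        return;
    }

    const DWORD debugged_pid = get_debugged_pid();
    // One process handle serves the whole scan: every entry we look at
    // belongs to the same pid, so there is no reason to reopen per handle.
    HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, debugged_pid);
    if (hProcess == NULL) {
        free(pSystemHandleInformation);
        return;
    }

    for (DWORD i = 0; i < pSystemHandleInformation->uCount; i++) {
        if (pSystemHandleInformation->Handles[i].uIdProcess != debugged_pid)
            continue;

        HANDLE_DATA handledata = {0};
        handledata.dwHandle = pSystemHandleInformation->Handles[i].Handle;

        HANDLE hDupHandle = NULL;
        if (DuplicateHandle(hProcess, (HANDLE)handledata.dwHandle, GetCurrentProcess(), &hDupHandle, 0, 0, 0) == 0)
            continue;                   // handle went away or cannot be duplicated

        PVOID ObjectNameInfo = query_object_info(ZwQueryObject, hDupHandle, ObjectNameInformation);
        PVOID ObjectTypeInfo = query_object_info(ZwQueryObject, hDupHandle, ObjectTypeInformation);
        CloseHandle(hDupHandle);        // the duplicate is ours; one leaked per handle before

        // Both info blocks begin with a UNICODE_STRING (Name / TypeName).
        // An entry is still recorded when a query failed, as the original
        // did, but with an empty string instead of an uninitialized one.
        copy_object_string(handledata.wType, ObjectTypeInfo);
        copy_object_string(handledata.wName, ObjectNameInfo);
        Addsorteddata(&(handletable.sorted), &handledata);

        free(ObjectNameInfo);
        free(ObjectTypeInfo);
    }

    CloseHandle(hProcess);
    free(pSystemHandleInformation);
}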
// Function is called when user opens new or restarts current application. // Plugin should reset internal variables and data structures to initial state. extc void _export cdecl ODBG_Pluginreset(void) { Deletesorteddatarange(&(bookmark.data), 0, 0xFFFFFFFF); };
// Function is called when user opens new or restarts current application. // Plugin should reset internal variables and data structures to the initial // state. extc void __cdecl ODBG2_Pluginreset(void) { Deletesorteddatarange(&(hitlisttable.sorted),0,0xFFFFFFFF); };
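// Menu handler of the Disassembler pane. On MENU_EXECUTE it clears
// hitlisttable, then lists every traced instruction (DEC_TRACED set in the
// decode byte) in allocated code that is NOT present in baselist, i.e. the
// instructions first reached since the baseline was recorded. Each hit is
// disassembled into t_hitlist::decodedinstruction. Finally the hit list
// window is created (first time) or brought to the front.
//
// pt, name, index: standard OllyDbg menu-callback arguments, unused here.
// mode: MENU_VERIFY answers "enabled"; MENU_EXECUTE does the work.
// Returns MENU_NORMAL / MENU_REDRAW / MENU_ABSENT per the menu protocol.
static int MCompareTrace(t_table *pt, wchar_t *name, ulong index, int mode)
{
    if (mode == MENU_VERIFY)
        return MENU_NORMAL;             // Always available
    if (mode != MENU_EXECUTE)
        return MENU_ABSENT;

    uchar cmd[MAXCMDSIZE];
    t_disasm da;
    t_hitlist hitlistitem = {};         // zeroed: fields not set below stay defined
    Deletesorteddatarange(&(hitlisttable.sorted), 0, 0xFFFFFFFF);

    for (ulong i = 0; i < memory.sorted.n; i++) {
        t_memory *pmem = static_cast<t_memory *>(Getsortedbyindex(&memory.sorted, i));
        if (pmem == NULL || (pmem->type & MEM_GAP) != 0)
            continue;                   // Unallocated memory
        if ((pmem->type & (MEM_CODE | MEM_SFX)) == 0)
            continue;                   // Not a code
        // Iterate by offset: the original used j <= base + size, which
        // visited one byte past the block and never terminates when
        // base + size wraps to 0xFFFFFFFF at the top of the address space.
        for (ulong off = 0; off < pmem->size; off++) {
            const ulong addr = pmem->base + off;
            ulong declength;
            uchar *codeline = Finddecode(addr, &declength);
            if (codeline == NULL || ((*codeline) & DEC_TRACED) != DEC_TRACED)
                continue;
            if (Findsorteddata(&baselist, addr, 0) != NULL)
                continue;               // already traced when the baseline was taken

            ulong length = Readmemory(cmd, addr, MAXCMDSIZE, MM_SILENT | MM_PARTIAL);
            if (length == 0) {
                // Nothing was read: the original went on to Disasm() anyway
                // and copied an undefined da.result into the table.
                Addtolist(addr, DRAW_NORMAL, L"Readmemory returned zero!");
                continue;
            }
            // Same lookup the original repeated via a second Finddecode():
            // decode info is only usable when it covers the bytes read.
            uchar *decode = (declength < length) ? NULL : codeline;
            length = Disasm(cmd, length, addr, decode, &da, DA_TEXT | DA_OPCOMM | DA_MEMORY, NULL, NULL);
            if (length == 0) {
                Addtolist(addr, DRAW_NORMAL, L"Disasm returned zero!");
                continue;               // da.result is undefined on failure
            }
            StrcopyW(hitlistitem.decodedinstruction, TEXTLEN, da.result);
            hitlistitem.index = addr;
            hitlistitem.size = 1;
            hitlistitem.type = 0;
            Addsorteddata(&(hitlisttable.sorted), &hitlistitem);
        }
    }

    if (hitlisttable.hw == NULL) {
        // Create table window. Third parameter (ncolumn) is the number of
        // visible columns in the newly created window (ignored if appearance is
        // restored from the initialization file). If it's lower than the total
        // number of columns, remaining columns are initially invisible. Fourth
        // parameter is the name of icon - as OllyDbg resource.
        Createtablewindow(&hitlisttable, 0, hitlisttable.bar.nbar, NULL, L"ICO_PLUGIN", PLUGINNAME);
    }
    else {
        Activatetablewindow(&hitlisttable);
    }
    return MENU_REDRAW;
}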