Olly Plugins

Author: David Zimmer
Date: 10.22.10 - 6:22pm

So i have been fighting with my hit trace plugin today. First let me say i really hate plugin development..it is such a long ass process to compile, install, restart host, launch plugin, configure plugin, launch process, examine results.

I have literally been at it all day!

So it turns out this plugin has been broken from the start it seems. when you are inside the ODBG_Pluginmainloop inside an EXCEPTION_BREAKPOINT handler, calls like this give you stale data

   t_thread *th = Findthread(threadId);
   t_reg tr;
   tr =  th->reg; 
   return tr.r[REG_EAX];
Thats fun to know. I tried all kinds of stuff like trying to make it redraw all the panels and what not. Finally i looked at ollyscript source and found what he did..

   t_thread* t;
   t = Findthread(Getcputhreadid());
   CONTEXT context; 
   context.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL ;
   GetThreadContext(t->thread, &context);

	case REG_EAX: return context.Eax;
I guess i dont quite get why the olly api fails here. It must be because you are in an exception event and i just missed the memo. Sucks to be me. this was a very long painful debugging session. :(

actually in hindsight..i bet if i had set a timer and then run my handling code outside of the Pluginmainloop after like a 30ms delay everything would have been fine.

Turns out the hunch about using a timer to let Pluginmainloop return corrected the problem. This way I can go back to using Expression to eval complex expressions over the simple version i cooked up that explicitly used my own GetRegister routine. Will post a link when complete.

The update was all for adding a ascii string dumper feature to it. the things you find when you turn over rocks eghh...

Updates added:
  • ascii dump feature (prefix expression with A)
  • hexdump feature to log data (prefix exp with H, and number - H8 would specify hexdump and log 8 chars)
  • log output to file
  • support multiple trace expressions per breakpoint
  • allows you to log a comment with trace data (either from gui or disasm)
  • edit saved hittrace breakpoints
  • view hit count stats

Download: OllyHittrace.zip

Comments: (0)

Leave Comment:
Email: (not shown)
Message: (Required)
Math Question: 21 + 13 = ? followed by the letter: C 

About Me
More Blogs
Main Site
Posts: (year)
2024 (1)
     vbdec backstory
2023 (4)
     Yara Workbench Automation
     VS linker versions
     IDA decompiler comments
2022 (5)
     VB6 Implements
     VB6 Stubs BS
     VB6 TypeInfo
     VB6 VTable Layout
     Yara isPCode rule
2021 (2)
     VB6 Gosub
2020 (5)
     AutoIT versions
     IDA JScript 2
     Using VB6 Obj files from C
     Yara Corrupt Imports
     Yara Undefined values
2019 (6)
     Yara WorkBench
     vb6 API and call backs
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 (4)
     KANAL Mod
     Decoders again
     CDO.Message Breakpoints
     SysAnalyzer Updates
2015 (5)
     SysAnalyzer and Site Updates
     crazy decoder
     ida js w/dbg
     flash patching #2
     JS Graphing
2014 (5)
     Delphi IDA Plugin
     scdbg IDA integration
     API Hash Database
     Winmerge plugin
     IDACompare Updates
2013 (9)
     Guest Post @ hexblog
     TCP Stream Reassembly
     SysAnalyzer Updates
     Apilogger Video
     Shellcode2Exe trainer
     scdbg updates
     IDA Javascript w/IDE
     Rop Analysis II
     scdbg vrs ROP
2012 (13)
     flash patching
     x64 Hooks
     micro hook
     jmp api+5 *2
     SysAnalyzer Updates
     InjDll runtime config
     C# Asm/Dsm Library
     Shellcode Hook Detection
     Updates II
     Java Hacking
     Windows 8
     Win7 x64
2011 (19)
     Graphing ideas
     .Net Hacking
     Old iDefense Releases
     hll shellcode
     ActionScript Tips
     -patch fu
     scdbg ordinal lookup
     scdbg -api mode
     Peb Module Lists
     scdbg vrs Process Injection
     GetProcAddress Scanner
     scdbg fopen mode
     scdbg findsc mode
     scdbg MemMonitor
     demo shellcodes
     scdbg download
     api hashs redux
     Api hash gen
2010 (11)
     Retro XSS Chat Codes
     Exe as DLL
     Olly Plugins
     Debugging Explorer
     Attach to hidden process
     JS Refactoring
     Asm and Shellcode in CSharp
     Fancy Return Address
     PDF Stream Dumper
     Malcode Call API by Hash
     WinDbg Cheat Sheet
2009 (1)
     GPG Automation