[Repost] OllyDbg 2.01g October 04, 2012 - update
Posted: 2012-10-5 13:31 3438

OllyDbg 2.01g
October 04, 2012 - update

Many bugfixes and several improvements. Plugin interface is still under development.

I've got rid of a very nasty crash. Maybe half of such crashes happened within the GlobalAlloc(), the remaining were almost unpredictable. Of course, it was a buffer overflow, what else?

Debugging engine is now more stable, especially if one steps into the exception handlers. There is a new debugging option, "Set permanent breakpoints on system calls". When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue() and NTDLL.NtQueryInformationProcess(). For example, if the CPU is in the exception handler and you set a hardware breakpoint, it won't hit! NTDLL.ZwContinue() restores the original contents of registers and modifications get lost. Therefore OllyDbg sets a temporary INT3 break on ZwContinue() and applies changes to the copy of the context in memory. But sometimes it simply doesn't know that a temporary breakpoint is necessary. If the process is being debugged, Windows doesn't call the unhandled exception filter. Instead, it notifies the debugger. To pass the exception to the filter, OllyDbg intercepts NtQueryInformationProcess(). If the handler asks the OS whether the process is debugged, OllyDbg reports "no". And so on. Well, if this new option is so advantageous, why not make it the default? Because some viruses check for INT3 breakpoints on these APIs.

Sometimes it's necessary to rename OllyDbg, for example if you investigate a brainless virus that scans process names and hopes to avoid the debugger. You rename OllyDbg to, say, notadebugger.exe and... and... and all plugins are missing?! They are statically linked to the DLL named ollydbg.exe. Of course, GetProcAddress() would help, but this makes programming a nightmare. Therefore when OllyDbg loads plugins, it applies a dirty trick which lets Windows think that the main module is named ollydbg.exe and not notadebugger.exe. This trick works under Windows XP, but I am not sure whether Vista/Win7 use the same internal data structures. Please check.

Hit trace can be saved between the sessions. If code is self-modifying, use this option with care. When OllyDbg restores the hit trace, it sets an INT3 breakpoint on every marked command. This may lead to a crash of the debugged application.

Due to the invalid handling of prefixes 66, F2 and F3, command search was unable to find SSE commands. This bug is corrected.

Currently I am working on the plugin interface. Plugins will be allowed to set temporary breakpoints and process exceptions. This requires significant changes in the debugging engine and may take another couple of weeks.

Download
OllyDbg 2.01g
http://www.ollydbg.de/odbg201g.zip

Bookmark plugin
http://www.ollydbg.de/plug201g.zip
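The prefix bug mentioned above, illustrated with an added example (my code, not OllyDbg's): for the SSE arithmetic opcodes 0F 58..0F 5F the mandatory prefix byte, not the opcode, decides between packed/scalar and single/double, so a search that ignores 66/F2/F3 cannot tell ADDPS from ADDSD. The byte sample is constructed, the function names are mine, and ModRM decoding assumes 32-bit addressing.

```python
from typing import List, Optional, Tuple
# Opcodes 0F 58..0F 5F select the operation; the mandatory prefix selects the form
# (none = packed single, 66 = packed double, F3 = scalar single, F2 = scalar double).
BASE_OPS = {0x58: "ADD", 0x59: "MUL", 0x5C: "SUB", 0x5D: "MIN", 0x5E: "DIV", 0x5F: "MAX"}
PREFIX_FORM = {None: "PS", 0x66: "PD", 0xF3: "SS", 0xF2: "SD"}

def _operand_len(code: bytes, i: int) -> int:
    """Bytes used by the ModRM at code[i] plus SIB/displacement (32-bit addressing assumed)."""
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1
    if mod == 3:                                   # register-register form
        return n
    if rm == 4:                                    # SIB byte follows
        n += 1
        if mod == 0 and (code[i + 1] & 7) == 5:    # no base register: disp32
            n += 4
    elif mod == 0 and rm == 5:                     # [disp32]
        n += 4
    n += {1: 1, 2: 4}.get(mod, 0)                  # disp8 / disp32
    return n

def decode_sse_arith(code: bytes, i: int) -> Optional[Tuple[str, int]]:
    """Return (mnemonic, length) if an SSE arithmetic instruction starts at offset i."""
    prefix, j = None, i
    if j < len(code) and code[j] in PREFIX_FORM:
        prefix, j = code[j], j + 1
    if j + 2 >= len(code) or code[j] != 0x0F or code[j + 1] not in BASE_OPS:
        return None
    length = (j + 2 - i) + _operand_len(code, j + 2)
    return BASE_OPS[code[j + 1]] + PREFIX_FORM[prefix], length

def naive_search(code: bytes, opcode: bytes) -> List[int]:
    """Prefix-blind search: every 0F 58 is reported, whatever prefix precedes it."""
    return [k for k in range(len(code)) if code.startswith(opcode, k)]

def search_command(code: bytes, mnemonic: str) -> List[int]:
    """Prefix-aware search that walks the instruction stream and matches the full mnemonic."""
    hits, i = [], 0
    while i < len(code):
        decoded = decode_sse_arith(code, i)
        if decoded is None:
            i += 1                                 # not an SSE arithmetic op: skip one byte
            continue
        if decoded[0] == mnemonic:
            hits.append(i)
        i += decoded[1]
    return hits

# Constructed sample: ADDPS, ADDPD, ADDSS, ADDSD xmm0,xmm1 and SUBSD xmm0,[esp+8].
SAMPLE = bytes.fromhex("0f58c1" "660f58c1" "f30f58c1" "f20f58c1" "f20f5c442408")
```

`naive_search(SAMPLE, b"\x0f\x58")` reports all four "ADD" instructions as hits, while `search_command(SAMPLE, "ADDSD")` finds only the F2-prefixed one at offset 11.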



Latest replies (5)
2
odbg201g.zip
Uploaded attachment:
2012-10-5 14:31
3
plug201g.zip
Uploaded attachment:
2012-10-5 15:59
4
Thanks to the OP for sharing this.
2012-10-5 18:20
5
Looking forward to the official 2.0 release.
2012-10-5 18:35
6
Thanks OP, downloaded both of them.
2012-10-6 09:48