MemoryWatch v0.1b Plugin
Ziggy 2oo7
Public Domain - Use at your own risk.
Report problems at snd.astalavista.ms
1) History
Version 0.1b 21/04/07 - beta release
2) MemoryWatch Functions.
MemoryWatch supports three main functions:
a) Memory Watch - Watch memory address(es) for a particular value(s). The
memory value can be a dword, word or byte value masked (option) by a
nominated mask value. dword and word values can be in Little Endian (LE) format).
b) Register Watch - watch any or all of the registers eax, ecx, edx, ebx, esp
ebp, esi, edi, eip for a particular value.
c) String Watch - watch the registers for any string which contains the
nominated string value. And/or watch the Ollydbg 'Information Panel' for
referenced strings which contain the nominated string value. All referenced
strings (register or information) can also be logged(option) to the Ollydbg
log.
MemoryWatch(MW) provides functions which allow a debugged app to be
automatically stepped while watching for a particular memory value(s),
register value(s) and/or string value(s). MW can pause when a watch value is
found(option) or log watch events to the Ollydbg log file(option).
The MW stepping can be set as 'step in' (F7), 'step over' (F8) or run (F9) to
hardware/software breakpoints(option). REP instructions are always stepped
over.
Step address limits (lower and upper) can be set(option) so MW will step over
(F8) any instruction outside the address limits. A limit on the number of
steps can also be set(option).
Using the 'step in' function it is possible to single step every app
instruction but this can be very, very... slow. In most cases blindly using
'step in' is impractical except for restricted parts of app code. 'Step over'
can be faster but sometimes this is not enough to find where a particular
memory, register or string value is set. A combination of MW with Olly
software and/or hardware breakpoints can be far more effective.
For example set an Olly SW breakpoint at the point where you want to start
stepping in. Set MW to 'step in' or 'step over' (and Auto Enable). Then start
the app with 'run' (F9). When Olly breaks at the software breakpoint, MW will
take over and start stepping in/over from that point.
It is also possible to establish 'conditional' hardware breakpoints
(execution or memory write/read HW breakpoints). At each hardware breakpoint
MW will check the watches for a match, pause if there is a match(option), log
the event(option) and disable stepping(option) or continue running (F9) the
app. This can be useful if you are wanting to find the app code which is
setting a particular memory address to a particular value.
Masking of memory values can be used to check for particular bits. If the
mask value bit is set to '1' the coresponding memory value bit is ignored
when checking if there is a match.
3) MemoryWatch Performance
As far as possible the MemoryWatch code is written to minimise the stepping
and search time. BUT if you set all the watches, MW stepping will be slower.
4) Installation
Copy Memorywatch.dll to the Ollydbg plugin directory and restart Olly.
5) MemoryWatch Settings - Plugin Controls
Enable - When set MW will check the memory, register and string watches.
F7 Step In, F8 Step Over, At HW Break combo box - Specifies MW stepping
mode. If 'At HW Break' is selected, MW only checks watches at a hardware
break.
Address Limits - If checked 'Step Over' any instruction outside the from-to
address range.
Step Limit - Specify the number of steps before MW stops.
Auto Enable - Enable is set whenever MW is loaded or options are changed.
Disable at Break - If a match is found MW will break and disable any further
stepping.
Pause at Break - When a match is found stop stepping. If F7 or F8 is then
pressed, MW will continue.
Log Events - If a match is found write info to the Olly log file.
6) Memory Watch Settings (4 available)
Enable - need I explain?
Address - memory address to watch.
Data Type - can be dword, word or byte. dword or word. Little Endian(LE)
format can be used.
Value - memory value to check for.
Mask - if set, any bits set in the Mask Value are ignored when checking for a
match.
Mask Bits - shows the memory value bits which will be checked or ignored (x).
7) Register Watch Settings
Enable checkbox - selected registers will be checked/not checked.
Select register and value to be checked (6 Available)
--- means no registers are checked. 'Any' means all registers are checked for
the value.
8) String Watch Settings
Enable checkbox - search for the string (Ascii or Unicode) specified in the
edit box (2 available). The search string can be a subset of the actual
string. Search is always case sensitive.
Log All Strings - all string values (Ascii or Unicode) are logged to the Olly
log file.
Watch Registers - specifies if any strings pointed to by registers are
checked for match.
Watch Information - specifies if strings shown in the Olly 'Information Pane'
are checked for match.
Screen Unicode - specifies whether unicode strings are checked for validity.
If set any unicode strings which are NULL or contain rubbish characters ??
are ignored.
