#define STRICT // Avoids some type mismatches #include <windows.h> #include <stdio.h> #include "plugin.h" extern char string[TEXTLEN]; // defined in cmdexec.c typedef enum _PROCESSINFOCLASS { ProcessDebugFlags=31 // From ntddk.h } PROCESSINFOCLASS; typedef DWORD (NTAPI *NTSETINFORMATIONPROCESS)( IN HANDLE ProcessHandle, IN PROCESSINFOCLASS ProcessInformationClass, IN PVOID ProcessInformation, IN ULONG ProcessInformationLength ); int Childdbg(char *answer,ulong parm) { char buf[TEXTLEN]={0}; int DebugFlag; HMODULE hNtdll; NTSETINFORMATIONPROCESS ntsetinfproc; strncpy(buf,string,(TEXTLEN-1)); if(strnicmp(buf,"0",1)==0) { if((hNtdll = LoadLibrary("ntdll.dll")) == NULL) { Addtolist(0,1,"loadlib failed in command childdbg"); return GetLastError(); } if((ntsetinfproc = (NTSETINFORMATIONPROCESS) GetProcAddress(hNtdll,"NtSetInformationProcess")) == NULL) { Addtolist(0,1,"GetProcAddress failed in command childdbg"); return GetLastError(); } DebugFlag = 0; ntsetinfproc((PVOID)Plugingetvalue(VAL_HPROCESS),ProcessDebugFlags,&DebugFlag,sizeof(DebugFlag)); Addtolist(0,1,"hello Childdbg Disabled"); } else if(strnicmp(buf,"1",1)==0) { if((hNtdll = LoadLibrary("ntdll.dll")) == NULL) { Addtolist(0,1,"loadlib failed in command childdbg"); return GetLastError(); } if((ntsetinfproc = (NTSETINFORMATIONPROCESS) GetProcAddress(hNtdll,"NtSetInformationProcess")) == NULL) { Addtolist(0,1,"GetProcAddress failed in command childdbg"); return GetLastError(); } DebugFlag = 1; ntsetinfproc((PVOID)Plugingetvalue(VAL_HPROCESS),ProcessDebugFlags,&DebugFlag,sizeof(DebugFlag)); Addtolist(0,1,"hello Childdbg Enabled"); } else { Addtolist(0,1,"use \"childdbg 0 to Disable or childdbg 1 to Enable\" "); } return 0; }
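// This function is called each time OllyDbg passes main Windows loop. When
// debugged application stops, bring command line window in foreground.
// Additional behaviour for the childdbg command: a CREATE_PROCESS_DEBUG_EVENT
// that belongs to a process other than the debuggee (a child that inherited
// debugging after "childdbg 1") is handed over to a fresh OllyDbg instance by
// Childdbg_handoff() below.

enum {
  CHILDDBG_PATCH_LEN = 2,              // size of the "jmp $" patch and of the saved bytes
  CHILDDBG_POST_RETRIES = 100,         // max attempts to post F12 to the new instance
  CHILDDBG_POST_DELAY_MS = 300         // pause between those attempts (~30 s in total)
};

// Hands a freshly created child process over to a new OllyDbg instance.
// Steps: suspend the child's initial thread, save the first two bytes at its
// start address and overwrite them with EB FE ("jmp $") so the child idles
// once resumed, detach this OllyDbg from it, start "ollydbg -p <pid>", wait
// until that instance is idle, restore the saved bytes, post F12 (pause) to
// the new instance and resume the child.
// Failures are reported in message boxes exactly as before and leave the
// child wherever it was (possibly suspended, or spinning at its entry point)
// so the user can still attach by hand; only the handles this function opened
// are released, on every path.
static void Childdbg_handoff(const DEBUG_EVENT *debev) {
  static const BYTE spin[CHILDDBG_PATCH_LEN] = {0xEB,0xFE};   // x86 "jmp short -2", i.e. jmp $
  BYTE savebyte[CHILDDBG_PATCH_LEN] = {0};
  char scratch[0x200] = {0};
  STARTUPINFO si;
  PROCESS_INFORMATION pi;
  DEBUGACTIVEPROCESSSTOP dbgactprocstop;
  HMODULE hKernel32;
  HANDLE hThread = NULL;
  HANDLE hProcess = NULL;
  LPVOID entry;
  DWORD dwIdle;
  BOOL posted = FALSE;
  BOOL newolly = FALSE;                // pi holds valid handles once CreateProcess succeeded
  int tries;

  if (debev->dwDebugEventCode != CREATE_PROCESS_DEBUG_EVENT)
    return;
  if (debev->dwProcessId == (DWORD)Plugingetvalue(VAL_PROCESSID))
    return;                            // the debuggee itself, nothing to hand over

  // kernel32.dll is mapped into every process: look it up instead of
  // LoadLibrary, which would add a reference that is never released.
  hKernel32 = GetModuleHandle("kernel32.dll");
  dbgactprocstop = (hKernel32 == NULL) ? NULL :
    (DEBUGACTIVEPROCESSSTOP)GetProcAddress(hKernel32,"DebugActiveProcessStop");
  if (!dbgactprocstop) {
    MessageBox(0,"DebugActiveProcessStop Is Not Available Needs Xp And Above","CHILDDBG",MB_OK);
    return;
  }
  entry = (LPVOID)debev->u.CreateProcessInfo.lpStartAddress;

  // Least privilege: suspend/resume on the thread and memory read/write on
  // the process are all that the steps below need.
  hThread = OpenThread(THREAD_SUSPEND_RESUME,FALSE,debev->dwThreadId);
  if (!hThread) {
    MessageBox(0,"OpenThreadFailed","CHILDDBG",MB_OK);
    goto out;
  }
  SuspendThread(hThread);
  hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,
                         FALSE,debev->dwProcessId);
  if (!hProcess) {
    MessageBox(0,"OpenProcessFailed","CHILDDBG",MB_OK);
    goto out;
  }
  // Save exactly the bytes the patch overwrites; they are restored later.
  if (ReadProcessMemory(hProcess,entry,savebyte,sizeof savebyte,NULL) == 0) {
    MessageBox(0,"ReadProcMem Failed","CHILDDBG",0);
    goto out;
  }
  // this child will spin infinite on resume
  if (WriteProcessMemory(hProcess,entry,spin,sizeof spin,NULL) == 0) {
    MessageBox(0,"WriteProcMemFailed Before Resume","CHILDDBG",MB_OK);
    goto out;
  }
  ResumeThread(hThread);
  // Fixed text plus at most ten decimal digits: cannot exceed scratch.
  sprintf(scratch,"ollydbg -p %lu",(unsigned long)debev->dwProcessId);
  // detach for reattaching with new ollydbg
  dbgactprocstop(debev->dwProcessId);
  ZeroMemory(&si,sizeof(si));
  si.cb = sizeof(si);
  ZeroMemory(&pi,sizeof(pi));
  // reattaching. NOTE(review): with no lpApplicationName, "ollydbg" is
  // resolved through CreateProcess's search order (application directory and
  // current directory before PATH); passing the debugger's own full path
  // would pin which binary is started -- confirm where the plugin expects
  // ollydbg.exe before changing this.
  if (CreateProcess(NULL,scratch,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi) == 0) {
    MessageBox(0,"Reattaching Failed :(","CHILDDBG",MB_OK);
    goto out;
  }
  newolly = TRUE;
  dwIdle = WaitForInputIdle(pi.hProcess,INFINITE);
  if (dwIdle == WAIT_FAILED) {
    Addtolist(0,1,"Wait Failed with %d",GetLastError());
    goto out;
  }
  SuspendThread(hThread);
  if (WriteProcessMemory(hProcess,entry,savebyte,sizeof savebyte,NULL) == 0) {
    MessageBox(0,"WriteProcMem Failed :( after Arraching","CHILDDBG",MB_OK);
    goto out;
  }
  // Ask the new instance to pause (F12). The post can fail until its main
  // thread owns a message queue; retry a bounded number of times rather than
  // looping forever inside OllyDbg's main loop.
  for (tries = 0; tries < CHILDDBG_POST_RETRIES && !posted; tries++) {
    Sleep(CHILDDBG_POST_DELAY_MS);
    posted = PostThreadMessage(pi.dwThreadId,WM_KEYDOWN,VK_F12,0);
  }
  if (!posted)
    Addtolist(0,1,"childdbg: could not post F12 to the new ollydbg, error %d",GetLastError());
  MessageBox(0,"Attached Again if this msgbox shows up at ntdll_dbgbreak do\n"
             "Alt+E -> Follow Entry and set a break before dismissing this\n","CHILDDBG",MB_OK);
  ResumeThread(hThread);
  Addtolist(0,1,"called from cdbg");
out:
  if (newolly) {
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
  }
  if (hProcess)
    CloseHandle(hProcess);
  if (hThread)
    CloseHandle(hThread);
}

extc void _export cdecl ODBG_Pluginmainloop(DEBUG_EVENT *debugevent) {
  t_status status;                     // existing declaration in orignal src
  // additional code for childdbg command
  if (debugevent != NULL)
    Childdbg_handoff(debugevent);
  // existing code in orignal src for pluginmainloop
  if (hwcmd!=NULL) {
    status=Getstatus();
    if (status==STAT_NONE || status==STAT_RUNNING)
      poponstop=1;
    else if (poponstop!=0 && (status==STAT_STOPPED || status==STAT_FINISHED)) {
      SetForegroundWindow(hwcmd);
      SetFocus(hwbox);
      poponstop=0;
    }
  }
}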
Log data Address Message OllyDbg v1.10 Bookmarks sample plugin v1.06 (plugin demo) Copyright (C) 2001, 2002 Oleh Yuschuk Command line plugin v1.10 Written by Oleh Yuschuk File 'F:\modified_cmdline_plugin\modified_cmdline_plugin_date2442007\ModifiedCommandLinePluginWithChildDbg\TargetPracticeSample\CreateProcessfurther.exe' New process with ID 000006F8 created 00401000 Main thread with ID 00000D74 created 00400000 Module F:\modified_cmdline_plugin\modified_cmdline_plugin_date2442007\ModifiedCommandLinePluginWithChildDbg\TargetPracticeSample\CreateProcessfurther.exe 77D40000 Module C:\WINDOWS\system32\USER32.DLL 77F10000 Module C:\WINDOWS\system32\GDI32.dll 7C800000 Module C:\WINDOWS\system32\kernel32.dll 7C900000 Module C:\WINDOWS\system32\ntdll.dll 00401000 Program entry point hello Childdbg Enabled <------------------------- 77DD0000 Module C:\WINDOWS\system32\ADVAPI32.DLL called from cdbg Event 00000003 from different process (ID 00000D04) <----------------- hello Childdbg Disabled <----------------------------- 77E70000 Module C:\WINDOWS\system32\RPCRT4.dll 5AD70000 Module C:\WINDOWS\system32\uxtheme.dll 77C10000 Module C:\WINDOWS\system32\msvcrt.dll Process terminated, exit code 1