OllyDbg Plugins: Modified PDK

OllyDbg Plugins

MD5 Sum: 9B128C7DC1D7749DE262947990B190FC

Last updated on Nov 30, -1.

Alex Clarke

Description This is a mirror of the modified PDK from Alex Clarke that is hosted on OllyDbg.de under the "what's new" page. I came across it when I was searching for a reason as to why OllyDbg's PDK doesn't correctly export Attachtoactiveprocess(). Alex's modified PDK does export that routine among other changes he made, outlined here in his original e-mail to Oleh:

----- snip snip -----


Firstly congratulations and thanks for OllyDbg - it's incredibly good. I've been playing with the SDK using C++ for a plugin. I've made a few modifications that make the SDK header work better when using it in C++ code in (at least) a couple of newer C++ compilers (namely Borland C++ builder v1 and Visual Studio.net). They also remove various errors/warnings and the need for unsigned characters (when compiling .cpp's) or forcing byte packing (any source file). Finally I've got intellisense working with the SDK (the code hints in VisC).

Here's how the edits work:

Firstly, forcing compilation with 'chars unsigned as default' (when used from a .cpp file) is not as much of a problem when using the SDK from genuine C++ (i.e. when compiling a file with a .cpp extension). The ANSI standard prohibits implicit casting between signed char *, unsigned char * and char *. Since you've explicitly declared all the necessarily unsigned char params/returns, Visual C++.net causes an error if this is attempted regardless of the compiler switch setting. Borland C++ builder (v1 - using the older ANSI rules) warns about mixing types, but I'm pretty sure later versions will kick them out. I appreciate that there is a problem with sign extension when using the implied conversions, but this doesn't appear as if it will be a problem in your API.

You don't need to compile with 'byte packing' anymore (when using plugin.h from either a .c or .cpp) - pushing/popping the packing for definitions for the necessary structures and 'envelopes' should be sufficient (the bookmark plugin is fine from both compilers).

I've noticed that you return an enum in the Getstatus API. I've had a number of problems with sending enums out of C++Builder, the reason being that they are treated as bytes rather than longs if only small values are defined for the type. I don't think that returning them will be any problem, but you may get problems with builder if they are passed into the routines. As a cautionary measure I have added the #pragmas to declare your enums as longs (i'm guessing borland C++ compiler supports this but don't know for sure). It should allow safe enumeration of several of the sets of defines if desired.

Intellisense didn't work. This is because it makes globally declared type info available, but not global function prototypes unless they are in a namespace or the code body is declared in the project somewhere. I've put a namepace 'ODBG' around (just) the function declarations, and a 'using namespace ODBG' command to make it behave exactly as before when the functions are not called in the global scope, but if you stick ODBG:: in front of a function call you'll get a hint. Also I've tidied up the extern "C"'s (should make older versions of intelisense / newer versions of builder give more readable hints).

Afterthought: Thrown in a header #ifdef block to stop cyclic includes too.

Find attached the modified header, the import lib produced for builder and the def file/import lib for vc7. The libs may work in different versions of the respective compilers. VS.net didn't like the VC50 one, but builder seemed to be fine with the borland one (sending mine for the sake of completion).

Hope that's useful.

AL :)

Alex Clarke

----- snip snip -----

