
Thursday, September 21, 2017

Tips for writing Ollydbg plugins

As part of my master's thesis project I developed an OllyDbg plugin which serves as a front-end to my system. While developing it I had some problems figuring out how to use certain things, since the documentation is somewhat lacking. In this post I'll write down some tips which can be helpful to people developing their first OllyDbg plugin (or people who would like to develop OllyDbg plugins).

First step

As a first step you should visit this site and download the plugin development kit (PDK). The site also gives some information, such as what you'll find in the PDK and some rules for writing plugins.

Working environment setting

I developed the plugin using Visual Studio 2012, so I'll describe how to set up Visual Studio to write plugins. OllyDbg plugins are implemented as DLLs, so to create one you have to create a Win32 DLL in Visual Studio. To do that follow these steps: FILE -> New -> Project -> Visual C++ -> Win32 -> Win32 Console Application. In the application wizard choose Next and then under Application type choose DLL.

One of the rules OllyDbg sets is that the default character type has to be unsigned char. That is achieved by adding the /J option to the compiler command line: right-click the project and choose Properties -> Configuration Properties -> C/C++ -> Command Line, and under Additional Options add /J.
The OllyDbg library and header need to be added to the project before you can use them. Right-click the project and choose Properties -> Configuration Properties -> Linker -> General and under Additional Library Directories add the path to the directory containing the PDK's library and header; then under Properties -> Configuration Properties -> Linker -> Input -> Additional Dependencies add Ollydbg.lib.


I had problems with the .lib file which comes with the PDK. When I tried to build the project I got unresolved external symbol errors. This is fixed by creating a new .lib file from the .def file. But the .def file is wrong as well and has to be modified: open it in a text editor and remove all _ prefixes. Then create a new .lib file by executing lib.exe /DEF:Ollydbg.def (lib.exe can be run from the Visual Studio Command Prompt).

Plugin functions

A .hlp file comes with the PDK; inside is a description of the functions and structures available to OllyDbg plugins. I will describe some of the functions I used to create my plugin.

Callback functions

Functions whose names start with the ODBG_ prefix are callback functions. They are used to:
  • perform data initialization at plugin start,
  • free resources when OllyDbg is closed,
  • define the plugin menu and its interaction,
  • perform some functionality when the debugged application is paused.
Short review of some functions (see the function declarations in the header file):
  • ODBG_Plugindata - every plugin must have this function; it provides the plugin's name and returns the plugin version,
  • ODBG_Plugininit - another function every plugin must have; it's called during startup and should be used to perform all one-time initialization,
  • ODBG_Plugindestroy - called at exit; all allocated resources should be freed here,
  • ODBG_Pluginreset - called when the user opens a new or restarts the current application; structures and variables should be reset to their initial state here,
  • ODBG_Paused - OllyDbg calls this function every time the debugged application is paused; it is a good place to perform modifications or check whether a certain condition is met.
I suggest going through the example plugins which come with the PDK to see how these functions are used.

Disassembly functions

I will describe the functions I used for disassembly. The basic disassembly function is
Disasm(char *src, ulong srcsize, ulong srcip, char *srcdec, t_disasm *disasm, int disasmmode, ulong threadid).
Its parameters are:
  • src - buffer containing the raw bytes to disassemble,
  • srcsize - size of the src buffer,
  • srcip - address of the instruction to disassemble; if you call Disasm from the ODBG_Paused function you can get this value from the t_reg structure,
  • srcdec - instruction description; it's best to provide DEC_UNKNOWN or NULL here (all values are in the header file, prefixed by DEC_),
  • disasm - structure into which the disassembly results are saved,
  • disasmmode - what should be disassembled; values are in the header file with the DISASM_ prefix,
  • threadid - id of the thread in which disassembly takes place; NULL can be provided for the current thread.
To get the raw bytes for disassembly the Readcommand function has to be used:
Readcommand(ulong ip, char *cmd)

Its parameters are:
  • ip - address of the instruction to read,
  • cmd - buffer which receives the raw bytes to disassemble.
Its return value is the size of the data read (usually MAXCMDSIZE), which you can then pass on to the Disasm function.

I suggest studying the t_disasm structure in the header file, since all disassembly results are saved in it, and the t_reg structure, which holds information about the current state of the debugged application.
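The /J rule from the setup section and the char buffer that Readcommand fills are two sides of the same issue. The following added example (not from the original post or the PDK) works on a constructed 16-byte buffer of the kind Readcommand returns and shows why opcode checks, immediate decoding and per-opcode table lookups must treat those bytes as unsigned; MAXCMDSIZE = 16 is taken from the OllyDbg 1.10 PDK and the call rel32 encoding from x86, neither of which the post states.

```c
#include <stdint.h>
#include <stdio.h>

/* Readcommand() in the OllyDbg 1.10 PDK fills a buffer of this many bytes (assumption). */
#define MAXCMDSIZE 16

/* Constructed sample of what Readcommand would copy for "call rel32":
   E8 FB FF FF FF is call $-5 (the call targets its own address), padded with NOPs. */
static const char sample_cmd[MAXCMDSIZE + 1] =
    "\xE8\xFB\xFF\xFF\xFF\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

/* The PDK hands out char* buffers, so plain char decides how 0xE8 is read:
   232 when char is unsigned (/J), -24 when it is signed (the default without /J). */
int first_byte_unsigned(const char *cmd) { return (unsigned char)cmd[0]; }
int first_byte_signed(const char *cmd)   { return (signed char)cmd[0]; }

/* Opcode test written so it works with or without /J: compare the byte as unsigned. */
int is_call_rel32(const char *cmd) { return (unsigned char)cmd[0] == 0xE8; }

/* Little-endian imm32 from unsigned bytes. With signed char, each 0xFF byte would
   sign-extend to -1 before the shift and corrupt the displacement. */
uint32_t imm32_le(const char *p) {
    const unsigned char *u = (const unsigned char *)p;
    return (uint32_t)u[0] | ((uint32_t)u[1] << 8) |
           ((uint32_t)u[2] << 16) | ((uint32_t)u[3] << 24);
}

/* Target of a call rel32 located at srcip: next instruction (srcip + 5) plus the
   displacement; uint32_t wraparound performs the signed add. Returns 0 if not a call. */
uint32_t call_target(uint32_t srcip, const char *cmd) {
    if (!is_call_rel32(cmd)) return 0;
    return srcip + 5 + imm32_le(cmd + 1);
}

/* Per-opcode table indexed by the raw byte (constructed: only two entries filled).
   Indexing with a signed char gives a negative index and reads outside the table,
   so index through unsigned char, or build with /J so plain char is unsigned. */
static const int opcode_len[256] = { [0x90] = 1, [0xE8] = 5 };
int opcode_length(const char *cmd) { return opcode_len[(unsigned char)cmd[0]]; }

int main(void) {
    printf("first byte: unsigned=%d signed=%d\n",
           first_byte_unsigned(sample_cmd), first_byte_signed(sample_cmd));
    printf("call target from 0x401000: 0x%08X, length %d\n",
           (unsigned)call_target(0x401000u, sample_cmd), opcode_length(sample_cmd));
    return 0;
}
```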

