Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Using Thread Local Storage (tls) in Olly (https://forum.exetools.com/showthread.php?t=7363)

asterix 05-06-2005 03:35

I'll try to answer, but in Russian, sorry. Maybe someone will translate it to English.

Quote:

1) After that I never tried it, but at that time I saw it was using
WaitForDebugEvent and ContinueDebugEvent, which means it kind of runs a debugger
within a debugger
[Russian, translated:] Almost all plugins use the ODBG_Pluginmainloop function, which is called
on every debug event, and that is really slow, much slower
than in HideDebugger.

Quote:

Then open OllyDbg along with the hidedebug plugin and load a debuggee.
When you hit the system breakpoint, modify NtGlobalFlag to 72
and run the app.
You will see OllyDbg won't catch any debug strings, but debug mon will
catch all debug strings that are passed.
[Russian, translated:] The plugin itself is not the cause here. If at this point you manually clear the byte (flag)
Peb.BeingDebugged, you can observe the same effect.

JuneMouse 05-06-2005 20:53

Hehe, asterix, you could have used some online translator.
Translated via this link:
http://translation.paralink.com/ (Russian --> English online)
Quote:

Almost all plug-ins use function ODBG_Pluginmainloop which is caused
At each debugging event and it really slowly, much more slowly
Than in HideDebugger.

In itself a plug-in here not and. If in this place manually to dump byte (flag)
Peb.BeingDebugged that it is possible to observe the same effect.
Yes, yes, I know many plugins use mainloop, and I said "no offence" in my post just because of it :)

Well, I have written a prototype in asm and detten is helping me to convert it into C and make it a plugin for OllyDbg. Will release it soon in biw,
so wait :)

asterix 05-06-2005 21:10

Quote:

Hehe, asterix, you could have used some online translator.
Translated via this link:
http://translation.paralink.com/ (Russian --> English online)
After an online translator nobody will understand me;
now at least it is understandable for the Russian members ;-)

goggles99 05-08-2005 09:36

Quote:

Originally Posted by JuneMouse
Well, I have written a prototype in asm and detten is helping me to convert it into C and make it a plugin for OllyDbg. Will release it soon in biw,
so wait :)

JuneMouse...
Why convert into C first?
Just use the MASM SDK for OllyDbg plugins:

OllyDbg Plugin SDK 1.08 for MASM32
http://ollydbg.win32asmcommunity.net/stuph/

Looking forward to it either way :)

JuneMouse 05-08-2005 16:16

Quote:

OllyDbg Plugin SDK 1.08 for MASM32
First, eviloid hasn't updated it for 1.10, so it misses all those nifty new plugin functions like odbg_plugincmd(), odbg_paused, pausedex, etc. :)

Second, he uses macros but hasn't defined or prototyped them.
When I first tried his .inc I had a hard time finding out what the m2m or ctext
macro means; there are infinite versions and flavours of those macros floating around,
and instead of concentrating on my coding
I had to proofread and debug macros, which I feel is kind of absurd.

Third, his sample doesn't assemble; it throws thousands of errors, mainly because of those macros and some other problems.


He probably assumes dummies won't need his SDK :)

But also I would learn to code in C, btw, and understand how porting works in the process :) Anyway, the first beta worked well in w2k and xp without problems, but since this hidedebugger plugin deceives the status, now I need to
have the cake and eat it too :) So I recoded some hacks which work in w2k;
I need to test them on winxp and also find some reliable way to prevent user intervention :)

asterix 05-08-2005 19:07

JuneMouse

HideDebugger is coded in masm ;)

In this "OllyDbg Plugin SDK 1.08 for MASM32" I found some errors.

JuneMouse 05-08-2005 21:32

Also, it seems XP has suppressed a lot of debug strings, providing them only to checked builds and not to free builds.

Their own gflags.exe doesn't let LDR_SHOW_SHOWSNAPS show anything useful in the pre-initialization stage; only some debug strings could be shown in the post-initialization stage.

The following output is the max that is got by having both Image File Execution Options and Session Manager GlobalFlag :( in XP (no sign of LDR messages anywhere):

Code:

Log data
Address    Message
          OllyDbg v1.10
          Bookmarks sample plugin v1.06 (plugin demo)
            Copyright (C) 2001, 2002 Oleh Yuschuk
          Command line plugin v1.10
            Written by Oleh Yuschuk
          NtGlobalFlag Plugin v1.10
           
          File 'C:\Documents and Settings\Administrator\Desktop\odbg110\tut02\msgbox.exe'
          New process with ID 000008C0 created
00401000  Main thread with ID 00000D70 created
00400000  Module C:\Documents and Settings\Administrator\Desktop\odbg110\tut02\msgbox.exe
77D40000  Module C:\WINDOWS\system32\USER32.dll
77F10000  Module C:\WINDOWS\system32\GDI32.dll
7C800000  Module C:\WINDOWS\system32\kernel32.dll
7C900000  Module C:\WINDOWS\system32\ntdll.dll
7C946E68  Debug string: [8c0,d70] LDR: Real INIT LIST for process C:\Documents and Settings\Administrator\Desktop\odbg110\tut02\msgbox.exe pid 2240 0x8c0
7C946E68  Debug string: [8c0,d70]    C:\WINDOWS\system32\GDI32.dll init routine 77F163CA
7C946E68  Debug string: [8c0,d70]    C:\WINDOWS\system32\USER32.dll init routine 77D50EB9
7C946E68  Debug string: [8c0,d70] LDR: GDI32.dll loaded
7C946E68  Debug string:  - Calling init routine at 77F163CA
7C946E68  Debug string: [8c0,d70] LDR: USER32.dll loaded
7C946E68  Debug string:  - Calling init routine at 77D50EB9
00401000  Program entry point

In w2k this output is voluminous for the same exe.

Can anyone having a checked build verify and tell me if +sls stays enabled and if it outputs a lot of debug strings or not in XP??

Code:


C:\Program Files\SUPPOR~1>gflags -k +sls
Current Running Kernel Settings are: 00000002
sls - Show Loader Snaps

C:\Program Files\SUPPOR~1>gflags -k
Current Running Kernel Settings are: 00000000 <--- it doesn't stay as it is :(

C:\Program Files\SUPPOR~1>gflags -r
Current Boot Registry Settings are: 00000002
sls - Show Loader Snaps

C:\Program Files\SUPPOR~1>gflags -i msgbox.exe
Current Registry Settings for msgbox.exe executable are: 00000072
sls - Show Loader Snaps
htc - Enable heap tail checking
hfc - Enable heap free checking
hpc - Enable heap parameter checking

C:\Program Files\SUPPOR~1>

TQN 05-09-2005 10:59

Hi asterix!
Sorry for my mistake when I assumed your plugin caused the LDR_SNAPS strings to turn off in OllyDbg. I have found the problem. When the system loader is loading the EXE, if Loader Snaps is turned on, it will use ntdll.DbgPrint to print the loader snap strings. ntdll.DbgPrint will call the ntdll.vDbgPrintExWithPrefix function, and in this function it will check the PEB.BeingDebugged flag. If the flag is turned on, it will call ntdll.RtlRaiseException with OUTPUT_DEBUG_STRING_EVENT, and if the flag is turned off, it will return.
Code:

ntdll.DbgPrint:
77F7093C    50                  push    eax
77F7093D    FF7424 08           push    dword ptr ss:[esp+8]
77F70941    6A 00               push    0
77F70943    6A FF               push    -1
77F70945    68 D240F777         push    ntdll.77F740D2
77F7094A    E8 25ABFEFF         call    ntdll.vDbgPrintExWithPrefix
77F7094F    C3                  ret
....
ntdll.vDbgPrintExWithPrefix:
.......
77F70875    E8 08FFFFFF         call    ntdll._vsnprintf                 ; format the message into the stack buffer
77F7087A    83C4 10             add     esp, 10
77F7087D    03F0                add     esi, eax                         ; esi = length of prefix + message
77F7087F    8975 E4             mov     dword ptr ss:[ebp-1C], esi
77F70882    834D FC FF          or      dword ptr ss:[ebp-4], FFFFFFFF
77F70886    3BFB                cmp     edi, ebx
77F70888    0F8C 8DFF0000       jl      ntdll.77F8081B
77F7088E    83FE FF             cmp     esi, -1
77F70891    0F84 97FF0000       je      ntdll.77F8082E
77F70897    8D85 E4FDFFFF       lea     eax, dword ptr ss:[ebp-21C]      ; eax = formatted string
77F7089D    8985 DCFDFFFF       mov     dword ptr ss:[ebp-224], eax
77F708A3    66:89B5 D8FDFFFF    mov     word ptr ss:[ebp-228], si        ; length kept as a 16-bit value
77F708AA    64:A1 18000000      mov     eax, dword ptr fs:[18]           ; TEB self pointer
77F708B0    8B40 30             mov     eax, dword ptr ds:[eax+30]       ; TEB.ProcessEnvironmentBlock
77F708B3    3858 02             cmp     byte ptr ds:[eax+2], bl          ; CHECK PEB.BeingDebugged here (bl = 0)
77F708B6    0F85 80FF0000       jnz     ntdll.77F8083C                   ; debugged -> build and raise the exception
.....
77F8083C    C785 88FDFFFF 06000>mov     dword ptr ss:[ebp-278], 40010006 ; EXCEPTION_RECORD.ExceptionCode = DBG_PRINTEXCEPTION_C
77F80846    899D 90FDFFFF       mov     dword ptr ss:[ebp-270], ebx      ; .ExceptionRecord = NULL
77F8084C    C785 98FDFFFF 02000>mov     dword ptr ss:[ebp-268], 2        ; .NumberParameters = 2
77F80856    899D 8CFDFFFF       mov     dword ptr ss:[ebp-274], ebx      ; .ExceptionFlags = 0
77F8085C    0FB785 D8FDFFFF     movzx   eax, word ptr ss:[ebp-228]
77F80863    40                  inc     eax
77F80864    8985 9CFDFFFF       mov     dword ptr ss:[ebp-264], eax      ; .ExceptionInformation[0] = length + 1
77F8086A    8B85 DCFDFFFF       mov     eax, dword ptr ss:[ebp-224]
77F80870    8985 A0FDFFFF       mov     dword ptr ss:[ebp-260], eax      ; .ExceptionInformation[1] = pointer to the string
77F80876    C745 FC 01000000    mov     dword ptr ss:[ebp-4], 1
77F8087D    8D85 88FDFFFF       lea     eax, dword ptr ss:[ebp-278]
77F80883    50                  push    eax
77F80884    E8 1E08FDFF         call    ntdll.RtlRaiseException          ; the debugger receives this as OUTPUT_DEBUG_STRING_EVENT

Continue with your great work !
Best regards,
TQN
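The record TQN's disassembly builds at [ebp-278] is a plain EXCEPTION_RECORD, and the whole mechanism can be modelled outside Windows. The C below is an added example, not code from the thread or from ntdll: it reproduces the tail of vDbgPrintExWithPrefix as a function gated on the PEB.BeingDebugged byte, fills a locally defined struct with the same field order as the Win32 EXCEPTION_RECORD, and decodes it the way a debugger turns a DBG_PRINTEXCEPTION_C (0x40010006) record into the OUTPUT_DEBUG_STRING_EVENT text shown in the OllyDbg log. The sample message is constructed; the struct is defined here so the file compiles on any platform.

```c
/*
 * Added example: model of the PEB.BeingDebugged gate in ntdll.vDbgPrintExWithPrefix
 * (not the thread's code and not ntdll). After the message has been formatted,
 * a set BeingDebugged byte leads to RtlRaiseException with a record whose
 * ExceptionCode is DBG_PRINTEXCEPTION_C, NumberParameters is 2,
 * ExceptionInformation[0] is strlen + 1 and ExceptionInformation[1] points at the
 * string. A cleared byte skips all of this, which is why zeroing the flag makes
 * the loader snaps vanish from the debugger's log.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DBG_PRINTEXCEPTION_C          0x40010006u
#define EXCEPTION_MAXIMUM_PARAMETERS  15

/* Same field order as the Win32 EXCEPTION_RECORD; defined locally for portability. */
typedef struct exception_record {
    uint32_t  ExceptionCode;                   /* [ebp-278] <- 40010006            */
    uint32_t  ExceptionFlags;                  /* [ebp-274] <- ebx (0)             */
    struct exception_record *ExceptionRecord;  /* [ebp-270] <- ebx (0)             */
    void     *ExceptionAddress;                /* filled in by RtlRaiseException   */
    uint32_t  NumberParameters;                /* [ebp-268] <- 2                   */
    uintptr_t ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
                                               /* [ebp-264] <- len+1, [ebp-260] <- buffer */
} EXCEPTION_RECORD_LIKE;

/* Debuggee side. Returns 1 if the record would be raised to a debugger,
 * 0 if the function simply returns because PEB.BeingDebugged is zero. */
static int model_vdbgprint(const char *formatted, unsigned char peb_being_debugged,
                           EXCEPTION_RECORD_LIKE *rec)
{
    size_t len = strlen(formatted);            /* what _vsnprintf left in esi */
    memset(rec, 0, sizeof *rec);
    if (peb_being_debugged == 0)               /* cmp byte ptr [peb+2], bl ; jnz raise */
        return 0;
    rec->ExceptionCode    = DBG_PRINTEXCEPTION_C;
    rec->ExceptionFlags   = 0;
    rec->ExceptionRecord  = NULL;
    rec->NumberParameters = 2;
    /* length was stored as a word, then movzx / inc eax */
    rec->ExceptionInformation[0] = (uintptr_t)((uint16_t)len + 1u);
    rec->ExceptionInformation[1] = (uintptr_t)formatted;
    return 1;
}

/* Debugger side: what the OUTPUT_DEBUG_STRING_INFO carries. In a real debugger the
 * buffer lives in the debuggee and is fetched with ReadProcessMemory; here it is
 * in-process. Returns the number of characters copied (0 for a non-matching record). */
static size_t debugger_decode(const EXCEPTION_RECORD_LIKE *rec, char *out, size_t cap)
{
    if (rec->ExceptionCode != DBG_PRINTEXCEPTION_C || rec->NumberParameters < 2)
        return 0;
    size_t n = (size_t)rec->ExceptionInformation[0];    /* includes the terminating NUL */
    const char *src = (const char *)rec->ExceptionInformation[1];
    if (n == 0 || cap == 0)
        return 0;
    if (n > cap)
        n = cap;
    memcpy(out, src, n - 1);
    out[n - 1] = '\0';
    return n - 1;
}

int main(void)
{
    /* Constructed sample, in the shape of a loader-snap line from the thread's log */
    static const char msg[] = "LDR: GDI32.dll loaded";
    EXCEPTION_RECORD_LIKE rec;
    char out[128];

    if (!model_vdbgprint(msg, 0, &rec))
        puts("BeingDebugged = 0: DbgPrint returns, the debugger sees nothing");
    if (model_vdbgprint(msg, 1, &rec) && debugger_decode(&rec, out, sizeof out))
        printf("BeingDebugged = 1: Debug string: %s\n", out);
    return 0;
}
```

The offsets in the struct comments line up with the disassembly: ExceptionCode at -278, ExceptionFlags at -274, ExceptionRecord at -270, NumberParameters at -268 (+0x10), and ExceptionInformation[0] and [1] at -264 and -260 (+0x14, +0x18), which is exactly the layout of a 32-bit EXCEPTION_RECORD.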

JuneMouse 05-29-2005 18:09

The plugin, along with source and some sample exes, has been released.

Please post comments and bug reports to the story:

http://www.reversing.be/article.php?story=20050527190528983

Thanks and regards

JuneMouse 06-04-2005 19:32

The plugin has been updated.
It is now capable of breaking on TlsCallbacks as well as the DllInit routine on request.

Story here:
http://www.reversing.be/article.php?story=20050603193932184

Thanks and regards


All times are GMT +8.