ollydbg 2.x plugin OLLY_LKD


blabberer
September 5th, 2012, 22:42
a small sample plugin for ollydbg 2.01f using windbg's dbgeng functions, especially
local kernel debugging output

the plugin is at alpha - Z stage and uses ollydbg version 2.01f plugin kit

and is built by winddk (windows 7 wdk C:\WinDDK\7600.16385.1)

there is a modification required to plugin.h as follows to
avoid crashing due to stack imbalance

(the same source compiled with vs 2010 and unmodified plugin.h
works ok)

it seems the wdk compiler is behaving differently

the modification to plugin.h is as follows (added a _cdecl so that the stack is cleaned up properly)


C:\ollydbg2beta\plug201ft\Visual C>fc plugin.h d:\Plugin_Template_For_ODBG_20001_WDK\plugin.h
Comparing files plugin.h and D:\PLUGIN_TEMPLATE_FOR_ODBG_20001_WDK\PLUGIN.H
***** plugin.h

typedef int MENUFUNC(struct t_table *,wchar_t *,ulong,int);

***** D:\PLUGIN_TEMPLATE_FOR_ODBG_20001_WDK\PLUGIN.H

typedef int _cdecl MENUFUNC(struct t_table *,wchar_t *,ulong,int);

*****
C:\ollydbg2beta\plug201ft\Visual C>

the source is gibberish on top of the template i posted
earlier for vs2010 at the moment so i am not posting it

refer to Kayaker's blog about ollydb.lib


a compiled binary is attached

any comments / feedback / suggestions / criticisms are welcome

to use it
copy the plugin dll to the folder of the 2.01f version of ollydbg.exe

copy the following windbg extensions / dlls (6.12) to the folder where ollydbg.exe resides

uext, symsrv, ntsdexts, kext, kdexts, exts, ext, dbghelp, dbgeng


click the menu

a getstring dialog will be presented (assuming your debuggee is msgbox.exe)

if you type in "!process 0 0 msgbox.exe" without the quotes you will be presented with the
following details


Code:

Log data
Address Message
Connected to Windows XP 2600 x86 compatible target at (Thu Sep 6 05:58:23.578 2012 (UTC + 5:30)), ptr64 FALSE
Symbol search path is:
SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100216-1514
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
Debug session time: Thu Sep 6 05:58:23.656 2012 (UTC + 5:30)
System Uptime: 0 days 17:45:57.225
PROCESS 86ba98e0
SessionId: 0 Cid: 0ce8 Peb: 7ffd8000 ParentCid: 0894
DirBase: 0f8c0420 ObjectTable: e2a8ea90 HandleCount: 14.
Image: msgbox.exe
VadRoot 85f24388 Vads 36 Clone 0 Private 104. Modified 0. Locked 0.
DeviceMap e30a2340
Token e172e040
ElapsedTime 00:04:07.015
UserTime 00:00:00.031
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 26588
QuotaPoolUsage[NonPagedPool] 1440
Working Set Sizes (now,min,max) (583, 50, 345) (2332KB, 200KB, 1380KB)
PeakWorkingSetSize 583
VirtualSize 12 Mb
PeakVirtualSize 13 Mb
PageFaultCount 609
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 124
DebugPort 85f25ec0
Setting context for this process...


THREAD 863f7b08 Cid 0ce8.063c Teb: 7ffdf000 Win32Thread: e4262e10 WAIT: (Executive) KernelMode Non-Alertable
a8eb87d4 SynchronizationEvent
Not impersonating
DeviceMap e30a2340
Owning Process 0 Image: <Unknown>
Attached Process 86ba98e0 Image: msgbox.exe
Wait Start TickCount 4077495 Ticks: 15786 (0:00:04:06.656)
Context Switch Count 92 LargeStack
UserTime 00:00:00.015
KernelTime 00:00:00.000
*** WARNING: Unable to verify checksum for C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\msgbox.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\msgbox.exe
Win32 Start Address msgbox (0x00401000)
Start Address kernel32!BaseProcessStartThunk (0x7c810705)
Stack Init a8eb9000 Current a8eb8758 Base a8eb9000 Limit a8eb5000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr
a8eb8770 80500cf0 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
a8eb877c 804f9d72 nt!KiSwapThread+0x46 (FPO: [0,0,0])
a8eb87a4 80638fc4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
a8eb8884 8063a099 nt!DbgkpQueueMessage+0x17c (FPO: [Non-Fpo])
a8eb88a8 8063a1cb nt!DbgkpSendApiMessage+0x45 (FPO: [Non-Fpo])
a8eb8934 804fcb42 nt!DbgkForwardException+0x8f (FPO: [Non-Fpo])
a8eb8cf4 8053e0a1 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
a8eb8d5c 8053e7b1 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
a8eb8d5c 00401001 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ a8eb8d64)
WARNING: Stack unwind information not available. Following frames may be wrong.
0013fff0 00000000 msgbox+0x1001

refer to the last post for the attachment
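Added example (my own code, not part of OLLY_LKD or of anything attached in this thread): a small Python parser for the !process / THREAD / stack text the plugin logs, with the two checks a reverser usually wants from it. The first is whether the kernel sees a debugger on the process (EPROCESS.DebugPort non-zero, which no user-mode anti-debug trick can hide). The second is whether the thread is parked in the debug-message wait below an int3 (nt!DbgkForwardException under nt!KiTrap03), which is exactly what the stack above shows for a debuggee sitting on an Olly breakpoint. The frame regex also accepts the kb-style lines (frame index plus Args to Child) that show up later in the thread. The sample log is trimmed from the output posted above; the regexes, class names and checks are assumptions of this example, not anything the plugin exposes.

```python
"""Parse WinDbg/LKD '!process' + THREAD + stack output as logged by OLLY_LKD.
Added example; not part of the plugin.  Field names are WinDbg's, the regexes
and the two checks are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PROCESS_RE = re.compile(
    r"^PROCESS\s+([0-9a-f]{8})\s+SessionId:\s*\S+\s+Cid:\s*([0-9a-f]+)"
    r"\s+Peb:\s*([0-9a-f]+)\s+ParentCid:\s*([0-9a-f]+)", re.I)
THREAD_RE = re.compile(
    r"^THREAD\s+([0-9a-f]{8})\s+Cid\s+[0-9a-f]+\.([0-9a-f]+)\s+Teb:\s*([0-9a-f]+)", re.I)
# One frame line.  Accepts 'k' output (ChildEBP RetAddr symbol) and 'kb'
# output (optional two-digit frame index, up to three 'Args to Child').
# Caveat: an unsymbolised 8-hex-digit return site would be taken as an arg.
FRAME_RE = re.compile(
    r"^(?:[0-9a-f]{2}\s+)?([0-9a-f]{8})\s+([0-9a-f]{8})\s+"
    r"((?:[0-9a-f]{8}\s+){0,3})([\w!+.@-]+)", re.I)


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: List[int]
    symbol: str


@dataclass
class ProcessInfo:
    eprocess: int
    cid: int
    peb: int
    parent_cid: int
    image: str = ""
    debug_port: int = 0
    ethread: Optional[int] = None
    tid: Optional[int] = None
    teb: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)

    def is_debugged(self) -> bool:
        # EPROCESS.DebugPort is non-NULL only while a debugger is attached.
        return self.debug_port != 0

    def parked_on_breakpoint(self) -> bool:
        # A thread stopped on int3 under a debugger waits in DbgkForwardException,
        # reached from the KiTrap03 exception dispatch path.
        syms = [f.symbol for f in self.frames]
        return (any(s.startswith("nt!DbgkForwardException") for s in syms)
                and any(s.startswith("nt!KiTrap03") for s in syms))


def parse_frames(text: str) -> List[Frame]:
    """Collect every frame line in a block of 'k' / 'kb' output."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            args = [int(a, 16) for a in m.group(3).split()]
            frames.append(Frame(int(m.group(1), 16), int(m.group(2), 16),
                                args, m.group(4)))
    return frames


def parse_lkd_process(text: str) -> ProcessInfo:
    """Parse the first PROCESS block and the first THREAD block after it."""
    info: Optional[ProcessInfo] = None
    in_thread = False
    for raw in text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            if info is None:
                info = ProcessInfo(int(m.group(1), 16), int(m.group(2), 16),
                                   int(m.group(3), 16), int(m.group(4), 16))
            continue
        if info is None:
            continue
        m = THREAD_RE.match(line)
        if m:
            if in_thread:
                break  # only the first thread of the process
            in_thread = True
            info.ethread, info.tid, info.teb = (int(m.group(i), 16) for i in (1, 2, 3))
            continue
        if not in_thread:
            m = re.match(r"^Image:\s*(\S+)", line)
            if m:
                info.image = m.group(1)
            m = re.match(r"^DebugPort\s+([0-9a-f]+)", line, re.I)
            if m:
                info.debug_port = int(m.group(1), 16)
            continue
        info.frames.extend(parse_frames(line))
    if info is None:
        raise ValueError("no PROCESS block found")
    return info


# Constructed sample: trimmed from the '!process 0 0 msgbox.exe' output in the thread.
SAMPLE_LOG = """\
PROCESS 86ba98e0 SessionId: 0 Cid: 0ce8 Peb: 7ffd8000 ParentCid: 0894
DirBase: 0f8c0420 ObjectTable: e2a8ea90 HandleCount: 14.
Image: msgbox.exe
Token e172e040
DebugPort 85f25ec0
Setting context for this process...

THREAD 863f7b08 Cid 0ce8.063c Teb: 7ffdf000 Win32Thread: e4262e10 WAIT: (Executive) KernelMode Non-Alertable
a8eb87d4 SynchronizationEvent
Attached Process 86ba98e0 Image: msgbox.exe
Win32 Start Address msgbox (0x00401000)
ChildEBP RetAddr
a8eb8770 80500cf0 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
a8eb877c 804f9d72 nt!KiSwapThread+0x46 (FPO: [0,0,0])
a8eb87a4 80638fc4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
a8eb8884 8063a099 nt!DbgkpQueueMessage+0x17c (FPO: [Non-Fpo])
a8eb88a8 8063a1cb nt!DbgkpSendApiMessage+0x45 (FPO: [Non-Fpo])
a8eb8934 804fcb42 nt!DbgkForwardException+0x8f (FPO: [Non-Fpo])
a8eb8cf4 8053e0a1 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
a8eb8d5c 8053e7b1 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
a8eb8d5c 00401001 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ a8eb8d64)
WARNING: Stack unwind information not available. Following frames may be wrong.
0013fff0 00000000 msgbox+0x1001
"""

if __name__ == "__main__":
    p = parse_lkd_process(SAMPLE_LOG)
    print(f"{p.image} EPROCESS={p.eprocess:08x} Cid={p.cid:x} DebugPort={p.debug_port:08x}")
    print("debugger attached:", p.is_debugged(), " parked on int3:", p.parked_on_breakpoint())
    for f in p.frames:
        print(f"  {f.child_ebp:08x} {f.ret_addr:08x} {f.symbol}")
```

Feed it the text Olly's log window shows after "!process 0 0 <image>"; the user-mode frame at the bottom (msgbox+0x1001, right after the int3 at 401000) is reported along with the kernel frames, so the same parser covers what kb shows from user mode.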

Kayaker
September 7th, 2012, 07:46
WTF is this, a WinOlly mutant? This just isn't right. It's an abhorrent grotesque transmogrification that goes against the laws of nature. You should be ashamed of yourself!

I love it

So, I'm still having some issues with your 3-eyed fish creation. The usual Windbg "NT symbols are incorrect, please fix symbols" error.

I've tried things like
!sym noisy
.symfix
.reload /f nt
and gotten a new pdb placed into an Ollydbg/sym directory by the MS symserver, but no joy yet.

Still working on getting the symbols set up right, but other than that it's pretty cool. One suggestion/request pretty please - a command line window that stays open so you can enter multiple commands without having to reopen the plugin menu.

blabberer
September 7th, 2012, 13:14
the devil maker is pleased to hear that you love the devil and has created a semi-permanent gremlin that won't stay open always but
can be accessed via keyboard shortcut; the gremlin also remembers your old orders for devilizing buggy hells via a drop down box

this also now has a one time init and one time exit so that it stops blabbering the same old dialog with every invocation of abracadabra

have fun devilizing the unbuggable

bear in mind windbg works fine with one centralized _NT_SYMBOL_PATH and its associated cache
if you find symbol problems you should never ever make other caches in any debuggee folder / sys32 folder / dll folder / exe folder / sys folder and other folders; first make sure it recognizes your _NT_SYMBOL_PATH and downloads all the crap to the DownStream Cache Folder associated with _NT_SYMBOL_PATH

in your case i assume you haven't copied the windbg extensions and dlls to your ollydbg folder so you are facing symbol problems

first delete all other caches except the SRV*<cache folder>* of _NT_SYMBOL_PATH

copy SYMSRV.dll / dbgeng.dll / dbghelp.dll / ext.dll / kext.dll / kdexts.dll / ntsdexts.dll / uext.dll / etc to the ollydbg folder from the windbg installation like i posted earlier and your symbol problems should be gone

.symfix etc work only if you have the latest symsrv.dll in the path

now copy the attached plugin to ollydbg dir start ollydbg and hit

alt+f1 (yep i stole the shortcut from the ollydbg 1.10 commandline plugin)

now type !gflag +sls in a blank ollydbg window and start a process

all the loader snaps (the work of the ntglobalflag plugin of ollydbg 1.10) should happen like below


Code:


Log data
Address Message
New NtGlobalFlag contents: 0x00004002
sls - Show Loader Snaps
otl - Maintain a list of objects for each type

File 'C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\msgbox.exe'
New process (ID 00000C98) created
00401000 Main thread (ID 00000BB4) created
00400000 Module C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\msgbox.exe
Different PE Data Directory in file and in memory (antivirus?)
Import table: file (00002010,0000003C), memory (00002F78,0000003C)
64D00000 Module C:\Program Files\Alwil Software\Avast5\snxhk.dll
77F10000 Module C:\WINDOWS\system32\GDI32.dll
PDB file: 'F:\symbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb'
7C800000 Module C:\WINDOWS\system32\kernel32.dll
PDB file: 'F:\symbols\kernel32.pdb\072FF0EB54D24DFAAE9D13885486EE092\kernel32.pdb'
7C900000 Module C:\WINDOWS\system32\ntdll.dll
PDB file: 'F:\symbols\ntdll.pdb\6992F4DAF4B144068D78669D6CB5D2072\ntdll.pdb'
7E410000 Module C:\WINDOWS\system32\user32.dll
PDB file: 'F:\symbols\user32.pdb\D18A41B74E7F458CAAAC1847E2D8BF022\user32.pdb'
Debug string: LDR: LdrLoadDll, loading ShimEng.dll from
Debug string: LDR: Loading (DYNAMIC, NON_REDIRECTED) C:\WINDOWS\system32\ShimEng.dll
Debug string: LDR: ShimEng.dll bound to ntdll.dll
Debug string: LDR: ShimEng.dll has stale binding to ntdll.dll
Debug string: LDR: Stale Bind ntdll.dll from ShimEng.dll
Debug string: LDR: ShimEng.dll bound to KERNEL32.dll
Debug string: LDR: ShimEng.dll has stale binding to KERNEL32.dll
Debug string: LDR: Stale Bind KERNEL32.dll from ShimEng.dll
Debug string: LDR: LdrGetProcedureAddress by
Debug string: NAME - SE_InstallBeforeInit
Debug string: LDR: LdrGetProcedureAddress by


blabberer
September 15th, 2012, 16:23
this plugin can now display the user call stack

type in "ustk" in the box without quotes

this plugin now automatically sets the process context to that of the debuggee

so you don't have to do .process /p /r debuggee eproc

and can view debuggee relevant data directly

the plugin now identifies and aliases eproc as the EPROCESS of the debuggee process

suppose msgbox is the debuggee

doing u 401002 will display the disassembly of msgbox.exe

you can supply the alias eproc in place of DebuggeeEprocess
like

dt nt!_eprocess eproc or using the alias interpreter viz ${$eproc}

my odbg 2.01f folder contains the following extensions from the windbg version 6.12 folder

Folder PATH listing

C:.
dbgeng.dll
dbghelp.dll
ext.dll
exts.dll
kdexts.dll
kext.dll
msgbox.exe <debuggee
msgbox.pdb <debuggee's pdb
ntsdexts.dll
ollydbg.exe
ollydbg.ini
OLLY_LKD.dll <plugin
symsrv.dll
uext.dll

No subfolders exist



Code:


Log data
Address Message
ustk
# ChildEBP RetAddr Args to Child
00 0013fcdc 7c918f21 00160000 40000068 00000032 ntdll!_SEH_prolog+0x34
01 0013ff10 7e42890d 00160000 40000068 00000032 ntdll!RtlAllocateHeap+0xe64
02 0013ff24 7e428927 00000032 00000000 ffffffff user32!UserRtlAllocMem+0x16
03 0013ff3c 7e466433 00000000 00403019 ffffffff user32!MBToWCSEx+0x75
04 0013ff70 7e450877 00000000 00403019 00403000 user32!MessageBoxTimeoutA+0x2d
05 0013ff90 7e45082f 00000000 00403019 00403000 user32!MessageBoxExA+0x1b
06 0013ffac 00401013 00000000 00403019 00403000 user32!MessageBoxA+0x45
07 0013fff0 00000000 00401000 00000000 78746341 msgbox!start+0x13

!process eproc 0
PROCESS 85d35030 SessionId: 0 Cid: 0b98 Peb: 7ffd9000 ParentCid: 08e8
DirBase: 0fb40440 ObjectTable: e2f79008 HandleCount: 14.
Image: msgbox.exe


+0x084 UniqueProcessId : 0x00000b98 Void dt nt!_eprocess -y uni eproc
+0x174 ImageFileName : [16] "msgbox.exe" dt nt!_eprocess -y ima eproc

lm
start end module name
00400000 00404000 msgbox (deferred)
64d00000 64d3c000 snxhk (deferred)
76390000 763ad000 IMM32 (deferred)
77dd0000 77e6b000 ADVAPI32 (deferred)
77e70000 77f02000 RPCRT4 (deferred)
77f10000 77f59000 GDI32 (deferred)
77fe0000 77ff1000 Secur32 (deferred)
7c800000 7c8f6000 kernel32 (deferred)
7c900000 7c9b2000 ntdll (deferred)
7e410000 7e4a1000 user32 (deferred)
804d7000 806cf980 nt (pdb symbols) f:\symbols\ntkrnlpa.pdb\4BF71966DA15428C9532FDC1F6886F571\ntkrnlpa.pdb

ustk

# ChildEBP RetAddr Args to Child
00 0013fcdc 7c918f21 00160000 40000068 00000032 ntdll!_SEH_prolog+0x34
01 0013ff10 7e42890d 00160000 40000068 00000032 ntdll!RtlAllocateHeap+0xe64
02 0013ff24 7e428927 00000032 00000000 ffffffff user32!UserRtlAllocMem+0x16
03 0013ff3c 7e466433 00000000 00403019 ffffffff user32!MBToWCSEx+0x75
04 0013ff70 7e450877 00000000 00403019 00403000 user32!MessageBoxTimeoutA+0x2d
05 0013ff90 7e45082f 00000000 00403019 00403000 user32!MessageBoxExA+0x1b
06 0013ffac 00401013 00000000 00403019 00403000 user32!MessageBoxA+0x45
07 0013fff0 00000000 00401000 00000000 78746341 msgbox!start+0x13


blabberer
September 22nd, 2012, 01:22
did any one of you chain this ollydbg with a windbg?

i mean load ollydbg into windbg and load a debuggee in ollydbg?

it seems the plugins are never loaded if ollydbg is debugged by windbg

trying with default unmodified ollydbg and default unmodified visual c bookmark plugin

also keeps the plugin tab grayed out

i can't see a load call to the BookMark plugin

loading ollydbg on ollydbg shows the plugin tab

Kayaker
September 22nd, 2012, 11:11
I don't seem to have that problem. Plugin gets loaded OK with Olly under Windbg:

ModLoad: 01f20000 01f30000 C:\RCE\OllyDbg2\plugins\Bookmarkc.dll

I noticed something funky with this Olly, it self-extracts UPX files and stops at the OEP rather than the packer EP. You have to uncheck the 'Unpack SFX modules automatically' option if you want it to break on unpacking code. I don't know what it would do with a malware that uses a fake upx stub and does something nasty during unpacking, something to be aware of.

blabberer
September 27th, 2012, 13:55
found some time to check but i get an uhm

can you retry with this olly_lkd plugin

windbg ->ollydbg with ollylkd plugin->some lmn debuggee in ollydbg

Kayaker
September 27th, 2012, 17:12
Uhm (to use the same technical computer terminology), same results. If I put all those Winny files in the main Olly directory (except for having separate plugin and project directories), the plugin gets loaded OK under Windbg (6.12.0002.633 x86 on XPsp3).

I do have one problem though, a crash caused by the plugin on closing Olly, either alone or under Windbg. Doesn't matter whether a debugee is loaded or the LKD window is displayed.

Both the Olly built-in crash dump or Windbg point to the same instruction, a c0000005 error at the start of ODBG2_Pluginclose

.text:10001985 ODBG2_Pluginclose proc
.text:10001985 A1 84 43 00 10 mov eax, dword_10004384
.text:1000198A 8B 08 mov ecx, [eax] // Faulting instruction


Btw, a weird thing, I use VS2010 and initially named my plugin dll entry point as "DllEntryPoint", as the bookmark plugin example does. I then dutifully saved the HINSTANCE hdllinst for later use in creating a dialog box. The dialog box was never created and I tracked it down to the fact that "DllEntryPoint" was never called and HINSTANCE never saved. I then changed the name to "DllMain" and it was properly compiled and handled.

If you google around you'll see there are weird differences between "DllEntryPoint" and "DllMain" as used with different compilers. So if someone isn't getting what they expect from the plugin dll entry point, they might want to check this out. Sometimes wysiwyg isn't!

blabberer
September 28th, 2012, 02:02
uhm (to stress the technical validity and correctness of interpretation)

putting the olly_lkd into a separate plugin folder makes it load
it doesn't load if i dump the plugin file into the main olly dir
dbghelp tries to load decem.dll (IA64 disassembler dll module, and all is haywire from there); ollydbg doesn't come near this plugin at all with windbg
and the plugin in the main ollydbg dir. actually i had the cmkd.dll extension which had _except_4 (vista+ api); after removing it i find dbghelp is now trying to load Decem.dll and on failure whatever

yep i saw the DllMain weirdness too in an earlier plugin (iirc in the prefast clean vc 2010 symbol loader source i changed it from DllEntryPoint to DllMain) but in ollylkd since i am not using hdllinst i am not bitten by it yet
though i will change it

Code:

0:001> x OLLY_LKD!hdllinst
10004364 OLLY_LKD!hdllinst = 0x00000000
0:001> ? poi (OLLY_LKD!hdllinst)
Evaluate expression: 0 = 00000000
0:001> x OLLY_LKD!*dll*
1000141c OLLY_LKD!_pDefaultRawDllMain = 0x00000000
1000438c OLLY_LKD!__rawdllmain_called = 0n0
10004364 OLLY_LKD!hdllinst = 0x00000000
10004040 OLLY_LKD!__native_dllmain_reason = 0xffffffff
100046c0 OLLY_LKD!_pRawDllMain = 0x00000000
10002541 OLLY_LKD!DllMain (void *, unsigned long, void *)
10001cc0 OLLY_LKD!__DllMainCRTStartup (void *, unsigned long, void *)
10001f21 OLLY_LKD!_DllMainCRTStartup (void *, unsigned long, void *)
0:001> uf OLLY_LKD!DllMain
OLLY_LKD!DllMain [d:\5359\minkernel\crts\crtw32\startup\dllmain.c @ 50]: <------------ this gets compiled if you have DllEntryPoint()
50 10002541 33c0 xor eax,eax
55 10002543 40 inc eax
56 10002544 c20c00 ret 0Ch



yep there is a crash on close
Code:

OllyDbg version: 2.01.00 beta 2
Exception code: C0000005
Parameters: 00000000 00000000
Exception address: 10001992
Executable module: C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201ft\OLLY_LKD.dll


that is why i wanted to see what windbg shows

and it shows i don't have an interface to release

0:000> r
eax=00000000 ebx=00000000 ecx=01bf0000 edx=005bf67c esi=004099f8 edi=0013ef5c
eip=10001992 esp=0013db68 ebp=0013eef4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206

> 175: status = g_ControlUser->Release();

OLLY_LKD!ODBG2_Pluginclose+0x5:
10001992 8b08 mov ecx,dword ptr [eax] ds:0023:00000000=????????

thanks for testing and providing feedback

Kayaker
September 28th, 2012, 10:31
Aha (terminus technicus), now we're getting somewhere.

I see what you mean. It looks like Olly uses a short form of its plugin directory path that Windbg borks on. If you put a plugin, any plugin even bookmark, in the main Olly directory and point your plugin directory to say
C:\Ollydbg - without the trailing backslash
it will be stored in the ollydbg.ini file as:
Plugin directory=.

i.e., the path is described internally as just a dot, or the main Olly directory, which only Olly understands.

When Windbg gets involved it must try to resolve this path itself, and can't, and doesn't load the plugin.

If however you add a trailing backslash to the root plugin directory:
C:\Ollydbg\
it will be stored in the ollydbg.ini file as:
Plugin directory=.\

And for some reason Windbg handles this OK and the plugin loads. Weird.

blabberer
September 28th, 2012, 23:20
woot (spellarum hexitechum)

i see

still i don't understand why some dll that is in the path is pulled up and on failure UnInit is called

nice to know someone else can see the haze and me ain't made mad

Kayaker
September 29th, 2012, 00:08
Like you I also get an odd series of Windbg dlls loaded when it fails to find/load the plugin.

When correct, the sequence is DBGHELP.DLL -> bookmark.dll, and that's it, everything runs OK.

When incorrect, bookmark.dll is never loaded but instead you get loaded in order:
DBGHELP.DLL -> adplusext, dbgeng, dbgeng (yes twice), decem, srcsrv, symbolcheck, symsrv

blabberer
October 6th, 2012, 21:50
attached a version compiled against ollydbg version 201g released 4th oct

hopefully the crash on close should be gone

and both the user session and the kernel session should operate side by side and should be appreciably faster
than the earlier version

also tested with 6.2.9200.16384 drop of windbg dlls

does anyone find any use case for this contraption ?

i see tuts4you also hosts a copy of this plugin (teddy if you read this update the file)

olly_lkd compiled for version 2.01g released 4th oct 2012 attached below

Kayaker
October 7th, 2012, 22:21
Quote:
Originally Posted by blabberer
does anyone find any use case for this contraption ?


Out of curiosity, in general what commands are supported and which aren't? Several of the !bang commands I've tried seem to work OK, but some of the built in commands may or may not work.

For example, r(register), e(edit) and ~(thread) don't seem to work. t(trace) doesn't work, not too surprisingly I guess.
k(stack), you had to make ustk, which is good because Olly doesn't seem to have the old Stack window yet.

Is it because these are meant to act directly on the debugee therefore can't be used unless your plugin intervenes? And yet something like lm or dd work because they aren't intrusive to the debugee or act more on a system level?

blabberer
October 8th, 2012, 00:04
Quote:
Originally Posted by Kayaker
Out of curiosity, in general what commands are supported and which aren't?


in theory whatever is documented to work from LKD should work without flaw

it is what is documented not to work that i am trying to defy

so you wanted ~* you got it

though ollydbg has inbuilt support for threads



Quote:

but some of the built in commands may or may not work.


what does the ambiguous statement mean
it either works or it doesn't

Code:


switch (result)
case success:
what did work for you and is it documented to work ?
case black magic:
what did work for you and it is documented not to work
case failure:
what didn't work for you that is documented to work
case all_else:
put all your esoteric blah blah here



Quote:


I guess. k(stack), you had to make ustk,


oh you now have a more generic kb; i got rid of ustk. let's stick to windbg terminology,
not create new devils

Inbuilt LiveKd creates a snapshot of the system and works on it as you are well aware so i just let windbg (ie dbgeng) do all the work on behalf of me.

for DebugEng my plugin is windbg's LKD in this case

for the user mode case i take a convoluted route to attach to an already debugged debuggee (NON_INVASIVE_ATTACH)
(ollydbg debugging a debuggee and possibly paused so hopefully the state remains stable over several snapshots)
and try to grab the underlying @#$%. more rigorous testing and feedback might get me a bit more motivated

Code:


Log data
Address Message
. 0 Id: f48.f44 Suspend: 1 Teb: 7ffdf000 Unfrozen <-------------------- ~*
Start: msgbox!start (00401000)
Priority: 0 Priority class: 32 Affinity: 1

# ChildEBP RetAddr Args to Child
00 0013fb1c 7c940442 7ffdf000 7ffd7000 00000000 ntdll!DbgBreakPoint+0x1
01 0013fc94 7c9210af 0013fd30 7c900000 0013fce0 ntdll!LdrpInitializeProcess+0xffa <------------------------ kb not ustk
02 0013fd1c 7c90e457 0013fd30 7c900000 00000000 ntdll!_LdrpInitialize+0x183
03 00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7


**** NT ACTIVE PROCESS DUMP **** <---------------------- process 0 0
PROCESS 86dc69c8 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 002f4000 ObjectTable: e1000d18 HandleCount: 2635.
Image: System
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
PROCESS 85efbb78 SessionId: 0 Cid: 0f24 Peb: 7ffde000 ParentCid: 0e88
DirBase: 0fc40340 ObjectTable: e43f0fb8 HandleCount: 183.
Image: ollydbg.exe
PROCESS 8609c178 SessionId: 0 Cid: 0f48 Peb: 7ffd7000 ParentCid: 0f24
DirBase: 0fc40380 ObjectTable: e19f28b8 HandleCount: 5.
Image: msgbox.exe
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

PROCESS 8609c178 SessionId: 0 Cid: 0f48 Peb: 7ffd7000 ParentCid: 0f24 <------------------- process eproc 17 (ollydbg debuging msgbox)
DirBase: 0fc40380 ObjectTable: e19f28b8 HandleCount: 5.
Image: msgbox.exe
VadRoot 860e2b40 Vads 24 Clone 0 Private 45. Modified 0. Locked 0.
DeviceMap e2a52ce0
Token e139dcf8
ElapsedTime 00:01:13.890
UserTime 00:00:00.015
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 13588
QuotaPoolUsage[NonPagedPool] 960
Working Set Sizes (now,min,max) (385, 50, 345) (1540KB, 200KB, 1380KB)
PeakWorkingSetSize 385
VirtualSize 6 Mb
PeakVirtualSize 6 Mb
PageFaultCount 380
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 65
DebugPort 8602b178
Setting context for this process...


THREAD 85ed4da8 Cid 0f48.0f44 Teb: 7ffdf000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
SuspendCount 1
a88b97d4 SynchronizationEvent
Not impersonating
DeviceMap e2a52ce0
Owning Process 0 Image: <Unknown>
Attached Process 8609c178 Image: msgbox.exe
Wait Start TickCount 173262 Ticks: 975 (0:00:00:15.234)
Context Switch Count 44
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address msgbox!start (0x00401000)
Start Address kernel32!BaseProcessStartThunk (0x7c810705)
Stack Init a88ba000 Current a88b9758 Base a88ba000 Limit a88b7000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
GetContextState failed, 0x80004001
Unable to get current machine context, HRESULT 0x80004001
ChildEBP RetAddr Args to Child
a88b9770 80500cf0 85ed4e18 85ed4da8 804f9d72 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
a88b977c 804f9d72 00000000 85ed4da8 a88b97cc nt!KiSwapThread+0x46 (FPO: [0,0,0])
a88b97a4 80638fc4 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
a88b9884 8063a099 8609c178 00000000 a88b98bc nt!DbgkpQueueMessage+0x17c (FPO: [Non-Fpo])
a88b98a8 8063a1cb a88b98bc 00000001 a88b9d64 nt!DbgkpSendApiMessage+0x45 (FPO: [Non-Fpo])
a88b9934 804fcb42 a88b9d10 00000001 00000000 nt!DbgkForwardException+0x8f (FPO: [Non-Fpo])
a88b9cf4 8053e0a1 a88b9d10 00000000 a88b9d64 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
a88b9d5c 8053e7b1 0013fc94 7c90120f badb0d00 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
a88b9d5c 7c90120f 0013fc94 7c90120f badb0d00 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ a88b9d64)
0013fb1c 7c940442 7ffdf000 7ffd7000 00000000 ntdll!DbgBreakPoint+0x1 (FPO: [0,0,0])
0013fc94 7c9210af 0013fd30 7c900000 0013fce0 ntdll!LdrpInitializeProcess+0xffa (FPO: [Non-Fpo]) <--------------- kb results match
0013fd1c 7c90e457 0013fd30 7c900000 00000000 ntdll!_LdrpInitialize+0x183 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7

Kayaker
October 8th, 2012, 05:07
OK, now I get it. If it ain't going to work in livekd, it ain't going to work without black magic in the plugin. Fair enough.

Here's some feedback then, not that I'm deliberately trying to break it...

Successful attempt at writing to memory with LiveKD.exe. Fresh snapshot with msgbox.exe paused at msgbox dialog:

Code:

0: kd> !process 0 5 msgbox.exe

PROCESS 8984c020 SessionId: 0 Cid: 08a0 Peb: 7ffd9000 ParentCid: 0184
Image: msgbox.exe
THREAD 8980d730 Cid 08a0.0e1c Teb: 7ffdf000 Win32Thread: e12a2a48 WAIT

0: kd> .process 8984c020
Implicit process is now 8984c020

0: kd> dd 401000
00401000 0068006a

0: kd> eb 401000 90 90

0: kd> dd 401000
00401000 00689090


Attempt at doing same with plugin:

Code:

switch (result)
case success:
various;

case black magic:
working on it..

case failure:
Alt-F1
eb 401000 90 90

Log data, item 0
Message = ^ Memory access error in 'eb 401000 90 90'
break;



case all_else:

One thing I noticed with both LiveKD or OllyLKD vs a real debugging session with WinDbg:
You can change process context with .process (automatic to the debuggee with OllyLKD). A command like !peb will reflect that context.

However, the command
!process -1 0
which is supposed to show the current process points to a fake out. For OllyLKD that command returns Ollydbg.exe as the current process, even though other commands work as if the debuggee is the current process.

blabberer
October 8th, 2012, 13:20
i have a nagging doubt that you are misinterpreting LiveKD

so to be on the same platform as i am do this

on the physical host pc where you installed windbg (not a vm, not a second machine, not a cable connection, not 1394)
run msgbox.exe
open a command prompt on the same machine
cd to the windbg installation folder
type kd -kl
now do what you did earlier and compare if they match what you posted



C:\>cd "Program Files\Windows Kits\8.0\Debuggers\x86\

C:\Program Files\Windows Kits\8.0\Debuggers\x86>kd -kl

Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows XP 2600 x86 compatible target at (Mon Oct 8 23:52:17.078 2

lkd> !process 0 5 msgbox.exe

PROCESS 860b8c08 SessionId: 0 Cid: 0ed4 Peb: 7ffda000 ParentCid: 0188
cut----------------------------
THREAD 863e42c8 Cid 0ed4.0f80 Teb: 7ffdf000 Win32Thread: e13f1a80 WAIT


lkd> .process 860b8c08
Implicit process is now 860b8c08

lkd> dd 401000 iirc you at least need /p for correct data to be displayed

00401000 00000000 0040c9d7 0040d69d 0040d6a7

lkd> .process /p 860b8c08
Implicit process is now 860b8c08

lkd> dd 401000 l1
00401000 0068006a correct data

lkd> eb 401000 90 90
^ Memory access error in 'eb 401000 90 90'
lkd> dd 401000 l1

00401000 0068006a
lkd>




Quote:
Here's some feedback then, not that I'm deliberately trying to break it...

sure go ahead and break it black and blue; if it ain't
ready to be tortured then it can't even be called a beta version




Quote:
One thing I noticed with both LiveKD or OllyLKD vs a real debugging session with WinDbg:
You can change process context with .process (automatic to the debuggee with OllyLKD). A command like !peb will reflect that context.

However, the command
!process -1 0
which is supposed to show the current process points to a fake out. For OllyLKD that command returns Ollydbg.exe as the current process, even though other commands work as if the debuggee is the current process.

lkd> !process -1 0
PROCESS 8661f548 SessionId: 0 Cid: 0864 Peb: 7ffd4000 ParentCid: 0188
DirBase: 0fc80300 ObjectTable: e1140fb8 HandleCount: 67.
Image: windbg.exe

well i am successfully duplicating the default behaviour




complete spoiler


C:\>cd "Program Files\Windows Kits\8.0\Debuggers\x86\

C:\Program Files\Windows Kits\8.0\Debuggers\x86>kd -kl

Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows XP 2600 x86 compatible target at (Mon Oct 8 23:52:17.078 2
012 (UTC + 5:30)), ptr64 FALSE
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100216-1514
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
Debug session time: Mon Oct 8 23:52:17.234 2012 (UTC + 5:30)
System Uptime: 0 days 8:31:52.415
lkd> !process 0 5 msgbox.exe
PROCESS 860b8c08 SessionId: 0 Cid: 0ed4 Peb: 7ffda000 ParentCid: 0188
DirBase: 0fc80360 ObjectTable: e37e5430 HandleCount: 21.
Image: msgbox.exe
VadRoot 86bcdf68 Vads 45 Clone 0 Private 124. Modified 1. Locked 0.
DeviceMap e2ed5c08
Token e1cb5a80
ElapsedTime 00:11:19.046
UserTime 00:00:00.015
KernelTime 00:00:00.015
QuotaPoolUsage[PagedPool] 31764
QuotaPoolUsage[NonPagedPool] 1800
Working Set Sizes (now,min,max) (569, 50, 345) (2276KB, 200KB, 1380KB)
PeakWorkingSetSize 569
VirtualSize 16 Mb
PeakVirtualSize 16 Mb
PageFaultCount 620
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 155

THREAD 863e42c8 Cid 0ed4.0f80 Teb: 7ffdf000 Win32Thread: e13f1a80 WAIT


lkd> .process 860b8c08
Implicit process is now 860b8c08
lkd> dd 401000
00401000 00000000 0040c9d7 0040d69d 0040d6a7
00401010 0040d6f1 00000000 00000000 0040c911
00401020 0040d0db 00000000 00000000 00000000
00401030 00000000 5010a67b 00000000 00000002
00401040 0000001f 00006308 00005708 0040fa48
00401050 0040fa98 00000000 86808006 00808180
00401060 86031000 80828680 45050514 85854545
00401070 00000585 50803030 08008080 38272800
lkd> .process /p 860b8c08
Implicit process is now 860b8c08
lkd> dd 401000 l1
00401000 0068006a
lkd> eb 401000 90 90
^ Memory access error in 'eb 401000 90 90'
lkd> dd 401000 l1
00401000 0068006a
!process -1 0
PROCESS 863df020 SessionId: 0 Cid: 0f68 Peb: 7ffd9000 ParentCid: 0914
DirBase: 0fc80380 ObjectTable: e3e72de8 HandleCount: 42.
Image: kd.exe

lkd>


Kayaker
October 8th, 2012, 13:50
Actually I'm misinterpreting what you used for live kernel debugging. I was using LiveKD from Sysinternals, not Windbg kd -kl directly.

http://technet.microsoft.com/en-us/sysinternals/bb897415.aspx

There's a subtle difference between the two when issuing the 'eb' command. You're right, kd gives the same error message as the plugin, but LiveKD doesn't.

If you modify bytes with LiveKD it "appears" that the bytes have been changed. However if you check those bytes with kd or Softice, they actually appear *not* to have been changed, even though LiveKD leads you to believe the opposite.

In that case I'll use kd -kl for all future tests, /my bad

blabberer
October 8th, 2012, 14:26
Quote:
[Originally Posted by Kayaker;93367]Actually I'm misinterpreting what you used for live kernel debugging. I was using LiveKD from Sysinternals, not Windbg kd -kl directly.



I see. I haven't used that in ages; IIRC I read code was added to that LiveKd by Ken Johnson and/or Mathieu Suiche for handling some Hyper-V things.
Have you poked around that?

Oh, the byte modification looks bogus in that LiveKd.

I changed the msgbox return to spin infinitely (eb fe) and then clicked OK to close the msgbox. If the modification were written to the image I should have a
ghost msgbox in taskmanager, as I stopped executing ExitProcess.

After writing, to be double sure, I attached windbg to msgbox.exe, checked again, and I don't see the mod,

and sure enough my bp at ExitProcess hits like nothing ever happened.

Dump it, use kd -kl.


Code:



F:\windbg\LiveKd>livekd.exe

LiveKd v5.0 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2010 Mark Russinovich and Ken Johnson

Launching f:\windbg\kd.exe:

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available

Comment: 'LiveKD live system view'
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100216-1514
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
Debug session time: Sun Feb 13 08:04:57.897 17420 (UTC + 5:30)
System Uptime: 0 days 9:34:52.658
WARNING: Process directory table base 0FC80300 doesn't match CR3 0FC80380
WARNING: Process directory table base 0FC80300 doesn't match CR3 0FC80380
Loading Kernel Symbols
...............................................................
................................................................
.........
Loading User Symbols
............
Loading unloaded module list
..................
!process 0 5 msgbox.exe
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS

PROCESS 869a4ba8 SessionId: 0 Cid: 0f8c Peb: 7ffdd000 ParentCid: 0188
DirBase: 0fc80320 ObjectTable: e3e44208 HandleCount: 21.
Image: msgbox.exe
VadRoot 85fcb1f0 Vads 45 Clone 0 Private 124. Modified 0. Locked 0.
DeviceMap e2ed5c08
Token e36cfcf8
ElapsedTime 00:00:04.359
UserTime 00:00:00.015
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 31764
QuotaPoolUsage[NonPagedPool] 1800
Working Set Sizes (now,min,max) (570, 50, 345) (2280KB, 200KB, 1380KB)
PeakWorkingSetSize 570
VirtualSize 16 Mb
PeakVirtualSize 16 Mb
PageFaultCount 621
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 155

THREAD 860848f8 Cid 0f8c.099c Teb: 7ffdf000 Win32Thread: e3795008 WAIT


kd> .process 869a4ba8
Implicit process is now 869a4ba8
kd> u 401000
00401000 6a00 push 0
00401002 6800304000 push 403000h
00401007 6819304000 push 403019h
0040100c 6a00 push 0
0040100e e807000000 call 0040101a
00401013 6a00 push 0
00401015 e806000000 call 00401020
0040101a ff2508204000 jmp dword ptr ds:[402008h]
kd> eb 401013 0xeb 0xfe
kd> u 401000
00401000 6a00 push 0
00401002 6800304000 push 403000h
00401007 6819304000 push 403019h
0040100c 6a00 push 0
0040100e e807000000 call 0040101a
00401013 ebfe jmp 00401013 <----------------------------------- mod
00401015 e806000000 call 00401020 <---------------- if mod is ok this shouldn't fire in attached windbg but mod is bogus
0040101a ff2508204000 jmp dword ptr ds:[402008h]
kd>




Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00404000 C:\Documents and Settings\Admin\My Documents\ollydbg2beta\odbg201g\odbg201g\msgbox.exe
ModLoad: 7c900000 7c9b2000 C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 64d00000 64d3c000 C:\Program Files\Alwil Software\Avast5\snxhk.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\user32.dll
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\apphelp.dll
ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
(f8c.bf4): Break instruction exception - code 80000003 (first chance)
eax=7ffdd000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120e esp=003dffcc ebp=003dfff4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:001> ~*kb

0 Id: f8c.99c Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr Args to Child
0013fa74 7e419418 7e42770a 00000000 00000000 ntdll!KiFastSystemCallRet
0013faac 7e4249c4 00270204 00000000 00000001 user32!NtUserWaitMessage+0xc
0013fad4 7e43a956 7e410000 00163fa0 00000000 user32!InternalDialogBox+0xd0
0013fd94 7e43a2bc 0013fef0 00000000 ffffffff user32!SoftModalMessageBox+0x938
0013fee4 7e4663fd 0013fef0 00000028 00000000 user32!MessageBoxWorker+0x2ba
0013ff3c 7e4664a2 00000000 00163f20 00163f60 user32!MessageBoxTimeoutW+0x7a
0013ff70 7e450877 00000000 00403019 00403000 user32!MessageBoxTimeoutA+0x9c
0013ff90 7e45082f 00000000 00403019 00403000 user32!MessageBoxExA+0x1b
0013ffac 00401013 00000000 00403019 00403000 user32!MessageBoxA+0x45
0013fff0 00000000 00401000 00000000 78746341 msgbox!start+0x13 [msgbox.asm @ 18]

# 1 Id: f8c.bf4 Suspend: 1 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr Args to Child
003dffc8 7c951e40 00000005 00000004 00000001 ntdll!DbgBreakPoint
003dfff4 00000000 00000000 00000000 00000000 ntdll!DbgUiRemoteBreakin+0x2d
0:001> u 401000
msgbox!start [msgbox.asm @ 17]:
00401000 6a00 push 0
00401002 6800304000 push offset msgbox!MsgCaption (00403000)
00401007 6819304000 push offset msgbox!MsgBoxText (00403019)
0040100c 6a00 push 0
0040100e e807000000 call msgbox!MessageBoxA (0040101a)
00401013 6a00 push 0
00401015 e806000000 call msgbox!ExitProcess (00401020)
msgbox!MessageBoxA:
0040101a ff2508204000 jmp dword ptr [msgbox!_imp__MessageBoxA (00402008)]
0:001> g
(f8c.75c): Break instruction exception - code 80000003 (first chance)
eax=7ffdd000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120e esp=003dffcc ebp=003dfff4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:001> bp 401015
0:001> bl
0 e 00401015 0001 (0001) 0:**** msgbox!start+0x15
0:001> g
Breakpoint 0 hit
eax=00000001 ebx=7ffdd000 ecx=7c91005d edx=00040002 esi=00330035 edi=00340037
eip=00401015 esp=0013ffc0 ebp=0013fff0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
msgbox!start+0x15:
00401015 e806000000 call msgbox!ExitProcess (00401020)
0:000> dd esp
0013ffc0 00000000 7c817077 00340037 00330035
0013ffd0 7ffdd000 80544c7d 0013ffc8 860848f8
0013ffe0 ffffffff 7c839ad8 7c817080 00000000
0013fff0 00000000 00000000 00401000 00000000
00140000 78746341 00000020 00000001 0000249c
00140010 000000c4 00000000 00000020 00000000
00140020 00000014 00000001 00000006 00000034
00140030 00000114 00000001 00000000 00000000

blabberer
October 8th, 2012, 14:45
Oh, for fun and "fit" try this in olly_lkd:

.process /p /r
!vtop 0 401013
!db <phys addr>
!eb <phys addr>

and watch your msgbox in the ollydbg CPU window;
try clicking OK on the msgbox and watch the CPU;
pause ollydbg and watch EIP and the disassembly.




Log data
Address Message
X86VtoP: Virt
00401013
, pagedir
fc80380
X86VtoP: PAE PDPE
fc80380
-
0000000036353001
X86VtoP: PAE PDE
36353010
-
0000000027abf067
X86VtoP: PAE PTE
27abf008
-
000000002c99c025
X86VtoP: PAE Mapped phys
2c99c013
Virtual address 401013 translates to physical address 2c99c013.
#2c99c013 6a 00 e8 06 00 00 00 ff-25 08 20 40 00 ff 25 00 j.......%. @..%.
#2c99c013 eb fe e8 06 00 00 00 ff-25 08 20 40 00 ff 25 00 ........%. @..%.
^ Operation not supported in current debug session 'r'
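For anyone who wants to see what those X86VtoP lines are actually doing, here is an added example written for this editorial pass; it is not code from OLLY_LKD, dbgeng or any post in this thread. It walks the three-level PAE x86 page tables (PDPT -> PD -> PT) in plain C over a tiny constructed "physical memory" that holds only the three qwords the trace above read (PDPTE at fc80380, PDE at 36353010, PTE at 27abf008, values copied from the log), so it reproduces 401013 -> 2c99c013 offline. The function names, the fake memory reader and the not-present case are assumptions of the example; against a live target you would fetch each entry with !dq on the physical address instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed "physical memory": only the three qwords the !vtop trace on this
 * page read, with the values it printed. Any other address reads as absent. */
typedef struct { uint64_t pa; uint64_t val; } phys_qword_t;

static const phys_qword_t g_phys[] = {
    { 0x0fc80380ULL, 0x0000000036353001ULL }, /* PDPTE 0 (CR3 + 0*8)       */
    { 0x36353010ULL, 0x0000000027abf067ULL }, /* PDE 2  (0x36353000 + 2*8) */
    { 0x27abf008ULL, 0x000000002c99c025ULL }, /* PTE 1  (0x27abf000 + 1*8) */
};

/* Stand-in for a physical read (!dq <phys> in windbg); returns 0 if unmapped. */
static int read_phys_qword(uint64_t pa, uint64_t *out)
{
    size_t i;
    for (i = 0; i < sizeof g_phys / sizeof g_phys[0]; i++)
        if (g_phys[i].pa == pa) { *out = g_phys[i].val; return 1; }
    return 0;
}

#define PAE_P     (1ULL << 0)              /* present                */
#define PAE_RW    (1ULL << 1)              /* writable               */
#define PAE_PS    (1ULL << 7)              /* PDE: 2 MiB large page  */
#define PAE_ADDR  0x000ffffffffff000ULL    /* bits 51:12 of an entry */

int pae_entry_writable(uint64_t e) { return (e & PAE_RW) != 0; }

/* 32-bit PAE walk: 2 bits of PDPT index, 9 of PD index, 9 of PT index, 12 of
 * page offset. Returns 1 and fills *pa (and *leaf, the final PDE/PTE, if
 * non-NULL); returns 0 if a level is absent from our memory or has P clear. */
int pae_vtop(uint64_t cr3, uint32_t va, uint64_t *pa, uint64_t *leaf)
{
    uint64_t pdpte, pde, pte;
    uint64_t pdpt   = cr3 & ~0x1fULL;      /* PAE CR3 points at a 32-byte PDPT */
    unsigned pdpt_i = (va >> 30) & 0x3;
    unsigned pd_i   = (va >> 21) & 0x1ff;
    unsigned pt_i   = (va >> 12) & 0x1ff;

    if (!read_phys_qword(pdpt + pdpt_i * 8ULL, &pdpte) || !(pdpte & PAE_P))
        return 0;
    if (!read_phys_qword((pdpte & PAE_ADDR) + pd_i * 8ULL, &pde) || !(pde & PAE_P))
        return 0;
    if (pde & PAE_PS) {                    /* large page: no PT level */
        if (leaf) *leaf = pde;
        *pa = (pde & 0x000fffffffe00000ULL) | (va & 0x1fffffULL);
        return 1;
    }
    if (!read_phys_qword((pde & PAE_ADDR) + pt_i * 8ULL, &pte) || !(pte & PAE_P))
        return 0;
    if (leaf) *leaf = pte;
    *pa = (pte & PAE_ADDR) | (va & 0xfffULL);
    return 1;
}

int main(void)
{
    uint64_t pa = 0, leaf = 0;
    if (pae_vtop(0x0fc80380ULL, 0x00401013u, &pa, &leaf))
        printf("Virtual address 401013 translates to physical address %llx "
               "(leaf entry %llx, %s)\n",
               (unsigned long long)pa, (unsigned long long)leaf,
               pae_entry_writable(leaf) ? "R/W" : "read-only");
    else
        printf("401013: not present\n");
    return 0;
}
```

The leaf PTE 2c99c025 has P (bit 0), U/S (bit 2) and A (bit 5) set and R/W (bit 1) clear, i.e. the code page is mapped read-only for the process; `!eb` on the physical address writes the frame directly and never consults that mapping, which is why the physical-address route in the post above changes bytes that `eb 401013` refuses.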


blabberer
October 13th, 2012, 16:36
Hey, does someone have some experience with this IEnumString custom source?

And please no ATL, WTL, STL or zython that drank boost, no weird <>cEnum>< <> Enum *<>> **ppv,

plain old simple win32 or a smattering of understandable COM only, if possible.

All I am trying to do is a google-style edit box. I have successfully come to a point where I can use ACL_Multi,

but I can't piece together anything more than this.

If someone can take the posted code and implement a custom source inside it that would be great (a custom source shouldn't be stuck with predefined arrays).

What I look for is: if the user types in !p the edit box should show !psr, !peb, !process etc.; it shouldn't autocomplete unless selected,
and on being tabbed it should fill the edit control with the next choice (exactly like the windbg command window).

The following code works and it auto-suggests the file paths;
the commented-out AddItems and InsertItem seem to work too.

Most of the COM things have been lifted from here
http://msdn.microsoft.com/en-us/library/windows/desktop/hh127437%28v=vs.85%29.aspx
It is vague on the custom source part.

Code:


#include <stdio.h>
#include <windows.h>
#include <commctrl.h>
#include <Shlwapi.h>
#include <Objbase.h>
#include <Shldisp.h>
#include <ShlGuid.h>
#include <Shlobj.h>
HWND WINAPI CreateComboEx(void);
HWND CBhwnd;
BOOL WINAPI AddItems(HWND hwndCB)
{
COMBOBOXEXITEM cbei;
int iCnt;
typedef struct
{
LPTSTR pszText;
} ITEMINFO, *PITEMINFO;
ITEMINFO IInf[ ] =
{
{ "first"},
{ "second"},
{ "third"},
{ "fourth"},
{ "fifth"},
{ "sixth"},
{ "seventh"},
{ "eighth"},
{ "ninth"},
{ "tenth"},
{ "eleventh"},
{ "twelfth"},
{ "thirteenth"},
{ "fourteenth"},
{ "fifteenth"}
};
cbei.mask = CBEIF_TEXT;
for(iCnt=0;iCnt<15;iCnt++)
{
cbei.iItem = iCnt;
cbei.pszText = IInf[iCnt].pszText;
cbei.cchTextMax = lstrlen(IInf[iCnt].pszText) + 1; // was sizeof(pointer); CBEM_INSERTITEM ignores it, but keep it honest
if(SendMessage(hwndCB,CBEM_INSERTITEM,0,(LPARAM)&cbei) == -1)
return FALSE;
}
SetWindowPos(hwndCB,NULL,0,0,630,100,SWP_NOACTIVATE);
return TRUE;
}
BOOL WINAPI InsertItem(HWND hwndCB)
{
COMBOBOXEXITEM cbei;
cbei.mask = CBEIF_TEXT;
cbei.iItem = 0;
cbei.pszText = "fluffy";
cbei.cchTextMax = sizeof("fluffy"); // closing paren was missing in the posted listing
if(SendMessage(hwndCB,CBEM_INSERTITEM,0,(LPARAM)&cbei) == -1)
return FALSE;
SetWindowPos(hwndCB,NULL,0,0,620,100,SWP_NOACTIVATE);
return TRUE;
}
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
switch(msg)
{
case WM_CLOSE:
DestroyWindow(hwnd);
break;
case WM_COMMAND:
//InsertItem(CBhwnd);
break;
case WM_NOTIFY:
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hwnd, msg, wParam, lParam);
}
return 0;
}
int WINAPI WinMain (
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow
)
{
WNDCLASSEX wc;
MSG Msg;
HWND g_hwndMain;
wc.cbSize = sizeof(WNDCLASSEX);
wc.style = 0;
wc.lpfnWndProc = WndProc;
wc.cbClsExtra = 0;
wc.cbWndExtra = 0;
wc.hInstance = hInstance;
wc.hIcon = LoadIcon(NULL, IDI_APPLICATION);
wc.hCursor = LoadCursor(NULL, IDC_ARROW);
wc.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
wc.lpszMenuName = NULL;
wc.lpszClassName = "OllyLkdPluginClass";
wc.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
if(!RegisterClassEx(&wc))
{
MessageBox(
NULL,
"Window Registration Failed!",
"Error!",
MB_ICONEXCLAMATION | MB_OK
);
return 0;
}
g_hwndMain = CreateWindowEx(
WS_EX_CLIENTEDGE,
"OllyLkdPluginClass",
"OLLY_LKD_INPUT_WINDOW",
WS_OVERLAPPEDWINDOW ,
CW_USEDEFAULT,
CW_USEDEFAULT,
640,
60,
NULL,
NULL,
hInstance,
NULL
);
if (g_hwndMain == NULL)
{
MessageBox(
NULL,
"Window Creation Failed!",
"Error!",
MB_ICONEXCLAMATION | MB_OK
);
return 0;
}
ShowWindow(
g_hwndMain,
nCmdShow
);
UpdateWindow(
g_hwndMain
);
INITCOMMONCONTROLSEX icex;
icex.dwSize = sizeof(INITCOMMONCONTROLSEX);
icex.dwICC = ICC_USEREX_CLASSES;
InitCommonControlsEx(&icex);
CBhwnd = CreateWindowEx(
0,
WC_COMBOBOXEX,
NULL,
WS_BORDER | WS_VISIBLE | WS_CHILD | CBS_DROPDOWN | CBS_SORT,
0,
0,
620,
100,
g_hwndMain,
NULL,
hInstance,
NULL);
if (CBhwnd == NULL)
{
MessageBox(
NULL,
"Window Creation Failed!",
"Error!",
MB_ICONEXCLAMATION | MB_OK
);
return 0;
}
ShowWindow(
CBhwnd,
SW_SHOWDEFAULT
);
UpdateWindow(
CBhwnd
);
AddItems(CBhwnd);
CoInitialize(NULL);
IAutoComplete *pac;
IUnknown *punkSource;
HRESULT status;
IACList2 *pal2;
IObjMgr *pom;
if (( status = CoCreateInstance(
CLSID_AutoComplete,
NULL,
CLSCTX_INPROC_SERVER,
IID_PPV_ARGS(&pac))) != S_OK) {
MessageBox(NULL,"error","COC_acompl",NULL);
}
if((status = CoCreateInstance(
CLSID_ACLMulti,
NULL,
CLSCTX_INPROC_SERVER,
IID_PPV_ARGS(&pom)) ) !=S_OK) {
MessageBox(NULL,"error","COC_CLSID_ACLMulti",NULL);
}
if (( status = CoCreateInstance(
CLSID_ACListISF,
NULL,
CLSCTX_INPROC_SERVER,
IID_PPV_ARGS(&punkSource))) != S_OK) {
MessageBox(NULL,"error","COC_ACListISF",NULL);
}
if (( status = punkSource->QueryInterface(
IID_PPV_ARGS(&pal2)) ) == S_OK) {
pal2->SetOptions(ACLO_FILESYSONLY);
pal2->Release();
}
pom->Append(punkSource);
HWND cbeditcontrol = (HWND)SendMessage(CBhwnd,CBEM_GETEDITCONTROL,0,0);
if (( status = pac->Init(
cbeditcontrol,
pom,
NULL,
NULL
) ) !=S_OK) {
MessageBox(NULL,"error","pac2->Init",NULL);
}
IAutoComplete2 *pac2;
if (( status = pac->QueryInterface(
IID_PPV_ARGS(&pac2)) ) ==S_OK) {
pac2->SetOptions(ACO_AUTOSUGGEST);
pac2->Release();
}

pac->Release();
pom->Release();
punkSource->Release();
while(GetMessage(&Msg, NULL, 0, 0) > 0)
{
TranslateMessage(&Msg);
DispatchMessage(&Msg);
}
return Msg.wParam;
}



built with vs 2010
Code:

@CALL "C:\Program Files\Microsoft Visual Studio 10.0\VC\vcvarsall.bat" x86
cl /Zi comboboxex.cpp /link /release /debug kernel32.lib user32.lib comctl32.lib shlwapi.lib ole32.lib
pause


an output snap and src also attached

Kayaker
October 15th, 2012, 01:23
That's some crazy ass stuff there. Had a look at it tonight and couldn't quite figure out the custom implementation in pure C. You might have a look at this too, an autocompletion without using IEnumString:

http://msdn.microsoft.com/en-us/magazine/cc301412.aspx

The guy makes a good point:

Quote:
All we're talking about here is searching a list of strings for ones that match what the user typed. How hard could it be to write the code myself? One of the problems with modern programming is that no one wants to write code any more. Don't get me wrong, COM is great. But unless you already have an IEnumString handy, it seems way too much bother for autocompletion.

deepzero
October 16th, 2012, 10:36
Nice stuff, I'll give it a shot right now.

Can we have the full sources, though? :S

Also, may i ask where you got your information regarding the ms dbgeng? MSDN documentation is scarce at best...

d.

edit:
Ehm... can we have an idiot's guide on how to use this?
I booted my XPSP3 VM in kernel debug mode, installed the win7 x86 debugging tools, copied the required dlls over, but absolutely nothing happens when I pluck "!process 0 0 xxx.exe" into that string get form...

Kayaker
October 16th, 2012, 22:50
Blabberer can answer more than me, but one thing is to make sure symbols are loaded correctly, this is what worked for me.

You need to set _NT_SYMBOL_PATH in your system environment variables (Control Panel/System/Advanced/Environment Variable/User variables). This is usually
srv*c:\Symbols*http://msdl.microsoft.com/download/symbols

I find the easiest way to do that is to let SysInternals LiveKD do it automatically. The first time you load it it will set _NT_SYMBOL_PATH and download the basic symbols. You'll get the following folders in C:\Symbols:
ntdll.dll
ntdll.pdb
ntkrnlmp.pdb

While you've got LiveKD open you might as well load some other non-usermode symbols that might come in handy, with the commands
>ld win32k
>ld hal

Now you can close LiveKD.

Open Olly with the plugin and all Windbg files in place, again with a live internet connection to start. Disassemble something like notepad.exe so you'll get a full list of common symbols. There will be a one-time message from MS Internet Symbol Store for permission and you should get all the rest of the symbols such as kernel32, user32, etc. Now you can close the internet connection from your VM if you wish. Any further work will use the symbols from C:\Symbols.

Following this procedure I had no problems with most commands, as we've been discussing above.

blabberer
October 17th, 2012, 01:19
Quote:
[Originally Posted by deepzero;93456]nice stuff, i ll give it a shot right now.


thanks
Quote:

Can we have the full sources, though? :S


Do we need sources?
Quote:

Also, may i ask where you got your information regarding the ms dbgeng? MSDN documentation is scarce at best...

Oh, innumerable hours in front of windbg do help a bit to decipher the docs.

Quote:

edit:
ehm...can we have a idiots guide on how to use this?
I booted my XPSP3 vm in kernel debug mode, installed the win7 x86 debugging tools, copied the required dlls over, but absolutely nothing happens when i pluck "!process 0 0 xxx.exe" into that string get form...



Here is a consoleshot; hope it is self-explanatory.

Code:


C:\>md odbgbetat201g

C:\>cd odbgbetat201g

C:\odbgbetat201g>wget -c http://ollydbg.de/odbg201g.zip

HTTP request sent, awaiting response... 200 OK
Length: 1994529 (1.9M) [application/zip]
Saving to: `odbg201g.zip'

8% [==> ] 173,495 6.83K/s in 34s

2012-10-17 10:22:56 (4.97 KB/s) - Connection closed at byte 173495. Retrying.

--2012-10-17 10:22:57-- (try: 2) http://ollydbg.de/odbg201g.zip
HTTP request sent, awaiting response... 206 Partial Content
Length: 1994529 (1.9M), 1821034 (1.7M) remaining [application/zip]
Saving to: `odbg201g.zip'

100%[+++===================================>] 1,994,529 11.8K/s in 2m 32s

2012-10-17 10:25:31 (11.7 KB/s) - `odbg201g.zip' saved [1994529/1994529]


C:\odbgbetat201g>"c:\Program Files\7-Zip\7z.exe" x odbg201g.zip -y -oodbg201g

7-Zip 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18

Processing archive: odbg201g.zip

Extracting ollydbg.exe
Extracting dbghelp.dll

Everything is Ok

Files: 2
Size: 3593784
Compressed: 1994529

C:\odbgbetat201g>dir /b
odbg201g
odbg201g.zip

C:\odbgbetat201g>cd odbg201g

C:\odbgbetat201g\odbg201g>dir /s

Directory of C:\odbgbetat201g\odbg201g

17/10/2012 11:09 <DIR> .
17/10/2012 11:09 <DIR> ..
21/03/2008 03:44 1,061,944 dbghelp.dll
05/10/2012 00:02 2,531,840 ollydbg.exe
2 File(s) 3,593,784 bytes

Total Files Listed:
2 File(s) 3,593,784 bytes
2 Dir(s) 4,156,252,160 bytes free

C:\odbgbetat201g\odbg201g>del dbghelp.dll

C:\odbgbetat201g\odbg201g>dir /b
ollydbg.exe

C:\odbgbetat201g\odbg201g>copy f:\windbg612dlls\*.* .
f:\windbg612dlls\dbgeng.dll
Overwrite .\dbgeng.dll? (Yes/No/All): a
f:\windbg612dlls\dbghelp.dll
f:\windbg612dlls\ext.dll
f:\windbg612dlls\exts.dll
f:\windbg612dlls\kdexts.dll
f:\windbg612dlls\kext.dll
f:\windbg612dlls\ntsdexts.dll
f:\windbg612dlls\symsrv.dll
f:\windbg612dlls\uext.dll
f:\windbg612dlls\wdfkd.dll
10 file(s) copied.

C:\odbgbetat201g\odbg201g>md plugins

C:\odbgbetat201g\odbg201g>md udds

C:\odbgbetat201g\odbg201g>copy D:\Plugin_Template_For_ODBG_20001_WDK\alloldfiles
\OLLY_LKD\OLLY_LKD.dll .\plugins\.
1 file(s) copied.

C:\odbgbetat201g\odbg201g>ollydbg.exe < -- set plugin and udd dirs in ollydbg option and close ollydbg

C:\odbgbetat201g\odbg201g>ollydbg.exe <---- restart for directory changes to take effect

C:\odbgbetat201g\odbg201g>echo Log data <------------- plugin loaded
Log data

C:\odbgbetat201g\odbg201g>Address Message
'Address' is not recognized as an internal or external command,
operable program or batch file.

C:\odbgbetat201g\odbg201g> OllyDbg v2.01 (intermediate version - under
development!)

C:\odbgbetat201g\odbg201g> Installed plugins:
'Installed' is not recognized as an internal or external command,
operable program or batch file.

C:\odbgbetat201g\odbg201g> Ollydbg Local Kernel DBG Plugin (version 2
.00.01, file 'C:\odbgbetat201g\odbg201g\plugins\OLLY_LKD.dll')

C:\odbgbetat201g\odbg201g> Ollydbg Local Kernel DBG Plugin (version 2
.00.01, file 'C:\odbgbetat201g\odbg201g\plugins\OLLY_LKD.dll')




and here is the output

If it is the first time, it will take a few minutes for all the symbol resolution.
If you do not have some symbols it will connect to the net and may try to fetch symbols for every file (this process may take minutes too).

If you think you have a cache that is sufficient for basic uses and you want dbgeng not to spend time trying to retrieve symbols for
all and sundry,

and assuming you have a _NT_SYMBOL_PATH environment var set to, say, SRV*c:\symbols*\http:\\XXXXXXXXXXXXXXX,
open a command prompt,
cd to the ollydbg install directory,
type set _NT_SYMBOL_PATH=c:\symbols
(NO SRV**, no URL).
dbgeng will use that local cache and will not go to the internet to fetch useless symbol files which don't exist,
and loading will be dramatically (~10X to ~50X) faster.

Then from that command prompt do ollydbg.exe YourDebuggee.exe

This way you can have the cake and eat it too:

the original _NT_SYMBOL_PATH exists as it is for your regular uses;
this cmd prompt overrides the environment var for one session (beware: if you start anything else from this command prompt it will
have this curtailed environment only)
and no internet rides back and forth by dbgeng.

Code:


Log data
Address Message
*** WARNING: Unable to verify checksum for C:\odbgbetat201g\odbg201g\ollydbg.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\odbgbetat201g\odbg201g\ollydbg.exe -
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0013fff0 00000000 00401000 00000000 78746341 ollydbg+0x1000
PROCESS 860efb98 SessionId: 0 Cid: 034c Peb: 7ffd5000 ParentCid: 0d88
DirBase: 0fb003c0 ObjectTable: e319efb8 HandleCount: 18.
Image: ollydbg.exe
VadRoot 85e5e940 Vads 51 Clone 0 Private 349. Modified 0. Locked 0.
DeviceMap e2a1e090
Token e309ccf8
ElapsedTime 00:02:04.828
UserTime 00:00:00.031
KernelTime 00:00:00.593
QuotaPoolUsage[PagedPool] 58636
QuotaPoolUsage[NonPagedPool] 2040
Working Set Sizes (now,min,max) (5211, 50, 345) (20844KB, 200KB, 1380KB)
PeakWorkingSetSize 5230
VirtualSize 28 Mb
PeakVirtualSize 36 Mb
PageFaultCount 5251
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 513
DebugPort 86469a60
Setting context for this process...


THREAD 86095b28 Cid 034c.03e4 Teb: 7ffdf000 Win32Thread: e2f88008 WAIT
: (Executive) KernelMode Non-Alertable
SuspendCount 1
a895e7d4 SynchronizationEvent
Not impersonating
DeviceMap e2a1e090
Owning Process 0 Image: <Unknown>
Attached Process 860efb98 Image: ollydbg.exe
Wait Start TickCount 440343 Ticks: 1444 (0:00:00:22.562)
Context Switch Count 186 LargeStack
UserTime 00:00:00.015
KernelTime 00:00:00.000
Win32 Start Address ollydbg (0x00401000)
Start Address kernel32!BaseProcessStartThunk (0x7c810705)
Stack Init a895f000 Current a895e758 Base a895f000 Limit a895b000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
*** WARNING: Unable to verify checksum for C:\odbgbetat201g\odbg201g\ollydbg.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\odbgbetat201g\odbg201g\ollydbg.exe -
ChildEBP RetAddr Args to Child
a895e770 80500cf0 86095b98 86095b28 804f9d72 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
a895e77c 804f9d72 00000000 86095b28 a895e7cc nt!KiSwapThread+0x46 (FPO: [0,0,0])
a895e7a4 80638fc4 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
a895e884 8063a099 860efb98 00000000 a895e8bc nt!DbgkpQueueMessage+0x17c (FPO: [Non-Fpo])
a895e8a8 8063a1cb a895e8bc 00000001 a895ed64 nt!DbgkpSendApiMessage+0x45 (FPO: [Non-Fpo])
a895e934 804fcb42 a895ed10 00000001 00000000 nt!DbgkForwardException+0x8f (FPO: [Non-Fpo])
a895ecf4 8053e0a1 a895ed10 00000000 a895ed64 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
a895ed5c 8053e03a 0013fff0 00401000 badb0d00 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
a895eddc 80541e02 f73e8b85 8605caa8 00000000 nt!KiExceptionExit+0x172
a895ee40 004e92d9 0000adbc 00000000 00409b60 nt!KiThreadStartup+0x16
WARNING: Stack unwind information not available. Following frames may be wrong.
a895ef2c 7c910435 7c91043e 0013b208 00020024 ollydbg!Ordinal349+0xd82d
a895ef60 7c910460 7c980600 7c914049 7c91403c ntdll!RtlAcquirePebLock+0x28 (FPO: [Non-Fpo])
a895ef68 7c914049 7c91403c 00000208 0013b2ac ntdll!RtlReleasePebLock+0xf (FPO: [0,0,0])
a895ef6c 7c91403c 00000208 0013b2ac 0013b284 ntdll!RtlGetFullPathName_Ustr+0x736 (FPO: [Non-Fpo])
7c90e920 00000000 8bfc5557 458b0c5d 0440f708 ntdll!RtlGetFullPathName_Ustr+0x746 (FPO: [Non-Fpo])

blabberer
October 18th, 2012, 05:14
Quote:
[Originally Posted by Kayaker;93437]That's some crazy ass stuff there.
Yep, under-documented, vaguely worded crap with half-baked / non-compiling code samples.


Quote:

You might have a look at this too, an autocompletion without using IEnumString:

paul dilascia

I had looked at it earlier, but to be frank:
1) it is a vc6 project, won't convert
2) it has resources; vs express doesn't do resources
3) I hate stdafx and all the precompiled shit that accompanies it
4) I hate compiling multiple source files for one single tiny wee small example
does one really need 10 files for one fscking edit box?
5) and ........... and ............... and ............. and ...............

Quote:

The guy makes a good point:


Yes, I am exactly the kind of guy he describes;
I don't want to write code,
especially if it is GUI; I tend to run away screaming blue murder.

So I conjured up an 87-line single-file implementation that almost does what I looked for.

Code:


#include <windows.h>
#include <Shlobj.h>
#include <atlbase.h> // for vs express editions use wdk
#include <atlcom.h> // set INCLUDE=C:\WinDDK\7600.16385.1\inc\atl71;%INCLUDE%
LRESULT CALLBACK WndProc( HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam ) {
switch(msg)
{
case WM_CLOSE:
DestroyWindow(hwnd);
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc( hwnd, msg, wParam, lParam );
}
return 0;
}
int WINAPI WinMain ( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow ) {
UNREFERENCED_PARAMETER( lpCmdLine ); // W4 WX
UNREFERENCED_PARAMETER( hPrevInstance ); // W4 WX
WNDCLASSEX wc;
MSG Msg;
HWND g_hwndMain;
INITCOMMONCONTROLSEX icex;
HWND CBhwnd;
IAutoComplete *pac = NULL;
IObjMgr *pom = NULL;
IUnknown *ppEnum = NULL;
IAutoComplete2 *pac2 = NULL;
wc.cbSize = sizeof(WNDCLASSEX);
wc.style = 0;
wc.lpfnWndProc = WndProc;
wc.cbClsExtra = 0;
wc.cbWndExtra = 0;
wc.hInstance = hInstance;
wc.hIcon = LoadIcon(NULL, IDI_APPLICATION);
wc.hCursor = LoadCursor(NULL, IDC_ARROW);
wc.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
wc.lpszMenuName = NULL;
wc.lpszClassName = "OllyLkdPluginClass";
wc.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
LPOLESTR strings[] =
{
L"One", L"Two", L"Three", L"Orange", L"orangutan", L"oldBlunder",
L"Talisman",L"tapdancer", L"foo", L"fsck", L"faa", L"free", NULL
};
int arraysize = (int)(sizeof(strings) / sizeof(strings[0])) - 1; // entries before the NULL terminator (was sizeof(ULONG): x86-only)
RegisterClassEx(&wc);
g_hwndMain = CreateWindowEx( WS_EX_CLIENTEDGE, "OllyLkdPluginClass", "OLLY_LKD_INPUT_WINDOW",
WS_OVERLAPPEDWINDOW , CW_USEDEFAULT, CW_USEDEFAULT, 640, 60, NULL, NULL, hInstance, NULL );
ShowWindow( g_hwndMain, nCmdShow );
UpdateWindow( g_hwndMain );
icex.dwSize = sizeof(INITCOMMONCONTROLSEX);
icex.dwICC = ICC_USEREX_CLASSES;
InitCommonControlsEx( &icex );
CBhwnd = CreateWindowEx( 0, WC_COMBOBOXEX, NULL,
WS_BORDER | WS_VISIBLE | WS_CHILD | CBS_DROPDOWN | CBS_SORT,
0, 0, 620, 100, g_hwndMain, NULL, hInstance, NULL );
ShowWindow( CBhwnd, SW_SHOWDEFAULT );
UpdateWindow( CBhwnd );
CoInitialize( NULL ); //initialise all com objects before using com
typedef CComEnum<IEnumString, &IID_IEnumString, LPOLESTR, _Copy<LPOLESTR> > CComEnumString; // specialised typedef as defined in ccomenum docs
class CDummyModule : public CAtlExeModuleT<CDummyModule> {}; // declare a dummy module
CDummyModule _Module; // if no module crash at atlXX.c _pmodule->lock()
CComObject<CComEnumString> *pes = NULL;
CComObject<CComEnumString>::CreateInstance( &pes ); // an instance of ienumstr
CComPtr<CComEnumString> thEnum(pes);
pes->Init( &strings[0], &strings[arraysize], NULL, AtlFlagCopy ); //fill the strings
pes->QueryInterface( __uuidof(IUnknown), (void**)&ppEnum );
CoCreateInstance( CLSID_AutoComplete, NULL, CLSCTX_INPROC_SERVER, IID_PPV_ARGS(&pac));
CoCreateInstance( CLSID_ACLMulti, NULL, CLSCTX_INPROC_SERVER, IID_PPV_ARGS(&pom)); //using MULTI sources with IobjManager
pom->Append(ppEnum); // you can append as many sources as you want
HWND cbeditcontrol = (HWND)SendMessage(CBhwnd,CBEM_GETEDITCONTROL,0,0);
pac->Init( cbeditcontrol, pom, NULL, NULL );
pac->QueryInterface( IID_PPV_ARGS(&pac2));
pac2->SetOptions(ACO_AUTOSUGGEST);
pac2->Release();
pac->Release();
pom->Release();
ppEnum->Release();
while(GetMessage(&Msg, NULL, 0, 0) > 0) {
TranslateMessage(&Msg);
DispatchMessage(&Msg);
}
return Msg.wParam;
}



compile it with

Code:

@echo off
del *.exe
del *.obj
del *.pdb
@CALL "C:\Program Files\Microsoft Visual Studio 10.0\VC\vcvarsall.bat" x86
set INCLUDE=C:\WinDDK\7600.16385.1\inc\atl71;%INCLUDE%
set LIB=C:\WinDDK\7600.16385.1\lib\ATL\i386;%LIB%
cl /Zi /W4 /WX ComboWithIenumStr.cpp /link /release /debug kernel32.lib user32.lib comctl32.lib shlwapi.lib ole32.lib
pause
ComboWithIenumStr.exe


and you have

Kayaker
October 18th, 2012, 07:47
Quote:
[Originally Posted by blabberer;93482]
especially it is gui i tend to run away screaming blue murder


.. have noticed that ..

blabberer
October 18th, 2012, 13:03
ok you guys and gals can compile the source posted 2 threads up in wdk too have BHUN

Code:


:\>dir /b
ComboWithIenumStrWDK.cpp
makefile
preBuild.bat
sources

:\>fc ComboWithIenumStrWDK.cpp %vstestdir%\ComboWithIenumStr.cpp | grep differ
FC: no differences encountered

:\>type sources
TARGETNAME=ComboWithIenumStrWDK
TARGETTYPE=PROGRAM
UMTYPE=windows
UMENTRY=winmain
USE_MSVCRT=1
USE_ATL=1
LINKLIBS=$(SDK_LIB_PATH)\shell32.lib \
$(SDK_LIB_PATH)\ole32.lib \
$(SDK_LIB_PATH)\oleaut32.lib \
$(SDK_LIB_PATH)\comctl32.lib \
$(SDK_LIB_PATH)\uuid.lib
INCLUDES=$(INCLUDES); \
$(IFSKIT_INC_PATH); \
$(DDK_INC_PATH); \
..\inc
SOURCES=ComboWithIenumStrWDK.cpp\



:\>type preBuild.bat
pushd ..
@call C:\WinDDK\7600.16385.1\bin\setenv.bat C:\WinDDK\7600.16385.1\ fre x86 WXP
popd
build -bczg
:\>type makefile
!INCLUDE $(NTMAKEENV)\makefile.def
:\>preBuild.bat

:\>pushd ..
Launching OACR monitor
BUILD: Compile and Link for x86
BUILD: Start time: Thu Oct 18 23:33:40 2012
BUILD: Examining d:\plugin_template_for_odbg_20001_wdk\combowithienumstrwdk dire
ctory for files to compile.
d:\plugin_template_for_odbg_20001_wdk\combowithienumstrwdk Invalidating OACR
warning log for 'root:x86fre'
BUILD: Compiling and Linking d:\plugin_template_for_odbg_20001_wdk\combowithienu
mstrwdk directory
Configuring OACR for 'root:x86fre' - <OACR on>
_NT_TARGET_VERSION SET TO WINXP
Compiling - combowithienumstrwdk.cpp
Linking Executable - objfre_wxp_x86\i386\combowithienumstrwdk.exe
BUILD: Finish time: Thu Oct 18 23:33:47 2012
BUILD: Done

3 files compiled
1 executable built

:\>dir /b
buildfre_wxp_x86.log
ComboWithIenumStrWDK.cpp
makefile
objfre_wxp_x86
preBuild.bat
sources

:\>objfre_wxp_x86\i386\ComboWithIenumStrWDK.exe

:\>



Ps no returns checking / no error checking / no .............. and this code is Prefast clean and w4 wx clean pffffffffffffffffttttttttttttttttttttt

blabberer
October 30th, 2012, 06:35
All the windbg bang commands visible so far in this contraption do not use the ! bang; I provide it internally. Just type p and you should see all the bang commands that start with p, like process, psr, peb etc.
But I believe
I am leaking memory / all kinds of double release / double free / release without interface / all the cannot-go-wrong-gone-wrong bugs left inside.
Does someone have time to check this / make it crash / exploit / play no psled games with this contraption and gain system access from a guest account using this contraption?

Well, the thread seems to be quite popular, about 1700 views in the forum as far as blog forum posts go, so maybe ppl are interested;
maybe I would get back some feedback.

ps edit
If you download this to the desktop and run it by double clicking, it may run but not produce any output because it may use
dbgeng / dbghelp / exts.dll from the system32 folder,
so if you want to see output run it from a folder which has at least the windbg 6.12 version dlls and extensions;
best run it from the windbg installation folder.

Also, reports on whether it crashes finely in win7 / vista / win8 / and 2012 whatever versions are welcome.

Kayaker
October 31st, 2012, 23:31
How did you determine you're leaking memory? As far as I can tell with Process Explorer or Vmmap snapshots, it's behaving as advertised.

blabberer
November 1st, 2012, 10:14
Quote:
[Originally Posted by Kayaker;93577]How did you determine you're leaking memory? As far as I can tell with Process Explorer or Vmmap snapshots, it's behaving as advertised.



haha do you really believe i am capable of determining if i am leaking memory

i just wanted you readers to determine it