hello,

i 'm struggling to hook a plugin exported entry in ollydbg. the eproblem -- the module is loaded only when needed and unloaded instantly after execution (imprec). i tried to locate the getprocaddress followed the call into module but there are just two such a places, which only test the export entry presence discarding the address immediately ;(
with help of filemon i located place where plugin is executed (dunno if executed but file is accessed)

0043C9EA FF15 DCE14300 CALL NEAR [DWORD DS:43E1DC] ; kernel32.ResumeThread

which leads to int 2e which olly can't step-in, that may be the reason why it refused to stop at int 3 though i3 triggering was on and i placed bpt at the api start.. anybody would know how to hook to the api? (thanks)

Try the "break on new module" option in the debugging options, and then when the module of interest is loaded and you see it in the executable modules list, double click the module and place a breakpoint on execution of the exported entry. Once the other app calls it, you'll see where it got called from by examing the return address on the stack.

tried this first but it doesn't break, i think the problem is ollydbg lacking ability to go thru interrupt. (maybe i'm mistaked but i guess the plugin is executed during resumethread)

can you pm me a link to the app and where you need to place the bp?

also, did you try a normal olly breakpoint? If so, have you tried using a hardware breakpoint on execution instead ? I found times where olly wouldn't break, but a hardware breakpoint worked.

thanks, the host application is import reconstructor self (h**p://www.mackt.cjb.net), and the dll is own plugin i'm trying to debug -- for certain reason i can't use rundll32 but run imprec is required.

of course i tried as software as hw breakpoint as int3 (int3 handling is enabled), nothing works. my assumption is still that the plugin is executed by ResumeThread && everything inside int 2e is to ollydbg hidden ;-(

I'll have a look-see.

yet i send a sample to simulate plugin's export with place to break.

about the breakpoints iwasn't fully correct in fact i _didn't_ set any sw/hw breaks since it's impossible unless the module is loaded and i'm not able to catch the module in short time is executed. i don't have any further idea.