using breakpoints in a plugin
JH1
January 22nd, 2004, 16:33
Hi,
I am trying to write a simple plugin that logs calls to some of the functions exported by certain DLLs. I have got as far as capturing LOAD_DLL_DEBUG_EVENT events in ODBG_Pluginmainloop so I can check to see if the DLL contains the function I am interested in via GetProcAddress. I am unsure what to do next... if I set breakpoints, how does my plugin know when they are actually reached? (i.e. I couldn't find a callback function). And I don't want the user to have to resume from the breakpoint; I want this to be automatic. Does anyone have any suggestions?
Cheers
JH
psyCK0
January 22nd, 2004, 18:24
In
    extc void _export cdecl ODBG_Pluginmainloop(DEBUG_EVENT *debugevent)
do
    // only read the Exception member of the union for an exception event
    if (debugevent != NULL && debugevent->dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
        EXCEPTION_DEBUG_INFO edi = debugevent->u.Exception;
        if (edi.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT) {
            // Breakpoint reached
        }
    }
Then unset the BP and resume using Sendshortcut ..
I was thinking of incorporating this functionality in OllyScript; maybe we could cooperate?
JH1
January 23rd, 2004, 03:23
Thanks for the info, this is exactly what I was after. Didn't look into EXCEPTION_DEBUG_INFO events enough the first time.
I am still getting to grips with the OllyDbg plugin API, but I am all for collaboration to produce useful plugins. I'll knock up the DLL function logger, then post a copy; maybe you can cannibalise some of it for OllyScript.
Cheers
JH
JH1
January 23rd, 2004, 10:24
OK, I have run into more problems...
I am not so sure how to get the status of the registers at the point at which the breakpoint occurs. Once I have identified an EXCEPTION_BREAKPOINT, my pseudocode is as follows:
    t_thread *t = Findthread(debugevent->dwThreadId); // locate the thread record
    if (t == NULL) return;                           // unknown thread: nothing to read
    ulong esp = t->reg.r[REG_ESP];                   // get esp
    ulong eip = t->reg.ip;                           // get eip (t_reg keeps EIP in its own ip field, not in r[])
Well, EIP and ESP are always wrong. EIP is typically something in ntdll.dll (77f8ae5a - the retn from ZwMapViewOfSection) and ESP looks like it's several stack frames off.
Anyone have any suggestions? Is this a thread issue?
Cheers
JH
psyCK0
January 24th, 2004, 03:53
Try using Findthread(Getcputhreadid());
JH1
January 26th, 2004, 04:10
OK, I tried that and the same thing happens... if I look at:
debugevent->u.Exception.ExceptionRecord.ExceptionAddress
then this gives me the correct address (i.e. the breakpoint occurred where I expected it to); however, getting EIP either through Findthread(Getcputhreadid()) or Findthread(debugevent->dwThreadId) always gives me EIP in ntdll.dll. Typically ESP is a few stack frames off.
Any other ideas?
Thanks for your help
JH
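Pulling the replies above together as an added example (this is not code from the thread, and the OllyDbg calls it would wrap are only named in comments): a small C dispatcher that does what psyCK0 describes. It gates on dwDebugEventCode before touching the Exception union, checks for a first-chance EXCEPTION_BREAKPOINT, matches ExceptionAddress (the field JH1 found to be correct) against a table of hooked exports, and reads the return address and the first two arguments from the stopped thread's stack. The DEBUG_EVENT stand-in, the export address, the thread id and the stack image are constructed for the demo; the read32 callback stands in for OllyDbg's Readmemory().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;

/* Win32 debug-event constants (real values from <windows.h>). */
#define EXCEPTION_DEBUG_EVENT 1u
#define LOAD_DLL_DEBUG_EVENT  6u
#define EXCEPTION_BREAKPOINT  0x80000003u

/* Constructed stand-in for the DEBUG_EVENT fields the handler touches
   (assumption: a real plugin reads the Win32 DEBUG_EVENT itself). */
typedef struct {
    u32 event_code;   /* dwDebugEventCode */
    u32 thread_id;    /* dwThreadId */
    u32 exc_code;     /* u.Exception.ExceptionRecord.ExceptionCode */
    u32 exc_address;  /* u.Exception.ExceptionRecord.ExceptionAddress */
    int first_chance; /* u.Exception.dwFirstChance */
} dbg_event_t;

/* One logged export: module, name, address resolved at LOAD_DLL time, hit count. */
typedef struct { const char *dll, *name; u32 addr, hits; } hook_t;
#define MAX_HOOKS 32
typedef struct { hook_t h[MAX_HOOKS]; int n; } hooktab_t;

/* Target-memory reader; in the plugin this wraps Readmemory(). Returns 1 on success. */
typedef int (*read32_fn)(void *ctx, u32 addr, u32 *out);

int hook_add(hooktab_t *t, const char *dll, const char *name, u32 addr) {
    if (t->n >= MAX_HOOKS || addr == 0) return 0;   /* GetProcAddress failed: no hook */
    hook_t *h = &t->h[t->n++];
    h->dll = dll; h->name = name; h->addr = addr; h->hits = 0;
    return 1;
}

hook_t *hook_find(hooktab_t *t, u32 addr) {
    for (int i = 0; i < t->n; i++)
        if (t->h[i].addr == addr) return &t->h[i];
    return NULL;
}

/* Handle one debug event. esp is the stopped thread's ESP from the debugger's
   thread record. Returns 1 if this was a first-chance INT3 at one of our hooked
   exports and a log line was written; returns 0 for everything else so the
   caller leaves the event to OllyDbg (the system breakpoint in ntdll, user
   breakpoints and non-exception events must never be consumed). */
int on_debug_event(hooktab_t *t, const dbg_event_t *ev, u32 esp,
                   read32_fn read32, void *ctx, char *log, size_t loglen) {
    if (ev == NULL || ev->event_code != EXCEPTION_DEBUG_EVENT) return 0; /* u.Exception is garbage otherwise */
    if (ev->exc_code != EXCEPTION_BREAKPOINT || !ev->first_chance) return 0;
    hook_t *h = hook_find(t, ev->exc_address);  /* key on ExceptionAddress, not a cached EIP */
    if (h == NULL) return 0;
    h->hits++;
    /* At the callee's first instruction [ESP] is the return address and
       [ESP+4], [ESP+8] are the first two stack arguments (stdcall/cdecl). */
    u32 ret, a0, a1;
    if (!read32(ctx, esp, &ret) || !read32(ctx, esp + 4, &a0) || !read32(ctx, esp + 8, &a1)) {
        snprintf(log, loglen, "%s!%s hit #%u (tid %u): stack at %08X unreadable",
                 h->dll, h->name, (unsigned)h->hits, (unsigned)ev->thread_id, (unsigned)esp);
        return 1;
    }
    snprintf(log, loglen, "%s!%s hit #%u (tid %u) from %08X arg0=%08X arg1=%08X",
             h->dll, h->name, (unsigned)h->hits, (unsigned)ev->thread_id,
             (unsigned)ret, (unsigned)a0, (unsigned)a1);
    return 1;
}

/* Constructed 32-bit stack image standing in for the debuggee's memory. */
typedef struct { u32 base; u32 words[8]; } fake_stack_t;

static int fake_read32(void *ctx, u32 addr, u32 *out) {
    fake_stack_t *s = ctx;
    if ((addr & 3) || addr < s->base || addr + 4 > s->base + sizeof s->words) return 0;
    *out = s->words[(addr - s->base) / 4];
    return 1;
}

static char g_log[160];
const char *demo_log(void) { return g_log; }

/* Demo: one hit on a hooked export, one INT3 elsewhere, one DLL-load event.
   Returns the hook's hit count when only the first event was consumed, else -1. */
int demo(void) {
    hooktab_t tab = {0};
    hook_add(&tab, "KERNEL32", "CreateFileA", 0x7C801A28u); /* constructed address */
    fake_stack_t st = { 0x0012FF00u, { 0x00401234u, 0x00403010u, 0x80000000u, 0, 0, 0, 0, 0 } };
    dbg_event_t hit     = { EXCEPTION_DEBUG_EVENT, 0x5F4, EXCEPTION_BREAKPOINT, 0x7C801A28u, 1 };
    dbg_event_t foreign = { EXCEPTION_DEBUG_EVENT, 0x5F4, EXCEPTION_BREAKPOINT, 0x77F8AE5Au, 1 };
    dbg_event_t load    = { LOAD_DLL_DEBUG_EVENT,  0x5F4, 0, 0, 0 };
    int ours = on_debug_event(&tab, &hit, st.base, fake_read32, &st, g_log, sizeof g_log);
    int others = on_debug_event(&tab, &foreign, st.base, fake_read32, &st, g_log, sizeof g_log)
               + on_debug_event(&tab, &load,    st.base, fake_read32, &st, g_log, sizeof g_log);
    return (ours == 1 && others == 0) ? (int)tab.h[0].hits : -1;
}

int main(void) {
    int hits = demo();
    printf("%s\nhooked hits consumed: %d\n", demo_log(), hits);
    return hits == 1 ? 0 : 1;
}
```

Inside a plugin the return value is what decides the next step: for 1 the plugin logs, re-arms its breakpoint and resumes (the thread above uses Sendshortcut for that); for 0 the event is handed to OllyDbg untouched, which is what keeps the initial ntdll breakpoint and the user's own breakpoints working.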