
OllyDbg Heap Vis Plug-in


pedram
June 1st, 2005, 14:12
You may have noticed the ghosted 'Heap' option under the 'View' menu in OllyDBG. The feature is available only under Windows 95-based OSes and is supposed to display a list of allocated memory blocks. The Olly Heap Vis plug-in was written to provide this functionality and more on all modern Windows OSes such as Windows 2000, XP and 2003. The OllyDbg Heap Vis plug-in exposes the following functionality:

- View Heaps
- Search Heaps
- Jump to Heap Chunk
- Create Heap Visualization

More information, screenshots and source code are available in the bundled archive hosted at:

http://www.idefense.com/iia/labs-software.jsp#olly_heap_vis

blabberer
June 2nd, 2005, 12:36
Hey pedram, it kinda freezes on my OllyDbg (w2k-sp4)??
Also, in a clean unzipped dir with only this plugin and the default cmdline plugin, it executes the debuggee. Not every debuggee, I mean: it doesn't execute Iczelion's tut-02, but I have some anti-debugged samples that I coded and it executes them. Yeah, I have the source, but still I thought it would be good to whine first before looking further.

blabberer
June 2nd, 2005, 13:00
OK, some update: it was continuously executing the thread, so I used Task Manager to kill the debuggee and my JIT OllyDbg popped up on the kill.

here is the call stack

Call stack of main thread
Address   Stack     Procedure / arguments                      Called from         Frame
0012E154  77EBA812  KERNEL32.77EBB49C                          KERNEL32.77EBA80D   0012E150
0012E184  10001C48  <JMP.&KERNEL32.CreateToolhelp32Snapshot>   olly_hea.10001C43   0012E180
0012E188  00000001  Flags = TH32CS_SNAPHEAPLIST
0012E18C  0000012C  ProcessID = 12C
0012E1E8  0049664B  Includes olly_hea.10001C48                 OLLYDBG.00496649    0012E200
0012E204  0043420F  OLLYDBG.004965E4                           OLLYDBG.0043420A    0012E200
0012F4F4  77E13EB0  Includes OLLYDBG.0043420F                  USER32.77E13EAD     0012F4F0
0012F514  77E1401A  ? USER32.77E13E98                          USER32.77E14015     0012F510
0012F518  004323D4  Arg1 = 004323D4
0012F51C  004801C0  Arg2 = 004801C0
0012F520  00000111  Arg3 = 00000111
0012F524  0000E0C0  Arg4 = 0000E0C0
0012F528  00000000  Arg5 = 00000000
0012F5A0  77E192DA  USER32.77E13F12                            USER32.77E192D5     0012F59C
0012F5AC  00439442  <JMP.&USER32.DispatchMessageA>             OLLYDBG.0043943D    0012FF88
0012F5B0  0012F5C0  pMsg = WM_COMMAND hw = 4801C0 ("OllyDbg - mytls.exe" Notify =
0012FF8C  004AD357  Includes OLLYDBG.00439442                  OLLYDBG.004AD354    0012FF88

Sorry for that unaligned display; maybe you can copy-paste it into Notepad and format it.

Anyway, it was looping on this SEH handler:
Log data, item 1156
Address=77EBB531
Message=Access violation in KERNEL32 ignored on request


The SEH chain:

SEH chain of main thread
Address   SE handler
0012F58C  USER32.77E61D49
0012FFB0  OLLYDBG.004A44B8
0012FFE0  KERNEL32.77EA13FD


If I Shift-F7, Shift-F8 or Shift-F9, it keeps looping on that "ignored on request".

The offending call seems to be olly_heap:
Includes olly_hea.10001C48

Well, it is primary, run-of-the-mill analysis at first sight, so if something is wrong from my end, I am sorry.

blabberer
June 2nd, 2005, 13:21
OK, it seems Heap32Next creates a thread:

77F9E76A E8 C2FA0000 CALL ntdll.RtlCreateUserThread

77F9E77C E8 3BE0FEFF CALL ntdll.ZwSetInformationThread

77F9E7AD E8 1D44FEFF CALL ntdll.ZwResumeThread

and this notification is caught by my DLL during DLL_THREAD_ATTACH, and it executes the code inside that, it seems.

Hope I am right.

Here is the call stack of your DLL loaded in OllyDbg, with OllyDbg debugging OllyDbg:
Call stack of main thread
Address   Stack     Procedure / arguments                      Called from                    Frame
0012E118  77F9E7B2  ? ntdll.ZwResumeThread                     ntdll.RtlQueryProcessDebugIn
0012E160  77EBAAE5  ? ntdll.RtlQueryProcessDebugInformation    KERNEL32.77EBAADF
0012E164  00000360  Arg1 = 00000360
0012E168  00000014  Arg2 = 00000014
0012E16C  000000E0  Arg3 = 000000E0
0012E184  10001DB7  <JMP.&KERNEL32.Heap32Next>                 olly_hea.10001DB2              0012E180
0012E188  03EF0000  pHeapentry = 03EF0000
0012E1E8  0049664B  Includes olly_hea.10001DB7                 OLLYDBG.00496649
0012E204  0043420F  OLLYDBG.004965E4                           OLLYDBG.0043420A
0012E208  00000000  Arg1 = 00000000
0012E20C  0000E080  Arg2 = 0000E080
0012E210  00000000  Arg3 = 00000000
0012F4F4  77E13EB0  OLLYDBG.004323D4                           USER32.77E13EAD                0012F4F0
0012F4F8  001B0250  Arg1 = 001B0250
0012F4FC  00000111  Arg2 = 00000111
0012F500  0000E080  Arg3 = 0000E080
0012F504  00000000  Arg4 = 00000000
0012F514  77E1401A  ? USER32.77E13E98                          USER32.77E14015                0012F510
0012F518  004323D4  Arg1 = 004323D4
0012F51C  001B0250  Arg2 = 001B0250
0012F520  00000111  Arg3 = 00000111
0012F524  0000E080  Arg4 = 0000E080
0012F528  00000000  Arg5 = 00000000
0012F5A0  77E192DA  USER32.77E13F12                            USER32.77E192D5                0012F59C
0012F5AC  00439442  <JMP.&USER32.DispatchMessageA>             OLLYDBG.0043943D               0012FF88
0012F5B0  0012F5C0  pMsg = WM_COMMAND hw = 1B0250 ("OllyDbg - mytls.exe" Notify
0012FF8C  004AD357  Includes OLLYDBG.00439442                  OLLYDBG.004AD354               0012FF88

pedram
June 2nd, 2005, 13:44
oh me anon,

Thanks for the QA testing. Weird, as I have never come across this. Anyone else seeing this issue? The only time I've had a problem is when the heap is corrupted, which can be expected as the plug-in relies on the Heap32xxx() API. In a future version I will move away from the API.

The issue could be OS-related, as within the OllyDbg help file you can find the following excerpt regarding heap enumeration:

"This API is not implemented on Windows NT and hangs OllyDbg on Windows 2000..."

However in my testing I never came across this issue with my plugin (win2k is not my primary platform however). Please drop me an e-mail directly with an example file that is causing issues so I can look into this further.

pedram.amini [at] gmail

Thanks again.

TQN
June 8th, 2005, 19:44
It hangs on my machine: WinXP SP1 and a Win2K test server.

TQN
June 10th, 2005, 09:33
Why did the forum say "Access denied" when I chose Edit my post?!!
Hi pedram!
Your plugin sometimes hangs or crashes on my machine when I click Create Heap Visualization.
With your source code, I rebuilt your plugin, debugged it, and I think I found the bug. The bug occurs in Browsefilename (or the olly_browse_filename function which you redefined). The char array "char filename[MAX_PATH]" was not initialized and contained garbage data. After I changed it to
"char filename[MAX_PATH] = { 0 };", the bug was fixed.
Regards,
TQN

pedram
June 10th, 2005, 23:21
TQN (and oh me anon),

Thank you both for the bug reports. I've fixed the "official" release:

http://www.idefense.com/iia/labs-software.jsp#olly_heap_vis

-pedram

blabberer
June 11th, 2005, 06:36
You mean for regular processes, not for exotic processes, don't you??
Yep, works for regular procs:
digraph heap_vis
{
graph
[
label = "Heap Vis",
fontname = "courier",
ratio = "compress",
];
}
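As an added example (not code from the Heap Vis plug-in or from anyone in this thread), the following C program ties the thread together: it takes heap chunks in the form Toolhelp's Heap32First/Heap32Next report them (pedram's post says the plug-in relies on that API), flags the overlapping-chunk case that a corrupted heap produces (the situation pedram says breaks the plug-in), and emits a Graphviz digraph in the style of the "digraph heap_vis" excerpt above. The Toolhelp walk itself is Windows-only and is compiled under _WIN32; the struct, function and sample names are ours, and the two sample chunk lists are constructed, not taken from a real process.

```c
/* Added example, not the Heap Vis plug-in's own code. Portable part: validate
 * a chunk list and emit DOT. Windows-only part: the Toolhelp walk that fills
 * such a list. Struct/field/function names here are our own. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { CHUNK_FIXED = 0x1, CHUNK_FREE = 0x2, CHUNK_MOVEABLE = 0x4 }; /* LF32_* */

typedef struct {
    uintptr_t address;   /* HEAPENTRY32.dwAddress   */
    size_t    size;      /* HEAPENTRY32.dwBlockSize */
    unsigned  flags;     /* HEAPENTRY32.dwFlags     */
} heap_chunk;

/* Index of the first chunk that starts before the previous one ends, or -1.
 * An overlap can only come from a bad block header. A gap is not reported:
 * it is normal where the walk crosses into another heap segment. */
long first_overlap(const heap_chunk *c, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (c[i].address < c[i - 1].address + c[i - 1].size)
            return (long)i;
    return -1;
}

static const char *chunk_state(unsigned flags) {
    if (flags & CHUNK_FREE)     return "free";
    if (flags & CHUNK_MOVEABLE) return "moveable";
    return "fixed";
}

/* Write the digraph into out; return bytes written (excluding the NUL) or -1
 * if out is too small. One node per chunk, an edge between neighbours, dashed
 * where the walk jumped over a gap so segment boundaries stand out. */
long heap_vis_dot(const heap_chunk *c, size_t n, char *out, size_t cap) {
    size_t len = 0;
#define EMIT(...) do { \
        int w_ = snprintf(out + len, cap - len, __VA_ARGS__); \
        if (w_ < 0 || (size_t)w_ >= cap - len) return -1; \
        len += (size_t)w_; } while (0)
    EMIT("digraph heap_vis\n{\n  graph [ label = \"Heap Vis\", "
         "fontname = \"courier\", ratio = \"compress\" ];\n");
    for (size_t i = 0; i < n; i++) {
        EMIT("  c%lu [ label = \"%08lx\\n%lu bytes\\n%s\" shape = box %s];\n",
             (unsigned long)i, (unsigned long)c[i].address,
             (unsigned long)c[i].size, chunk_state(c[i].flags),
             (c[i].flags & CHUNK_FREE) ? "style = dashed " : "");
        if (i > 0) {
            int gap = c[i].address != c[i - 1].address + c[i - 1].size;
            EMIT("  c%lu -> c%lu%s;\n", (unsigned long)(i - 1),
                 (unsigned long)i, gap ? " [ style = dashed ]" : "");
        }
    }
    EMIT("}\n");
#undef EMIT
    return (long)len;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
/* Walk the first heap of process pid via Toolhelp. Returns the number of
 * chunks seen (only the first cap are stored) or -1 on failure. As the call
 * stack posted above shows, Heap32Next is serviced by a thread created inside
 * the target, so the target's DLL_THREAD_ATTACH code runs during the walk. */
long walk_first_heap(DWORD pid, heap_chunk *chunks, size_t cap) {
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPHEAPLIST, pid);
    if (snap == INVALID_HANDLE_VALUE) return -1;
    HEAPLIST32 hl; hl.dwSize = sizeof hl;
    long n = -1;
    if (Heap32ListFirst(snap, &hl)) {
        HEAPENTRY32 he; he.dwSize = sizeof he;
        n = 0;
        if (Heap32First(&he, pid, hl.th32HeapID)) {
            do {
                if ((size_t)n < cap) {
                    chunks[n].address = (uintptr_t)he.dwAddress;
                    chunks[n].size    = (size_t)he.dwBlockSize;
                    chunks[n].flags   = he.dwFlags;
                }
                n++;
            } while (Heap32Next(&he));
        }
    }
    CloseHandle(snap);
    return n;
}
#endif

/* Constructed samples: a healthy walk with one segment boundary, and the same
 * walk with chunk 2 overlapping chunk 1, as a corrupted header would report. */
#define SAMPLE_N 4
static const heap_chunk sample_ok[SAMPLE_N] = {
    { 0x00150000, 0x40, CHUNK_FIXED }, { 0x00150040, 0x20, CHUNK_FREE },
    { 0x00150060, 0x80, CHUNK_FIXED }, { 0x00160000, 0x100, CHUNK_MOVEABLE } };
static const heap_chunk sample_bad[SAMPLE_N] = {
    { 0x00150000, 0x40, CHUNK_FIXED }, { 0x00150040, 0x20, CHUNK_FREE },
    { 0x00150050, 0x80, CHUNK_FIXED }, { 0x00160000, 0x100, CHUNK_MOVEABLE } };
static char dot_buf[4096];

int main(void) {
    printf("overlap at chunk %ld\n", first_overlap(sample_bad, SAMPLE_N));
    if (heap_vis_dot(sample_ok, SAMPLE_N, dot_buf, sizeof dot_buf) > 0)
        fputs(dot_buf, stdout);
    return 0;
}
```

Pipe the output into `dot -Tpng` to get a picture; a chunk that starts inside its predecessor is the case to stop on before trusting anything Heap32Next returns afterwards, which is also why walking a debuggee's heap through Toolhelp (and thereby running its DLL_THREAD_ATTACH code) is something to do deliberately rather than on every refresh.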