NtGlobalFlagPlugin for ollydbg


blabberer
June 3rd, 2005, 01:33
this plugin helps to log all the debugstrings that are emitted by the windows loader during the initialisation of the process

it can log the tls callbacks if any and the function that is called during the initialization

the plugin comes with source and some test samples

the whole story and download is here

hxxp://www.reversing.be/article.php?story=20050527190528983
edit xx to tt

blabberer
June 4th, 2005, 06:18
the plugin has been updated
it can now break on TlsCallbacks as well as Dll init routines

story here
hxxp://www.reversing.be/article.php?story=20050603193932184
edit xx to tt

TQN
June 5th, 2005, 04:20
Does it work with the HideDebugger plugin? On the ExeTools forum, I have discussed this issue.

blabberer
June 6th, 2005, 07:33
TQN
if you are talking about the thread using tls in olly
then it looks like you are reiterating the same points which were already pointed out to you in earlier replies by the topic starter
i don't see anything new being pointed out by you

or are you talking about some other thread? if yes some pointers would be helpful


here is a log that is generated by this plugin on the test sample that accompanies the package

Log data
Address Message
OllyDbg v1.10
Bookmarks sample plugin v1.06 (plugin demo)
Copyright (C) 2001, 2002 Oleh Yuschuk
Command line plugin v1.10
Written by Oleh Yuschuk
Hide Debugger v1.2.3f
Copyright (c) 2005 by Asterix
NtGlobalFlag Plugin v1.10
Dedicated to oleh yuschuk author of this Debugger
authored by stingduk
and thanks to Detten for cing my asm

File 'C:\Documents and Settings\Administrator\Desktop\NtGlobalFlagv1[1].1\NtGlobalFlagv1.1\testexe\mytestexe\mytls.exe'
New process with ID 00000B88 created
00401000 Main thread with ID 00000CAC created
00400000 Module C:\Documents and Settings\Administrator\Desktop\NtGlobalFlagv1[1].1\NtGlobalFlagv1.1\testexe\mytestexe\mytls.exe
10000000 Module C:\Documents and Settings\Administrator\Desktop\NtGlobalFlagv1[1].1\NtGlobalFlagv1.1\testexe\mytestexe\kernl.dll
77D40000 Module C:\WINDOWS\system32\USER32.dll
77F10000 Module C:\WINDOWS\system32\GDI32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C900000 Module C:\WINDOWS\system32\ntdll.dll
CRC changed, discarding .udd data
7C901230 System startup breakpoint
Hide Debugger <Failed to apply protection against TerminateProcess>
7C946E68 Debug string: [b88,cac] LDR: Real INIT LIST for process C:\Documents and Settings\Administrator\Desktop\NtGlobalFlagv1[1].1\NtGlobalFlagv1.1\testexe\mytestexe\mytls.exe pid 2952 0xb88
7C946E68 Debug string: [b88,cac] C:\WINDOWS\system32\GDI32.dll init routine 77F163CA
7C946E68 Debug string: [b88,cac] C:\WINDOWS\system32\USER32.dll init routine 77D50EB9
7C946E68 Debug string: [b88,cac] C:\Documents and Settings\Administrator\Desktop\NtGlobalFlagv1[1].1\NtGlobalFlagv1.1\testexe\mytestexe\kernl.dll init routine 10001000
7C946E68 Debug string: [b88,cac] LDR: GDI32.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: - Calling init routine at 77F163CA
7C946E68 Debug string: [b88,cac] LDR: USER32.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: - Calling init routine at 77D50EB9
7C946E68 Debug string: [b88,cac] LDR: kernl.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: - Calling init routine at 10001000
7C946E68 Debug string: LDR: Tls Callbacks Found. Imagebase 00400000 Tls 0040403E CallBacks 00404000
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00402000
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 0040201B
00401000 Program entry point
<---------------- snip ----------------------->
7C946E68 Debug string: LDR: Refcount msvcrt.dll (1)
7C946E68 Debug string: LDR: Refcount ADVAPI32.dll (1)
7C946E68 Debug string: LDR: Refcount RPCRT4.dll (1)
7C946E68 Debug string: LDR: Refcount ADVAPI32.dll (2)
7C946E68 Debug string: [b88,eac] LDR: Real INIT LIST for process C:\Documents and Settings\Administrator\Desktop\NtGlobalFlagv1[1].1\NtGlobalFlagv1.1\testexe\mytestexe\mytls.exe pid 2952 0xb88
7C946E68 Debug string: [b88,eac] C:\WINDOWS\system32\msvcrt.dll init routine 77C1F2A1
7C946E68 Debug string: [b88,eac] C:\WINDOWS\system32\RPCRT4.dll init routine 77E76284
7C946E68 Debug string: [b88,eac] C:\WINDOWS\system32\ADVAPI32.dll init routine 77DD70D4
7C946E68 Debug string: [b88,eac] C:\WINDOWS\system32\uxtheme.dll init routine 5AD71626
7C946E68 Debug string: [b88,eac] LDR: msvcrt.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException

<----------------------- snip ------------------------------>
7C946E68 Debug string: - Calling init routine at 5AD71626
7C946E68 Debug string: LDR: LdrLoadDll, loading uxtheme.dll from C:\Documents and Settings\Administrator\Desktop\NtGlobalFlagv1[1].1\NtGlobalFlagv1.1\testexe\mytestexe;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\Sys
7C946E68 Debug string: LDR: Refcount msvcrt.dll (2)
7C946E68 Debug string: LDR: Refcount ADVAPI32.dll (3)
7C946E68 Debug string: LDR: Refcount RPCRT4.dll (2)
7C946E68 Debug string: LDR: Refcount ADVAPI32.dll (4)
7C946E68 Debug string: LDR: Tls Callbacks Found. Imagebase 00400000 Tls 0040403E CallBacks 00404000
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00402000
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 0040201B
7C946E68 Debug string: LDR: Tls Callbacks Found. Imagebase 00400000 Tls 0040403E CallBacks 00404000
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00402000
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 0040201B
Thread 00000EAC terminated, exit code 0
7C946E68 Debug string: LDR: PID: 0xb88 finished - '"C:\Documents and Settings\Administrator\Desktop\NtGlobalFlagv1[1].1\NtGlobalFlagv1.1\testexe\mytestexe\mytls.exe"'
7C946E68 Debug string: LDR: Tls Callbacks Found. Imagebase 00400000 Tls 0040403E CallBacks 00404000
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00402000
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 0040201B
77E70000 Module C:\WINDOWS\system32\RPCRT4.dll
Process terminated, exit code 0
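As an added example (not the plugin's code and not part of anyone's post here), a small C parser over a few lines copied from the log above: it counts the DLL init-routine calls and, for each TLS callback address, how many times it fired and how many of those came before the program entry point, which is the point the log illustrates about TLS callbacks running ahead of the entry point and again on thread events. The function and type names are my own.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample: lines copied from the OllyDbg log above. */
static const char *const SAMPLE_LOG[] = {
    "7C946E68 Debug string: [b88,cac] C:\\WINDOWS\\system32\\GDI32.dll init routine 77F163CA",
    "7C946E68 Debug string: - Calling init routine at 77F163CA",
    "7C946E68 Debug string: LDR: Tls Callbacks Found. Imagebase 00400000 Tls 0040403E CallBacks 00404000",
    "7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00402000",
    "7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 0040201B",
    "00401000 Program entry point",
    "7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00402000",
    "7C946E68 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 0040201B",
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))
#define MAX_CALLBACKS 16
/* One TLS callback: total calls, and how many of them happened before the entry point. */
typedef struct { unsigned long addr; int calls; int before_entry; } TlsStat;
/* Hex value following key in line, or 0 when key is absent. */
static unsigned long hex_after(const char *line, const char *key) {
    const char *p = strstr(line, key);
    return p ? strtoul(p + strlen(key), NULL, 16) : 0;
}
static TlsStat *find_or_add(TlsStat *t, int *n, unsigned long addr) {
    int i;
    for (i = 0; i < *n; i++) if (t[i].addr == addr) return &t[i];
    if (*n >= MAX_CALLBACKS) return NULL;
    t[*n].addr = addr; t[*n].calls = 0; t[*n].before_entry = 0;
    return &t[(*n)++];
}
/* Walk the log: count "Calling init routine at" lines and tally each
   "Calling Tls Callback ... Function <addr>" line, noting whether the entry
   point was reached yet. Returns 0, or -1 on more than MAX_CALLBACKS addresses. */
int summarise_loader_log(const char *const *lines, int nlines,
                         TlsStat *out, int *nout, int *init_calls) {
    int i, seen_entry = 0;
    *nout = 0; *init_calls = 0;
    for (i = 0; i < nlines; i++) {
        TlsStat *s;
        if (strstr(lines[i], "Program entry point")) { seen_entry = 1; continue; }
        if (strstr(lines[i], "Calling init routine at ")) { (*init_calls)++; continue; }
        if (!strstr(lines[i], "Calling Tls Callback")) continue;
        s = find_or_add(out, nout, hex_after(lines[i], " Function "));
        if (!s) return -1;
        s->calls++;
        if (!seen_entry) s->before_entry++;
    }
    return 0;
}
```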

TQN
June 8th, 2005, 19:42
Hi oh me anon!
I took some time to test your plugin, and it does not work on my two machines: WinXP SP1 and Win2K Test Server. It shows the message box "strings are not equal" and the Assemble dialog shows at 77F708b6 with the command "jnz 77F8083C".
Regards,
TQN

blabberer
June 9th, 2005, 05:53
well i tested it in winxp-sp1, winxp, winxp-sp2, w2k all four service packs

i think you have disassemble in lower case option selected in
options --> debugging options--disasm (not on by default)
so StrCmpN from shlwapi.h is throwing that messagebox
as it is comparing with "JNZ " not "jnz "
maybe you could confirm if that is the problem

TQN
June 9th, 2005, 10:20
Hi oh me anon!
Yes, the problem is disassemble lowercase. If I uncheck the "Disassemble in lowercase" checkbox, your plugin runs fine.

blabberer
June 9th, 2005, 13:10
thanks for the confirmation TQN
so it runs well along with HideDebuggerPlugin active, i assume from your comment
probably i'll try to add strtoupper() or nest one more compare in between
to avoid this
thanks for testing

TQN
June 9th, 2005, 22:04
Hi oh me anon!
I took a look into your source code. Good source code! You call the StrCmpN function at 2 points. You can change the calls to StrCmpN to the strnicmp function in the C RTL, and you can remove the include of ShlWapi. I don't have C++Builder/BCC and I am too lazy to recompile it with VS.
Good plugin!
Regards,
TQN

TQN
June 10th, 2005, 04:40
I made the change from StrCmpN to strnicmp, created a VS .NET project and recompiled it. All things OK! But I found a small bug. I think it will not occur with the BCC++ compiler, but it happens with VC++. Two variables, int breakontlscallback and int breakondllinitrout, were not initialized at startup, so they will have random values. I changed them to:
int breakontlscallback = 0;
int breakondllinitrout = 0;
Thanks for your plugin!
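An added example, not the plugin's own source: blabberer's diagnosis above (StrCmpN comparing against "JNZ " fails once "Disassemble in lowercase" is on) shown as the case-sensitive check beside a case-insensitive one, with the two state variables zeroed explicitly as in TQN's fix and the jump target parsed from the "jnz 77F8083C" text TQN reported. The function names and the hand-written strnicmp replacement are my own.

```c
#include <stdlib.h>
#include <string.h>

/* Plugin state, explicitly zeroed as in TQN's fix (variable names from the thread). */
int breakontlscallback = 0;
int breakondllinitrout = 0;

/* Case-sensitive match, the behaviour of the original StrCmpN call: it fails
   as soon as OllyDbg's "Disassemble in lowercase" option is enabled. */
int is_jnz_case_sensitive(const char *disasm) {
    return strncmp(disasm, "JNZ ", 4) == 0;
}

/* ASCII case-insensitive compare, written out so the code does not depend on
   a particular C runtime's name for it (strnicmp, _strnicmp, strncasecmp). */
static int strnicmp_ascii(const char *a, const char *b, size_t n) {
    size_t i;
    for (i = 0; i < n; i++) {
        int ca = (unsigned char)a[i], cb = (unsigned char)b[i];
        if (ca >= 'a' && ca <= 'z') ca -= 'a' - 'A';
        if (cb >= 'a' && cb <= 'z') cb -= 'a' - 'A';
        if (ca != cb) return ca - cb;
        if (ca == '\0') return 0;
    }
    return 0;
}

/* Works whichever case OllyDbg is configured to disassemble in. */
int is_jnz_any_case(const char *disasm) {
    return strnicmp_ascii(disasm, "JNZ ", 4) == 0;
}

/* Target of a "JNZ xxxxxxxx" / "jnz xxxxxxxx" line as OllyDbg prints it:
   eight hex digits right after the mnemonic. Returns 0 when the text is not
   such an instruction, so a caller never patches on a mismatch. */
unsigned long jnz_target(const char *disasm) {
    char *end;
    unsigned long target;
    if (!is_jnz_any_case(disasm)) return 0;
    target = strtoul(disasm + 4, &end, 16);
    if (end != disasm + 12) return 0;
    return target;
}
```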

blabberer
June 11th, 2005, 06:50
thanks, it's nice to know the source compiles without problems in other compilers too