ODBG_Plugincmd problem


Robert
September 27th, 2005, 10:43
Hi there. I need your help to create a file from the ODBG_Plugincmd callback. When I use the CreateFile API from any other callback function (e.g. Plugininit), everything works fine.

But when I try to create a file from ODBG_Plugincmd, something goes wrong somewhere deep inside CreateFileA...

BTW, it always returns "CREATE_SUCCESS", but the file isn't actually created. Instead, a file named "C" (the first letter of the FileName parameter) is created in the OllyDbg install directory.

Thanks.

blabberer
September 27th, 2005, 11:54
Do you send your file name in the char *cmd param,
or is it independent of it?
Also, do you have an identifier that your plugin recognises and acts on,
or do you depend on the . (dot) (that's the command-line plugin's specific identifier)
and are trying to improve it by adding functions to it?
I can't visualize why CreateFile should fail.

Can you post some specific parts of your code?
I have recompiled the command-line plugin source several times, adding some specific boring tasks to it, and it didn't misbehave,
for example logging multiple data at one time to the log window on a specific conditional breakpoint:

int Expression()
origcode
addtolist(myspecific) <--
origcode

Now if I pass all these commands to the command-line plugin:
.? [blah]
.? eip
.? [esp+4]
.? [String [esp+0x0c]
.run

Olly would happily record all those on every supposed break.

And I know people who have tweaked this to
print a UnicodeString (PUNICODE_STRING structure),
all three members of it,
etc. etc.

Robert
September 27th, 2005, 12:41
Thanks, oh me anon

1. I'm getting the filename from t_module.path (after some modification of the extension, of course).

2. Yes, of course I have my own identifier.

3. Here is a piece of code:

ODBG_Plugincmd proc C uses EBX reason:dword, reg:ptr t_reg, cmd:ptr char

...
mov EBX, reg
assume EBX: ptr t_reg

invoke Findmodule, \
    [EBX].ip

mov ESI, EAX
assume ESI: ptr t_module

lea EDI, [ESI].path            ; EDI -> name of debugged module
mov ECX, MAX_PATH
xor AL, AL
cld
repnz scasb                    ; forward scan to the terminating zero

add ECX, 4
mov AL, '.'
std                            ; scan backwards for the extension dot (DF is left set)
repnz scasb
m2m dword ptr [EDI+2], '+gol'  ; change extension to "log+"

invoke CreateFileA, \
    addr [ESI].path, \
    GENERIC_WRITE, \
    NULL, \
    NULL, \
    CREATE_ALWAYS, \
    NULL, \
    NULL

It returns CREATE_SUCCESS, but the file "path\filename.log+" is not actually created. I'm sure there is no error with the "FileName" parameter; I've tried "addr fn", where fn is a valid ASCIIZ string declared in the data segment, e.g.

.data
fn db "C:\Program Files\DSTU\CTT\CTT.log+",0

- the same effect.

Robert
September 27th, 2005, 12:44
And the most important thing: all of the above constructs work fine from other callback functions (e.g. ODBG_Pluginaction, ODBG_Plugininit).

Robert
September 27th, 2005, 13:17
Oops... sorry. My fault. But it was a really stupid mistake...

I did a little reversing of the CreateFileA function and found something interesting: before calling CreateFileW inside CreateFileA (yes, CreateFileA is just a wrapper) it calls ntdll.RtlInitAnsiString. Inside this API it counts the length of the "FileName" parameter using... xor AL,AL / rep scasb, without cld. As you can see, I don't clear the D flag before calling (it is set after
...
mov AL, '.'
std
repnz scasb
...

in my source

Hmm... very interesting... Is it an "ntdll" bug, or is clearing the "D" flag before calling an API a documented feature?


p.s. mmm.... sorry again. Please move the topic to the heap.
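The direction-flag hazard Robert describes in his last post, reproduced as an added example (not code from the thread or from OllyDbg; all names below are the example's own). Both the Microsoft x86/x64 calling conventions and the System V ABI require DF to be clear on function entry and on return, so a callee such as RtlInitAnsiString is entitled to run REPNE SCASB without a CLD of its own: the missing CLD after the STD is the bug, not ntdll. The program below needs GCC or Clang on x86-64 (GNU inline assembly). callee_strlen plays the role of the DF-trusting callee; rewrite_ext_and_measure repeats the plugin's sequence (forward scan, STD, backward scan for the dot, patch the extension, call out) on a constructed sample path laid out behind sixteen zero bytes. Without the CLD the callee scans backwards, hits a guard zero after one byte and reports the path as a single character, which is the file named "C" from the first post.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for a callee that assumes DF is clear on entry, the way ntdll's
 * RtlInitAnsiString does: it measures the string with REPNE SCASB and never
 * executes CLD itself, because the x86 ABI promises DF == 0 at every call.
 */
static size_t callee_strlen(const char *s)
{
    const char *p = s;
    size_t cnt = (size_t)-1;            /* RCX: "unlimited" count */
    __asm__ volatile(
        "repne scasb"                   /* direction is whatever DF says */
        : "+D"(p), "+c"(cnt)
        : "a"(0)                        /* AL = 0: look for the terminator */
        : "cc", "memory");
    return ~cnt - 1;                    /* bytes examined, minus the NUL */
}

/*
 * Mirrors the plugin's sequence from the thread: forward scan to the NUL,
 * STD + backward scan for '.', patch the extension, then call into code that
 * assumes DF is clear. With do_cld == 0 the stale DF leaks into the callee,
 * as it leaked into CreateFileA -> RtlInitAnsiString in the post.
 * Assumes a three-character extension (true for the constructed sample).
 */
static size_t rewrite_ext_and_measure(char *path, int do_cld)
{
    char *end = path;
    size_t cnt = (size_t)-1;
    __asm__ volatile("cld\n\trepne scasb"
                     : "+D"(end), "+c"(cnt) : "a"(0) : "cc", "memory");
    /* end is one past the NUL, so end - 2 is the last character */
    char *dot = end - 2;
    cnt = (size_t)(end - path);
    __asm__ volatile("std\n\trepne scasb"
                     : "+D"(dot), "+c"(cnt) : "a"('.') : "cc", "memory");
    /* DF set: SCASB post-decrements, so the '.' is at dot + 1 */
    dot[2] = 'l';
    dot[3] = 'o';
    dot[4] = 'g';
    if (do_cld)
        __asm__ volatile("cld" ::: "cc");   /* the instruction the plugin lacked */
    size_t n = callee_strlen(path);
    __asm__ volatile("cld" ::: "cc");       /* restore the ABI invariant so the demo itself survives */
    return n;
}

/* Constructed sample: 16 zero guard bytes, then a Windows-style module path. */
static char g_buf[64];

static char *make_sample(void)
{
    memset(g_buf, 0, sizeof g_buf);
    strcpy(g_buf + 16, "C:\\app\\tool.exe");
    return g_buf + 16;
}

/* Runs the sequence on a fresh sample and returns what the callee measured. */
static size_t run_demo(int do_cld)
{
    return rewrite_ext_and_measure(make_sample(), do_cld);
}

/* The extension rewrite itself is correct either way; only the callee sees the bad DF. */
static int extension_rewritten(void)
{
    char *p = make_sample();
    rewrite_ext_and_measure(p, 1);
    return strcmp(p, "C:\\app\\tool.log") == 0;
}

int main(void)
{
    printf("with CLD before the call: callee sees %zu bytes\n", run_demo(1));
    printf("without CLD:              callee sees %zu bytes\n", run_demo(0));
    return 0;
}
```

Build with `cc -O2 -o dfdemo dfdemo.c` and run it: the first line reports 15 bytes, the second reports 1. The same invariant is why a plugin (or any hand-written routine) that uses STD must pair it with CLD before returning or calling anything, including the debugger's own Add*/Findmodule helpers.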