i put the dll and the folder i386 in my plugin folder, and in the ollydbg folder, and when i try to put a memory breakpoint on execution a error appear.

OLLYBONE ABORT:Kernel driver load returned staus 2

and fail

Any have this problem?

Thanks
Ricardo Narvaja

Hi Ricardo. It seems to work for me. I put the the dll and the sys file in my plugin directory and worked fine. Olly stopped at OEP.
To test it I removed all other plugins and only left the olybone plugin. I tested it with a UPX packed target. I used the original Olly.

Sorry my mistake. I forgot to remove hardware breakpoint I set previously. I still had one set at oep. It did not work for me as well

when you put the break on execute in a section , in M window you have the same error than i?

Ricardo

it work for me now, i put the content of the i386 folder in the olly folder and works perfect

Thanks for teh author
Ricardo

Ok. I will try this as well. Thanks for the tip

yes the program stop in the oep perfect but i canīt continue running the program, i quit the break on execute and pres f9 and the program terminate, is possible continue executing?

Ricardo

@@Ricardo Narvaja



option ->Exception->single-step break (uncheck)

but unchecked the program stop but when i press f9 or shift + f9 terminate and donīt run.

Ricardo

yes, i try again and work perfect without this mark thanks

Ricardo

will be useful if the break on execute can be removed from the right click menu of CPU window, and is not necesary enter to M window, the are program how asprotect execute a RETN in the first section is needed enter to M for remove, next trace enter again to M for put again, go till oep, and enter to M again for remove.

why canīt remove from the right click menu in cpu window.

Ricardo Narvaja

Doesn't work for me, either i put them in plugin folder or in olly folder. It always shows an error "Kernel driver load returned staus 2 " or shutdown windows with blue screen. I am using windows XP home SP2

look for the plugins installed put in a olly without plugins and try, if work, add the plugins one by one for look who is the incompatible plugin, some users tell me ollybone work only if you have ollydbg in C (i donīt know if this is true or not, try changing olly to C)

Ricardo

thanks Ricardo for the information, however it still doesn't work with original olly, no plugins but ollybone, and path C:\1.

Regards.

Hi

I've had that problem too. There is something peculiar about the InstDriver routine that is used. This is the common driver installation routine the rootkit guys seem to like to use for POC code. I've also had problems running FU rootkit, which uses the same routine, it gives an ImagePath error as well. To use/test it I've had to port the code over to my own driver framework which uses a slightly different installation procedure.

Try this - DELETE the registry entry for

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ollybone]

You can also delete, if you want,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OLLYBONE]

THEN try running the ollybone plugin again, from wherever you have the default plugin path.

Afterwards, there probably WON'T be a registry entry for the driver (even though there normally *should* be). When you first install Ollybone it seems to generate an incorrect ImagePath to the driver, and you're stuck forever afterwards unless you delete the registry entry. Manually changing the ImagePath doesn't seem to help. It may work if you have the dll in a "plugin" directory and the sys driver in the main OllyDbg directory, the *first* time it's installed, but it shouldn't have to work that way, that's why I think there's a fault in the code. Either way, Ollybone should hopefully run OK after this.

Kayaker

I had such error with my limited user account. After run olly under administrator account( login to admin, not "run as" ) all runs fine.

OLLYBONE bug:

when you put a BPM ON EXECUTE in a program with dlls loaded in lower parts of memory than the exe, OLLYBONE confuse and tell the message he cannot put BPM ON EXECUTE out of the main module, and you are putting the BPM in the main module of the exe.

look the image the grayed is the main section of the exe, and have 2 dlls in lower part of the memory this confuse ollybone, the plugin read the dlls and look for the minimum address and supose is the exe in this address.

For this reason ollybone can be easily fooled only loading a dll in lower part of the memory than the exe.

Ricardo Narvaja

For those that have problem with BSOD. I found this on authors site: