
只是笔记而已——大神们直接不要看了

需要文件：ollydbgvc7.lib、Plugin.h

编译环境：VC6.0 即可

#include <windows.h> 
#include "Plugin.h" 
#pragma comment(lib,"ollydbgvc7.lib")

/* Name handed back by ODBG_Plugindata and used as the caption of the About
 * box. It has to fit the 32-byte shortname buffer ODBG_Plugindata receives. */
static char g_szPluginName[] = "Hello,world Panda! ";
/* Debugger main window, recorded in ODBG_Plugininit; owner of the About
 * MessageBox. */
static HWND g_hWndMain = NULL;
/* This DLL's own module handle, recorded in DllMain and passed to
 * Registerpluginclass. */
static HINSTANCE g_hModule = NULL;
/* Window class name: passed to Registerpluginclass (which presumably fills it
 * in), then used by CreateWindow and Unregisterpluginclass. */
static char g_szHelloClass[32];

/* Creates and shows the "Message" window of class g_szHelloClass. */
static HWND CreateHelloWindow(void);
/* Window procedure for g_szHelloClass: paints "Hello,world!" on WM_PAINT and
 * forwards every other message to DefWindowProc. */
LRESULT CALLBACK HelloWndProc(
							  HWND hWnd,
							  UINT msg,
							  WPARAM wParam,
							  LPARAM lParam);

/* DLL entry point. The only work done is remembering our own module handle
 * on process attach so that Registerpluginclass can be given it later.
 * Always reports success. */
BOOL APIENTRY DllMain(
					  HINSTANCE hModule,
					  DWORD reason,
					  LPVOID lpReserved)
{
	switch (reason)
	{
	case DLL_PROCESS_ATTACH:
		g_hModule = hModule;
		break;
	default:
		/* Thread attach/detach and process detach need nothing here. */
		break;
	}
	return TRUE;
}
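/* Plugin data export: copies the plugin's short name into the caller's
 * 32-byte buffer and returns PLUGIN_VERSION.
 *
 * The copy is bounded to the buffer size: the name is a compile-time string
 * today, but an unbounded strcpy would silently overflow shortname if it
 * ever grew past 31 characters. */
extc int _export cdecl ODBG_Plugindata(
									   char shortname[32])
{
	/* strncpy does not guarantee termination on truncation, so the last
	 * byte is terminated explicitly. */
	strncpy(shortname, g_szPluginName, 31);
	shortname[31] = '\0';
	return PLUGIN_VERSION;
}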

/* Plugin initialisation export.
 *
 * Rejects a debugger whose version is older than PLUGIN_VERSION, keeps the
 * debugger's main window handle, registers the window class used by
 * CreateHelloWindow and announces the plugin in the log window.
 *
 * Returns 0 on success, -1 on a version mismatch or when the class could not
 * be registered. The features argument is not used. */
extc int _export cdecl ODBG_Plugininit(
									   int ollydbgversion,
									   HWND hw,
									   ulong * features)
{
	if (ollydbgversion < PLUGIN_VERSION)
	{
		return -1;
	}

	g_hWndMain = hw;

	/* A negative result means no window class; without it CreateHelloWindow
	 * would have nothing to instantiate, so give up now. */
	if (Registerpluginclass(g_szHelloClass, NULL, g_hModule, HelloWndProc) < 0)
	{
		return -1;
	}

	Addtolist(0, 0, "Hello,World! v1.0");
	Addtolist(0, -1, " Copyright (C) 2010 Claud");
	return 0;
}

/* Plugin menu export.
 *
 * For the main menu (PM_MAIN) writes the two menu entries into data and
 * returns 1; for any other origin leaves data untouched and returns 0. The
 * leading numbers are the action ids matched by the case labels in
 * ODBG_Pluginaction. */
extc int _export cdecl ODBG_Pluginmenu(
									   int origin,
									   char data[4096],
									   void *item)
{
	if (origin != PM_MAIN)
	{
		return 0;
	}
	strcpy(data, "0 Hello | 1 About");
	return 1;
}

/* Plugin action export: dispatches a main-menu selection.
 *
 * Action 0 opens the hello window, action 1 shows the About box. Selections
 * from other menus (origin != PM_MAIN) and unknown action ids are ignored. */
extc void _export cdecl ODBG_Pluginaction(
										  int origin,
										  int action,
										  void *item)
{
	if (origin != PM_MAIN)
	{
		return;
	}

	switch (action)
	{
	case 0:
		CreateHelloWindow();
		break;
	case 1:
		MessageBox(g_hWndMain, "Writen by Panda", g_szPluginName, MB_OK);
		break;
	default:
		break;
	}
}

/* Plugin shutdown export: releases the window class that ODBG_Plugininit
 * registered. */
extc void _export cdecl ODBG_Plugindestroy(void)
{
	Unregisterpluginclass(g_szHelloClass);
}

/* Window procedure for the hello window.
 *
 * WM_PAINT: fills the client area with the button-face colour and draws
 * "Hello,world!" at (100,60), returning 0. Every other message is passed to
 * DefWindowProc. */
LRESULT CALLBACK HelloWndProc(
							  HWND hWnd,
							  UINT msg,
							  WPARAM wParam,
							  LPARAM lParam)
{
	static const char szText[] = "Hello,world!";
	PAINTSTRUCT ps;
	RECT rcClient;
	HBRUSH hBackground;
	HDC hdc;

	if (msg != WM_PAINT)
	{
		return DefWindowProc(hWnd, msg, wParam, lParam);
	}

	hdc = BeginPaint(hWnd, &ps);
	GetClientRect(hWnd, &rcClient);
	/* Paint the background first so the text sits on the usual dialog grey. */
	hBackground = CreateSolidBrush(GetSysColor(COLOR_BTNFACE));
	FillRect(hdc, &rcClient, hBackground);
	/* sizeof - 1 drops the terminator; same count strlen gave before. */
	TextOut(hdc, 100, 60, szText, sizeof szText - 1);
	DeleteObject(hBackground);
	EndPaint(hWnd, &ps);
	return 0;
}

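/* Creates, shows and repaints the "Message" window of class g_szHelloClass.
 *
 * Returns the new window handle, or NULL when CreateWindow fails (for
 * example because the class was never registered). The original version
 * passed a NULL handle straight on to ShowWindow/UpdateWindow. */
static HWND CreateHelloWindow(void)
{
	HWND hw = CreateWindow(
		g_szHelloClass,
		"Message",
		WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU,
		400, 400, 300, 200,
		NULL,
		NULL,
		(HINSTANCE)Plugingetvalue(VAL_HINST),
		NULL);
	if (hw == NULL)
	{
		return NULL;
	}
	ShowWindow(hw, SW_SHOWNORMAL);
	UpdateWindow(hw);
	return hw;
}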





下面分析一下 OllySSEH 这个 OD 插件，原版本为 DLL。

这里将其源码改写为控制台程序。

#include "stdafx.h"
#include <Windows.h>
#include <Tlhelp32.h>

/* True when the s1-byte object at p1 lies entirely inside the s2-byte buffer
 * that starts at p2. This is plain pointer arithmetic: an oversized s1 taken
 * from the inspected image can wrap p1 + s1 around, so sizes and offsets read
 * from the target process must be sanity-checked before relying on it. */
#define IS_CONTAINED(p1,s1,p2,s2)( ( (LPBYTE)(p1) >= (p2) ) && ( (LPBYTE)(p1) +  (s1) ) <= ( (LPBYTE) (p2) + (s2) ) )

/* Result codes of CheckSafeSEH. */
#define PluginError -3        /* a local malloc failed */
#define NOSEH -2              /* IMAGE_DLLCHARACTERISTICS_NO_SEH is set */
#define ERROR_READING_SEH -1  /* headers could not be read or are malformed */
#define SAFESEH_OFF 0         /* no handler table in the Load Config directory */
#define SAFESEH_ON 1          /* SEHandlerTable present and readable */


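/*
 * Decide whether one module of a running process was linked with /SAFESEH by
 * walking its in-memory PE headers.
 *
 *   lpmoduleentry32  module as enumerated by Module32First/Module32Next;
 *                    th32ProcessID, modBaseAddr and modBaseSize are used.
 *
 * Returns SAFESEH_ON when the Load Config directory carries a SEHandlerTable
 * that could be read, SAFESEH_OFF when there is no Load Config directory or
 * no handler table, NOSEH when IMAGE_DLLCHARACTERISTICS_NO_SEH is set,
 * ERROR_READING_SEH when the headers cannot be read or are malformed, and
 * PluginError when a local allocation fails.
 *
 * Only PE32 (32-bit) images are understood; PE32+ images are reported as
 * ERROR_READING_SEH because their Load Config layout differs. Everything read
 * out of the target process is untrusted and is range-checked against
 * modBaseSize before being used as an offset or a size.
 *
 * Fixes relative to the original: MODULEENTRY32.dwSize is the size of the
 * structure, not of the module, so it was the wrong bound for the header
 * read (modBaseSize is the module size); the OpenProcess handles were never
 * closed; lpHead leaked when the Load Config malloc failed; the handler table
 * buffer leaked on the success path; e_lfanew was used as an offset before it
 * was bounds-checked; and SEHandlerCount * sizeof(DWORD) was not checked for
 * overflow.
 */
int CheckSafeSEH(LPMODULEENTRY32 lpmoduleentry32)
{
	int                           retval   = ERROR_READING_SEH;
	HANDLE                        hProcess = NULL;
	DWORD                         *lpHTable = NULL;
	IMAGE_DOS_HEADER              dosh;
	IMAGE_NT_HEADERS32            nth;
	IMAGE_LOAD_CONFIG_DIRECTORY32 lcd;
	PIMAGE_DATA_DIRECTORY         lpDD;
	LPBYTE                        lpBase;
	DWORD                         cbModule;
	DWORD                         cbLCD;
	ULONG_PTR                     tableOffset;
	SIZE_T                        cbTable;

	if (!lpmoduleentry32 || !lpmoduleentry32->modBaseAddr)
	{
		return ERROR_READING_SEH;
	}
	lpBase   = lpmoduleentry32->modBaseAddr;
	cbModule = lpmoduleentry32->modBaseSize;

	// One handle for all reads, released on every exit path.
	hProcess = OpenProcess(PROCESS_VM_READ, FALSE, lpmoduleentry32->th32ProcessID);
	if (!hProcess)
	{
		return ERROR_READING_SEH;
	}

	// DOS header. e_lfanew is bounded against the module size before it is
	// used as an offset, so a hostile image cannot send us outside the module.
	if (cbModule < sizeof nth ||
		!ReadProcessMemory(hProcess, lpBase, &dosh, sizeof dosh, NULL) ||
		dosh.e_magic != IMAGE_DOS_SIGNATURE ||
		dosh.e_lfanew < 0 ||
		(DWORD)dosh.e_lfanew > cbModule - sizeof nth)
	{
		goto cleanup;
	}

	// NT headers: must be a PE32 image for the Load Config layout used below.
	if (!ReadProcessMemory(hProcess, lpBase + dosh.e_lfanew, &nth, sizeof nth, NULL) ||
		nth.Signature != IMAGE_NT_SIGNATURE ||
		nth.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
	{
		goto cleanup;
	}

	if (nth.OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_SEH)
	{
		retval = NOSEH;
		goto cleanup;
	}

	// Without a Load Config directory there can be no handler table.
	if (nth.OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
	{
		retval = SAFESEH_OFF;
		goto cleanup;
	}
	lpDD = &nth.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG];
	if (lpDD->VirtualAddress == 0)
	{
		retval = SAFESEH_OFF;
		goto cleanup;
	}

	// Read no more than the directory declares and no more than we can hold:
	// newer SDKs define a much longer IMAGE_LOAD_CONFIG_DIRECTORY32 than older
	// images carry, and reading past the real directory can fail on a page
	// boundary. A directory too short to reach SEHandlerCount cannot describe
	// a handler table.
	cbLCD = lpDD->Size < sizeof lcd ? lpDD->Size : (DWORD)sizeof lcd;
	if (cbLCD < FIELD_OFFSET(IMAGE_LOAD_CONFIG_DIRECTORY32, SEHandlerCount) + sizeof lcd.SEHandlerCount)
	{
		retval = SAFESEH_OFF;
		goto cleanup;
	}
	if (lpDD->VirtualAddress >= cbModule || cbLCD > cbModule - lpDD->VirtualAddress)
	{
		goto cleanup;
	}
	ZeroMemory(&lcd, sizeof lcd);
	if (!ReadProcessMemory(hProcess, lpBase + lpDD->VirtualAddress, &lcd, cbLCD, NULL))
	{
		goto cleanup;
	}

	if (lcd.SEHandlerTable == 0)
	{
		retval = SAFESEH_OFF;
		goto cleanup;
	}
	// A table with zero entries is still a SafeSEH image (it simply registers
	// no handlers); there is nothing to read.
	if (lcd.SEHandlerCount == 0)
	{
		retval = SAFESEH_ON;
		goto cleanup;
	}

	// SEHandlerTable is an absolute VA: it must lie inside the module, and the
	// entry count is bounded before the byte size is formed so the
	// multiplication cannot wrap.
	if (lcd.SEHandlerTable < (ULONG_PTR)lpBase)
	{
		goto cleanup;
	}
	tableOffset = lcd.SEHandlerTable - (ULONG_PTR)lpBase;
	if (tableOffset >= cbModule ||
		lcd.SEHandlerCount > (cbModule - tableOffset) / sizeof(DWORD))
	{
		goto cleanup;
	}
	cbTable = (SIZE_T)lcd.SEHandlerCount * sizeof(DWORD);

	lpHTable = (DWORD *)malloc(cbTable);
	if (!lpHTable)
	{
		retval = PluginError;
		goto cleanup;
	}
	// The entries are not inspected; a successful read is the evidence that
	// the table really exists at the advertised address.
	if (!ReadProcessMemory(hProcess, (LPCVOID)(ULONG_PTR)lcd.SEHandlerTable, lpHTable, cbTable, NULL))
	{
		goto cleanup;
	}
	retval = SAFESEH_ON;

cleanup:
	free(lpHTable);
	CloseHandle(hProcess);
	return retval;
}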

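/*
 * Enumerate the modules of one process and print each module's SafeSEH
 * status as reported by CheckSafeSEH.
 *
 * The process id is taken from argv[1] when supplied; otherwise the id the
 * original listing hard-coded is used. Returns 0 on success and 1 when the
 * argument is not a positive number, the snapshot cannot be taken, or it
 * holds no modules.
 *
 * Fixes relative to the original: the snapshot handle was never checked
 * against INVALID_HANDLE_VALUE nor closed, Module32First's result was
 * ignored, and printf("%ws") only matched the Unicode build although
 * szModule is TCHAR[].
 */
int _tmain(int argc, _TCHAR* argv[])
{
	DWORD         pid = 12172;   /* default kept from the original listing */
	HANDLE        hSnapshot;
	MODULEENTRY32 moduleentry32;

	if (argc > 1)
	{
		_TCHAR *end = NULL;
		unsigned long parsed = _tcstoul(argv[1], &end, 10);
		if (end == argv[1] || *end != _T('\0') || parsed == 0)
		{
			_ftprintf(stderr, _T("usage: %s [pid]\n"), argv[0]);
			return 1;
		}
		pid = (DWORD)parsed;
	}

	// Failure is INVALID_HANDLE_VALUE, not NULL.
	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
	if (hSnapshot == INVALID_HANDLE_VALUE)
	{
		_ftprintf(stderr, _T("CreateToolhelp32Snapshot(%lu) failed, error %lu\n"), pid, GetLastError());
		return 1;
	}

	ZeroMemory(&moduleentry32, sizeof moduleentry32);
	moduleentry32.dwSize = sizeof moduleentry32;
	if (!Module32First(hSnapshot, &moduleentry32))
	{
		CloseHandle(hSnapshot);
		return 1;
	}

	do
	{
		const _TCHAR *status;
		if (!moduleentry32.modBaseAddr)
		{
			continue;   /* jumps to the Module32Next condition */
		}
		switch (CheckSafeSEH(&moduleentry32))
		{
		case SAFESEH_ON:        status = _T("SAFESEH_ON");        break;
		case SAFESEH_OFF:       status = _T("SAFESEH_OFF");       break;
		case PluginError:       status = _T("PluginError");       break;
		case NOSEH:             status = _T("NOSEH");             break;
		case ERROR_READING_SEH: status = _T("ERROR_READING_SEH"); break;
		default:                status = _T("UNKNOWN");           break;
		}
		// %s with _tprintf matches szModule's TCHAR type in both the ANSI and
		// the Unicode build.
		_tprintf(_T("%s %s\n"), moduleentry32.szModule, status);
	} while (Module32Next(hSnapshot, &moduleentry32));

	CloseHandle(hSnapshot);
	return 0;
}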

















下面分析一下   OllySSEH   OD插件