// OllyDump 2.21
// Purpose: Dump debuggee process memory
// VERY IMPORTANT NOTICE: COMPILE THIS DLL WITH BYTE ALIGNMENT OF STRUCTURES
// AND UNSIGNED CHAR!
//#define DEBUG
#define _WIN32_WINNT 0x0400
#include <windows.h>
#include <commctrl.h>
#include <odbg\plugin.h> // Please change for your environment
#include "resource.h"
// ---- Plugin-wide state -------------------------------------------------
// Written at load/init time or per dump/trace run, read by the helpers and
// dialog procedures below.
HINSTANCE hinst; // DLL instance (set in DllEntryPoint, needed for DialogBox resources)
HWND hwmain; // Handle of main OllyDbg window (set in ODBG_Plugininit)
WNDPROC SecLstDlgProcOrg; // Original Window Procedure of Section info List Control
char strCurEIP[TEXTLEN]; // NOTE(review): not referenced in the visible part of the file
// szWorkPath: directory of the debuggee, filled by GetPEInfo().
// szFileName/szFile: not referenced in the visible part of the file.
char szFileName[MAX_PATH]={0},szFile[MAX_PATH]={0},szWorkPath[MAX_PATH]={0};
BOOL blFixSect,blRebuild; // Dump options; NOTE(review): set outside this excerpt - confirm
// DbgePath: full path of the debuggee (from Plugingetvalue(VAL_EXEFILENAME)).
// DbgeName: pointer into DbgePath just past its last '\\'. Both set by GetPEInfo().
// lpszSectName: not referenced in the visible part of the file.
LPBYTE DbgePath,DbgeName,lpszSectName;
int iRebMethod; // NOTE(review): not referenced in the visible part of the file
// Dialog procedures - prototypes only, bodies are outside this excerpt.
LRESULT CALLBACK MainDlgProc(HWND, UINT, WPARAM, LPARAM); // IDD_OLLYDUMP dump dialog
LRESULT CALLBACK SecLstDlgProc(HWND, UINT, WPARAM, LPARAM);
LRESULT CALLBACK SecEdtDlgProc(HWND, UINT, WPARAM, LPARAM);
LRESULT CALLBACK OptDlgProc(HWND, UINT, WPARAM, LPARAM); // IDD_OPTIONS dialog
//LRESULT CALLBACK DatDirDlgProc(HWND, UINT, WPARAM, LPARAM);
// Helpers defined in this file (see below).
BOOL GetPEInfo(void); // Parses the debuggee's PE headers into PEFileInfo/lpSectInfo
BOOL SaveDump(HWND); // Body outside this excerpt
BOOL IsValidNumber(char *, int, int); // Body outside this excerpt
void FreeSectInfo(void); // Releases lpSectInfo
int FindOEPbySectionHop(int); // Starts a run trace; tracemode is ODP_TRACE_INTO/ODP_TRACE_OVER
DWORD GetCurrentEIP(void); // Body outside this excerpt
// Import-table reconstruction helpers implemented in another translation unit.
extern void SearchImportData(void);
extern void MakeIID(BYTE *pMemBase, DWORD dwNewSectSize);
extern BOOL RebuildImport(char *szTargetFile);
extern WORD GetApiNameOrdinal(char *libname, DWORD ApiAddress, char *ApiName);
extern DWORD rva2offset(DWORD dwRva);
extern DWORD offset2rva(DWORD dwOffset);
extern PIMAGE_SECTION_HEADER rva2section(DWORD dwRva);
extern BYTE RebuildITDeluxe(char *szTargetFile, BYTE byRebuildType);
// Radix selectors (presumably for IsValidNumber(); not used in this excerpt).
#define NUM_DEC 1
#define NUM_HEX 2
// tracemode values for FindOEPbySectionHop().
#define ODP_TRACE_INTO 0
#define ODP_TRACE_OVER 1
#define PNAME "OllyDump"
#define PVERS "v2.21.108"
#define ANAME "Gigapede"
// szODPath: directory of the OllyDbg executable, with trailing backslash.
// szODIni: <szODPath>ollydbg.ini. szPluginPath: [History] "Plugin path" from that ini.
// szPluginIni: <szPluginPath>\OllyDump.ini. pdest: scratch pointer used while
// building szODPath. All filled in ODBG_Plugininit().
char szODPath[MAX_PATH],szODIni[MAX_PATH],szPluginPath[MAX_PATH],szPluginIni[MAX_PATH],*pdest;
// Options: read from szPluginIni in ODBG_Plugininit(), written back by
// ODBG_Pluginaction() when the Options dialog (menu id 50) is confirmed.
BOOL SearchAnimation;
BOOL SearchLog;
DWORD AnimationWait;
// Values copied from the debuggee's on-disk PE headers by GetPEInfo().
// All fields except dwImageBase are RVAs, exactly as stored in the file.
typedef struct {
WORD woNumOfSect; // FileHeader.NumberOfSections
DWORD dwImageBase; // OptionalHeader.ImageBase (a VA, not an RVA)
DWORD dwSizeOfImage; // OptionalHeader.SizeOfImage
DWORD dwAddrOfEP; // OptionalHeader.AddressOfEntryPoint (RVA)
DWORD dwBaseOfCode; // OptionalHeader.BaseOfCode (RVA)
DWORD dwBaseOfData; // OptionalHeader.BaseOfData (RVA; only exists in the 32-bit optional header)
} PEFILEINFO, *LPPEFILEINFO;
// One entry per IMAGE_SECTION_HEADER, copied by GetPEInfo().
// byName is IMAGE_SIZEOF_SHORT_NAME (8) bytes like the PE field it mirrors, so
// an 8-character section name has no NUL terminator - never treat it as a C string.
typedef struct {
BYTE byName[IMAGE_SIZEOF_SHORT_NAME];
DWORD dwVSize; // Misc.VirtualSize
DWORD dwVOffset; // VirtualAddress (RVA)
DWORD dwRSize; // SizeOfRawData
DWORD dwROffset; // PointerToRawData (file offset)
DWORD dwCharacteristics; // Characteristics flags
} SECTIONINFO, *LPSECTIONINFO;
// PEFileInfo is filled by GetPEInfo(); PEFileInfoWrk is not referenced in the
// visible part of the file (NOTE(review): presumably the dialog's working copy).
PEFILEINFO PEFileInfo,PEFileInfoWrk;
// Section table for the current debuggee: woNumOfSect+1 zero-filled entries
// allocated by GetPEInfo(), released only through FreeSectInfo().
LPSECTIONINFO lpSectInfo = NULL;
SECTIONINFO SectInfoWrk; // Not referenced in the visible part of the file
// Set by FindOEPbySectionHop() when a section-hop trace is started; cleared by
// ODBG_Pluginmainloop() once a candidate OEP has been reported.
BOOL TraceFlag = FALSE;
BOOL WINAPI DllEntryPoint(HINSTANCE hi,DWORD reason,LPVOID reserved) {
  // Only the attach notification matters: remember our module handle so the
  // dialog resources can be located later. Every notification reports success.
  switch (reason) {
  case DLL_PROCESS_ATTACH:
    hinst = hi;
    break;
  default:
    break;
  }
  return 1;
}
extc int _export cdecl ODBG_Plugindata(char shortname[32]) {
  // Hand OllyDbg the plugin's short name (including its terminator) and the
  // SDK version this build targets.
  memcpy(shortname, PNAME, sizeof(PNAME));
  return PLUGIN_VERSION;
}
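extc int _export cdecl ODBG_Plugininit(int ollydbgversion,HWND hw,ulong *features) {
  // Check the SDK version, remember the main window and locate ollydbg.ini and
  // the plugin's own ini so the option values can be loaded.
  // Returns 0 on success, -1 if OllyDbg is too old or the ini paths do not fit
  // in their MAX_PATH buffers (OllyDbg then leaves the plugin disabled).
  DWORD len;
  if(ollydbgversion<PLUGIN_VERSION) {
    return -1;
  }
  hwmain=hw;
  // GetModuleFileName(NULL) yields the host (OllyDbg) executable. A result
  // equal to the buffer size means the path was truncated and may be
  // unterminated on older Windows, so treat it like a failure.
  len = GetModuleFileName(NULL, szODPath, MAX_PATH);
  if(len == 0 || len >= MAX_PATH) {
    return -1;
  }
  pdest = strrchr(szODPath, '\\');
  if(pdest == NULL) {
    return -1; // no directory component to build the ini paths from
  }
  pdest[1] = '\0'; // keep the trailing backslash
  // wsprintf() only stops at 1024 characters, which is more than the MAX_PATH
  // targets below can hold, so check each concatenation before formatting.
  if(strlen(szODPath) + sizeof("ollydbg.ini") > sizeof(szODIni)) {
    return -1;
  }
  wsprintf(szODIni,"%sollydbg.ini",szODPath);
  GetPrivateProfileString("History","Plugin path",szODPath,szPluginPath,sizeof(szPluginPath),szODIni);
  if(strlen(szPluginPath) + sizeof("\\" PNAME ".ini") > sizeof(szPluginIni)) {
    return -1;
  }
  wsprintf(szPluginIni,"%s\\%s.ini",szPluginPath,PNAME);
  SearchAnimation = GetPrivateProfileInt("OPTIONS", "Search Animation", 0, szPluginIni);
  SearchLog = GetPrivateProfileInt("OPTIONS", "Search Log" , 0, szPluginIni);
  AnimationWait = GetPrivateProfileInt("OPTIONS", "Animation Wait" , 60, szPluginIni);
  Addtolist(0, 0,PNAME " " PVERS " by " ANAME);
  return 0;
}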
extc int _export cdecl ODBG_Pluginmenu(int origin,char data[4096],void *item) {
  // Fill `data` with OllyDbg's "id text|..." menu description for the windows
  // this plugin extends and return 1; return 0 for any other window.
  static const char mainmenu[] =
    "0 &Dump debugged process|"
    "1 Find OEP by Section Hop (Trace &into),"
    "2 Find OEP by Section Hop (Trace &over)|"
    "50 Options|"
    "63 &About";
  static const char disasmmenu[] = "0 &Dump debugged process";
  if(origin == PM_MAIN) { // Plugin menu in main window
    memcpy(data, mainmenu, sizeof(mainmenu));
    return 1;
  }
  if(origin == PM_DISASM) {
    // The disassembler context menu is only offered while a process is loaded.
    if(Getstatus() == STAT_NONE) {
      return 0;
    }
    memcpy(data, disasmmenu, sizeof(disasmmenu));
    return 1;
  }
  return 0; // Window not supported by plugin
}
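// Write the three option values edited in the Options dialog back to the
// plugin's ini (szPluginIni) so ODBG_Plugininit() picks them up next time.
static void ODP_SaveOptions(void) {
  char buf[TEXTLEN];
  wsprintf(buf,"%d",SearchAnimation);
  WritePrivateProfileString("OPTIONS", "Search Animation", buf, szPluginIni);
  wsprintf(buf,"%d",AnimationWait);
  WritePrivateProfileString("OPTIONS", "Animation Wait" , buf, szPluginIni);
  wsprintf(buf,"%d",SearchLog);
  WritePrivateProfileString("OPTIONS", "Search Log" , buf, szPluginIni);
}

// Menu id 0: parse the debuggee's PE headers, show the dump dialog and, if
// the user confirms, write the dump. The section table is released again on
// every path out of here.
static void ODP_DumpProcess(void) {
  int id;
  if(Getstatus() == STAT_NONE) {
    MessageBox(hwmain,"No process to dump!!",PNAME,MB_OK);
    return;
  }
  FreeSectInfo(); // drop any stale table from a previous run
  // GetPEInfo() has already reported the failure to the user. Without a
  // valid header/section table the dialog and SaveDump() would operate on
  // an empty or missing lpSectInfo, so stop here instead.
  if(!GetPEInfo()) {
    FreeSectInfo();
    return;
  }
  id = DialogBox(hinst,MAKEINTRESOURCE(IDD_OLLYDUMP),hwmain,(DLGPROC)MainDlgProc);
  if(id == IDOK) {
    SaveDump(hwmain);
  }
  FreeSectInfo();
}

// Menu ids 1/2: start the "find OEP by section hop" run trace in the given
// mode (ODP_TRACE_INTO or ODP_TRACE_OVER).
static void ODP_StartSectionHop(int tracemode) {
  if(Getstatus() == STAT_NONE) {
    MessageBox(hwmain,"No process to monitor!!",PNAME,MB_OK);
    return;
  }
  FindOEPbySectionHop(tracemode);
}

extc void _export cdecl ODBG_Pluginaction(int origin,int action,void *item) {
  // Dispatch a menu selection. The ids match the strings returned by
  // ODBG_Pluginmenu(); PM_MAIN and PM_DISASM share one id space.
  if(origin != PM_MAIN && origin != PM_DISASM) {
    return;
  }
  switch (action) {
  case 0:
    ODP_DumpProcess();
    break;
  case 1:
    ODP_StartSectionHop(ODP_TRACE_INTO);
    break;
  case 2:
    ODP_StartSectionHop(ODP_TRACE_OVER);
    break;
  case 50:
    if(DialogBox(hinst,MAKEINTRESOURCE(IDD_OPTIONS),hwmain,(DLGPROC)OptDlgProc) == IDOK) {
      ODP_SaveOptions();
    }
    break;
  case 63:
    // Menu item "About", displays plugin info.
    MessageBox(hwmain,
      PNAME" "PVERS
      "\n "
      "by "ANAME" ",
      "About "PNAME,
      MB_OK|MB_ICONINFORMATION);
    break;
  default:
    break;
  }
}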
extc void _export cdecl ODBG_Pluginreset(void) {
  // OllyDbg is resetting the debuggee: the cached section table no longer
  // describes anything, so release it and log that we did.
  if(lpSectInfo == NULL) {
    return;
  }
  FreeSectInfo();
  lpSectInfo = NULL;
  Addtolist(0,-1,"==%s DEBUG== in ODBG_Pluginreset Free allocated memory lpSectInfo",PNAME);
}
extc int _export cdecl ODBG_Pluginclose(void) {
  // OllyDbg is about to close: release the section table if one is still
  // held and log it. Returning 0 lets the shutdown proceed.
  if(lpSectInfo != NULL) {
    FreeSectInfo();
    lpSectInfo = NULL;
    Addtolist(0,-1,"==%s DEBUG== in ODBG_Pluginclose Free allocated memory lpSectInfo",PNAME);
  }
  return 0;
}
extc void _export cdecl ODBG_Plugindestroy(void) {
  // Final teardown: make sure the section table is gone.
  if(lpSectInfo == NULL) {
    return;
  }
  FreeSectInfo();
  lpSectInfo = NULL;
}
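extc void _export cdecl ODBG_Pluginmainloop(DEBUG_EVENT *debugevent) {
  // Runs for every debug event. While a section-hop trace started by
  // FindOEPbySectionHop() is active (TraceFlag), watch for the CPU thread
  // stopping inside the debuggee image at an address other than the header
  // entry point and report that address as the likely original entry point.
  t_thread *pthread;
  DWORD imgStart, imgEnd, epVA;
  if(!TraceFlag) {
    return;
  }
  if(Getstatus() != STAT_STOPPED) {
    return;
  }
  pthread = Findthread(Getcputhreadid());
  if(!pthread) {
    return;
  }
  // The image occupies (ImageBase, ImageBase + SizeOfImage). The previous
  // test compared EIP against the bare SizeOfImage, which for any normally
  // based image (ImageBase far larger than SizeOfImage) could never be true,
  // so the OEP report below never fired.
  imgStart = PEFileInfo.dwImageBase;
  imgEnd = PEFileInfo.dwImageBase + PEFileInfo.dwSizeOfImage;
  if(pthread->reg.ip <= imgStart || pthread->reg.ip >= imgEnd) {
    return;
  }
  epVA = PEFileInfo.dwAddrOfEP + PEFileInfo.dwImageBase;
  if(pthread->reg.ip != epVA) {
    // First argument is the header EP as an RVA, second the candidate OEP as a VA.
    Addtolist(0,-1,"EntryPoint is %X and Original Entry Point may be %X",PEFileInfo.dwAddrOfEP,pthread->reg.ip);
    TraceFlag = FALSE;
  }
}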
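BOOL GetPEInfo(void)
{
  // Read the debuggee's on-disk PE headers into PEFileInfo and allocate
  // lpSectInfo (woNumOfSect + 1 zero-filled entries; released only through
  // FreeSectInfo()). Also sets DbgePath, DbgeName and szWorkPath.
  //
  // The file belongs to the process under debug and must be treated as
  // hostile input: every header offset and count is checked against the file
  // size before the buffer is dereferenced, so a crafted executable cannot make
  // the debugger read outside the buffer.
  //
  // Returns TRUE on success. On failure the user has been told via MessageBox,
  // lpSectInfo is left as the caller had it and FALSE is returned.
  int i;
  char msg[TEXTLEN];
  HANDLE hFile = INVALID_HANDLE_VALUE;
  PIMAGE_DOS_HEADER idosh;
  PIMAGE_NT_HEADERS ipeh;
  PIMAGE_SECTION_HEADER isech;
  LPBYTE fbuf = NULL;
  DWORD dwFsiz,dwRsiz,dwHdrOff,dwSectOff;
  size_t dirlen;
  BOOL ok = FALSE;
  DbgePath = (char*)Plugingetvalue(VAL_EXEFILENAME);
  if(DbgePath == NULL) {
    MessageBox(hwmain,"Cannot get debuggee file name!!",PNAME,MB_OK|MB_ICONEXCLAMATION);
    return FALSE;
  }
  // Split the path into directory (szWorkPath) and file name (DbgeName).
  memset(szWorkPath,0,sizeof(szWorkPath));
  DbgeName = strrchr(DbgePath,'\\');
  if(DbgeName == NULL) {
    DbgeName = DbgePath; // bare file name, empty working directory
  }
  else {
    dirlen = (size_t)(DbgeName - DbgePath);
    if(dirlen >= sizeof(szWorkPath)) {
      MessageBox(hwmain,"Debuggee path is too long!!",PNAME,MB_OK|MB_ICONEXCLAMATION);
      return FALSE;
    }
    memcpy(szWorkPath,DbgePath,dirlen); // buffer was zeroed, so it stays terminated
    DbgeName++;
  }
  // Read Debuggee
  hFile = CreateFile(DbgePath,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
  if(hFile == INVALID_HANDLE_VALUE) {
    // msg is only TEXTLEN bytes; bound the path so the message cannot overflow it.
    wsprintf(msg,"Cannot Create File %.200s",DbgePath);
    MessageBox(hwmain,msg,PNAME,MB_OK);
    return FALSE;
  }
  dwFsiz = GetFileSize(hFile,NULL);
  if(dwFsiz == INVALID_FILE_SIZE || dwFsiz < sizeof(IMAGE_DOS_HEADER)) {
    MessageBox(hwmain,"Bad DOS Signature!!",PNAME,MB_OK | MB_ICONEXCLAMATION);
    goto cleanup;
  }
  // The process heap replaces the per-call private heap the old code created
  // and never destroyed (one leaked heap per dump).
  fbuf = (LPBYTE)HeapAlloc(GetProcessHeap(), 0, dwFsiz);
  if(fbuf == NULL) {
    MessageBox(hwmain,"Out of memory!!",PNAME" Error!",MB_OK|MB_ICONEXCLAMATION);
    goto cleanup;
  }
  if(ReadFile(hFile,fbuf,dwFsiz,&dwRsiz,NULL) == 0 || dwRsiz != dwFsiz) {
    MessageBox(hwmain,"Can\'t Read File ",PNAME" Error!",MB_OK|MB_ICONEXCLAMATION);
    goto cleanup;
  }
  // Get PE Header info
  idosh = (PIMAGE_DOS_HEADER)fbuf;
  if(idosh->e_magic != IMAGE_DOS_SIGNATURE) {
    MessageBox(hwmain,"Bad DOS Signature!!",PNAME,MB_OK | MB_ICONEXCLAMATION);
    goto cleanup;
  }
  // e_lfanew is file-controlled: the whole NT header must lie inside the file.
  dwHdrOff = (DWORD)idosh->e_lfanew;
  if(idosh->e_lfanew < 0 || dwHdrOff > dwFsiz || dwFsiz - dwHdrOff < sizeof(IMAGE_NT_HEADERS)) {
    MessageBox(hwmain,"PE header is outside the file!!",PNAME,MB_OK | MB_ICONEXCLAMATION);
    goto cleanup;
  }
  ipeh = (PIMAGE_NT_HEADERS)(fbuf + dwHdrOff);
  if(ipeh->Signature != IMAGE_NT_SIGNATURE) {
    MessageBox(hwmain,"Bad PE Signature!!",PNAME,MB_OK | MB_ICONEXCLAMATION);
    goto cleanup;
  }
  // This plugin (and the BaseOfData field read below) only handles PE32.
  if(ipeh->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
    MessageBox(hwmain,"Not a 32-bit PE image!!",PNAME,MB_OK | MB_ICONEXCLAMATION);
    goto cleanup;
  }
  // Section table starts after the optional header (what IMAGE_FIRST_SECTION
  // computes) - check it fits before touching it. SizeOfOptionalHeader and
  // NumberOfSections are WORDs, so the arithmetic below cannot wrap.
  dwSectOff = dwHdrOff + FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + ipeh->FileHeader.SizeOfOptionalHeader;
  if(dwSectOff < dwHdrOff || dwSectOff > dwFsiz ||
     (dwFsiz - dwSectOff) / sizeof(IMAGE_SECTION_HEADER) < ipeh->FileHeader.NumberOfSections) {
    MessageBox(hwmain,"Section table is outside the file!!",PNAME,MB_OK | MB_ICONEXCLAMATION);
    goto cleanup;
  }
  PEFileInfo.woNumOfSect = ipeh->FileHeader.NumberOfSections;
  PEFileInfo.dwImageBase = ipeh->OptionalHeader.ImageBase;
  PEFileInfo.dwSizeOfImage = ipeh->OptionalHeader.SizeOfImage;
  PEFileInfo.dwBaseOfCode = ipeh->OptionalHeader.BaseOfCode ;
  PEFileInfo.dwBaseOfData = ipeh->OptionalHeader.BaseOfData ;
  PEFileInfo.dwAddrOfEP = ipeh->OptionalHeader.AddressOfEntryPoint;
  // One spare entry beyond NumberOfSections, zero-filled, as before.
  lpSectInfo = (LPSECTIONINFO)calloc((size_t)PEFileInfo.woNumOfSect+1,sizeof(SECTIONINFO));
  if(lpSectInfo == NULL) {
    MessageBox(hwmain,"Out of memory!!",PNAME" Error!",MB_OK|MB_ICONEXCLAMATION);
    goto cleanup;
  }
  isech = (PIMAGE_SECTION_HEADER)(fbuf + dwSectOff);
  for(i=0; i<(int)PEFileInfo.woNumOfSect; i++) {
    // Name is 8 bytes with no terminator when all 8 are used; strcpy would
    // read and write past it. byName has the same size, so copy the bytes.
    memcpy(lpSectInfo[i].byName,isech[i].Name,IMAGE_SIZEOF_SHORT_NAME);
    lpSectInfo[i].dwVSize = isech[i].Misc.VirtualSize;
    lpSectInfo[i].dwVOffset = isech[i].VirtualAddress;
    lpSectInfo[i].dwRSize = isech[i].SizeOfRawData;
    lpSectInfo[i].dwROffset = isech[i].PointerToRawData;
    lpSectInfo[i].dwCharacteristics = isech[i].Characteristics;
  }
  ok = TRUE;
cleanup:
  if(fbuf != NULL) {
    HeapFree(GetProcessHeap(),0,fbuf);
  }
  if(hFile != INVALID_HANDLE_VALUE) {
    CloseHandle(hFile);
  }
  return ok;
}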
void FreeSectInfo(void)
{
  // Release the section table allocated by GetPEInfo(). free(NULL) is a
  // no-op, so no guard is needed; the pointer is always cleared afterwards.
  free(lpSectInfo);
  lpSectInfo = NULL;
}
int FindOEPbySectionHop(int tracemode)
{
int i;
DWORD out0,out1,in0,in1,curEIP,curSectVA1,curSectVA2;
t_reg reg;
Deleteruntrace();
TraceFlag = TRUE;
// Clear Section Info buffer
if(lpSectInfo) {
FreeSectInfo();
}
// Get PE file header value
GetPEInfo();
curEIP = GetCurrentEIP();
Addtolist(0,-1,"EP:%X ImageBase:%X SizeOfImage:%X Current EIP:%X",PEFileInfo.dwAddrOfEP,PEFileInfo.dwImageBase,PEFileInfo.dwSizeOfImage,curEIP);
// Search a section the Entry Point belongs
out0 = out1 = 0;
for(i=0; i<PEFileInfo.woNumOfSect; i++) {
//Addtolist(0,-1,"Sect%02d : %8X - %8X",i,lpSectInfo[i].dwVOffset,lpSectInfo[i].dwVOffset+lpSectInfo[i].dwVSize-1);
curSectVA1 = lpSectInfo[i].dwVOffset + PEFileInfo.dwImageBase;
curSectVA2 = curSectVA1 + lpSectInfo[i].dwVSize;
if(curEIP >= curSectVA1 && curEIP < curSectVA2) {
out0 = lpSectInfo[i].dwVOffset + PEFileInfo.dwImageBase;
out1 = out0 + lpSectInfo[i].dwVSize - 1;
break;
}
}
if(out0 != 0 && out1 > out0) {
Settracecondition(NULL,0,0,0,out0,out1);
Addtolist(0,-1,"Current EIP\(%08X\) is in Section%02d %08X - %08X",curEIP,i,curSectVA1,curSectVA2);
Addtolist(0,-1,"Trace Condition set out0:%X out1:%X",out0,out1);
}
else {
in0 = lpSectInfo[0].dwVOffset + PEFileInfo.dwImageBase;
in1 = lpSectInfo[PEFileInfo.woNumOfSect-1].dwVOffset + lpSectInfo[PEFileInfo.woNumOfSect-1].dwVSize + PEFileInfo.dwImageBase;
Settracecondition(NULL,0,in0,in1,0,0);
Addtolist(0,-1,"Current EIP\(%08X\) is out of Debuggee image",curEIP);
Addtolist(0,-1,"Trace Condition set in0:%X in1:%X",in0,in1);
}
Startruntrace(®);
switch(tracemode) {
case ODP_TRACE_INTO:
Sendshortcut(PM_MAIN,0,WM_KEYDOWN,1,0,VK_F11); // Trace into
break;
case ODP_TRACE_OVER: