library PhantOm;
// OllyDbg plugin DLL. The ODBG_* routines below follow the OllyDbg 1.10
// plugin API; the exports clause that publishes them is not on this page
// (it presumably lives on page 2 of the listing).

{ Important note about DLL memory management: ShareMem must be the
  first unit in your library's USES clause AND your project's (select
  Project-View Source) USES clause if your DLL exports any procedures or
  functions that pass strings as parameters or function results. This
  applies to all strings passed to and from your DLL--even those that
  are nested in records and classes. ShareMem is the interface unit to
  the BORLNDMM.DLL shared memory manager, which must be deployed along
  with your DLL. To avoid using BORLNDMM.DLL, pass string information
  using PChar or ShortString parameters. }

//------------------------------------------------------------------------------------------------------------
//{$R *.res}
// Resource script for the options dialog (the IDC_* control ids below are
// expected to match it); the .res is built from the .rc by the compiler.
{$R 'PhantOm.res' 'PhantOm.rc'}


//------------------------------------------------------------------------------------------------------------
//
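uses
  Windows,
  Messages,
  SysUtils,
  ShellAPI,
  System,     // NOTE(review): System is always used implicitly; some Delphi
              // versions reject listing it explicitly - confirm it compiles.
  Plugin,     // OllyDbg plugin API (Addtolist, Plugingetvalue, PM_MAIN, ...).
              // Was terminated with ';' here, which ended the uses clause
              // and left the next unit name as a stray, invalid statement.
  mgPhantOm;  // project unit; presumably declares the g_* globals and the
              // mg_Exit*/mg_Modfiy* helpers referenced below (not visible here).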

//--------------------------------------------------------------------------------------------------------
//
resourcestring
  // Plugin identity strings. Note that ODBG_Plugindata and ODBG_Plugininit
  // below currently pass string literals with the same values instead of
  // these (the references are commented out there).
  PLUGIN_NAME     = 'PhantOm';
  PLUGIN_VER      = '1.20';
  PLUGIN_DEV      = 'Hellsp@wn &Archer';


//--------------------------------------------------------------------------------------------------------
//
const
  // Control ids of the options dialog, presumably as defined in PhantOm.rc.
  // One "Save" button plus one check box per anti-anti-debug feature.
  IDC_BTN_SAVE                    = 107;

  IDC_CHK_HideFromPEB             = 301;
  IDC_CHK_ProtectDRx              = 302;
  IDC_CHK_LoadDriver              = 303;
  IDC_CHK_HookNtSetContextThread  = 304;
  IDC_CHK_PathODStringAndFPUBugs  = 305;
  IDC_CHK_HookBlockInput          = 306;
  IDC_CHK_HookGetTickCount        = 307;
  IDC_CHK_HookRDTSC               = 308;
  IDC_CHK_HookGetProcessTimes     = 309;
  IDC_CHK_RemoveEPBreak           = 310;
  IDC_CHK_CustomHandlerExcept     = 311;
  IDC_CHK_HideOllyDbgWin          = 312;
  IDC_CHK_ChangeOllyDbgCaption    = 313;



//--------------------------------------------------------------------------------------------------------
//
// Common helper functions:
function  mg_GetTickCount():Integer;
// Returns the low 32 bits of the high-resolution performance counter when
// QueryPerformanceCounter succeeds, otherwise the plain GetTickCount value.
// The returned value is also mirrored into the global g_dwCount (presumably
// consumed by the GetTickCount hook - confirm in mgPhantOm).
var
  counter : Int64;
begin
  if QueryPerformanceCounter(counter) then
    Result := Integer(counter)   // deliberate truncation to 32 bits
  else
    Result := GetTickCount();
  g_dwCount := Result;
end;

function  mg_GetModuleName( {hModule:HMODULE} ):string;
// Returns the full path of the host executable: module handle 0 is passed
// to GetModuleFileName, so this is OllyDbg's path, not this DLL's
// (the hModule parameter is commented out and never used).
var
  buf : array[0..MAX_PATH] of Char;
begin
  ZeroMemory(@buf, SizeOf(buf));
  GetModuleFileName(0, buf, Length(buf));
  Result := buf;
end;

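function mg_VirtualFree( addr : Pointer ): Pointer;
// Releases a region previously reserved in the debuggee (the process handle
// comes from OllyDbg via Plugingetvalue(VAL_HPROCESS)). dwSize must be 0
// with MEM_RELEASE.
//
// VirtualFreeEx returns a BOOL, not a Pointer; assigning it to Result
// directly does not compile. The Pointer result type is kept for existing
// callers, so the BOOL is carried across as an integer-valued pointer:
// nil on failure, non-nil on success.
begin
  Result := Pointer(Integer(VirtualFreeEx(Plugingetvalue(VAL_HPROCESS), addr, 0, MEM_RELEASE)));
end;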


//--------------------------------------------------------------------------------------------------------
//
function ODBG_Plugindata(name: PChar): Integer; cdecl;
// OllyDbg calls this first to identify the plugin: the short name goes into
// the caller's buffer (at most NAME_BUFFER_LEN characters plus terminator)
// and the plugin API version is returned.
const
  NAME_BUFFER_LEN = 32;
begin
  StrLCopy(name, 'PhantOm', NAME_BUFFER_LEN);
  Result := PLUGIN_VERSION;
end;

//--------------------------------------------------------------------------------------------------------
//
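function ODBG_Plugininit(ollydbgversion: Integer; hWndOlly: HWND; features: PULONG): Integer; cdecl;
// Called once by OllyDbg after loading the plugin.
//   ollydbgversion - plugin API version of the hosting OllyDbg
//   hWndOlly       - OllyDbg main window, kept in g_hwndOlly
//   features       - not used
// Returns 0 to accept the plugin, -1 to refuse it.
begin
  // Refuse hosts older than the API this plugin was written against.
  if ollydbgversion < PLUGIN_VERSION then
  begin
    Addtolist(0, 1, 'Only for OllyDbg 1.10');
    Result := -1;
    Exit;
  end;

  // Refuse Win9x/ME: the hooks need an NT kernel. The previous test,
  // Win32MinorVersion <> 2, compared the OS *minor* version and so admitted
  // only 5.2 while rejecting 2000 (5.0), XP (5.1) and NT4 (4.0) - the very
  // systems the message names. Win32Platform is the platform id.
  if Win32Platform <> VER_PLATFORM_WIN32_NT then
  begin
    Addtolist(0, 1, 'Only for Windows 2000/XP/NT');
    Result := -1;
    Exit;
  end;

  // Keep the main window handle for later caption/message-box use.
  g_hwndOlly := hWndOlly;
  Addtolist(0, 1, '');
  // Literals rather than PLUGIN_VER/PLUGIN_DEV: Addtolist is a C-style
  // variadic routine and the resourcestring references were commented out,
  // presumably because passing them through it did not work.
  Addtolist(0, 1, 'PhantOm plugin %s', '1.20');
  Addtolist(0, -1, '    by %s', 'Hellsp@wn &Archer');

  // NOTE(review): mg_GetModuleName() reports the host EXE (module 0) and
  // GetModuleHandle is then given a directory path, which returns 0 rather
  // than this DLL's handle. HInstance would be the plugin's own module
  // handle; this is left as is because g_hmodPlugin is also used as a
  // patch base in mg_SetOllyCPUCaption and the intended base must be
  // confirmed before the value is changed.
  g_strPluginName := ExtractFilePath(mg_GetModuleName());
  g_hmodPlugin := GetModuleHandle(PChar(g_strPluginName));
  Result := 0;
end;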


//--------------------------------------------------------------------------------------------------------
//
function ODBG_Pluginmenu(origin: Integer; pData: PChar; pItem: Pointer): Integer; cdecl;
// OllyDbg asks every window type for a plugin menu; only the main window
// gets one. Returns 1 when a menu string was written to pData, else 0.
begin
  if origin <> PM_MAIN then
  begin
    Result := 0;
    Exit;
  end;

  // Menu definition in OllyDbg's "id text|id text" format.
  StrCopy(pData, '0 Options, | 1 About');
  Result := 1;
end;

//--------------------------------------------------------------------------------------------------------
//
function  ODBG_Pausedex(reasonex: Integer; dummy: Integer; reg: p_reg;
                            debugevent: PDebugEvent): Integer; cdecl;
// Pause notification. This plugin does nothing on pause; 0 tells OllyDbg
// that the event was not consumed.
begin
  Result := 0;
end;

//--------------------------------------------------------------------------------------------------------
//
function ODBG_Pluginclose() :Integer;cdecl;
// Called when OllyDbg shuts down: tear down the kernel driver and the RDTSC
// hook if they were brought up, then return 0 (close allowed).
begin
  if g_bDriverLogon then
    mg_ExitDriver();

  if g_bRDTSCLogon then
    mg_ExitRDTSC();

  // NOTE(review): releasing address nil in the debuggee is effectively a
  // no-op (VirtualFreeEx fails and the result is ignored) - kept as is.
  mg_VirtualFree(nil);

  Result := 0;
end;

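procedure mg_SetOllyCPUCaption(); cdecl;
// Patches, in this process, the strings OllyDbg uses for its CPU-window
// caption so the debugger is harder to recognise by window title. Runs
// only once: g_bChangeOllyCPUCaption is set to 1 after the first attempt,
// successful or not, so the patch is not retried on every main-loop pass.
//
// NOTE(review): the first and last writes are relative to g_hmodPlugin, the
// middle two to g_hmodOlly, although all four offsets look like offsets
// into the OllyDbg image. The mix is kept from the original; confirm the
// intended base before changing it.
var
  written : DWORD;
  text    : string;
  oneByte : Byte;
  ok      : Boolean;

  // Writes len bytes from data to addr in the current process.
  // Returns True when WriteProcessMemory reports success.
  function Patch(addr: Pointer; data: Pointer; len: DWORD): Boolean;
  begin
    Result := WriteProcessMemory(GetCurrentProcess(), addr, data, len, written);
  end;

begin
  if g_bChangeOllyCPUCaption <> 0 then
    Exit;

  text := 'o_O';
  ok := Patch(Pointer(g_hmodPlugin + $0B3963), PChar(text), Length(text));

  oneByte := $30;
  ok := Patch(Pointer(g_hmodOlly + $0B3987), @oneByte, 1) and ok;

  oneByte := $33;
  ok := Patch(Pointer(g_hmodOlly + $0C226C), @oneByte, 1) and ok;

  text := 'Phant33';
  ok := Patch(Pointer(g_hmodPlugin + $0B7218), PChar(text), Length(text)) and ok;

  // The WriteProcessMemory results are checked so that a patch that silently
  // failed (e.g. an unmapped address) is visible in the log instead of being
  // reported as a success.
  if ok then
    Addtolist(0, -1, 'Status:Caption changed .')
  else
    Addtolist(0, -1, 'Status:Caption patch failed .');

  g_bChangeOllyCPUCaption := 1;
end;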

procedure mg_SetOllyMainCaption(); cdecl;
// Replaces the title of the OllyDbg main window (handle saved in
// ODBG_Plugininit) with the plugin name.
const
  NEW_CAPTION = 'PhantOm';
begin
  SetWindowText(g_hwndOlly, NEW_CAPTION);
end;

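procedure ODBG_Pluginmainloop(debugevent: PDebugEvent); cdecl;
// OllyDbg main-loop hook, called for every debug event (debugevent is nil
// when there is none). Two jobs:
//  1. once a debuggee is loaded, rename the OllyDbg windows if the
//     "change caption" option is on;
//  2. on the initial breakpoint exception raised inside the debuggee's
//     DbgBreakPoint (g_procDbgBreakPoint, presumably ntdll!DbgBreakPoint),
//     apply the user-mode patches the options enable, once.
begin
  if (Getstatus() <> STAT_NONE) and (g_bChangeOllyDbgCaption = 1) then
  begin
    mg_SetOllyMainCaption();
    mg_SetOllyCPUCaption();
  end;

  if debugevent = nil then
    Exit;

  g_DebugEvent     := debugevent;
  g_dwDbgEventCode := debugevent.dwDebugEventCode;

  // Event code 1 is EXCEPTION_DEBUG_EVENT. The previous code read this
  // event through the CreateProcessInfo and RipInfo members of the union;
  // the Exception members used below overlay exactly the same bytes
  // (ExceptionAddress = CreateProcessInfo.lpBaseOfImage,
  //  ExceptionCode = RipInfo.dwError), so the behaviour is unchanged and the
  // code now says what it tests.
  if g_dwDbgEventCode <> EXCEPTION_DEBUG_EVENT then
    Exit;

  g_BreakPointTypeAddr := DWORD(debugevent.Exception.ExceptionRecord.ExceptionAddress);
  Getbreakpointtype(g_BreakPointTypeAddr);

  // $80000003 is STATUS_BREAKPOINT. Only a breakpoint hit at DbgBreakPoint
  // itself triggers the patching.
  if (debugevent.Exception.ExceptionRecord.ExceptionCode <> $80000003) or
     (g_BreakPointTypeAddr <> DWORD(g_procDbgBreakPoint)) then
    Exit;

  mg_ModfiyDbgBreakPoint();

  // g_bUnkLogon1 guards the option-driven patches so they are applied once.
  if g_bUnkLogon1 then
    Exit;

  if g_bHookGetProcessTimes = 1 then
    mg_ModfiyNtQueryInformationProcess();

  if g_bHookBlockInput = 1 then
    mg_ModfiyBlockInput();

  // g_bHideFromPEB has no user-mode patch at this point (the branch was
  // empty); the PEB handling is presumably done elsewhere - confirm.
end;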

//--------------------------------------------------------------------------------------------------------
//
procedure  mg_SaveCheckDlgBtn() ;
var
  iRes : Integer;  //ebx
  ival1 : Integer;
  ival2 : Integer;
  iWin : Integer;  //esi
  iSetContext :Integer;  //ebp

begin
  iRes := SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_HideOllyDbgWin ),
              BM_GETCHECK,0,0);
  iWin := iRes;          //mov esi,ebx

  iRes := SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_HookNtSetContextThread ),
              BM_GETCHECK,0,0);
  iSetContext := iRes;     //mov ebp,ebx

  iRes := SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_LoadDriver ),
              BM_GETCHECK,0,0);

  if( (iWin = 1) and (iRes = 0) ) then
  begin
    MessageBox( g_hwndOlly ,
    'Hide OllyDbg Windows -> using driver! please turn load driver option on.',
    'Option Warnning !',MB_OK or MB_ICONASTERISK);

    SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_HideOllyDbgWin ),
              BM_SETCHECK,0,0);

    Pluginwriteinttoini( HInstance  , 'WINDOWS',0 );
    Exit;
  end;

  if ( (iSetContext = 1) and (iRes = 0) ) then
  begin
    MessageBox( g_hwndOlly ,
    'Hook NtSetContextThread -> using driver! please turn load driver option on.',
    'Option Warnning !',MB_OK or MB_ICONASTERISK);

    SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_HookNtSetContextThread ),
              BM_SETCHECK,0,0);

    Pluginwriteinttoini( HInstance  , 'SETCONTEXT',0 );
    Exit;
  end;

   iRes := SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_HideFromPEB ),
              BM_GETCHECK,0,0);
   Pluginwriteinttoini( HInstance , 'PEB', iRes);

   iRes := SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_HookGetTickCount ),
              BM_GETCHECK,0,0);
   Pluginwriteinttoini( HInstance , 'GETCOUNT', iRes);

   iRes := SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_ProtectDRx ),
              BM_GETCHECK,0,0);
   Pluginwriteinttoini( HInstance , 'DRX', iRes);

   iRes := SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_HookNtSetContextThread ),
              BM_GETCHECK,0,0);
   Pluginwriteinttoini( HInstance , 'SETCONTEXT', iRes);
   iSetContext := iRes;     //mov ebp ,ebx

   iRes := SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_PathODStringAndFPUBugs ),
              BM_GETCHECK,0,0);
   Pluginwriteinttoini( HInstance , 'DEBSTRING', iRes);

   iRes := SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_HookBlockInput ),
              BM_GETCHECK,0,0);
   Pluginwriteinttoini( HInstance , 'BLOCK', iRes);
   
   iRes := SendMessage(GetDlgItem( g_hwndOption , IDC_CHK_ChangeOllyDbgCaption ),
              BM_GETCHECK,0,0);
