Many bugfixes and several improvements. Plugin interface is still under development.
I've got rid of a very nasty crash. Maybe half of such crashes happened within the GlobalAlloc(), the remaining were almost unpredictable. Of course, it was buffer overflow, what else?
Debugging engine is now more stable, especilally if one steps into the exception handlers. There is a new debugging option, "Set permanent breakpoints on system calls". When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue() and NTDLL.NtQueryInformationProcess(). For example, if CPU is in the exception handler and you set hardware breakpoint, it won't hit! NTDLL.ZwContinue() restores original contents of registers and modifications get lost. Therefore OllyDbg sets temporary INT3 break on ZwContinue() and applies changes to the copy of the context in memory. But sometimes it simply doesn't know that temporary breakpoint is necessary. If process is being debugged, Windows don't call the unhandled exception filter. Instead, it notifies debugger. To pass exception to the filter, OllyDbg intercepts NtQueryInformationProcess(). If handler asks OS whether process is debugged, OllyDbg reports "no". And so on. Well, if this new option is so advantageous, why not to make it default? Because some viruses check for INT3 breakpoints on these APIs.
Sometimes it's necessary to rename the OllyDbg, for example if you investigate a brainless virus that scans process names and hopes to avoid debugger. You rename OllyDbg to, say, notadebugger.exe and... and... and all plugins are missing?! They are statically linked to the DLL named ollydbg.exe. Of course, GetProcAddress() would help, but this makes programming to the nightmare. Therefore when OllyDbg loads plugins, it applies a dirty trick which lets Windows think that the main module is named ollydbg.exe and not notadebugger.exe. This trick works under Windows XP, but I am not sure whether Vista/Win7 use the same internal data structures. Please check.
Hit trace can be saved between the sessions. If code is self-modifiable, use this option with care. When OllyDbg restores hit trace, it sets INT3 breakpoint on every marked command. This may lead to crash of the debugged application.
Due to the invalid handling of prefixes 66, F2 and F3, command search was unable to find SSE commands. This bug is corrected.
Currently I am working on the plugin interface. Plugins will be allowed to set temporary breakpoints and process exceptions. This requires significant changes in the debugging engine and may take another couple of weeks.
发表于 2012-10-5 14:18
