Some days ago I released my second plugin for OllyDbg2, Hyde. This plugin is designed to hide OllyDbg2 from the Debugee, yet allow normal usage of Apis for finding other windows and processes.
Also (with reversing in mind) the patch options can be saved to file (as Patch-sets) for easy reloading..
For example, with an ASProtect target you can set the patches that you need for ASProtect and save to a file "ASProtect.SET". This patch-set file can then be loaded whenever you need to debug ASProtect.
Included in the archive as an example is a Patch-Set for V(M)Protect 1.93 ..
As OllyDbg2 is still beta, no direct patching of OllyDbg2 strings or code is done, as that would just lead to too much hassle. Better to wait until final release for that, so all patches are done just to Apis.
In the first version these things are patched:
PEB.IsDebugged
PEB.NtGlobalFlag
PEB.HeapFlags
NtQueryInformationProcess
NtQuerySystemInformation
NtSetInformationThread
FindWindowA
FindWindowW
FindWindowExA
FindWindowExW
EnumWindows
Process32NextW
OutputDebugStringA
OutputDebugStringW
NtQueryObject
GetTickCount
NtOpenProcess
BlockInput
NtClose
GetStartupInfo
Suggestions are welcome, however please note that OllyDbg2 is not detectable by a lot of the old tricks, so please check
Example: ESI = -1 on startup no longer works as detection, no BPX left on EP ..
发表于 2011-9-20 13:30
发表于 2011-9-20 14:05
