This repository has been archived on 29/Nov/2020. Language: C++. Created almost 12 years ago, updated almost 10 years ago.


Scripting OllyDBG2 using Python is now possible!

OllyDbg2-Python

Motivations

Nowadays in the reverse-engineering world, almost everything is scriptable using Python: IDA Pro, WinDbg, Immunity Debugger, etc. The thing is, OllyDbg2 wasn't. The only way to interact with OllyDbg2's API was by writing a C/C++ plugin. But we all know everything is easier in Python, and that's the reason I started this project back in the summer of 2012.

Under the hoods

To be able to export OllyDbg2's API to Python (currently Python 2.7.5), we need two important things:

  1. python-loader: an OllyDbg2 plugin that loads the Python engine into the debugger; with that plugin you can run Python inside your debugger
  2. python-bindings-swig: the project that builds the connectors you need to poke OllyDbg2's API from Python

The python-loader also tries to improve the user experience by adding a command-line edit bar, so you can write Python one-liners easily without loading a script. At the moment that bar isn't working very well (I'm not a GUI expert at all), but I will give building a better one a try.

The python-bindings-swig project is a bit more delicate: it uses SWIG to generate the bindings automatically, and it seems to work pretty well so far. But SWIG can sometimes be a bit weird to play with, so if I made mistakes don't hesitate to send pull requests with corrections!

Features

I've tried to expose the main features we would like to have when it comes to scripting a debugger:

  • CPU state inspection: get/set x86 registers, get information about segment selectors
  • memory: read and write the debuggee's memory; also obtain information about specific memory regions
  • assembler/disassembler: interact with the internal x86 assembler/disassembler
  • breakpoints: easily set/remove software/hardware, normal/conditional breakpoints wherever you want
  • symbols: use the Microsoft/OllyDbg2 API to obtain symbol information (like a function name from its address)
  • enhance the disassembly: you can add comments and/or labels easily
  • looking for something in memory: there are also a couple of methods to look for hexadecimal bytes or instructions in memory, really handy
  • instrument the debugger: ask the debugger to StepInto/StepOver/ExecuteUntilRet in the debuggee
  • etc.

If you want to see real examples, check out the samples/ directory! If you have ideas for cool examples to showcase the API, feel free to contact me.
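The "looking for something in memory" feature above is the kind of helper that is easy to get subtly wrong, so here is an added example of how a byte-pattern search over debuggee memory is usually structured. This is not code from the ollydbg2-python project and it does not call the SWIG bindings: find_pattern() takes any read_memory(addr, size) -> bytes callable (an assumed adapter you would write over whichever memory-read function the bindings expose), and the example feeds it a constructed three-page memory image so it runs offline. What carries over is the technique: wildcard bytes in the pattern, chunked reads with an overlap so a match straddling a chunk boundary is still found, and skipping pages the debugger cannot read.

```python
"""Search a debuggee's memory for a byte pattern with wildcards.

Added example, not code from the ollydbg2-python project. It does not use the
SWIG bindings directly: find_pattern() takes any read_memory(addr, size) ->
bytes callable (an assumed adapter over the bindings' memory read), so the
scan logic can be exercised here against a constructed image.
"""


def parse_pattern(spec):
    """'8B ?? 08' -> (values, mask); '??' or '?' marks a wildcard byte."""
    values, mask = [], []
    for tok in spec.split():
        if tok in ("?", "??"):
            values.append(0)
            mask.append(False)
        else:
            values.append(int(tok, 16))
            mask.append(True)
    if not values:
        raise ValueError("empty pattern")
    return values, mask


def find_pattern(read_memory, base, size, spec, chunk_size=0x1000):
    """Return the addresses in [base, base+size) where `spec` matches.

    Memory is read chunk_size bytes at a time; the last len(pattern)-1 bytes
    of each chunk are carried into the next scan so a match straddling a
    chunk boundary is not missed. A read returning b"" is treated as an
    unreadable page and skipped (the carry is dropped, since the bytes on
    either side of the hole are not contiguous).
    """
    values, mask = parse_pattern(spec)
    n = len(values)
    hits = []
    carry, carry_addr = b"", base
    addr, end = base, base + size
    while addr < end:
        want = min(chunk_size, end - addr)
        data = read_memory(addr, want)
        if not data:
            carry, carry_addr = b"", addr + want
            addr += want
            continue
        buf = carry + data
        buf_base = carry_addr
        for i in range(len(buf) - n + 1):
            if all(not m or buf[i + k] == v
                   for k, (v, m) in enumerate(zip(values, mask))):
                hits.append(buf_base + i)
        keep = min(n - 1, len(buf))
        carry = buf[len(buf) - keep:] if keep else b""
        carry_addr = buf_base + len(buf) - keep
        addr += len(data)
    return hits


# Constructed stand-in for the debuggee: a 3-page image at a made-up base.
IMAGE_BASE = 0x00400000
_image = bytearray(0x3000)
_image[0x10:0x13] = bytes.fromhex("8b4508")      # mov eax,[ebp+8] inside page 0
_image[0xFFF:0x1002] = bytes.fromhex("8b4d08")   # mov ecx,[ebp+8] straddling pages 0/1
_image[0x2000:0x2003] = bytes.fromhex("8b5508")  # in the page we pretend is unreadable


def fake_read_memory(addr, size):
    """Mimic a debugger read: page 2 of the image is reported as unreadable."""
    off = addr - IMAGE_BASE
    if off < 0 or off >= len(_image):
        return b""
    if 0x2000 <= off < 0x3000:
        return b""
    return bytes(_image[off:off + size])


if __name__ == "__main__":
    for hit in find_pattern(fake_read_memory, IMAGE_BASE, 0x3000, "8B ?? 08"):
        print("match at 0x%08X" % hit)
```

Run as a script it reports two hits, 0x00400010 and 0x00400FFF; the third planted sequence sits in the page the fake reader refuses, so it is correctly absent. Against a real debuggee you would replace fake_read_memory with a thin wrapper around the bindings' memory-read call and pass the region's base and size from the memory-region information the API provides.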

Building python-loader

You will need the Python development files; I'm currently using Python 2.7.5.

Building the Python bindings via SWIG

To build the API bindings you will need SWIG and Python 2.7.5.

  1. Fetch the latest OllyDbg2 development files. Move plugin.h into the ollydbg2-plugin-development-files/inc/ directory, and ollydbg.lib into ollydbg2-plugin-development-files/lib/.
  2. Then copy plugin.h to plugin-swig.h. Here are the things you have to change in the plugin-swig.h file:
     • Some APIs are declared in plugin.h but are not actually present in OllyDbg2's export address table, so comment them out. Here is the list: SetcaseA, SetcaseW, StrcopycaseA, StrcopycaseW, Strnst, StrnstrW, StrcmpW, Div64by32, CRCcalc, Getcpuidfeatures, Maskfpu, Clearfpu.
     • Remove the __cdecl from the stdapi, varapi, oddata and pentry macros. There is another one in EMUFUNC's typedef.
     • Remove the const from the oddata declaration (that way you will be able to interact with internal variables), both in plugin.h and plugin-swig.h.
     • Remove the _import keyword from oddata's definition.
     • Rename Readmemory's first argument to char *buf, add %pybuffer_mutable_string(char *buf) before the declaration and %typemap(in) char *buf; after it. (SWIG applies the typemap to every subsequent parameter matching char *buf, so the trailing %typemap line, which has no body, clears it again.) Do the same thing with the following APIs:
       • Disasm and its first argument
       • Assembleallforms and its last argument
       • Getanalysercomment and its third argument
       • Getproccomment and its third argument
       • Decodeaddress and its fourth argument
       • Decoderelativeoffset and its third argument
     • Anonymous nested structures aren't supported, so you have to give a name to the unions in the t_result structure.
  3. Open the python-bindings-swig project and build the Python bindings.
  4. You're ready to go!
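Most of the plugin-swig.h edits in step 2 are mechanical, and doing them by hand on a large header is where mistakes creep in (a missed __cdecl, a typemap left open so it silently captures later char *buf parameters). The script below is an added example, not part of the ollydbg2-python project, that applies those edits to plugin.h text: it comments out the declarations of the non-exported functions, strips __cdecl / const / _import from the macros named above, and brackets the buffer-taking declarations with the two SWIG directives. Naming the anonymous unions in t_result is left to hand editing. SAMPLE_PLUGIN_H is constructed to have the shape of those declarations and is not the real OllyDbg2 header, so run the converter on your own plugin.h and diff the result before building.

```python
"""Apply the plugin-swig.h edits from the build steps to a plugin.h text.

Added example, not part of the ollydbg2-python project. The SAMPLE_PLUGIN_H
text is constructed to mimic the shape of OllyDbg2's declarations; it is not
the real header.
"""
import re

# Declared in plugin.h but missing from ollydbg.exe's export table (list above).
MISSING_EXPORTS = {
    "SetcaseA", "SetcaseW", "StrcopycaseA", "StrcopycaseW", "Strnst", "StrnstrW",
    "StrcmpW", "Div64by32", "CRCcalc", "Getcpuidfeatures", "Maskfpu", "Clearfpu",
}

# Functions taking a caller-supplied output buffer -> index of that argument
# (list above; -1 means "last argument", as for Assembleallforms).
BUFFER_ARGS = {
    "Readmemory": 0, "Disasm": 0, "Assembleallforms": -1,
    "Getanalysercomment": 2, "Getproccomment": 2,
    "Decodeaddress": 3, "Decoderelativeoffset": 2,
}

MACROS = ("stdapi", "varapi", "oddata", "pentry")
CDECL_RE = re.compile(r"\s*\b__cdecl\b")
# "stdapi (ret) Name(args);" -> group(1) = Name, group(2) = args
DECL_RE = re.compile(r"^\s*(?:stdapi|varapi)\s*\([^)]*\)\s*(\w+)\s*\((.*)\)\s*;\s*$")


def _with_buffer_typemap(line, index):
    """Rename argument `index` to char *buf and bracket the declaration with
    the typemap directives SWIG needs to accept a writable Python buffer."""
    m = DECL_RE.match(line)
    args = [a.strip() for a in m.group(2).split(",")]
    args[index] = "char *buf"
    start, end = m.span(2)
    decl = line[:start] + ", ".join(args) + line[end:]
    # The trailing bodiless %typemap deletes the mapping so it does not leak
    # onto unrelated char *buf parameters declared further down.
    return ["%pybuffer_mutable_string(char *buf)", decl, "%typemap(in) char *buf;"]


def convert_header(text):
    """Return plugin-swig.h content derived from plugin.h text."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        parts = stripped.split()
        if len(parts) > 1 and parts[0] == "#define" and parts[1].split("(")[0] in MACROS:
            line = CDECL_RE.sub("", line)
            if parts[1].startswith("oddata"):
                line = re.sub(r"\s*\b(?:const|_import)\b", "", line)
            out.append(line)
            continue
        if stripped.startswith("typedef") and "EMUFUNC" in stripped:
            out.append(CDECL_RE.sub("", line))
            continue
        m = DECL_RE.match(line)
        if m and m.group(1) in MISSING_EXPORTS:
            out.append("// " + stripped + "  // not in OllyDbg2's export table")
            continue
        if m and m.group(1) in BUFFER_ARGS:
            out.extend(_with_buffer_typemap(line, BUFFER_ARGS[m.group(1)]))
            continue
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample (shape only; signatures are made up for the example).
SAMPLE_PLUGIN_H = """\
#define stdapi(type) type __cdecl
#define oddata(type) extern const type __cdecl _import
typedef int __cdecl EMUFUNC(ulong cmd,t_reg *reg);
stdapi (ulong) Readmemory(void *buf,ulong addr,ulong size,int mode);
stdapi (int) Assembleallforms(wchar_t *src,ulong ip,int mode,wchar_t *errtext);
stdapi (int) StrcmpW(wchar_t *s1,wchar_t *s2);
oddata (t_memory) memory;
"""

if __name__ == "__main__":
    print(convert_header(SAMPLE_PLUGIN_H), end="")
```

On the sample input the converter emits the typemap pair around Readmemory and Assembleallforms (with the first and last argument respectively renamed to char *buf), comments out StrcmpW, and leaves the oddata data declaration untouched apart from the macro fix. Declarations that span several lines in the real header will not match DECL_RE and are passed through unchanged, so check the diff for those by hand.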

Installation

  1. git clone https://github.com/0vercl0k/ollydbg2-python.git

  2. Move all your OllyDbg2 binaries into the ollydbg2-python directory. It should look like this:

    D:\tmp\ollydbg2-python>ls -la .
    total 3572
    drw-rw-rw-   8 0vercl0k 0    4096 2013-09-22 16:17 .
    drw-rw-rw-   5 0vercl0k 0    4096 2013-09-22 16:13 ..
    drw-rw-rw-   7 0vercl0k 0    4096 2013-09-22 16:13 .git
    -rw-rw-rw-   1 0vercl0k 0 1061944 2008-03-21 01:44 dbghelp.dll
    drw-rw-rw-   2 0vercl0k 0       0 2013-09-22 16:13 ollyapi
    -rwxrwxrwx   1 0vercl0k 0 2547200 2012-11-18 21:46 ollydbg.exe
    -rw-rw-rw-   1 0vercl0k 0   13705 2013-09-22 16:18 ollydbg.ini
    drw-rw-rw-   7 0vercl0k 0    4096 2013-09-22 16:13 ollydbg2-plugin-development-files
    drw-rw-rw-   2 0vercl0k 0       0 2013-09-22 16:17 plugins
    -rw-rw-rw-   1 0vercl0k 0    2713 2013-09-22 16:13 README.md
    drw-rw-rw-  11 0vercl0k 0    4096 2013-09-22 16:13 samples
    drw-rw-rw-   2 0vercl0k 0    4096 2013-09-22 16:17 udds
    
  3. Build the python-loader project in Release mode and check you have a python-loader.dll file in plugins/:

    D:\tmp\ollydbg2-python>ls -la plugins
    total 24
    drw-rw-rw-  2 0vercl0k 0     0 2013-09-22 16:22 .
    drw-rw-rw-  8 0vercl0k 0  4096 2013-09-22 16:17 ..
    -rw-rw-rw-  1 0vercl0k 0 18432 2013-09-22 16:22 python-loader.dll
    
  4. Build the python-bindings-swig project in Release mode, and check you have a _python_bindings_swig.pyd file and a python_bindings_swig.py in ollyapi/:

    D:\tmp\ollydbg2-python>ls -la ollyapi
    total 1436
    drw-rw-rw-  2 0vercl0k 0   4096 2013-09-22 16:26 .
    drw-rw-rw-  8 0vercl0k 0   4096 2013-09-22 16:17 ..
    [...]
    -rw-rw-rw-  1 0vercl0k 0 971776 2013-09-22 14:09 _python_bindings_swig.pyd
    -rw-rw-rw-  1 0vercl0k 0 416207 2013-09-22 14:08 python_bindings_swig.py
    
  5. Now launch ollydbg.exe, and check the log window to see if the python-loader plugin has been successfully loaded.

  6. Script and have fun!

Known Issues

If you encounter any issues please let me know by filing an issue here: https://github.com/0vercl0k/ollydbg2-python/issues. Also try to be explicit, and give me enough details to be able to reproduce the issue on my machine: OS version, OllyDbg2 configuration, script, etc.

Contributing

Feel free to contribute to this project: if you're used to playing with Windows' GUI API, please help me make a working bar; if you have ideas for cool samples to showcase the API, send them my way; if you want to implement some high-level API methods, please do! If you also have any comments or remarks, I would love to hear them :).
