0vercl0k/ollydbg2-python 0vercl0k/ollydbg2-python

  • This repository has been archived on 29/Nov/2020
  • Stars
    star
    110
  • Rank 316,770 (Top 7 %)
  • Language
    C++
  • Created over 12 years ago
  • Updated over 10 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
0vercl0k/ollydbg2-python
github

0vercl0k

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Scripting OllyDBG2 using Python is now possible!

Contents

OllyDbg2-Python ===============

Motivations

Nowadays in the reverse-engineering world, almost everything is scriptable using Python: IDA Pro, WinDbg, ImmunitDebugger, etc. The thing is OllyDbg2 wasn't. The only way to interact with OllyDbg2's API was by creating a C/C++ plugin. But we all know everything is easier in Python, that's the reason why I started this project back in 2012 summer.

Under the hoods

To be able to export OllyDbg2's API to Python (currently Py275), we need two important things:

  1. python-loader: this is an OllyDbg2 plugin that imports the Python engine ; with that plugin you can launch some Python into your debugger
  2. python-bindings-swig: this project builds the connectors you need to poke OllyDbg2's API with Python

The python-loader tries also to enhance user experience by adding a command-line edit bar in order to write easily Python one-liner without loading a script. At the moment, that bar isn't working very well (I'm not a GUI expert at all.), but I will give it a try to build better one.

The python-bindings-swig project is a bit more touchy, it is using SWIG in order to generate the bindings automatically and it seems to work pretty great so far. But SWIG can be sometimes a bit weird to play with, so if I made some mistakes don't hesitate to pull-requests corrections!

Features

I've tried to expose the main features we would like to have when it comes to script a debugger:

  • CPU state inspection: get/set x86 registers, get information about segment selectors
  • memory: read, write in the debuggee memory ; also obtain information about specific memory regions
  • assembler/disassembler: interact with the internal x86 assembler/disassembler
  • breakpoints: easily set/remove software/hardware normal/conditionnal breakpoints wherever you want
  • symbols: try to use Microsoft/OllyDbg2 API to obtain symbols information (like a function name by its address)
  • enhance the disassembly: you can add comments and/or labels easily
  • looking for something in memory: there are also a couple of methods to look for some hexadecimal bytes or instructions in memory, really handy
  • instrument the debugger: ask the debugger to StepInto/StepOver/ExecuteUntilRet in the debuggee
  • etc.

If you want to see real examples, check out the samples/ directory! If you have idea of cool examples to show case the API feel free to contact me.

Building python-loader

You will need Python development files, I'm currently using Python 275.

Building the Python bindings via SWIG

To build the API bindings you will need SWIG and Python 275.

  1. Fetch the last Ollydbg2's development files. Move the plugin.h in the ollydbg2-plugin-development-files/inc/ directory, and the ollydbg.lib in ollydbg2-plugin-development-files/lib/.
  2. Then copy the plugin.h to plugin-swig.h. Here are the things you have to change in the plugin-swig.h file:
  • Some API are declared in the plugin.h file, but in fact they aren't in Ollydbg2's export address table ; so comment them. Here is the list: SetcaseA, SetcaseW, StrcopycaseA, StrcopycaseW, Strnst, StrnstrW, StrcmpW, Div64by32, CRCcalc, Getcpuidfeatures, Maskfpu, Clearfpu.
  • Remove the __cdecl from the stdapi, varapi, oddata, pentry. There is also another one in EMUFUNC's typedef.
  • Remove the const from the oddata declaration (like that you will be able to interact with internal variables) both in plugin.h & plugin-swig.h.
  • Remove the _import keyword from oddata's definition.
  • Rename the Readmemory's first argument into char *buff, add before %pybuffer_mutable_string(char *buf), add after %typemap(in) char *buf;. Do the same thing with the following API:
  • Disasm and its first argument
  • Assembleallforms and its last argument
  • Getanalysercomment and its third argument
  • Getproccomment and its third argument
  • Decodeaddress and its fourth argument
  • Decoderelativeoffset and its third argument
  • Anonymous nested structures aren't supported, so you have to give a name to the unions in the following structure: t_result.
  1. Open the python-bindings-swig project and build the Python bindings.
  2. You're ready to go!
Installation ============

  1. git clone https://github.com/0vercl0k/ollydbg2-python.git

  2. Move all your OllyDbg2 binaries in the ollydbg2-python directory. It should looks like this:

    D:\tmp\ollydbg2-python>ls -la .
total 3572
drw-rw-rw-   8 0vercl0k 0    4096 2013-09-22 16:17 .
drw-rw-rw-   5 0vercl0k 0    4096 2013-09-22 16:13 ..
drw-rw-rw-   7 0vercl0k 0    4096 2013-09-22 16:13 .git
-rw-rw-rw-   1 0vercl0k 0 1061944 2008-03-21 01:44 dbghelp.dll
drw-rw-rw-   2 0vercl0k 0       0 2013-09-22 16:13 ollyapi
-rwxrwxrwx   1 0vercl0k 0 2547200 2012-11-18 21:46 ollydbg.exe
-rw-rw-rw-   1 0vercl0k 0   13705 2013-09-22 16:18 ollydbg.ini
drw-rw-rw-   7 0vercl0k 0    4096 2013-09-22 16:13 ollydbg2-plugin-development-files
drw-rw-rw-   2 0vercl0k 0       0 2013-09-22 16:17 plugins
-rw-rw-rw-   1 0vercl0k 0    2713 2013-09-22 16:13 README.md
drw-rw-rw-  11 0vercl0k 0    4096 2013-09-22 16:13 samples
drw-rw-rw-   2 0vercl0k 0    4096 2013-09-22 16:17 udds

  3. Build the python-loader project in Release mode and check you have a python-loader.dll file in plugins/:

    D:\tmp\ollydbg2-python>ls -la plugins
total 24
drw-rw-rw-  2 0vercl0k 0     0 2013-09-22 16:22 .
drw-rw-rw-  8 0vercl0k 0  4096 2013-09-22 16:17 ..
-rw-rw-rw-  1 0vercl0k 0 18432 2013-09-22 16:22 python-loader.dll

  4. Build the python-buildings-swig project in Release mode, check you have a _python_bindings_swig.pyd file and a python_bindings_swig.py in ollyapi/:

    D:\tmp\ollydbg2-python>ls -la ollyapi
total 1436
drw-rw-rw-  2 0vercl0k 0   4096 2013-09-22 16:26 .
drw-rw-rw-  8 0vercl0k 0   4096 2013-09-22 16:17 ..
[...]
-rw-rw-rw-  1 0vercl0k 0 971776 2013-09-22 14:09 _python_bindings_swig.pyd
-rw-rw-rw-  1 0vercl0k 0 416207 2013-09-22 14:08 python_bindings_swig.py

  5. Now launch ollydbg.exe, and check the log window to see if the python-loader plugin has been successfully loaded.

  6. Script and have fun!

 Known Issues ============

If you encounter any issues please let me know by filling an issue here: https://github.com/0vercl0k/ollydbg2-python/issues. Also try to be explicit, and give me enough details to be able to repro the issue on my machine: OS version, OllyDbg2 configuration, script, etc.

Contributing ============

Feel free to contribute to this project: if you're used to play with Windows' GUI API please help me to make a working bar, if you have idea about cool samples to show case the API send me your ideas, if you want to implement some high level API methods please do! If you have also any comments, remarks I would love to hear them :).

More Repositories

1

rp

rp++ is a fast C++ ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM/ARM64 binaries.
C++
1,804
star
2

wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).
C++
1,472
star
3

CVE-2021-31166

Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.
Python
824
star
4

CVE-2019-11708

Full exploit chain (CVE-2019-11708 & CVE-2019-9810) against Firefox on Windows 64-bit.
JavaScript
617
star
5

stuffz

Basically a script thrift shop
C
589
star
6

windbg-scripts

A bunch of JavaScript extensions for WinDbg.
JavaScript
315
star
7

CVE-2022-21971

PoC for CVE-2022-21971 "Windows Runtime Remote Code Execution Vulnerability"
Rich Text Format
306
star
8

clairvoyance

Visualize the virtual address space of a Windows process on a Hilbert curve.
C++
294
star
9

z3-playground

A repository to store Z3-python scripts you can use as examples, reminders, whatever.
Python
273
star
10

CVE-2021-24086

Proof of concept for CVE-2021-24086, a NULL dereference in tcpip.sys triggered remotely.
Python
232
star
11

CVE-2019-9810

Exploit for CVE-2019-9810 Firefox on Windows 64-bit.
JavaScript
228
star
12

CVE-2021-28476

PoC for CVE-2021-28476 a guest-to-host "Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys.
C
217
star
13

udmp-parser

A Cross-Platform C++ parser library for Windows user minidumps with Python 3 bindings.
C++
193
star
14

kdmp-parser

A Windows kernel dump C++ parser library with Python 3 bindings.
C++
193
star
15

blazefox

Blazefox exploits for Windows 10 RS5 64-bit.
C++
148
star
16

symbolizer

A fast execution trace symbolizer for Windows.
C++
130
star
17

zenith

Zenith exploits a memory corruption vulnerability in the NetUSB driver to get remote-code execution on the TP-Link Archer C7 V5 router for Pwn2Own Austin 2021.
Python
121
star
18

sic

Enumerate user mode shared memory mappings on Windows.
C
114
star
19

snapshot

WinDbg extension written in Rust to dump the CPU / memory state of a running VM
Rust
110
star
20

rp-bf.rs

rp-bf: A library to bruteforce ROP gadgets by emulating a Windows user-mode crash-dump
Rust
110
star
21

fuzzing-ida75

Repository of the findings found by wtf when fuzzing IDA75.
86
star
22

paracosme

Paracosme is a zero-click remote memory corruption exploit that compromises ICONICS Genesis64 which was demonstrated successfully on stage during the Pwn2Own Miami 2022 competition.
Python
86
star
23

symbolizer-rs

A fast execution trace symbolizer for Windows that runs on all major platforms and doesn't depend on any Microsoft libraries.
Rust
84
star
24

CVE-2022-28281

PoC for CVE-2022-28281 a Mozilla Firefox Out of bounds write.
HTML
74
star
25

lockmem

This utility allows you to lock every available memory regions of an arbitrary process into its working set.
C++
66
star
26

pywinhv

Python bindings for the Microsoft Hypervisor Platform APIs.
Python
66
star
27

CVE-2022-21974

PoC for CVE-2022-21974 "Roaming Security Rights Management Services Remote Code Execution Vulnerability"
Rich Text Format
58
star
28

pwn2own2023-miami

Writeups, PoCs of the bugs I found while preparing for the Pwn2Own Miami 2023 contest targeting UaGateway from the OPC UA Server category.
C++
57
star
29

CVE-2021-32537

PoC for CVE-2021-32537: an out-of-bounds memory access that leads to pool corruption in the Windows kernel.
C++
57
star
30

j0llyDmpr

j0llydmper is a windows service that allows you to dump furtively and automaticaly some contents of USB disks just plugged in your computer. In order to dump potentialy interesting files, you can use a rule on the file name or/and on the file size.
C
40
star
31

udmp-parser-rs

A Rust crate for parsing Windows user minidumps.
Rust
40
star
32

inject

Yet another Windows DLL injector.
C++
38
star
33

kdmp-parser-rs

A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.
Rust
32
star
34

KEPaboo

Neutralize KEPServerEX anti-debugging techniques
C++
31
star
35

longue-vue

Longue vue is an exploit chain that can compromise over the internet NETGEAR DGND3700v2 devices.
JavaScript
25
star
36

TV-Show-Downloader

Maybe you're a guy a bit like me -- who watch a lot of series -- so I guess you already know that downloading the latest episodes of all your favorites TV Shows is absolutely PAINFUL. I mean it, really. Thus, TVShow Downloader is a set of basic scripts (crontab + python script + bash script) designed to simplify my whole existence on this earth: I haven't to think about downloading my serie anymore \o/.
Python
21
star
37

teesee-calc

Visualize and compare total compensation (TC) packages over time.
HTML
11
star
38

dbgeng-rs

Rust binding for the dbgeng COM interfaces.
Rust
11
star
39

articles

Mirror of the different PDF articles I wrote
10
star
40

0vercl0k

5
star
41

gflags-rs

Utility that lets you interact with Microsoft Windows Global Flags and particularly PageHeap, made to learn Rust
Rust
4
star
42

addr-symbolizer-rs

A KISS Rust crate to symbolize function addresses using Windows PDB files
Rust
4
star
43

rp2s

3
star
44

result

Simple, tiny and readable implementation of a Rust like std::result type for C++.
1
star