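<!doctype html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="zh-CN">
<head>
<meta charset="utf-8">
<meta name="generator" content="pdf2htmlEX">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<!-- Title taken from the cover text on page 1 so the tab/bookmark is not blank. -->
<title>OllyDbg 插件开发入门 0.11 版</title>
<!-- Every stylesheet and script below is fetched from a third-party origin (static.pudn.com)
     without Subresource Integrity, so whatever that host serves runs with the full privileges
     of this page. When the published digests are known, pin each asset with
     integrity="sha384-<DIGEST-OF-ASSET>" crossorigin="anonymous". -->
<link rel="stylesheet" href="https://static.pudn.com/base/css/base.min.css">
<link rel="stylesheet" href="https://static.pudn.com/base/css/fancy.min.css">
<link rel="stylesheet" href="https://static.pudn.com/prod/directory_preview_static/625ddbe2131e9f3c1e0396b4/raw.css">
<script src="https://static.pudn.com/base/js/compatibility.min.js"></script>
<script src="https://static.pudn.com/base/js/pdf2htmlEX.min.js"></script>
<!-- Inline script: a Content-Security-Policy without 'unsafe-inline' needs a nonce or hash
     for this block, or the statement moved into an external file. -->
<script>
// Best-effort viewer setup. pdf2htmlEX is the global provided by pdf2htmlEX.min.js above;
// the empty catch is deliberate: if that script did not load, the page still renders as
// static markup, only the Viewer instance is missing.
try {
  pdf2htmlEX.defaultViewer = new pdf2htmlEX.Viewer({});
} catch (e) {
  // intentionally ignored (see above)
}
</script>
</head>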
<body>
<div id="sidebar" style="display: none">
<div id="outline">
</div>
</div>
<div id="pf1" class="pf w0 h0" data-page-no="1"><div class="pc pc1 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://static.pudn.com/prod/directory_preview_static/625ddbe2131e9f3c1e0396b4/bg1.jpg"><div class="t m0 x1 h2 y1 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y2 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y3 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y4 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y5 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y6 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y7 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y8 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y9 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 ya ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 yb ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x2 h3 yc ff2 fs1 fc0 sc0 ls1 ws0">OllyDbg<span class="_ _0"> </span><span class="ff3 ls2">插件开发入门</span><span class="ls0"> </span></div><div class="t m0 x3 h4 yd ff2 fs2 fc0 sc0 ls3 ws0">0.11<span class="_ _1"> </span><span class="ff3 ls0">版<span class="ff2"> </span></span></div><div class="t m0 x4 h5 ye ff2 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x5 h6 yf ff3 fs3 fc0 sc0 ls4 ws0">肖梓航(<span class="ff2 ls5">Claud</span><span class="ls0">)<span class="ff2"> </span></span></div><div class="t m0 x4 h5 y10 ff2 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x6 h4 y11 ff2 fs2 fc0 sc0 ls6 ws0">2010<span class="_ _1"> </span><span class="ff3 ls0">年<span class="_ _1"> </span><span class="ff2">2<span class="_ _1"> </span></span>月<span class="ff2"> </span></span></div><div class="t m0 x1 h2 y12 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y13 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y14 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y15 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y16 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y17 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 
h2 y18 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y19 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y1a ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y1b ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y1c ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y1d ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y1e ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y1f ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y20 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y21 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h7 y22 ff4 fs0 fc0 sc0 ls7 ws0">E-mail<span class="ff3 ls0">:<span class="ff2 fc1 ls8">iClaudXiao@gmail.com</span><span class="ff2"> </span></span></div><div class="t m0 x1 h7 y23 ff4 fs0 fc0 sc0 ls9 ws0">Website/Blog<span class="ff3 ls0">:<span class="ff2 fc1">http://www<span class="_ _2"></span>.iclaud.net<span class="fc0"> </span></span></span></div><div class="t m0 x1 h7 y24 ff3 fs0 fc0 sc0 ls0 ws0">依据<span class="ff2"> <span class="_ _3"> </span></span><span class="fc1">署名<span class="ff2">—</span>非商业性使用<span class="ff2">—</span>相同方式共享协议<span class="ff2 lsa">3.0</span></span><span class="ff2"> <span class="_ _3"> </span></span>发布<span class="ff2"> </span></div><div class="t m0 x1 h7 y25 ff3 fs0 fc0 sc0 ls0 ws0">文档编号:<span class="ff2 lsb">2010-004 </span></div><div class="t m0 x1 h7 y26 ff3 fs0 fc0 sc0 ls0 ws0">最后更新:<span class="ff2 lsc">2010<span class="_ _4"> </span></span>年<span class="_ _4"> </span><span class="ff2">2<span class="_ _4"> </span></span>月<span class="_ _4"> </span><span class="ff2 lsc">19<span class="_ _4"> </span></span>日<span class="ff2"> </span></div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>
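<!-- NOTE(review): the extraction emitted </body></html> at this point, before the page
     containers pf2–pf5 that follow, which left those pages outside the document body.
     The closing tags are omitted here on purpose: they are optional in HTML and the parser
     closes body and html at end of input, so every page container stays inside <body>. -->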
<div id="pf2" class="pf w0 h0" data-page-no="2"><div class="pc pc2 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://static.pudn.com/prod/directory_preview_static/625ddbe2131e9f3c1e0396b4/bg2.jpg"><div class="t m0 x1 h8 y27 ff1 fs4 fc0 sc0 ls0 ws0"> </div><div class="t m0 x7 h9 y28 ff5 fs0 fc0 sc0 lsd ws0">1 </div><div class="t m0 x1 h2 y29 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y2a ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y2b ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x8 h6 y2c ff3 fs3 fc0 sc1 lse ws0">目 <span class="_"> </span> <span class="_"> </span>录<span class="ff5 sc0 ls0"> </span></div><div class="t m0 x1 h2 y2d ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y2e ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h7 y2f ff3 fs0 fc0 sc0 ls0 ws0">前言<span class="_ _4"> </span><span class="ff1 lsf">...............................................................................................................................<span class="ls10">...................<span class="_ _5"></span>2 </span></span></div><div class="t m0 x1 h7 y30 ff3 fs0 fc0 sc0 ls0 ws0">一、前期准备<span class="ff1 lsf">...............................................................................................................................<span class="ls11">....<span class="_ _5"></span>3 </span></span></div><div class="t m0 x9 h7 y31 ff3 fs0 fc0 sc0 lsd ws0">1、<span class="ff1 ls12">OllyDbg<span class="_"> </span></span><span class="ls0">插件工作原理<span class="_ _5"></span><span class="ff1 lsf">......................................................................................................<span class="_ _5"></span>3 </span></span></div><div class="t m0 xa h7 y32 ff3 fs0 fc0 sc0 ls0 ws0">(<span class="ff1">1</span>)从<span class="_ _4"> </span><span class="ff1 ls12">OllyDbg<span class="_"> </span></span>的角度<span class="_ _5"></span><span class="ff1 
lsf">.................................................................................................<span class="_ _5"></span>3 </span></div><div class="t m0 xa h7 y33 ff3 fs0 fc0 sc0 ls0 ws0">(<span class="ff1">2</span>)从插件的角度<span class="_ _5"></span><span class="ff1 lsf">.........................................................................................................<span class="_ _5"></span>3 </span></div><div class="t m0 x9 h7 y34 ff3 fs0 fc0 sc0 ls13 ws0">2、学习建议<span class="ff1 lsf">.............................................................................................................................<span class="_ _6"></span>4 </span></div><div class="t m0 x9 h7 y35 ff3 fs0 fc0 sc0 ls14 ws0">3、开发资源与环境<span class="_ _5"></span><span class="ff1 lsf">.................................................................................................................<span class="_ _5"></span>4 </span></div><div class="t m0 x9 h7 y36 ff3 fs0 fc0 sc0 ls13 ws0">4、必要的设置<span class="ff1 lsf">.........................................................................................................................<span class="_ _6"></span>5 </span></div><div class="t m0 xa h7 y37 ff3 fs0 fc0 sc0 ls0 ws0">(<span class="ff1">1</span>)<span class="ff1 ls15 ws1">Vi<span class="_ _6"></span>s<span class="_ _5"></span>u<span class="_ _6"></span>a<span class="_ _6"></span>l<span class="_ _6"></span> C<span class="_ _6"></span>+<span class="_ _6"></span>+<span class="_ _6"></span></span>中的设置<span class="_ _7"> </span><span class="ff1 lsf">..............................................................................................<span class="_ _5"></span>5 </span></div><div class="t m0 xa h7 y38 ff3 fs0 fc0 sc0 ls0 ws0">(<span class="ff1">2</span>)<span class="ff1 ls16">C++</span>程序中的设置<span class="ff1 lsf">..................................................................................................<span class="_ _5"></span>5 </span></div><div class="t m0 x1 
h7 y39 ff3 fs0 fc0 sc0 ls0 ws0">二、常用函数<span class="ff1 lsf">...............................................................................................................................<span class="ls11">....<span class="_ _5"></span>6 </span></span></div><div class="t m0 x9 h7 y3a ff3 fs0 fc0 sc0 ls13 ws0">1、回调函数<span class="ff1 lsf">.............................................................................................................................<span class="_ _6"></span>6 </span></div><div class="t m0 xa h7 y3b ff3 fs0 fc0 sc0 ls0 ws0">(<span class="ff1">1</span>)必须的回调函数<span class="_ _5"></span><span class="ff1 lsf">.....................................................................................................<span class="_ _5"></span>6 </span></div><div class="t m0 xa h7 y3c ff3 fs0 fc0 sc0 ls0 ws0">(<span class="ff1">2</span>)可选的回调函数<span class="_ _5"></span><span class="ff1 lsf">.....................................................................................................<span class="_ _5"></span>8 </span></div><div class="t m0 x9 h7 y3d ff3 fs0 fc0 sc0 ls13 ws0">2、插件函数<span class="ff1 lsf">...........................................................................................................................<span class="_ _6"></span>12 </span></div><div class="t m0 xa h7 y3e ff3 fs0 fc0 sc0 ls0 ws0">(<span class="ff1">1</span>)注册窗口类<span class="_ _5"></span><span class="ff1 lsf">...........................................................................................................<span class="_ _5"></span>12 </span></div><div class="t m0 xa h7 y3f ff3 fs0 fc0 sc0 ls0 ws0">(<span class="ff1">2</span>)<span class="ff1 ls12">.ini<span class="_"> </span></span>文件交互<span class="_ _7"> </span><span class="ff1 lsf">........................................................................................................<span class="_ _5"></span>13 </span></div><div class="t m0 xa h7 y40 ff3 fs0 fc0 sc0 ls0 ws0">(<span 
class="ff1">3</span>)查询系统信息<span class="_ _5"></span><span class="ff1 lsf">.......................................................................................................<span class="_ _5"></span>13 </span></div><div class="t m0 xa h7 y41 ff3 fs0 fc0 sc0 ls0 ws0">(<span class="ff1">4</span>)<span class="ff1 ls17">.udd<span class="_"> </span></span>文件交互<span class="_ _5"></span><span class="ff1 lsf">.......................................................................................................<span class="_ _5"></span>14 </span></div><div class="t m0 x9 h7 y42 ff1 fs0 fc0 sc0 ls0 ws0">3<span class="ff3">、其他函数</span><span class="lsf">...........................................................................................................................<span class="_ _6"></span>14 </span></div><div class="t m0 x1 h7 y43 ff3 fs0 fc0 sc0 ls0 ws0">三、实例分析<span class="ff1 lsf">...............................................................................................................................<span class="ls18">..<span class="_ _5"></span>15 </span></span></div><div class="t m0 x9 h7 y44 ff1 fs0 fc0 sc0 ls0 ws0">1<span class="ff3">、</span><span class="ls19">Hello,world<span class="_ _7"> </span>....................................................................................................................<span class="ls1a">...<span class="_ _5"></span>15 </span></span></div><div class="t m0 x9 h7 y45 ff1 fs0 fc0 sc0 ls0 ws0">2<span class="ff3">、</span><span class="lsf">Command<span class="_ _6"></span>........................................................................................................................<span class="_ _5"></span><span class="ls18">..<span class="_ _5"></span>18 </span></span></div><div class="t m0 x9 h7 y46 ff1 fs0 fc0 sc0 ls0 ws0">3<span class="ff3">、</span><span class="lsf">Bookmark<span class="_ 
_5"></span>.......................................................................................................................<span class="ls1a">...<span class="_ _5"></span>28 </span></span></div><div class="t m0 x1 h7 y47 ff3 fs0 fc0 sc0 ls0 ws0">参考文献<span class="ff1 lsf">...............................................................................................................................<span class="ls16">..........<span class="_ _5"></span>43 </span></span></div><div class="t m0 x1 h2 y48 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y49 ff1 fs0 fc0 sc0 ls0 ws0"> </div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>
<div id="pf3" class="pf w0 h0" data-page-no="3"><div class="pc pc3 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://static.pudn.com/prod/directory_preview_static/625ddbe2131e9f3c1e0396b4/bg3.jpg"><div class="t m0 x1 h8 y27 ff1 fs4 fc0 sc0 ls0 ws0"> </div><div class="t m0 x7 h9 y28 ff5 fs0 fc0 sc0 lsd ws0">2 </div><div class="t m0 x1 h2 y29 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y2a ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h2 y2b ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h6 y4a ff3 fs3 fc0 sc1 lse ws0">前言<span class="ff5 sc0 ls0"> </span></div><div class="t m0 xb h7 y4b ff3 fs0 fc0 sc0 ls0 ws0">我是一个菜鸟,这是毫无疑问的。<span class="ff1"> </span></div><div class="t m0 xb h7 y4c ff3 fs0 fc0 sc0 ls0 ws0">开发<span class="_ _4"> </span><span class="ff1 ls12">OllyDbg<span class="_"> </span></span>插件,<span class="_ _8"></span>大抵不是一件难事。<span class="_ _8"></span>因为网络上没有多少资料——只有<span class="_ _7"> </span><span class="ff1 ls1b">API<span class="_"> </span></span>手册和</div><div class="t m0 x1 h7 y4d ff3 fs0 fc0 sc0 ls0 ws0">两三篇文章而已,但依然有人开发了大量的插件。<span class="ff1"> </span></div><div class="t m0 xb h7 y4e ff3 fs0 fc0 sc0 ls0 ws0">而我却花了不少时间才初窥门径。<span class="ff1"> </span></div><div class="t m0 xb h7 y4f ff3 fs0 fc0 sc0 ls0 ws0">也正因为水平太低,<span class="_ _9"></span>我不得不努力地去理解插件是怎么工作的、<span class="_ _9"></span>去阅读每一个函数、<span class="_ _9"></span>去</div><div class="t m0 x1 h7 y50 ff3 fs0 fc0 sc0 ls0 ws0">分析每一行示例代码、去花费<span class="_ _4"> </span><span class="ff1">N<span class="_"> </span></span>天写一个<span class="_ _4"> </span><span class="ff1 lsf">hello,world</span>。<span class="ff1"> </span></div><div class="t m0 xb h7 y51 ff3 fs0 fc0 sc0 ls0 ws0">为了防止又把它们给忘了,还得记录下来,以便需要的时候查阅。<span class="ff1"> </span></div><div class="t m0 xb h7 y52 ff3 fs0 fc0 sc0 ls0 ws0">再后来,<span class="_ _9"></span>我想,<span class="_ _9"></span>干脆写得更傻瓜一点吧,让其他人不费脑子不费时间地也能学会。<span class="_ _9"></span>于是</div><div class="t m0 x1 h7 y53 ff3 fs0 fc0 sc0 ls0 ws0">就有了这个文档。<span class="ff1"> 
</span></div><div class="t m0 xb h7 y54 ff3 fs0 fc0 sc0 ls0 ws0">但我的水平实在太低,老实说,除了<span class="_ _4"> </span><span class="ff1 ls1c">hello,world<span class="_"> </span></span>还没写出第二个插件。<span class="ff1"> </span></div><div class="t m0 xb h7 y55 ff3 fs0 fc0 sc0 ls0 ws0">所以这个文档将会随着进一步学习,不定期添加新的内容。<span class="ff1"> </span></div><div class="t m0 xb h7 y56 ff3 fs0 fc0 sc0 ls0 ws0">如果你希望看到后续版本,<span class="_ _9"></span>或者有好的建议,<span class="_ _9"></span>或者发现了错误,<span class="_ _9"></span>或者找不到文章中提到</div><div class="t m0 x1 h7 y57 ff3 fs0 fc0 sc0 ls0 ws0">的资源,或者想骂我太菜,都可以访问下面这个页面:<span class="ff1"> </span></div><div class="t m0 xc h5 y58 ff2 fs0 fc1 sc0 ls7 ws0">http://www<span class="_ _2"></span>.iclaud.net/2010/02/ollydbg_plugin/ </div><div class="t m0 x1 h7 y59 ff3 fs0 fc0 sc0 ls0 ws0">我会尽量保证它的长期可用性。如果它失效了,也可以给我写邮件。<span class="ff2"> </span></div><div class="t m0 xb h5 y5a ff2 fs0 fc0 sc0 ls19 ws2">Just for fun! </div><div class="t m0 xb h5 y5b ff2 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 xb h5 y5c ff2 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 xb h5 y5d ff2 fs0 fc0 sc0 ls1d ws0">Claud </div><div class="t m0 xb h7 y5e ff3 fs0 fc0 sc0 ls0 ws0">(<span class="ff2 ls1e">bughouse</span>、<span class="ff2 ls1f">EricCRC<span class="_ _4"> </span></span>也是俺)<span class="ff2"> </span></div><div class="t m0 xb h5 y5f ff2 fs0 fc0 sc0 ls20 ws0">2010.02 </div><div class="t m0 xb h5 y60 ff2 fs0 fc0 sc0 ls0 ws0"> </div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>
<div id="pf4" class="pf w0 h0" data-page-no="4"><div class="pc pc4 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://static.pudn.com/prod/directory_preview_static/625ddbe2131e9f3c1e0396b4/bg4.jpg"><div class="t m0 x1 h8 y27 ff1 fs4 fc0 sc0 ls0 ws0"> </div><div class="t m0 x7 h9 y28 ff5 fs0 fc0 sc0 lsd ws0">3 </div><div class="t m0 x1 h2 y29 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m1 xd ha y61 ff6 fs5 fc0 sc0 ls0 ws0">好的开始,是成功的一半。 </div><div class="t m0 x1 h2 y62 ff1 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h6 y4a ff3 fs3 fc0 sc1 ls21 ws0">一、 <span class="_ _a"></span>前期准备<span class="ff5 sc0 ls0"> </span></div><div class="t m0 x1 h4 y63 ff3 fs2 fc0 sc1 ls22 ws0">1、<span class="ff5 sc0 ls23">OllyDbg<span class="_"> </span></span><span class="ls24">插件工作原理 </span></div><div class="t m0 xb h7 y64 ff1 fs0 fc0 sc0 ls12 ws0">OllyDbg<span class="_"> </span><span class="ff3 ls0">是一款优秀的用户态调试工具。<span class="_ _b"></span>它不仅拥有强大的反汇编能力和动态分析能力,</span></div><div class="t m0 x1 h7 y65 ff3 fs0 fc0 sc0 ls0 ws0">还具有良好的扩展结构,允许用户自行开发插件完成特定的工作。<span class="ff1"> </span></div><div class="t m0 xb h7 y66 ff3 fs0 fc0 sc0 ls0 ws0">在开发插件之前,需要大致了解插件在<span class="_ _4"> </span><span class="ff1 ls12">OllyDbg<span class="_"> </span></span>中工作的方式。<span class="ff1"> </span></div><div class="t m0 xb h7 y67 ff3 fs0 fc0 sc0 ls0 ws0">插件以单独的动态链接库<span class="_ _9"></span>(<span class="ff1 ls25">DLL</span>)文件的形式提供给<span class="_ _7"> </span><span class="ff1 ls12">OllyDbg<span class="_"> </span></span>使用。<span class="_ _2"></span>在<span class="_ _7"> </span><span class="ff1 ls12">OllyDbg<span class="_"> </span></span>主菜单</div><div class="t m0 x1 h7 y68 ff3 fs0 fc0 sc0 ls0 ws0">中,<span class="_ _c"></span>依次选择:<span class="_ _c"></span>选项→界面→目录,<span class="_ _c"></span>就可以看到插件路径。<span class="_ _c"></span>一般情况下,<span class="_ _c"></span>我们在<span class="_ _4"> </span><span class="ff1 ls26">OllyDbg.exe</span></div><div class="t m0 x1 h7 y69 ff3 fs0 fc0 sc0 ls0 ws0">所在目录下建立名为<span class="_ 
_4"> </span><span class="ff1 lsd">plugin<span class="_"> </span></span>的子目录<span class="_ _2"></span>,并在上述插件路径中填入该子目录的绝对路径。<span class="_ _d"></span>(请</div><div class="t m0 x1 h7 y6a ff3 fs0 fc0 sc0 ls0 ws0">注意,如果这里的值是形如<span class="ff1 lsc">./plugin/</span>的相对路径,插件往往不能正常地工作。<span class="_ _d"></span>)<span class="ff1"> </span></div><div class="t m0 xb h7 y6b ff1 fs0 fc0 sc0 ls12 ws0">OllyDbg<span class="_"> </span><span class="ff3 ls0">与插件是如何交互完成工作的?可以从两个方面来看这个问题。<span class="ff1"> </span></span></div><div class="t m0 x1 h7 y6c ff3 fs0 fc0 sc1 ls0 ws0">(<span class="ff5 sc0">1</span>)从<span class="_ _4"> </span><span class="ff5 sc0 lsc">OllyDbg<span class="_"> </span></span><span class="ls27">的角度</span><span class="ff5 sc0"> </span></div><div class="t m0 xb h7 y6d ff3 fs0 fc0 sc0 ls0 ws0">在<span class="_ _1"> </span><span class="ff1 ls12">OllyDbg<span class="_ _1"> </span></span>的启动过程中,有一步是检查插件路径下是否存在<span class="_ _e"> </span><span class="ff1 ls25">DLL<span class="_ _1"> </span></span>文件。如果存在,</div><div class="t m0 x1 h7 y6e ff3 fs0 fc0 sc0 ls0 ws0">逐一进行如下扫描:<span class="ff1"> </span></div><div class="t m0 xb h7 y6f ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">加载该<span class="_ _4"> </span><span class="ff1 ls25">DLL<span class="_"> </span></span>文件,找到其入口点<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y70 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">通过回调函数,获取插件名称、版本等信息<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y71 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">通过回调函数,对插件进行初始化,包括申请资源、恢复全局参数等<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y72 ff3 fs0 fc0 sc0 ls0 ws0">如果某个<span class="_ _4"> </span><span class="ff1 ls25">DLL<span class="_"> </span></span>文件无法顺利执行这三步,<span class="ff1 ls12">OllyDbg<span class="_"> </span></span>的启动将失败、报错并退出。<span class="ff1"> 
</span></div><div class="t m0 xb h7 y73 ff1 fs0 fc0 sc0 ls12 ws0">OllyDbg<span class="_ _1"> </span><span class="ff3 ls0">启动以后,会一直维护插件的队列,并在以下情况(但不仅限于这些情况)出</span></div><div class="t m0 x1 h7 y74 ff3 fs0 fc0 sc0 ls0 ws0">现时向该队列发送消息,或者直接调用插件中定义的函数:<span class="ff1"> </span></div><div class="t m0 xb h7 y75 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">用户通过插件菜单或快捷键主动执行插件某功能<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y76 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">正在调试的程序状态发生改变,例如载入、运行、暂停、结束、重启等<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y77 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">系统自身的启动、关闭<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y78 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">系统收到无法识别的消息(比如组合键)<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y79 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">系统在配置文件中发现无法识别的数据<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y7a ff3 fs0 fc0 sc0 ls0 ws0">最后,<span class="_ _9"></span>当<span class="_ _4"> </span><span class="ff1 ls17">OllyDbg<span class="_ _4"> </span></span>被关闭时,还会调用插件中的回调函数,<span class="_ _9"></span>释放插件申请到的资源,<span class="_ _9"></span>并</div><div class="t m0 x1 h7 y7b ff3 fs0 fc0 sc0 ls0 ws0">将需要保存的参数、配置和附加信息分别予以保存。<span class="ff1"> </span></div><div class="t m0 x1 h7 y7c ff3 fs0 fc0 sc1 ls0 ws0">(<span class="ff5 sc0">2</span><span class="ls27">)从插件的角度</span><span class="ff5 sc0"> </span></div><div class="t m0 xb h7 y7d ff3 fs0 fc0 sc0 ls0 ws0">插件的工作可以分为以下几类:<span class="ff1"> </span></div><div class="t m0 xb h7 y7e ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">搜集和整理调试过程中的信息供用户参考</span></span></div><div class="t m0 xe h2 y7f ff1 fs0 
fc0 sc0 ls0 ws0"> </div><div class="t m0 xb h7 y80 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">增加一些辅助信息让调试更加方便<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y81 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">直接参与调试<span class="ff1"> </span></span></span></div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>
<div id="pf5" class="pf w0 h0" data-page-no="5"><div class="pc pc5 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://static.pudn.com/prod/directory_preview_static/625ddbe2131e9f3c1e0396b4/bg5.jpg"><div class="t m0 x1 h8 y27 ff1 fs4 fc0 sc0 ls0 ws0"> </div><div class="t m0 x7 h9 y28 ff5 fs0 fc0 sc0 lsd ws0">4 </div><div class="t m0 xb h7 y29 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">通过加载脚本程序,将一部分行为自动化<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y2a ff3 fs0 fc0 sc0 ls0 ws0">因此,<span class="_ _9"></span>插件既需要从<span class="_ _4"> </span><span class="ff1 ls17">OllyDbg<span class="_"> </span></span>中获取各种信息,<span class="_ _9"></span>又需要对<span class="_ _4"> </span><span class="ff1 ls17">OllyDbg<span class="_ _10"> </span></span>进行各种操作。<span class="_ _9"></span>插件</div><div class="t m0 x1 h7 y2b ff3 fs0 fc0 sc0 ls0 ws0">通过调用<span class="_ _4"> </span><span class="ff1 ls1a ws3">OllyDbg Plug<span class="_ _2"></span>in <span class="_ _9"></span>API<span class="_"> </span><span class="ff3 ls0 ws0">来做到这些。<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y82 ff3 fs0 fc0 sc0 ls0 ws0">另外,<span class="_ _9"></span>插件也可以有自己的窗口逻辑和功能函数。<span class="_ _9"></span>事实上,<span class="_ _9"></span>我们可以将它看成这样一个</div><div class="t m0 x1 h7 y83 ff1 fs0 fc0 sc0 lsd ws0">W<span class="_ _9"></span>indows<span class="_"> </span><span class="ff3 ls0">程序,<span class="_ _c"></span>它拥有自己的消息循环和窗口过程,<span class="_ _c"></span>但它的启动是由<span class="_ _7"> </span><span class="ff1 ls12">OllyDbg<span class="_"> </span></span>发起的,<span class="_ _c"></span>具体</span></div><div class="t m0 x1 h7 y84 ff3 fs0 fc0 sc0 ls0 ws0">功能的实现也通过调用<span class="_ _4"> </span><span class="ff1 ls12">OllyDbg<span class="_"> </span></span>提供的函数来实现。<span class="_ _11"></span>通过本文后面的部分,<span class="_ _11"></span>这一认识将会愈</div><div class="t m0 x1 h7 y85 ff3 fs0 fc0 sc0 ls0 ws0">加清晰。<span class="ff1"> </span></div><div class="t m0 x1 h4 y86 
ff3 fs2 fc0 sc1 ls28 ws0">2、学习建议 </div><div class="t m0 xb h7 y87 ff3 fs0 fc0 sc0 ls0 ws0">在学习开发<span class="_ _4"> </span><span class="ff1 ls12">OllyDbg<span class="_"> </span></span>插件的过程中,你也许会用到:<span class="ff1"> </span></div><div class="t m0 xb h7 y88 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">一些<span class="_ _4"> </span><span class="ff1 ls29">Wi<span class="_ _5"></span>n<span class="_ _5"></span>3<span class="_ _5"></span>2<span class="_ _10"> </span></span>窗口程序开发的知识和经验<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y89 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">对<span class="_ _4"> </span><span class="ff1 ls12">OllyDbg<span class="_"> </span></span>功能的基本了解<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y8a ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">简单的汇编语言知识<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y8b ff3 fs0 fc0 sc0 ls0 ws0">现在假定你已经具备了上述能力,下文的叙述将以此为基础。<span class="ff1"> </span></div><div class="t m0 xb h7 y8c ff3 fs0 fc0 sc0 ls0 ws0">如果你已经有了其他软件的插件开发经验,<span class="_ _12"></span>并有一定的英文阅读能力,<span class="_ _12"></span>请扔掉这份文档,</div><div class="t m0 x1 h7 y8d ff3 fs0 fc0 sc0 ls0 ws0">直接阅读<span class="_ _4"> </span><span class="ff1 ls1a ws3">OllyDbg Plug<span class="_ _2"></span>in <span class="_ _9"></span>API<span class="_"> </span><span class="ff3 ls0 ws0">手册和实例源代码。<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y8e ff3 fs0 fc0 sc0 ls0 ws0">反之,<span class="_ _9"></span>建议先阅读本文档,<span class="_ _9"></span>并实际动手操作;然后下载更多的插件源代码,<span class="_ _9"></span>边阅读边查</div><div class="t m0 x1 h7 y8f ff3 fs0 fc0 sc0 ls0 ws0">阅<span class="_ _4"> </span><span class="ff1 ls1b">API<span class="_"> </span></span>手册;最后,动手写自己的插件。<span class="ff1"> </span></div><div class="t m0 x1 h4 y90 ff3 fs2 fc0 sc1 ls2a ws0">3、开发资源与环境 </div><div class="t m0 xb 
h7 y91 ff3 fs0 fc0 sc0 ls0 ws0">为了开发<span class="_ _4"> </span><span class="ff1 ls17">OllyDbg<span class="_"> </span></span>插件,首先需要获取插件开发包。下载地址是:<span class="ff1"> </span></div><div class="t m0 xf hb y92 ff8 fs0 fc1 sc0 ls1d ws0">http://www<span class="_ _9"></span>.ollydbg.de/plug1<span class="_ _13"></span>10.zip</div><div class="t m0 x10 hb y93 ff8 fs0 fc0 sc0 ls0 ws0"> </div><div class="t m0 x1 h7 y94 ff3 fs0 fc0 sc0 ls0 ws0">这一开发包是针对<span class="_ _4"> </span><span class="ff1 ls2b ws4">OllyDbg 1.10<span class="_ _7"> </span></span>版的。虽然目前<span class="_ _4"> </span><span class="ff1 ls12">OllyDbg<span class="_"> </span></span>最新版是<span class="_ _7"> </span><span class="ff1 lsd">2.0</span>,但作者已经表明,</div><div class="t m0 x1 h7 y95 ff1 fs0 fc0 sc0 ls1a ws0">1.10<span class="_"> </span><span class="ff3 ls0">版是支持自主开发插件的最后一个版本。<span class="ff1"> </span></span></div><div class="t m0 xb h7 y96 ff3 fs0 fc0 sc0 ls0 ws0">在这个开发包中,最重要的文件有三个:<span class="ff1"> </span></div><div class="t m0 xb h7 y97 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff1 ls16">Plugins.hlp <span class="_ _14"> </span></span><span class="ff3">开发文档,详细定义了所有提供的<span class="_ _4"> </span><span class="ff1 ls17">API </span></span></span></div><div class="t m0 xb h7 y98 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff1 ls2c ws5">Plugin.h <span class="_ _15"> </span>API<span class="_ _7"> </span></span><span class="ff3">定义的头文件<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y99 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff1 ls11">Ollydbg.lib <span class="_ _16"> </span></span><span class="ff3">导入库文件<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 y9a ff3 fs0 fc0 sc0 ls0 ws0">此外,作者还提供了两个插件的代码作为示范,一个是命令行插件,一个是书签插件。</div><div class="t m0 x1 h7 y9b ff3 fs0 fc0 sc0 ls0 ws0">我们将在第三部分仔细分析它们。<span class="ff1"> </span></div><div class="t m0 xb h7 y9c ff3 fs0 
fc0 sc0 ls0 ws0">接下来考虑开发环境。<span class="ff1"> </span></div><div class="t m0 xb h7 y9d ff1 fs0 fc0 sc0 ls12 ws0">OllyDbg<span class="_"> </span><span class="ff3 ls2d">作者<span class="_ _4"> </span></span><span class="ls2e ws6">Oleh Y<span class="_ _17"></span>uschuk<span class="_ _4"> </span><span class="ff3 ls0 ws0">使用的是<span class="_ _4"> </span></span><span class="ls2f ws7">Borland C++ 5.5<span class="_ _5"></span><span class="ff3 ls0 ws0">。也有<span class="_ _2"></span>人使用<span class="_ _4"> </span><span class="ff1 ls15 ws8">Vi<span class="_ _6"></span>s<span class="_ _5"></span>u<span class="_ _6"></span>a<span class="_ _6"></span>l<span class="_ _6"></span> C<span class="_ _6"></span>+<span class="_ _6"></span>+<span class="_ _6"></span></span>、<span class="ff1 ls17">Delphi</span>、</span></span></span></div><div class="t m0 x1 h7 y9e ff1 fs0 fc0 sc0 ls9 ws0">MASM<span class="_"> </span><span class="ff3 ls0">甚至<span class="_ _4"> </span></span><span class="ls15 ws8">Vi<span class="_ _6"></span>s<span class="_ _5"></span>u<span class="_ _6"></span>a<span class="_ _6"></span>l<span class="_ _6"></span> B<span class="_ _6"></span>a<span class="_ _6"></span>s<span class="_ _6"></span>i<span class="_ _6"></span>c<span class="_ _1"> </span></span><span class="ff3 ls0">进行开发。<span class="ff1"> </span></span></div><div class="t m0 xb h7 y9f ff3 fs0 fc0 sc0 ls0 ws0">这里我们推荐使用<span class="_ _4"> </span><span class="ff1 ls30 ws9">V<span class="_ _13"></span>isual C++ 6.0<span class="_"> </span><span class="ff3 ls0 ws0">进行开发。理由如下:<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 ya0 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff1 lsd wsa">W<span class="_ _9"></span>in32 API<span class="_ _7"> </span><span class="ff3 ls0 ws0">原生地支持<span class="_ _4"> </span><span class="ff1 ls16">C/C++</span>,</span><span class="ls31 wsb">OllyDbg Plugin <span class="_ _9"></span>API<span class="_"> </span><span class="ff3 ls0 
ws0">也是以<span class="_ _4"> </span><span class="ff1 ls16">C++</span>形式提供<span class="ff1"> </span></span></span></span></span></div><div class="t m0 xb h7 ya1 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">网络上几乎所有已有的插件,源代码都是基于<span class="_ _4"> </span><span class="ff1 ls30">C/C++</span>的,便于进一步学习<span class="ff1"> </span></span></span></div><div class="t m0 xb h7 ya2 ff7 fs0 fc0 sc0 ls0 ws0">¾<span class="ff8"> <span class="_ _f"> </span><span class="ff3">相比于<span class="_ _4"> </span><span class="ff1 ls11 wsc">Borland C++</span>,<span class="_ _17"></span><span class="ff1 ls15 ws8">Vi<span class="_ _6"></span>s<span class="_ _6"></span>u<span class="_ _5"></span>a<span class="_ _6"></span>l<span class="_ _6"></span> C<span class="_ _6"></span>+<span class="_ _6"></span>+<span class="_ _6"></span><span class="ff3 ls0 ws0">更容易获取,<span class="_ _17"></span>在使用过程中遇到问题,<span class="_ _13"></span>也更容易通</span></span></span></span></div><div class="t m0 x11 h7 ya3 ff3 fs0 fc0 sc0 ls0 ws0">过搜索和询问获得解决<span class="ff1"> </span></div><div class="t m0 xb h7 ya4 ff3 fs0 fc0 sc0 ls0 ws0">需要注意的是,<span class="_ _d"></span>在<span class="_ _7"> </span><span class="ff1 ls2b">plug1<span class="_ _9"></span>10.zip<span class="_"> </span><span class="ff3 ls0">包中提供的<span class="_ _7"> </span></span>Ollydbg.lib<span class="_ _7"> </span><span class="ff3 ls0">是无法直接用于<span class="_ _7"> </span></span><span class="ls16 wsd">V<span class="_ _13"></span>isual C++ 6.0<span class="_"> </span><span class="ff3 ls2d ws0">的,</span></span></span></div><div class="t m0 x1 h7 ya5 ff3 fs0 fc0 sc0 ls0 ws0">原因是每个引出函数前面都多了一个下划线</div><div class="t m0 x12 hc ya6 ff1 fs6 fc0 sc0 ls32 ws0">[2]</div><div class="t m0 x4 h7 ya7 ff3 fs0 fc0 sc0 ls0 ws0">。可以在这里下载到专为<span class="_ _4"> </span><span class="ff1 ls15 wse">Vi<span class="_ _5"></span>s<span class="_ _6"></span>u<span class="_ _6"></span>a<span class="_ _6"></span>l<span class="_ _6"></span> C<span class="_ 
_6"></span>+<span class="_ _6"></span>+<span class="_ _6"></span> 6<span class="_ _5"></span>.<span class="_ _6"></span>0<span class="_"> </span></span>准备</div><div class="t m0 x1 h7 ya8 ff3 fs0 fc0 sc0 ls0 ws0">的开发包:<span class="ff1"> </span></div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>