只是笔记而已，大神们直接不要看了
需要文件：ollydbgvc7.lib、Plugin.h
编译环境：VC6.0 即可
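#include <windows.h>
#include <string.h>
#include "Plugin.h"
#pragma comment(lib,"ollydbgvc7.lib")

/* Name shown by OllyDbg; it has to fit the 32-byte shortname buffer. */
static char g_szPluginName[] = "Hello,world Panda! ";
static HWND g_hWndMain = NULL;       /* OllyDbg main window, received in ODBG_Plugininit */
static HINSTANCE g_hModule = NULL;   /* this DLL's instance, recorded in DllMain */
static char g_szHelloClass[32];      /* window class name, filled in by Registerpluginclass */

static HWND CreateHelloWindow(void);
LRESULT CALLBACK HelloWndProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam);

/* Copies src into a caller-supplied buffer of cap bytes, truncating if needed
 * and always NUL-terminating (strcpy would overrun a buffer that is too short). */
static void CopyBounded(char *dst, size_t cap, const char *src)
{
    size_t n;
    if (cap == 0) {
        return;
    }
    n = strlen(src);
    if (n > cap - 1) {
        n = cap - 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Only records the module handle; no other work is done at attach time. */
BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD reason, LPVOID lpReserved)
{
    (void)lpReserved;
    if (DLL_PROCESS_ATTACH == reason) {
        g_hModule = hModule;
    }
    return TRUE;
}

/* OllyDbg asks for the plugin's short name through this export.
 * shortname is a 32-byte buffer owned by OllyDbg. */
extc int _export cdecl ODBG_Plugindata(char shortname[32])
{
    CopyBounded(shortname, 32, g_szPluginName);
    return PLUGIN_VERSION;
}

/* Called once when OllyDbg loads the plugin: refuses hosts older than
 * PLUGIN_VERSION, registers the window class and prints a banner in the log.
 * Returns 0 on success, -1 on failure (OllyDbg then unloads the plugin). */
extc int _export cdecl ODBG_Plugininit(int ollydbgversion, HWND hw, ulong *features)
{
    (void)features;
    if (ollydbgversion < PLUGIN_VERSION) {
        return -1;
    }
    g_hWndMain = hw;
    if (Registerpluginclass(g_szHelloClass, NULL, g_hModule, HelloWndProc) < 0) {
        return -1;
    }
    Addtolist(0, 0, "Hello,World! v1.0");
    Addtolist(0, -1, " Copyright (C) 2010 Claud");
    return 0;
}

/* Supplies the entries of the Plugins menu; ids 0 and 1 are dispatched in
 * ODBG_Pluginaction. data is OllyDbg's 4096-byte buffer. */
extc int _export cdecl ODBG_Pluginmenu(int origin, char data[4096], void *item)
{
    (void)item;
    if (PM_MAIN == origin) {
        CopyBounded(data, 4096, "0 Hello | 1 About");
        return 1;
    }
    return 0;
}

/* Handles a click on one of the menu entries published by ODBG_Pluginmenu. */
extc void _export cdecl ODBG_Pluginaction(int origin, int action, void *item)
{
    (void)item;
    if (PM_MAIN != origin) {
        return;
    }
    switch (action) {
    case 0:
        CreateHelloWindow();
        break;
    case 1:
        MessageBox(g_hWndMain, "Writen by Panda", g_szPluginName, MB_OK);
        break;
    default:
        break;
    }
}

/* Undoes the class registration made in ODBG_Plugininit. */
extc void _export cdecl ODBG_Plugindestroy(void)
{
    Unregisterpluginclass(g_szHelloClass);
}

/* Window procedure for the Hello window: paints a button-face background and
 * a fixed greeting on WM_PAINT; every other message goes to DefWindowProc. */
LRESULT CALLBACK HelloWndProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
    static const char szText[] = "Hello,world!";
    RECT rc;
    PAINTSTRUCT ps;
    HBRUSH hbr;
    HDC dc;

    if (msg != WM_PAINT) {
        return DefWindowProc(hWnd, msg, wParam, lParam);
    }
    dc = BeginPaint(hWnd, &ps);
    if (dc) {
        GetClientRect(hWnd, &rc);
        hbr = CreateSolidBrush(GetSysColor(COLOR_BTNFACE));
        if (hbr) {
            FillRect(dc, &rc, hbr);
            DeleteObject(hbr);   /* GDI objects must be released by their creator */
        }
        TextOut(dc, 100, 60, szText, (int)(sizeof szText - 1));
    }
    EndPaint(hWnd, &ps);
    return 0;
}

/* Creates and shows the Hello window. Returns the window handle, or NULL when
 * CreateWindow failed (the original showed/updated a NULL handle in that case). */
static HWND CreateHelloWindow(void)
{
    HWND hw = CreateWindow(g_szHelloClass, "Message",
                           WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU,
                           400, 400, 300, 200,
                           NULL, NULL,
                           (HINSTANCE)Plugingetvalue(VAL_HINST), NULL);
    if (hw) {
        ShowWindow(hw, SW_SHOWNORMAL);
        UpdateWindow(hw);
    }
    return hw;
}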
下面分析一下 OllySSEH OD 插件，原版本为 DLL
这里将其源码改为控制台程序的源码
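#include "stdafx.h"
#include <Windows.h>
#include <Tlhelp32.h>
#include <tchar.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* True when the s1-byte object at p1 lies entirely inside the s2-byte buffer at p2. */
#define IS_CONTAINED(p1,s1,p2,s2) \
    ( ( (LPBYTE)(p1) >= (LPBYTE)(p2) ) && \
      ( ( (LPBYTE)(p1) + (s1) ) <= ( (LPBYTE)(p2) + (s2) ) ) )

/* CheckSafeSEH result codes, unchanged from the OllySSEH plugin. */
#define PluginError -3
#define NOSEH -2
#define ERROR_READING_SEH -1
#define SAFESEH_OFF 0
#define SAFESEH_ON 1

/* Bytes of the image read to locate the PE headers: the DOS header, NT headers
 * and data directories sit inside the first page of a normal PE image. */
#define HEADER_READ_SIZE 4096

/* Cap on SEHandlerCount (constructed value, arbitrary but generous). The count is
 * read out of the inspected process, so it must not drive an unbounded allocation. */
#define MAX_SEH_HANDLERS 0x100000

/* Reads exactly `size` bytes at `addr` in the process behind hProcess into buf.
 * Returns nonzero only when the whole range was read. */
static int ReadRemote(HANDLE hProcess, LPCVOID addr, void *buf, SIZE_T size)
{
    SIZE_T got = 0;
    if (!ReadProcessMemory(hProcess, addr, buf, size, &got)) {
        return 0;
    }
    return got == size;
}

/* Classifies one module of a process by its SafeSEH state.
 *
 * lpmoduleentry32: entry from Module32First/Module32Next; th32ProcessID,
 *                  modBaseAddr and modBaseSize are used.
 *
 * Returns SAFESEH_ON when the load-config directory names a handler table that
 * can be read, SAFESEH_OFF when the image carries no handler table, NOSEH when
 * the image is flagged IMAGE_DLLCHARACTERISTICS_NO_SEH, ERROR_READING_SEH when
 * the headers cannot be read or are malformed, and PluginError when an
 * allocation fails.
 *
 * Only PE32 images are understood: IMAGE_NT_HEADERS32, the 32-bit load-config
 * layout and 32-bit handler table entries are assumed.
 *
 * Every header value taken from the target process is treated as untrusted:
 * e_lfanew is range-checked as an integer before a pointer is built from it,
 * and SEHandlerCount is capped before it sizes an allocation.
 */
int CheckSafeSEH(LPMODULEENTRY32 lpmoduleentry32)
{
    HANDLE hProcess = NULL;
    LPBYTE lpHead = NULL;
    PIMAGE_LOAD_CONFIG_DIRECTORY32 lpLCD = NULL;
    DWORD *lpHTable = NULL;
    PIMAGE_DOS_HEADER lpDOSh = NULL;
    PIMAGE_NT_HEADERS32 lpNTh = NULL;
    PIMAGE_DATA_DIRECTORY lpDD = NULL;
    DWORD cbHead = lpmoduleentry32->modBaseSize;
    DWORD cbLCD = 0;
    DWORD count = 0;
    int retval = SAFESEH_OFF;

    /* Read just the header page. The original sized the read by dwSize, which is
     * the size of the MODULEENTRY32 struct, not of the module. */
    if (cbHead > HEADER_READ_SIZE) {
        cbHead = HEADER_READ_SIZE;
    }
    if (cbHead <= sizeof(IMAGE_DOS_HEADER)) {
        return ERROR_READING_SEH;
    }
    lpHead = (LPBYTE)malloc(cbHead);
    if (!lpHead) {
        return PluginError;
    }

    /* One process handle for all reads, closed at out: (the original opened a
     * fresh handle for every read and never closed any of them). */
    hProcess = OpenProcess(PROCESS_VM_READ, FALSE, lpmoduleentry32->th32ProcessID);
    if (!hProcess || !ReadRemote(hProcess, lpmoduleentry32->modBaseAddr, lpHead, cbHead)) {
        retval = ERROR_READING_SEH;
        goto out;
    }

    /* Validate e_lfanew before using it: a corrupt value would otherwise form a
     * pointer outside lpHead before the containment check ran. */
    lpDOSh = (PIMAGE_DOS_HEADER)lpHead;
    if (lpDOSh->e_magic != IMAGE_DOS_SIGNATURE ||
        lpDOSh->e_lfanew < 0 ||
        (DWORD)lpDOSh->e_lfanew > cbHead ||
        cbHead - (DWORD)lpDOSh->e_lfanew < sizeof(IMAGE_NT_HEADERS32)) {
        retval = ERROR_READING_SEH;
        goto out;
    }
    lpNTh = (PIMAGE_NT_HEADERS32)(lpHead + lpDOSh->e_lfanew);

    /* Only PE32: the optional-header and load-config layouts below are 32-bit. */
    if (lpNTh->Signature != IMAGE_NT_SIGNATURE ||
        lpNTh->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
        retval = ERROR_READING_SEH;
        goto out;
    }

    if (lpNTh->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_SEH) {
        retval = NOSEH;
        goto out;
    }

    /* No load-config directory slot means the linker emitted no handler table. */
    if (lpNTh->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG) {
        goto out;   /* retval is SAFESEH_OFF */
    }
    lpDD = &lpNTh->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG];
    if (!IS_CONTAINED(lpDD, sizeof(IMAGE_DATA_DIRECTORY), lpHead, cbHead)) {
        retval = ERROR_READING_SEH;
        goto out;
    }
    if (lpDD->VirtualAddress == 0) {
        goto out;   /* SAFESEH_OFF */
    }

    /* The directory in the image may be shorter than the full struct: read what
     * the image declares into a zeroed struct and require it to reach SEHandlerCount. */
    lpLCD = (PIMAGE_LOAD_CONFIG_DIRECTORY32)calloc(1, sizeof *lpLCD);
    if (!lpLCD) {
        retval = PluginError;
        goto out;
    }
    cbLCD = lpDD->Size;
    if (cbLCD == 0 || cbLCD > sizeof *lpLCD) {
        cbLCD = sizeof *lpLCD;
    }
    if (!ReadRemote(hProcess, lpmoduleentry32->modBaseAddr + lpDD->VirtualAddress, lpLCD, cbLCD)) {
        retval = ERROR_READING_SEH;
        goto out;
    }
    if (cbLCD < offsetof(IMAGE_LOAD_CONFIG_DIRECTORY32, SEHandlerCount) + sizeof(DWORD)) {
        goto out;   /* too short to carry a handler table: SAFESEH_OFF */
    }
    if (lpLCD->SEHandlerTable == 0) {
        goto out;   /* SAFESEH_OFF */
    }

    count = lpLCD->SEHandlerCount;
    if (count > MAX_SEH_HANDLERS) {
        retval = ERROR_READING_SEH;   /* implausible count: treat the header as malformed */
        goto out;
    }
    if (count > 0) {
        /* Confirm the table is readable where the image says it is. */
        lpHTable = (DWORD *)malloc(count * sizeof(DWORD));
        if (!lpHTable) {
            retval = PluginError;
            goto out;
        }
        if (!ReadRemote(hProcess, (LPCVOID)(ULONG_PTR)lpLCD->SEHandlerTable,
                        lpHTable, count * sizeof(DWORD))) {
            retval = ERROR_READING_SEH;
            goto out;
        }
    }
    retval = SAFESEH_ON;

out:
    free(lpHTable);
    free(lpLCD);
    free(lpHead);
    if (hProcess) {
        CloseHandle(hProcess);
    }
    return retval;
}

/* Usage: <program> [pid]
 * Walks the module list of the target process and prints one line per module
 * with its SafeSEH state. Without an argument the PID defaults to the value
 * hard-coded in the original note. Returns 0 on success, 1 on a usage or
 * snapshot error. */
int _tmain(int argc, _TCHAR* argv[])
{
    DWORD pid = 12172;
    HANDLE snap = INVALID_HANDLE_VALUE;
    MODULEENTRY32 me = { sizeof(MODULEENTRY32) };

    if (argc > 1) {
        _TCHAR *end = NULL;
        unsigned long v = _tcstoul(argv[1], &end, 10);
        if (end == argv[1] || *end != _T('\0') || v == 0) {
            _ftprintf(stderr, _T("usage: %s [pid]\n"), argv[0]);
            return 1;
        }
        pid = (DWORD)v;
    }

    snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (snap == INVALID_HANDLE_VALUE) {
        _ftprintf(stderr, _T("CreateToolhelp32Snapshot failed for pid %lu (error %lu)\n"),
                  pid, GetLastError());
        return 1;
    }
    if (!Module32First(snap, &me)) {
        _ftprintf(stderr, _T("Module32First failed (error %lu)\n"), GetLastError());
        CloseHandle(snap);
        return 1;
    }

    do {
        if (me.modBaseAddr) {
            const _TCHAR *state;
            switch (CheckSafeSEH(&me)) {
            case SAFESEH_ON:        state = _T("SAFESEH_ON");        break;
            case SAFESEH_OFF:       state = _T("SAFESEH_OFF");       break;
            case PluginError:       state = _T("PluginError");       break;
            case NOSEH:             state = _T("NOSEH");             break;
            case ERROR_READING_SEH: state = _T("ERROR_READING_SEH"); break;
            default:                state = _T("UNKNOWN");           break;
            }
            /* _tprintf with %s matches szModule's TCHAR width in both ANSI and
             * Unicode builds; the original printf("%ws") was Unicode-only. */
            _tprintf(_T("%s %s\n"), me.szModule, state);
        }
    } while (Module32Next(snap, &me));

    CloseHandle(snap);
    return 0;
}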
下面分析一下 OllySSEH OD插件