OllyDBG v1.10 plugin – StrongOD v0.18 [2008.09.18]

Posted: September 20, 2008 in RE Tools, StrongOD v0.18 [2008.09.18]

OllyDBG v1.10 plugin – StrongOD v0.18
Temptress Moon Shadow by sea [CUG]
====================================================================
[2008.09.18 v0.18]
1, Fixed a small bug in Ctrl+G when calculating RVA and offset
2, When the program is not in the running state, it is run before Detach
3, Fixed the data-area copy bug in the original OD
4, Fixed the bug where CPU usage became very high after OD was run
5, Some exception handling can now be set to be skipped

[2008.09.02 v0.17]
1, Skips some exceptions that OD handles improperly
2, Correctly handles the int 2d instruction

[2008.08.31 v0.16]
1, Added a driver that protects the process, hides the window, and gets past most anti-debugging
2, The driver supports a custom device name (DeviceName in ollydbg.ini; the device name must not be more than 8 characters)
In the [StrongOD] section of ollydbg.ini you can set your own values:

HideWindow = 1 (hide the window)
HideProcess = 1 (hide the process)
ProtectProcess = 1 (protect the process)
DriverKey = -82693034 (the key for communication with the driver)
DriverName = fengyue0 (the driver name, not more than 8 characters)

3, The parent process of a process created by OD is changed to explorer.exe (code copied from shoooo)

/////////////////////////////////////////////////////////////

This version adds a driver. If you get a blue screen, please set up a minidump and upload it to the forum, thank you.
Use the original OllyDbg as far as possible; other anti-anti-debugging plugins (including phant0m) generally do not need to be used together with this plugin.

Put the plugin in OD's plugin directory, run the original OD, and then close it.
Find the [Plugin StrongOD] section in ollydbg.ini and change the items as needed:
DriverName – the driver file name and the device object name
DriverKey – the key for communication with the driver
HideWindow – whether to hide the window: 1 to hide, 0 to not hide
HideProcess – whether to hide the OD process: 1 to hide, 0 to not hide
ProtectProcess – whether to protect the OD process: 1 to protect, 0 to not protect

The 5 items above have no option in the interface; set them however you prefer. If KernelMode is not selected, the 5 options above have no effect.
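A small checker for the settings described above, as an added example (not code from the plugin or its author): it reads ollydbg.ini text and reports a DriverName over 8 characters, hide/protect flags that are not 0 or 1, and driver options that are set while KernelMode is off. The sample ini is constructed, and storing KernelMode as 0/1 is an assumption.

```python
import configparser

SECTION = "Plugin StrongOD"   # section name as given on this page
DRIVER_OPTIONS = ("DriverName", "DriverKey", "HideWindow",
                  "HideProcess", "ProtectProcess")
FLAGS = ("HideWindow", "HideProcess", "ProtectProcess")

# Constructed sample with three problems (not a real user's ollydbg.ini).
SAMPLE_INI = """\
[Plugin StrongOD]
DriverName=fengyue0123
DriverKey=-82693034
HideWindow=1
HideProcess=yes
ProtectProcess=1
KernelMode=0
"""

def check_strongod_ini(text):
    """Return a list of findings for the [Plugin StrongOD] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str      # keep key case exactly as written in the file
    cp.read_string(text)
    if not cp.has_section(SECTION):
        return ["section [%s] not found; run OD once with the plugin installed"
                % SECTION]
    sec = cp[SECTION]
    findings = []
    name = sec.get("DriverName", "").strip()
    if len(name) > 8:         # the page limits the name to 8 characters
        findings.append("DriverName %r is longer than 8 characters" % name)
    for key in FLAGS:
        if key in sec and sec[key].strip() not in ("0", "1"):
            findings.append("%s should be 0 or 1, got %r" % (key, sec[key]))
    # Assumption: KernelMode is stored as 0/1 like the other flags.
    if sec.get("KernelMode", "0").strip() != "1":
        ignored = [k for k in DRIVER_OPTIONS if k in sec]
        if ignored:
            findings.append("KernelMode is off, so these have no effect: "
                            + ", ".join(ignored))
    return findings

if __name__ == "__main__":
    for finding in check_strongod_ini(SAMPLE_INI):
        print("-", finding)
```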

Compared with the phant0m driver, this driver has the following advantages:

1, Supports multiple OD instances, up to 100, whereas phant0m supports only one
2, When CloseHandle closes an invalid handle, it returns STATUS_INVALID_HANDLE instead of STATUS_SUCCESS
3, On XP, gets past anti-debugging that uses NtQueryInformationProcess(hProcess, ProcessDebugObjectHandle, …) and NtQueryInformationProcess(hProcess, ProcessDebugFlags, …)
4, Blue screen when some ntdll.dll functions in the OD process (such as NtOpenProcess) are inline hooked

Unless otherwise noted, everything below was done with the original OD plus only the StrongOD plugin:

First, in ollydbg.ini under [Plugin StrongOD], set HideWindow and ProtectProcess to 1, set KernelMode to 1, and save:

1, Themida / WinLicense

Set the plugin options to the minimum.

Run the original OD and load the Themida v1.9.9.0 main program. After it stops at the entry point, remove all breakpoints and press Shift+F9 to run.

2, ExeCryptor v2.4.1

Set the plugin options to the minimum.

Run the original OD and set it to stop at the system breakpoint.
Load the ExeCryptor v2.4.1 main program. After it stops at the system breakpoint, press Alt+B and remove the EP breakpoint.
Then press Shift+F9.

3, TTProtect v1.05 DEMO

Set the plugin options to the minimum.

Run the original OD, load the TTProtect v1.05 DEMO main program, and press Shift+F9.

4, VMProtect v1.65.2

vmp v1.65 added a new anti-OD check on XP systems. Set the plugin options to the minimum.

Run the original OD, load the VMProtect v1.65.2 main program, and press Shift+F9.

  1. kienmanowar says:

    New Upgrade : StrongOD 0.20 !!Make your OllyDbg Strong!

    This plug-in provides three kinds of ways to initiate the process:

    1, Normal – And the same manner as the original start, the STARTUPINFO inside unclean data
    2, CreateAsUser – User with a mandate to initiate the process of the user, so that the process running under the purview of the User, unable to establish the process Admin operation.

    Running is such a need in the local security strategy – the user rights assignment inside your users will join the two powers:

    1, the replacement process-level marks (SeAssignPrimaryTokenPrivilege)
    2, the operating system mode operations (SeTcbPrivilege)

    If the home version of the windows, unable to set up, then you can try to use SuperMode and reopen the OD to upgrade the competence and strongly does not recommend the use of this option

    3, CreateAsRestrict – The second option the user with User authority to initiate the process more restricted areas, and increase the third function to a explicit Admin users to initiate proceedings.

    The procedure is initiated Admin user, but power users only some of the default User authority, all authority to delete some risk (including SeDebugPrivilege, SeLoadDriverPrivilege, etc.), this procedure will not run OD cause great harm. In this way the proposed commencement of the proceedings.

    Download here:

  2. kienmanowar says:

    OllyDBG v1.10 plugin – StrongOD.v0.2.1.267.By. Hai Temptress Moon Shadow [CUG] [20090107]
    OllyDBG v1.10 plugin – StrongOD v0.2.1
    by sea Temptress Moon Shadow [CUG]
    ====================================================================
    [2009.01.07 v0.2.1.267]
    1, amended to deal with export and import table table bug
    2, amended to deal with re-positioning table bug
    3, repair Skip Some Exception when elected under paragraph F2 memory breakpoints can not break under normal bug

    [2009.01.06 v0.2.1.262]
    1, an increase Attach window Mouse Wheel support
    2, rewrite od processing module code

    [2008.12.30 v0.2.1.252]
    1, repair drive BUG

    [2008.12.25 v0.2.1.235]
    1, to repair a PAGE_GUARD use of anti
    2, repair Skip Some Exception time can not be elected under paragraph F2 memory breakpoints
    3, due to the specificity of PAGE_GUARD can not be perfect to deal with PAGE_GUARD under od breakpoint BUG, recommended as much as possible not to under paragraph F2 memory breakpoints
    4, to strengthen the process of protection to prevent copying ring3 under the handle to open the process od
    5, drive many small bug fix
    6, an updated version of its

  3. kienmanowar says:

    [2009.01.11 v0.2.2.275]
    1, an increase option to delete the entry points breakpoint
    2, increase options tls interruption in the entrance (if any) must be elected Kill Pe Bug
    3, increase options interruption in ring3 into the first line of code (whether or not achieved, to be determined)
    4, the configuration file to increase OrdFirst, the decision of the Export mfc42 function is priority number or the name of the priority
    5, repair the bug re-positioning table
    6, Attach a window into the mouse wheel WM_VSCROLL news

  4. kienmanowar says:

    OllyDBG v1.10 plugin – StrongOD.v0.2.3.299.By. Sea Temptress Moon Shadow [CUG] [20090203]
    [2009.01.14 v0.2.3.299]
    1, increased number of memory window fast switching shortcut keys alt +1 ~ alt +5
    2, an increase related to the switch stack window ebp register or not associated in any register, shortcut keys alt +1 ~ alt +3
    3, the addition of a shortcut bar at the bottom, with the fast-switching button, Option which can be lifted to create the fast-track column,
    If you create can be used after the Alt + R to show hidden shortcut bar
    4, at the bottom of the shortcut bar is created, fast switching does not affect the function of the above (no button can use shortcut keys to switch)

    [2009.01.14 v0.2.2.292]
    1, to repair some small bug analytic PE
    2, repair, memory breakpoints to determine a small bug

  5. kienmanowar says:

    [2009.02.10 v0.2.3.314]
    1, restoration of the 2003 sp1 blue screen bug (thank cxh852456)
    2, enhanced shortcut compatibility, easy to support a modified version of the OD

    [2009.02.10 v0.2.3.305]
    1, repair, several small BUG
    2, and enhance functionality attach
    3, repair of a BUG

    [2009.02.04 v0.2.3.301]
    1, at the bottom of the shortcut bar to hide automatically records
    2, the bottom window status bar shows the status of Memory
    3, repair, drivers do not load bug

  6. kienmanowar says:

    [2010.01.08 v0.2.9.561]
    1, the command line to increase Attach and Detach two functions, pid is 10 hex
    2, remove alt + 1 ~ 9 are functions of nop
    3, driver hide the window algorithm optimization
    4, increase compatibility, remove the file handle to the function off
    5, repair, several small BUG

    [2009.11.26 v0.2.8.478]
    1, turn off the OD do not need to handle (some dll handles are locked od)
    2, optimize cpu dump window function
    3, mem window data retention (Conservation M2-M5)
    4, increase the dump windows shortcut keys (CTRL + B search dump out the window, you can use shortcuts, quick switch to the cpu dump window)
    5, optimizing start-up speed

    [2009.10.28 v0.2.7.433]
    1, win7, 2003 under repair anti_anti attach function
    2, win7 privileged instructions under the filter
    3, drive traffic encryption
    4, increase the shortcut keys ctrl + d, set to focus on the cmdbar
    5, repair, several small BUG
    6, cmdbar interface little changed
    /////////////////////////////////////////////////////////////

    Download here:


  7. Everything is very open with a very clear clarification of the challenges.
    It was definitely informative. Your site is very useful.
    Thanks for sharing!
