DebugActiveProcessStop Plugin for OllyDbg
==========================
[Stop debug target and let's target running]

Date: 08.12.2004
Author: Teerayoot <Teerayoot@bugsgroup.com>

Download

http://www.intechhosting.com/~access/Teerayoot/Download/DebugActivePro cessStop.zip
("http://www.intechhosting.com/~access/Teerayoot/Download/DebugActiveProcessStop.zip
")

Feature
---------
-Stop Ollydbg debugger and victim still running
usefull when debug critical system process.


Works on
--------
-WindowXp


Installation
------------
-Copy the DebugActiveProcessStop.dll into OllyDbg's plugin directory. Make sure that if you have an entry
named "Plugin Path=" in your ollydbg.ini it points to the directory you just
dropped DebugActiveProcessStop.dll in.


Usage
-----
-when CPU windows open on main thread just click on Stop plugin menu.

Great work Teerayoot! Maybe you can include the source?

Well sorry i understand this is a great job and you have a hard work making programs and plugins but i need say if there are a trouble, sorry.
This plugin only work partially.
If i open a crackme in OLLYDBG and the crackme is paused in the OEP, when i press STOP in the plugin, the crackme try to run and the screen of olly is empty, but the crackme crash in the entry point, and stop in a error, if i have OLLY how JIT opens other OLLY and the crackme is in the EP again sttoped.
For me only plugin works if i make a EB FE infinite loop in the EP, and put RUNNING the crackme looping, next i press STOP in the plugin, and crackme don't report errors, go to pupe, replace EB FE with original bytes and crackme continue running perfect.

Ricardo Narvaja

psyCK0
Great work Teerayoot! Maybe you can include the source?
Well,the source is in Bcb 6.0 and also i using Madkernel
just 2 line of code in Stop command

Anyway ,i already included source can download on first post,may be my plugin can stay on the stubh page


Ricado.
For me when i try to stop on OEP the exception occur because olly set "CC" instruction there and show message box about exception we can click cancel to debug it again.


If want to detach debugged process just Hit F9 and click "Stop" on plugin menu,the target will running well.

well i press F9 and put the program running and nexy press stop in the plugin and the program execute till y press the menu plugin-stop, varios lines, and in this lines maybe the program can detect the debugger and close.
Is not posible the same plugin put the program run and next detach when i press STOP, this was more quickly if i press by hand.

Ricardo Narvaja

Well if I press F9 and put the program running and next I press stop in the plugin, the program execute till I press the menu plugin-stop, various lines, and in this lines maybe the program can detect the debugger and close.
Is not posible the same plugin put the program run and next detach when i press STOP, this was more quickly if i press by hand.

Ricardo Narvaja

Teerayoot can you send me the plugin to put on the Stuph page as I cannot download it from your post (404)

Very sorry Teerayoot, could you check your link ?

I can't load thast file .

Thank.

I already mail to TBD,if he can get it ,i think it will be avail for download in Stuph page.

I can not download it,will you please send me one? jinrs@163.com
Thanks a lot!

My plugin is so lame ,TBD not decide to put on Stuph page maybe because of i using Madkernel .

Just 2 lines of code implement on stop process
Anyway i got real pain when try to get PID from thread id using "ZwQueryInformationThread" ,No succeed(WHO CAN HELP)?.
.
Look USEFULL PLUGIN but Not Powerfull Source included!

Try this locations mate http://www.johnwebsite.com/teerayoot/DebugActiveProcessStop.zip ("http://www.johnwebsite.com/teerayoot/DebugActiveProcessStop.zip")

Hi,

why dont you use the debuggee PID supplied by Ollydbg plugin api?

Plugingetvalue( VAL_PROCESSID) should give you the desired information.

Regards

Ok ,thank q focht.

I re written in pure cpp for small in size & faster download
can be Download at

http://intechhosting.com/~access/forums/?act=Attach&type=post &id=83
("http://intechhosting.com/~access/forums/?act=Attach&type=post&id=83
")



source included.

3ks!I`ll Try