honoka
Posted: Mon Jun 06, 2016 12:40 am    Post subject: [Plugin] WatchExpression CE Plugin
WatchExpression CE Plugin by Honoka
Download: https://github.com/pyj2323/CEWatchExpressionPlugin/releases
This plugin hooks CE's debug event. It captures the registers needed by your custom expression and logs them to a list control. My original focus was hooking a function's return address, but I extended the idea so the plugin can hook any expression. If you're debugging an x86 process and want to hook a function's return address, use the expression [ebp+4].
Beginner's guide
1. Start CE.
2. Go to "Settings" -> "Plugins".
3. Click "Add new" and add the WatchExpression plugin.
4. Enable the plugin by ticking its check box.
5. Open the process you want to debug.
6. Go to "Memory View" and navigate to the address to hook.
7. Right-click and select "Watch expression" (or press the shortcut "CTRL+W").
8. Customise your expression and choose a data type.
9. Press the start button.
10. Enjoy debugging!
Features
- All debugger methods are supported (VEH, Windows, Kernelmode)
- All breakpoint methods are supported (hardware BP, software BP, page-exception BP)
- Multiple watcher windows on a single breakpoint
- CE symbols are allowed (user-defined symbols, DLL names, DLL exported functions, plain addresses, etc.)
Limitations
- The plugin works only on CE 6.5+ (the debug event callback is not implemented in versions below 6.5).
- The plugin is for x64 "systems" only (using it on x86 processes is possible).
- Only "hexadecimal constants" can be used in your expression.
Registers supported in expressions
rax, eax, ax, ah, al
rbx, ebx, bx, bh, bl
rcx, ecx, cx, ch, cl
rdx, edx, dx, dh, dl
rsi, esi, si, sil
rdi, edi, di, dil
rbp, ebp, bp, bpl
rsp, esp, sp, spl
r8, r8d, r8w, r8b
r9, r9d, r9w, r9b
..
..
..
r15, r15d, r15w, r15b
rip, eip
cs, ss, ds, es, fs, gs
eflags
dr0, dr1, dr2, dr3, dr6, dr7
Operators supported in expressions (most of them follow C), listed from highest to lowest priority
Highest priority
qword[Exp], dword[Exp], word[Exp], byte[Exp], [Exp] : Pointer operators
qword(Exp), dword(Exp), word(Exp), byte(Exp), bool(Exp), (Exp) : Casting operators
+, -, ~, ! : Unary operators
*, /, % : Multiplicative operators
+, - : Additive operators
<<, >> : Shift operators
<, <=, >, >= : Comparison operators
==, != : Equality operators
& : Bitwise and
^ : Bitwise xor
| : Bitwise or
&& : Logical and
|| : Logical or
Lowest priority
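As an added illustration (not the plugin's own code) of how an expression such as [ebp+4] is tokenised, parsed with the priority table above and evaluated against captured registers, here is a small Python evaluator run on a constructed x86 stack frame. The sample register and memory values, the 4-byte width of a bare [Exp] and the truncating behaviour of the casting operators are assumptions, not something the plugin documents.

```python
import operator as op, re
# Added example, not the plugin's code: a checker for the expression grammar above. The snapshot,
# the default pointer width and the cast semantics are assumptions. PREC runs lowest priority first.
WIDTH = {"qword": 8, "dword": 4, "word": 2, "byte": 1}
PREC = [("||",), ("&&",), ("|",), ("^",), ("&",), ("==", "!="),
        ("<", "<=", ">", ">="), ("<<", ">>"), ("+", "-"), ("*", "/", "%")]
BINOPS = {"||": lambda a, b: bool(a) or bool(b), "&&": lambda a, b: bool(a) and bool(b),
          "|": op.or_, "^": op.xor, "&": op.and_, "==": op.eq, "!=": op.ne, "<": op.lt,
          "<=": op.le, ">": op.gt, ">=": op.ge, "<<": op.lshift, ">>": op.rshift,
          "+": op.add, "-": op.sub, "*": op.mul, "/": op.floordiv, "%": op.mod}
UNOPS = {"+": op.pos, "-": op.neg, "~": op.invert, "!": lambda v: int(not v)}
TOKEN = re.compile(r"\s*(\w+|<<|>>|<=|>=|==|!=|&&|\|\||.)")  # '.' makes stray characters visible as errors

class Watch:
    def __init__(self, regs, mem, ptr=4): self.regs, self.mem, self.ptr = regs, mem, ptr  # ptr: width of a bare [Exp]
    def read(self, addr, width):                  # little-endian read; an unmapped byte raises KeyError
        return int.from_bytes(bytes(self.mem[addr + i] for i in range(width)), "little")
    def evaluate(self, expr):
        self.toks, self.i = TOKEN.findall(expr), 0
        v = self.binary(0)
        if self.peek() is not None: raise SyntaxError(f"unexpected {self.peek()!r}")
        return v
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, want=None):
        t = self.peek(); self.i += 1
        if want and t != want: raise SyntaxError(f"expected {want!r}, got {t!r}")
        return t
    def binary(self, level):                      # precedence climbing over the PREC table
        if level == len(PREC): return self.unary()
        left = self.binary(level + 1)
        while self.peek() in PREC[level]:
            left = int(BINOPS[self.take()](left, self.binary(level + 1)))
        return left
    def unary(self):
        return UNOPS[self.take()](self.unary()) if self.peek() in UNOPS else self.primary()
    def primary(self):
        t = self.take()
        if t == "bool": self.take("("); v = self.binary(0); self.take(")"); return int(v != 0)
        width = WIDTH.get(t)
        if width: t = self.take()                 # typed form: dword[Exp] or dword(Exp)
        if t == "[":                              # dereference; a bare [Exp] is pointer-sized
            v = self.binary(0); self.take("]"); return self.read(v, width or self.ptr)
        if t == "(":                              # cast truncates to the named width (assumed)
            v = self.binary(0); self.take(")"); return v & ((1 << 8 * width) - 1) if width else v
        if width: raise SyntaxError("expected [ or ( after a type name")
        if t in self.regs: return self.regs[t]
        try: return int(t, 16)                    # constants are hexadecimal only
        except (TypeError, ValueError): raise SyntaxError(f"unknown symbol {t!r}") from None

def constructed_frame():                          # constructed x86 frame: [ebp] = saved ebp, [ebp+4] = return address
    frame = (0x0019FF80).to_bytes(4, "little") + (0x00401234).to_bytes(4, "little")
    return Watch({"ebp": 0x0019FF3C, "esp": 0x0019FF30, "eax": 0x10, "ecx": 0x3}, dict(enumerate(frame, 0x0019FF3C)))
```

With the constructed frame, `constructed_frame().evaluate("[ebp+4]")` yields the return address 0x00401234, and reading through an unmapped register such as esp raises KeyError, which is the point at which the real plugin would be handed a bad pointer.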
Select the data type you want to hook
- Integer
- Opcode (use this when hooking function return addresses or vtable values)
- Float, Double
- String
- Array of bytes
Last edited by honoka on Sun Mar 03, 2019 11:33 am; edited 1 time in total