Optional plugin callback function, receives notifications on relatively infrequent events that may be of interest to plugin.
void ODBG2_Pluginnotify(int code,void *data,ulong parm1,ulong parm2);
Parameters:
code
(in)
Notification code, one of the constants PN_xxx. See
detailed explanation below
data
(in)
Pointer to the internal OllyDbg structure associated with this
notification or
NULL
parm1
(in)
First parameter
parm2
(in) Second
parameter
Return values:
None
ODBG2_Pluginnotify() may receive following notifications:
code | data | parm1 | parm2 | Comments |
PN_NEWPROC | NULL | Process ID | 0 | OllyDbg starts new process. This notification is sent while processing CREATE_PROCESS_DEBUG_EVENT |
PN_ENDPROC | NULL | Process ID | Exit code | Debugged process terminated but is still in the memory. This notification is sent while processing EXIT_PROCESS_DEBUG_EVENT |
PN_NEWTHR | t_thread * | Thread ID | 0 | New thread is created and about to start. This notification is sent while processing CREATE_PROCESS_DEBUG_EVENT (main thread) or CREATE_THREAD_DEBUG_EVENT before thread begins to execute in user mode. Note that thread may be temporary (created by Windows to pause debugged application). Such threads have t_thread.ordinal set to 0 |
PN_ENDTHR | t_thread * | Thread ID | Exit code | Thread terminated, but related data is still in the OllyDbg tables. This notification is never sent for the last thread that remains active when process terminates (PN_ENDPROC) |
PN_PREMOD | t_premod * | 0 | 0 | New module is reported by Windows (CREATE_PROCESS_DEBUG_EVENT, LOAD_DLL_DEBUG_EVENT), reported by .NET debugging API, or hidden module is detected by OllyDbg. Module may still be missing in the memory and OllyDbg may be unable to restore breakpoints or analyse code. Therefore it adds it to the table of preliminary modules (premod) and if necessary, sets single-step trap and postpones module processing till the next debug event. Most probably, notification PN_NEWMOD will follow |
PN_NEWMOD | t_module * | 0 | 0 | Module is already in the memory and OllyDbg has attempted to restore .udd data. (If module is self-extractable, restoration may be postponed till module is extracted). PN_NEWMOD may be missing if DLL fails to initialize |
PN_ENDMOD | t_module * | 0 | 0 | Module is removed from the memory or is about to be removed. Plugin receives this notification when module-related data is saved to the .udd file but is not yet removed from the OllyDbg tables. PN_ENDMOD may be missing if DLL fails to initialize |
PN_STATUS | NULL | Status | 0 | Debuggee's execution status has changed. parm1 contains new status (enumeration of type t_status). This notification comes when debugging engine is in the stable state and plugins are allowed to use all available API functions |
PN_RUN | t_status * | Pass flag | 0 | User requests to continue execution. data points to the requested status (for example, STAT_RUNNING if all threads should run at full speed). Plugin can change this value. parm1 is the same as the parameter pass in the call to Run() |
PN_REMOVE | NULL | Address | Size | OllyDbg removes analysis data from the memory range parm1 .. parm1+parm2 (the last byte is not included). This notification is sent, for example, when user modifies memory contents or starts new analysis, but not when module or memory block is removed from the memory |
See also: