Variables

Variables exported by OllyDbg

OllyDbg exports several variables and structures described below. Plugins are not allowed to modify these variables or structures directly.

Disassembler

Name	Declaration	Description
regname	wchar_t * regname[3][NREG]	Names of general purpose registers. regname[0] contains names of 8-bit registers (AL, CL, DL...), regname[1] - names of 16-bit registers (AX, CX, DX...) and regname[2] - 32-bit (EAX, ECX, EDX...)
segname	wchar_t * segname[NREG]	Names of segment registers (ES, CS, SS...). Note that 80x86 architecture defines only registers 0..5
fpuname	wchar_t * fpuname[2][NREG]	Names of the floating point registers in the FPU stack. fpuname[0] contains names in the indexed format (ST(0), ST(1), ST(2)...) and fpuname[1] - direct enumeration (ST0, ST1, ST2...)
mmxname	wchar_t * mmxname[NREG]	Names of the MMX / 3DNow! registers (MM0, MM1, MM2...)
ssename	wchar_t * ssename[NREG]	Names of the SSE registers (XMM0, XMM1, XMM2...)
crname	wchar_t * crname[NREG]	Names of the control registers (CR0, CR1, CR2...)
drname	wchar_t * drname[NREG]	Names of the debug registers (DR0, DR1, DR2...). Note that 80x86 architecture defines only registers 0, 1, 2, 3, 6 and 7
sizename	wchar_t * sizename[17]	Data size keywords, where array index is intrepreted as a data size. Thus, sizename[1] points to the string "BYTE", sizename[2] - "WORD", sizename[10] - "TBYTE" etc.
sizekey	wchar_t * sizekey[17]	Data size directives in Intel format, where array index is intrepreted as a data size. sizekey[1] points to the string "DB", sizekey[2] - "DW", sizekey[16] - "DDQ" etc.
sizeatt	wchar_t * sizeatt[17]	Data size directives in AT&T format, where array index is intrepreted as a data size. sizeatt[1] points to the string ".BYTE", sizeatt[2] - ".WORD", sizeatt[16] - ".DQUAD" etc.

OllyDbg settings

Name	Declaration	Description
ollyfile	wchar_t ollyfile[MAXPATH]	Path to the OllyDbg executable file on the disk
ollydir	wchar_t ollydir[MAXPATH]	Directory that contains running copy of OllyDbg executable on the disk, without backslash on the end
systemdir	wchar_t systemdir[MAXPATH]	System directory as returned by GetSystemDirectory(), without backslash on the end
plugindir	wchar_t plugindir[MAXPATH]	Plugin directory, without backslash on the end
hollyinst	HINSTANCE hollyinst	Current OllyDbg instance
hwollymain	HWND hwollymain	Handle of the main OllyDbg window
hwclient	HWND hwclient	If OllyDbg is running in the MDI mode, this is the handle of the MDI client window. If standard OllyDbg tables are standalone windows, contains NULL
otable	wchar_t ottable[SHORTNAME]	Class of table windows. To facilitate parallel operation of several OllyDbg instances, this class depends on the name of the executable file
cpufeatures	ulong cpufeatures	CPU feature information, contents of register EDX after CPUID is executed with EAX=1. Please refer to the CPU documentation for details. If CPUID is not supported, cpufeatures is 0
ischild	int ischild	1 if this copy of OllyDbg was started by the master OllyDbg to debug child processstarted by the debugged application and 0 otherwise
asciicodepage	int asciicodepage	Code page used to display ASCII dumps. Default code page on English versions of Windows is 1252 (ANSI Latin I). Can be changed in Appearance options
restorewinpos	int restorewinpos	Flag indicating whether position and appearance of the OllyDbg windows must be automatically restored

Description of the debugged application

Name	Declaration	Description
executable	wchar_t executable[MAXPATH]	Path to the main file of the debugged application (usually with extension .exe) on the disk. If OllyDbg debugs DLL, this is the path to the DLL (not to the loaddll.exe!)
arguments	wchar_t arguments[ARGLEN]	Command line passed to the debugged application. Attention, may be rather long!
netdbg	int netdbg	Flag indicating that .NET debugging is active. Currently this option is disabled and netdbg is always 0
rundll	int rundll	OllyDbg was asked to debug a stand-alone DLL. Main module is the loaddll.exe that was automatically launched by the debugger
process	HANDLE process	Handle of the debugged application or NULL
processid	ulong processid	Unique process identifier of the debugged application or 0 if there is no process to debug
mainthreadid	ulong mainthreadid	Thread identifier of the main thread of the debugged application, or 0 if there is no process to debug
run	t_run run	Running status of the debugged application
skipsystembp	int skipsystembp	1 if debugged application is starting and first system breakpoint was not yet hit, and 0 otherwise
debugbreak	ulong debugbreak	Address of DebugBreak() in the address space of the debugged application
dbgbreakpoint	ulong dbgbreakpoint	Address of DbgBreakPoint() in the address space of the debugged application
kiuserexcept	ulong kiuserexcept	Address of KiUserExceptionDispatcher() in the address space of the debugged application
zwcontinue	ulong zwcontinue	Address of ZwContinue() in the address space of the debugged application
uefilter	ulong uefilter	Address of UnhandledExceptionFilter() in the address space of the debugged application
ntqueryinfo	ulong ntqueryinfo	Address of NtQueryInformationProcess() in the address space of the debugged application
corexemain	ulong corexemain	Address of MSCOREE:_CorExeMain() in the address space of the debugged application, defined only for .NET applications
peblock	ulong peblock	Address of PE block in the address space of the debugged application
kusershareddata	ulong kusershareddata	Address of KUSER_SHARED_DATA in the address space of the debugged application
userspacelimit	ulong userspacelimit	Size of the virtual memory available to the debugged application, usually 0x80000000. May be extended to 0xC0000000 on IMAGE_FILE_LARGE_ADDRESS_AWARE systems. Memory above this limit belongs to OS and can't be modified. However, on Windows XP OllyDbg is able to read system memory and even trace the code. (Some antivirus programs put code into the system memory and call it directly from the application in Ring 3 mode)
rtcond	t_rtcond rtcond	Run trace break condition
rtprot	t_rtprot rtprot	Run trace protocolling condition

OllyDbg data tables

Declaration	Item type	Description
t_table module	t_module	List of modules loaded into the memory space of the debugged applicationI
t_table memory	t_memory	List of memory blocks allocated in the memory space of the debugged application
t_table thread	t_thread	List of threads of the debugged application
t_table win	t_window	List of windows created by the debugged application
t_table source	t_source	List of source files
t_table bpoint	t_bpoint	List of INT3 breakpoints set by OllyDbg in the debugged application
t_table bpmem	t_bpmem	List of memory breakpoints set by OllyDbg in the debugged application
t_table bphard	t_bphard	List of hardware breakpoints set by OllyDbg in the debugged application
t_table watch	t_watch	List of watches
t_sorted procdata	t_procdata	List of analysed procedures
t_sorted premod	t_premod	List of modules that are reported by the OS but are not yet loaded into the memory