Sorted data

Many kinds of internal OllyDbg data consist of homogenous items that have start address and non-zero size, and do not overlap with each other. A good example is the table of memory blocks. INT3 breakpoints may be treated as items occupying 1 byte in the memory space of the debugged program. Threads exist in the address space of  thread identifiers and also occupy 1 address of this space. Data items usually can be displayed in some window and sorted using some criterium. A set of such elements is called sorted data.

OllyDbg implements a powerful set of functions that allow easy operations with sorted data, like initilaization, adding or replacing of elements, removing of elements or address ranges, sorting, search and so on. OllyDbg automatically allocates new memory for sorted data if necessary. Sorted data is excellently scalable. In one (rather uncommon) case, while analysing a 70-Mb code section of VB program, OllyDbg gathered 1.5 Gb of register prediction data!

Internally, data is always sorted by address. This allows for simple and extremely fast binary search. Adding new data is, of course, not so easy and may take significant time. Weighted binary trees may look more suitable, but in our case data is read much more frequently than added to the table. If you sort data by method other than increasing addresses, OllyDbg creates additional array of indexes pointing to data items, but their order in memory remains unchanged.

By default, data is kept in a single contiguous memory block. When data overflows, OllyDbg allocates another block, usually twice as large, and copies existing data there. If data items are large or numerous, adding new elements or deleting existing results in moving large chunks of memory. Also, reallocation of large data buffers may lead to the excessive memory fragmentation. To prevent this, use indexed data (SDM_INDEXED). Indexing usually pays only if total data size exceeds 3-5 Mb.

This strategy has one significant drawback. API functions that search for the sorting data items return pointers to the found items in the data buffer. Therefore each API call that adds, removes or replaces items in the same sorted data invalidates all received pointers.

If flag SDM_NOSIZE is not set, elements of sorted data must begin with the standard 12-byte header:

typedef struct t_sorthdr {             // Header of sorted data item
  ulong          addr;                 // Base address of the entry
  ulong          size;                 // Size of the entry
  ulong          type;                 // Type and address extension, TY_xxx
} t_sorthdr;

Please don't mix the size specified in this header and the size of the element of sorted data. They belong to different address spaces! Size in header is the size of piece of virtual address space described by sorted data and usually belongs to debugged program. Physical size of the element is the size of memory ocuppied by element in the OllyDbg's memory. All elements have the same physical size necessary to fit all the characteristics and descriptions of the described object; size in the header is simply one (albeit most important) of the object's characteristics and may be different for each object.

Plugins are not allowed to change addr and size directly. If these parameters must be changed, create temporary copy of the item, delete item and add copy to the data. (If new and old versions overlap, just add new item and it will replace the previous). Keep in mind that in both cases old item will be passed to destructor function.

32-bit address addr can be extended by another 8 least significant bits (for example, when you need many records associated with the single memory address).
They are kept in the field TY_AEXTMASK of the type. If extended addressing is active, size of all items in the sorted data is forced to 1 (that is, only exact address matches count). To create such data, specify SDM_EXTADDR. An example of the sorted data that uses extended addressing is the list of names.

Four other bits in the type are reserved for the internal purposes:

TY_NEW Indicates that item is new. Add new items with TY_NEW set and call Unmarknewsorteddata() to declare all existing items as "old"
TY_CONFIRMED Used to delete multiple scattered data items at once. Mark items that should remain in the data as TY_CONFIRMED and clear this flag in items that must be deleted. Confirmsorteddata() gives you the fast way to clear or set this bit in all data items. Deletenonconfirmedsorteddata() deletes all items where bit is cleared and clears it in remaining items
TY_EXTADDR Extended address (TY_AEXTMASK) is used
TY_SELECTED Reserved for multiple selection (may be implemented in one of the future OllyDbg versions)

Plugins are free to use remaining type bits for any purposes.

If you add new item to the sorted data and it overlaps, fully or partially, with one or more existing items, all overlapping items will be deleted. Note that each time an item is deleted - implicitly or on explicit request - OllyDbg calls an optional destructor function associated with the sorted data.

There is a special kind of sorted data called autoarrangeable. Autoarrangeable data assumes that address of the element is simply its 0-based ordinal number in the data array and size occupied by the element in address space is always 1. In other words, it 
works as a list of items numbered 0, 1, 2... Even in this case, elements must begin with valid t_sorthdr. Data is declared as autoarrangeable if its sorting function is set to AUTOARRANGE. Unlike for standard data, insertion of item with existing address does not replace this item. Instead, all items with address equal or exceeding given will be moved one step up and automatically renumerated. To replace item in the autoarrangeable data, either delete existing and insert new one, or (faster way) get pointer to the item and modify it directly.

If size is always 1 and type is not necessary, you may reduce memory requirements by declaring sorted data as SDM_NOSIZE. In this case, size of the header is reduced to a single doubleword:

typedef struct t_sorthdr_nosize {      // Header of item w/o size and type
  ulong          addr;                 // Base address of the entry
} t_sorthdr_nosize;

Each sorted data has a version. Data version increments by 1 each time the data is changed. This allows for easy implementation of small cache: if version is not 0 and is not changed, previously fetched data is still valid. In any imaginable application, wraparound of 32-bit variable is impossible. Of course, this works only if data is changed using API functions. If you access data item by pointer and use data caching, set version to 0.

There are many sorted data collections defined by OllyDbg that can be accessed by plugins. However, plugins should avoid tampering with this data directly, as this may influence OllyDbg stability:

t_sorted premod - preliminary module data
t_table module - loaded modules (DLLs)
t_sorted aqueue - modules that are not yet analysed
t_table thread - active threads
t_table memory - allocated memory blocks
t_table win  - list of windows
t_table bpoint - INT3 breakpoints
t_table bpmem - memory breakpoints
t_sorted bppage - memory pages with changed attributes
t_table bphard - hardware breakpoints
t_table watch - watch expressions
t_table patch - list of patches from previous runs
t_sorted procdata - descriptions of analyzed procedures
t_table source - list of source files
t_table srccode - source code

To create your own table of sorted data, allocate data descriptor (structure of type t_sorted) and initialize it to 0, then call Createsorteddata() to initialize table and allocate data buffers. After initialization, you can use all sorted data functions to change or retrieve data. Do not modify items of data descriptor directly, this may lead to severe data integrity problems!

In the OllyDbg 1.xx it was possible to extract or walk data items by casting the storage to the type of the element, like in this example:

t_memory *pmem;
pmem=(t_memory *);
for (i=0; i<; i++,pmem++) {
   // some actions

This is no longer allowed in the version 2.xx. Always use Find...() or Get...() instead, these functions are fast!

API functions:

int Createsorteddata(t_sorted *sd,ulong itemsize,int nexp,SORTFUNC *sortfunc,DESTFUNC *destfunc,int mode);
void Destroysorteddata(t_sorted *sd);
void Deletesorteddata(t_sorted *sd,ulong addr,ulong subaddr);
int Deletesorteddatarange(t_sorted *sd,ulong addr0,ulong addr1);
void * Addsorteddata(t_sorted *sd,void *item);
int Replacesorteddatarange(t_sorted *sd,void *data,int n,ulong addr0,ulong addr1);
void Renumeratesorteddata(t_sorted *sd);
int Confirmsorteddata(t_sorted *sd,int confirm);
int Deletenonconfirmedsorteddata(t_sorted *sd);
void Unmarknewsorteddata(t_sorted *sd);
void * Findsorteddata(t_sorted *sd,ulong addr,ulong subaddr);
void * Findsorteddatarange(t_sorted *sd,ulong addr0,ulong addr1);
int Findsortedindexrange(t_sorted *sd,ulong addr0,ulong addr1);
void * Getsortedbyindex(t_sorted *sd,int index);
void * Getsortedbyselection(t_sorted *sd,int index);
int Sortsorteddata(t_sorted *sd,int sort);
int Issortedinit(t_sorted *sd);


// Layout of the data item.
typedef struct t_custom {
  // Standard sorted data items begin with t_sorthdr.
  ulong          addr;                 // Base address of the entry
  ulong          size;                 // Size of the entry
  ulong          type;                 // Type and address extension, TY_xxx
  // Place your custom fields here.
  int            customdata;           // Custom data
} t_custom;

// Destructor of t_custom, called each time the data item is deleted.
void Customdestfunc(t_sorthdr *sh) {
  t_custom *pcustom;
  if (sh==NULL) return;                // Error in input, must not happen
  pcustom=(t_custom *)sh;
  Addtolist(pcustom->addr,DRAW_HILITE,L"Deleting customdata=%i",pcustom->customdata);

int Playwithsorteddata(void) {
  t_sorted sd;
  t_custom custom,*pcustom;
  // Local variable sd is filled with garbage and must be cleared.
  // Let's assume that usually we need not more than 100 items
  if (
    return -1;                         // Low memory?

  // Add item.
  // This call will succeed.
  // Add another item.
  // This call will succeed. But, as second item overlaps with the first, first
  // item will be passed to the Customdestfunc() and then removed from the data.
  // Search for data item at address 1020 will succeed because item 2 occupies
  // address range 1010..1029:
  pcustom=(t_custom *)Findsorteddata(&sd,1020,0);
  if (pcustom!=NULL)
    Addtolist(pcustom->addr,DRAW_HILITE,L"Found customdata=%i",pcustom->customdata);
  // We no longer need sorted data, free allocated resources.

See also: