waleedassar's Blog
Created: Monday, February 6 2012 22:47.47 CST
Modified: Monday, February 6 2012 23:26.30 CST
OllyDbg v1.10 And Hardware Breakpoints
Author: waleedassar
Views: 128
While playing with OllyDbg v1.10, I came across a weird behavior of OllyDbg v1.10 that has been fixed in the latest version. The problem lies in the way OllyDbg sets hardware breakpoints.
At 0x4D8D70, there is an array of four structures of type t_hardbpoint.
Each structure in this array holds the information about one hardware breakpoint: its address, type, and size. When you manually set a hardware breakpoint, the structure is filled in, but the breakpoint is not activated immediately.
On the other hand, when an EXCEPTION_SINGLE_STEP or EXCEPTION_BREAKPOINT is received, the information in the structures at 0x4D8D70 is copied into DR0 through DR3, overwriting any old values they hold. The point here is that if you programmatically set a hardware breakpoint, single stepping is enough to get the debug registers cleared.
N.B. IDA Pro and OllyDbg v2.0 behave normally in this scenario.
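To make concrete what a t_hardbpoint-style entry has to carry and what actually lands in the debug registers when a debugger commits its table, here is an added example (not code from the post or from OllyDbg) that encodes a four-slot breakpoint table into DR0-DR3/DR7 and decodes a DR7 value back. The `HardBreakpoint` class and the function names are assumptions of this example; the DR7 bit layout (L0..L3 enable bits at 0, 2, 4, 6; R/W and LEN fields at 16+4i and 18+4i; reserved bit 10 set) is the x86 layout from the Intel manual. A debugger that, like OllyDbg v1.10, rewrites all four slots from its own table on every single-step exception will clobber any slot the debuggee set itself, which is exactly the behavior the post describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical equivalent of one pending hardware breakpoint entry
# (assumed for this example; OllyDbg's real t_hardbpoint layout is not shown here).
@dataclass
class HardBreakpoint:
    address: int
    kind: str   # "exec", "write" or "access" (read/write)
    size: int   # 1, 2, 4 or 8 bytes; execution breakpoints must use 1

# x86 DR7 encodings: R/W field and LEN field per slot.
RW_BITS = {"exec": 0b00, "write": 0b01, "access": 0b11}
LEN_BITS = {1: 0b00, 2: 0b01, 4: 0b11, 8: 0b10}
RW_NAMES = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "access"}
LEN_SIZES = {v: k for k, v in LEN_BITS.items()}


def encode_debug_registers(slots: List[Optional[HardBreakpoint]]) -> Dict[str, int]:
    """Commit a four-slot table into DR0..DR3 and DR7, the way a debugger does
    on an exception. Empty slots (None) are written as disabled, which is why a
    table-driven debugger wipes anything the debuggee placed there itself."""
    if len(slots) != 4:
        raise ValueError("x86 has exactly four debug address registers")
    regs = {"dr0": 0, "dr1": 0, "dr2": 0, "dr3": 0}
    dr7 = 1 << 10                      # bit 10 is reserved and reads as 1
    for i, bp in enumerate(slots):
        if bp is None:
            continue
        if bp.kind == "exec" and bp.size != 1:
            raise ValueError("execution breakpoints must have LEN=00 (1 byte)")
        if bp.address % bp.size:
            raise ValueError("data breakpoints must be aligned to their size")
        regs[f"dr{i}"] = bp.address
        dr7 |= 1 << (2 * i)                          # Li: local enable for slot i
        dr7 |= RW_BITS[bp.kind] << (16 + 4 * i)      # R/Wi: what access triggers it
        dr7 |= LEN_BITS[bp.size] << (18 + 4 * i)     # LENi: watched length
    regs["dr7"] = dr7
    return regs


def decode_active_breakpoints(regs: Dict[str, int]) -> List[Tuple[int, int, str, int]]:
    """Return (slot, address, kind, size) for every slot enabled in DR7."""
    dr7 = regs["dr7"]
    active = []
    for i in range(4):
        local_enable = (dr7 >> (2 * i)) & 1
        global_enable = (dr7 >> (2 * i + 1)) & 1
        if not (local_enable or global_enable):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        active.append((i, regs[f"dr{i}"], RW_NAMES[rw], LEN_SIZES[ln]))
    return active


if __name__ == "__main__":
    # Constructed sample table: an execution breakpoint in slot 0 and a
    # 4-byte write watchpoint in slot 2; slots 1 and 3 are empty.
    table = [HardBreakpoint(0x401000, "exec", 1), None,
             HardBreakpoint(0x403000, "write", 4), None]
    regs = encode_debug_registers(table)
    print({k: hex(v) for k, v in regs.items()})
    for slot, addr, kind, size in decode_active_breakpoints(regs):
        print(f"slot {slot}: {kind} bp at {addr:#x}, len {size}")
```

Running it shows DR7 = 0x0D000411 for the sample table; re-encoding a table in which the debuggee's own slot is None yields DR7 with that slot's enable bit cleared, which is the clobbering the post observes after a single step.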
An executable demonstrating how to use this strange behavior to detect OllyDbg v1.10 can be found here.
http://ollytlscatch.googlecode.com/files/demo_hwbp.exe
Original topic here.
http://waleedassar.blogspot.com/2012/02/ollydbg-v110-and-hardware-breakpoints.html
Created: Tuesday, January 31 2012 05:33.39 CST
Yet Another Anti-Debug Trick
Author: waleedassar
Views: 347
I have recently come up with a new anti-debug trick, which is useful only if the "Break on new thread" option is set. The trick has been tried on OllyDbg v1.10 and Immunity Debugger v1.83 under WOW64 on Windows 7. Actually, I am not sure whether someone else has already found it.
In any affected debugger, if a CREATE_THREAD_DEBUG_EVENT is received and the "Break on new thread" option is set, the debugger places an int3 software breakpoint at the lpStartAddress. There is a narrow time window between setting the int3 software breakpoint and restoring the original byte, and this is what we are going to exploit.
N.B. The next few lines are only for demonstration. More complicated methods may evolve out of them.
Given two threads in an application, where the first thread does almost nothing and the second checks the first byte of the first thread's entry point, we can simply detect the debugger. See the image below.
The demo can be found here.
http://ollytlscatch.googlecode.com/files/demo.exe
You can also find its source code here.
https://docs.google.com/document/d/1kd-Fw110lbK9h-i6Jc2fs57LUjdU2sYji97XCLTTawE/edit
An XP-compatible demo can be found here.
http://ollytlscatch.googlecode.com/files/demo_xp.exe
You can find its source code here.
https://docs.google.com/document/d/1G-6VSCrqM9KI_t82kPTGdo05cmaqyoVZG23o304Pk_o/edit
Created: Friday, January 13 2012 20:38.30 CST
Modified: Friday, January 13 2012 20:57.09 CST
An OllyDbg Bug Disables Software Breakpoints
Author: waleedassar
Views: 523
I have found a new bug in OllyDbg v1.10. The bug is triggered when the BaseAddress value in the LDR_MODULE structure of the main executable is changed. Any subsequent DLL load forces Olly to call the psapi "EnumProcessModules" function to update its module list, and since "EnumProcessModules" traverses and reads from the LDR_MODULE linked list, the new (fake) base address will definitely be returned.
A simple application was written to test this bug. See the image below.
Here is how the source code above looks in Olly.
If some breakpoints are set after the troublesome code and OllyDbg is left to run, an error message shows up once we step over the "LoadLibrary" call, and none of the breakpoints are hit.
The problem is that OllyDbg trusts the data retrieved from the "EnumProcessModules" call and tries to update the data related to the main executable, including software breakpoints. At this point, all software breakpoints are deleted because OllyDbg thinks their addresses are no longer valid. Actually they are, but this is how it goes in OllyDbg v1.10.
N.B. Software breakpoints outside the main executable, e.g. in ntdll.dll, are not affected by this bug.
A demo can be found here.
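The root cause is that the debugger accepts the base address it gets back from the module list without checking that anything module-like lives there. The following added example (not OllyDbg's code and not the demo from the post) shows the check a debugger could make before dropping breakpoints: confirm that a reported base really points at a DOS header and a PE signature, and only then treat the module as relocated. The memory image, the "fake" base 0x7FFE0000 and all function names are constructed for this example; the PE header offsets (e_lfanew at 0x3C, SizeOfImage at optional header offset 56) are the standard PE layout.

```python
import struct
from typing import Callable, Dict, List, Tuple

MemReader = Callable[[int, int], bytes]


def build_minimal_pe32_image(size_of_image: int, image_base: int) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header and a PE32
    optional header with ImageBase and SizeOfImage filled in, padded to size."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, no symbols, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)    # SizeOfImage
    img = bytearray(dos + b"PE\0\0" + coff + opt)
    img.extend(b"\0" * (size_of_image - len(img)))
    return bytes(img)


# Constructed process memory: only the main executable is mapped, at 0x400000.
MAIN_EXE_BASE = 0x400000
FAKE_MEMORY: Dict[int, bytes] = {MAIN_EXE_BASE: build_minimal_pe32_image(0x5000, MAIN_EXE_BASE)}


def read_mem(addr: int, n: int) -> bytes:
    """ReadProcessMemory stand-in over the constructed image; unmapped reads return b''."""
    for base, data in FAKE_MEMORY.items():
        if base <= addr < base + len(data):
            off = addr - base
            return data[off:off + n]
    return b""


def validate_module_base(read: MemReader, base: int) -> Tuple[bool, str, int]:
    """Check that a reported module base carries a DOS header and a PE signature.
    Returns (ok, reason, size_of_image)."""
    hdr = read(base, 0x40)
    if len(hdr) < 0x40 or hdr[:2] != b"MZ":
        return False, "no DOS header at reported base", 0
    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
    if e_lfanew > 0x1000:
        return False, "implausible e_lfanew", 0
    nt = read(base + e_lfanew, 4 + 20 + 60)            # signature + COFF + start of optional hdr
    if len(nt) < 84 or nt[:4] != b"PE\0\0":
        return False, "no PE signature", 0
    magic = struct.unpack_from("<H", nt, 24)[0]
    if magic not in (0x10B, 0x20B):
        return False, "bad optional header magic", 0
    size_of_image = struct.unpack_from("<I", nt, 24 + 56)[0]
    return True, "ok", size_of_image


def reconcile_breakpoints(read: MemReader, known_base: int, reported_base: int,
                          breakpoints: List[int]) -> Tuple[str, List[int]]:
    """Decide what to do with software breakpoints when the module list reports a
    different base for a module. An unverifiable base is treated as tampering and
    the breakpoints are kept; a verified relocation shifts them by the delta."""
    if reported_base == known_base:
        return "unchanged", list(breakpoints)
    ok, why, size_of_image = validate_module_base(read, reported_base)
    if not ok:
        return f"rejected ({why}); keeping breakpoints at old base", list(breakpoints)
    delta = reported_base - known_base
    moved = [a + delta for a in breakpoints if known_base <= a < known_base + size_of_image]
    return "relocated", moved


if __name__ == "__main__":
    bps = [0x401000, 0x401010]
    # Constructed fake base as a tampered LDR_MODULE.BaseAddress would report it.
    print(reconcile_breakpoints(read_mem, MAIN_EXE_BASE, 0x7FFE0000, bps))
    print(reconcile_breakpoints(read_mem, MAIN_EXE_BASE, MAIN_EXE_BASE, bps))
```

With the tampered base the header check fails and the breakpoints survive, whereas OllyDbg v1.10 deletes them at this point; the same check also rejects a base that lands in unmapped memory, which is the usual result of writing a nonsense value into the loader list.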
https://docs.google.com/document/d/1BoG_WoFR2-fgSlEHkLF9YZmEhJEmQHzRch7b7nWNzSE/edit
Original topic
http://waleedassar.blogspot.com/2012/01/ollydbg-bug-disables-software.html
Created: Sunday, January 1 2012 23:38.56 CST
Modified: Monday, January 2 2012 01:00.09 CST
Another OllyDbg Anti-Debug Trick
Author: waleedassar
Views: 960
It is similar to, but different from, the one I disclosed in the previous post. The previous one occurs when OllyDbg tries to grab .sym files; this one occurs when OllyDbg tries to grab .udd files.
Like .sym files, .udd files are grabbed for all loaded modules, including dynamically loaded ones, which gives us the chance to use this buffer overflow as an anti-debug method.
To exploit this buffer overflow, all you have to do is create a .dll with a length of 0x102 bytes and then LoadLibrary it.
N.B. ollydbg.exe must reside in a directory whose path is 0x29 bytes or longer, e.g. "D:\Documents and Settings\Administrator\Desktop\odbg110".
Further details:
http://waleedassar.blogspot.com/2012/01/another-ollydbg-anti-debug-trick.html
A simple demo:
http://ollytlscatch.googlecode.com/files/bug.exe
Source code:
https://docs.google.com/document/d/1Vi3UO6sglpoEYMPNdA8ZXKrc7oBmR-0Bd5v0rnFGfug/edit
Created: Tuesday, December 27 2011 00:25.13 CST
A New Anti-Olly Trick
Author: waleedassar
Views: 1005
It is a buffer overflow in OllyDbg v1.10. It occurs when Olly tries to find the .sym file for the module being loaded.
POC:
http://ollytlscatch.googlecode.com/files/trick.exe
https://docs.google.com/document/d/1T5LPY3qDkxmR1XVgxnsKW42lggS5iSjtQwFXOtNfqMM/edit
Further details:
http://waleedassar.blogspot.com/2011/12/new-ollydbg-anti-debug-trick.html
http://www.virustotal.com/file-scan/report.html?id=97f2c22d3fde1db56aaef4e555e32927d0a0087e7e92d369093ac5ac749e83d9-1324964958