
Created: Friday, January 13 2012 20:38.30 CST Modified: Friday, January 13 2012 20:57.09 CST
An OllyDbg Bug Disables Software Breakpoints
Author: waleedassar # Views: 995

I have found a new bug in OllyDbg v1.10. The bug is triggered when the BaseAddress value in the LDR_MODULE structure for the main executable is changed. Any subsequent DLL load forces OllyDbg to call the psapi "EnumProcessModules" function to update its module list. Because "EnumProcessModules" traverses and reads the LDR_MODULE linked list, the new (fake) base address will definitely be returned.

A simple application was written to test this bug. See the image below.


Here is how the source code above looks in OllyDbg.



If some breakpoints are set after the troublesome code and OllyDbg is left to run, an error message shows up once we step over the "LoadLibrary" function call and none of the breakpoints are hit.







The problem is that OllyDbg trusts the data retrieved from the psapi "EnumProcessModules" function call and tries to update data related to the main executable, including software breakpoints. At this point, all software breakpoints are deleted since OllyDbg thinks their addresses are no longer valid. Actually they are, but this is how it goes in OllyDbg v1.10.

N.B. Software breakpoints outside the main executable, e.g. in ntdll.dll, are not affected by this bug.
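The failure mode described above, as an added example that is not code from the original post or from OllyDbg: a simplified model of a debugger's breakpoint table, with a naive module refresh that trusts the reported base next to a hardened one that keeps the base recorded at process creation. The struct names, function names and all addresses are constructed for illustration; the trusted base is assumed to come from a source the debuggee cannot edit, such as `lpBaseOfImage` in the process-creation debug event.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a debugger's bookkeeping; every value is constructed. */
typedef struct { uint32_t base, size; } Module;
typedef struct { uint32_t addr; int active; } Breakpoint;

static int inside(const Module *m, uint32_t a) {
    return a >= m->base && a - m->base < m->size;
}

/* Naive refresh: believes the base reported by module enumeration and drops
   every main-module breakpoint that falls outside the "new" range. */
int refresh_naive(Module *mod, uint32_t reported, Breakpoint *bp, size_t n) {
    Module old = *mod;
    int dropped = 0;
    mod->base = reported;
    for (size_t i = 0; i < n; i++)
        if (bp[i].active && inside(&old, bp[i].addr) && !inside(mod, bp[i].addr)) {
            bp[i].active = 0;
            dropped++;
        }
    return dropped;
}

/* Hardened refresh: the base recorded at process creation is authoritative.
   A different reported base is flagged (returns 1) and nothing is deleted. */
int refresh_hardened(Module *mod, uint32_t trusted, uint32_t reported) {
    mod->base = trusted;
    return reported != trusted;
}

int active_count(const Breakpoint *bp, size_t n) {
    int c = 0;
    for (size_t i = 0; i < n; i++) c += bp[i].active;
    return c;
}

int main(void) {
    Module a = {0x00400000u, 0x5000u}, b = a;
    /* Two breakpoints in the main executable, one in another module. */
    Breakpoint bp[3] = {{0x00401020u, 1}, {0x00401100u, 1}, {0x7C901234u, 1}};
    int flagged = refresh_hardened(&b, 0x00400000u, 0x00500000u);
    printf("hardened: flagged=%d active=%d\n", flagged, active_count(bp, 3));
    int dropped = refresh_naive(&a, 0x00500000u, bp, 3);
    printf("naive: dropped=%d active=%d\n", dropped, active_count(bp, 3));
    return 0;
}
```

In the naive path only the breakpoint outside the main executable survives, which matches the note about ntdll.dll.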

A demo is available here: https://docs.google.com/document/d/1BoG_WoFR2-fgSlEHkLF9YZmEhJEmQHzRch7b7nWNzSE/edit

Original topic: http://waleedassar.blogspot.com/2012/01/ollydbg-bug-disables-software.html



