OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Tuesday, February 21 2012 11:08.30 CST

Modified: Tuesday, February 21 2012 22:19.08 CST

Printer Friendly ...

OllyDbg Fake ImageName Bug

Author: waleedassar

# Views: 591

I have recently found a weird behavior in OllyDbg, which can further be used as an anti-debugging / anti-attaching trick. The problem occurs when enumerating the running processes if the "Select a process to attach" dialog box is opened.

The psapi "EnumProcesses" function is called to get the list of process identifiers (PIDs). For each PID, the psapi "EnumProcessModules" and "GetModuleFileNameExA" functions are called to extract the image base and full name of the main executable.

As i have shown in previous posts, the values in PEB.LoaderData can easily be manipulated. In this case i will manipulate only the full name of the main executable to be of an existing but malformed file. Surprisingly, OllyDbg trusts the new file name and starts to extract essential information from it. Information extracted includes MZ signature, optional header values, section table data, etc.

The interesting thing about the forged executable is that it is rejected by the OS loader but still used by OllyDbg.

To create a one-file demo for this bug, i had to embed the malformed executable into the original one as a binary resource.

As you can see in the image below, the number of sections is set to 0xFFFF (malformed executable).

The demo can be found here.
http://ollytlscatch.googlecode.com/files/attach_to_me.exe
The virustotal report can be found here.
https://www.virustotal.com/file/2ffe26ebc652e4021d57c2656a848f83119a07669f8cc54e2849ca36cb3e0b93/analysis/1329795141/
N.B. This has been tested on OllyDbg v1.10 only.

Update:
Another demo, that crashes OllyDbg upon debugging or attaching, has been created. You can find it here.
http://ollytlscatch.googlecode.com/files/Debug_me.exe

There are 28,631 total registered users.

Recently Created Topics
windbg - olly/immunity	May/14
Reverse a WinRAR pac...	May/13
Add comments to resu...	May/10
can we code script ...	May/09
Type Casting Structu...	May/07
How to Reverse Engin...	May/03
Sulley on OS X (10.7)	May/01
Help me guys	May/01
IDA Resource Viewer ...	Apr/28
How do i use plugins...	Apr/27

Recent Forum Posts
windbg - olly/immunity	blowcheck
Help me guys	Olivier
Reverse a WinRAR pac...	NirIzr
windbg - olly/immunity	anonymouse
Reverse a WinRAR pac...	DriEm
Add comments to resu...	phn1x
IDA Resource Viewer ...	DriEm
Add comments to resu...	qiuhan
IDA Resource Viewer ...	waleeda...
IDA Resource Viewer ...	DriEm

Recent Blog Entries
	waleedassar	Apr/20
OllyDbg NumberOfSections Crash
	icegood	Apr/13
Advanced labels plugin for ...
	waleedassar	Mar/31
GetModuleFileNameEx And Inf...
	waleedassar	Mar/31
OllyDbg v1.10 And Wow64
	waleedassar	Mar/29
OllyDbg Resource Table Pars...
More ...

Recent Blog Comments
	raxen on:	Mar/27
Anti-Dumping
	Dallas on:	Mar/22
ChapljaVM Code Obfuscator
	Dallas on:	Mar/22
Hack stuff, get paid
	Dallas on:	Mar/22
Exe Packer TAGGANT system f...
	Dallas on:	Mar/22
Olly2 SystemTray Plugin
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit