📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
Ollydbg (Hide Debugger) Plugin Problem

Topic created on: August 10, 2008 17:42 CDT by blake.

Hey guys, I'm trying to hide Olly from IsDebuggerPresent(), but I have to rename OllyDbg.exe because this program also uses the Process32 toolhelp functions to search for OllyDbg.exe. So, once I rename OllyDbg.exe the Hide Debugger plugin gives me an error saying it can't find OllyDbg.exe (that's because I renamed it). Is there a special way to rename OllyDbg so the plugin still works? Anyway, thanks for any help!

  cod     August 10, 2008 22:34.52 CDT
You can hook the Process32 functions to remove OllyDbg from the list.

  nicowow     August 11, 2008 17:43.30 CDT
If it's only IsDebuggerPresent that you are going against, you can simply patch the function or clear the value that the function looks for:
7C812E03 > 64:A1 18000000   MOV EAX,DWORD PTR FS:[18]      ; FS:[0x18] = TEB self-pointer
7C812E09   8B40 30          MOV EAX,DWORD PTR DS:[EAX+30]  ; TEB+0x30 = pointer to PEB
7C812E0C   0FB640 02        MOVZX EAX,BYTE PTR DS:[EAX+2]  ; PEB+0x02 = BeingDebugged
7C812E10   C3               RETN

  blake   August 11, 2008 23:02.18 CDT
I can't hook it because the program checks if anything has been changed, and it'll destroy itself once it does. I know I could do a system-wide hook, but I'm gonna skip on that. Well, if I modified IsDebuggerPresent() it may detect that I modified it (not sure, I'll check after this). But I did run into this sequence:

fs:[30]; fs:[2]; I looked at that and it was checking if IsDebugged was TRUE. What function modifies this value? Anyways, thanks for the replies.

  cod     August 12, 2008 08:54.52 CDT
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html

Try to apply a hook into the process IAT...

  pon     August 16, 2008 11:43.14 CDT
You can use another plugin, such as HideOD, or others....
If you want to solve this problem manually, just bp Process32Next and change some code at the entry of this API: xor eax,eax; retn...
Let Process32Next always return false; it will be OK.
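The two approaches above (cod: hook the Process32 functions and drop OllyDbg from the list; pon: make Process32Next always return false) differ in what the anti-debug enumeration ends up seeing. The following C block is an added example, not code from the thread or from any OllyDbg plugin. The PROCESSENTRY32 structure, the snapshot handle and the process list are constructed stand-ins so that it runs off Windows; the hook body (`hooked_Process32Next`) is the part that, on Windows, would be installed over the real Process32Next by an IAT patch or inline detour, which is not shown here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for PROCESSENTRY32: only the fields the hook touches. */
typedef struct {
    uint32_t dwSize;
    uint32_t th32ProcessID;
    char     szExeFile[260];          /* MAX_PATH */
} ProcessEntry;

/* Constructed stand-in for a Toolhelp snapshot handle: a fixed table plus a cursor. */
typedef struct {
    const ProcessEntry *entries;
    size_t count;
    size_t cursor;
} Snapshot;

/* Constructed process list; two entries are the debugger under different casing. */
static const ProcessEntry SAMPLE_PROCS[] = {
    {sizeof(ProcessEntry), 4,    "System"},
    {sizeof(ProcessEntry), 1234, "explorer.exe"},
    {sizeof(ProcessEntry), 2048, "OLLYDBG.EXE"},
    {sizeof(ProcessEntry), 2100, "target.exe"},
    {sizeof(ProcessEntry), 3300, "ollydbg.exe"},
};
#define SAMPLE_COUNT (sizeof SAMPLE_PROCS / sizeof *SAMPLE_PROCS)

typedef bool (*NextFn)(Snapshot *snap, ProcessEntry *pe);

/* Stand-in for the unhooked Process32Next: copy the next entry, false at the end. */
static bool original_Process32Next(Snapshot *snap, ProcessEntry *pe) {
    if (snap->cursor >= snap->count) return false;
    *pe = snap->entries[snap->cursor++];
    return true;
}

/* pon's variant ("xor eax,eax; retn" at the API entry): never returns an entry. */
static bool always_false_Process32Next(Snapshot *snap, ProcessEntry *pe) {
    (void)snap; (void)pe;
    return false;
}

/* Image names to hide. szExeFile keeps whatever casing the image was launched
 * with, so the comparison is case-insensitive. */
static const char *HIDDEN_NAMES[] = {"ollydbg.exe"};

static bool name_is_hidden(const char *exe) {
    for (size_t i = 0; i < sizeof HIDDEN_NAMES / sizeof *HIDDEN_NAMES; i++) {
        const char *a = exe, *b = HIDDEN_NAMES[i];
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
            a++; b++;
        }
        if (*a == '\0' && *b == '\0') return true;
    }
    return false;
}

/* cod's variant: pull from the original until a non-hidden entry appears or the
 * snapshot is exhausted. Returning false the moment the debugger is seen would
 * cut the list short after it; filtering keeps every other process visible so
 * the enumeration looks normal to the checker. */
static bool hooked_Process32Next(Snapshot *snap, ProcessEntry *pe) {
    while (original_Process32Next(snap, pe)) {
        if (!name_is_hidden(pe->szExeFile)) return true;
    }
    return false;
}

/* What the anti-debug check sees: walk the snapshot through `next`, count the
 * entries it returns and note whether any hidden name came through. */
static size_t enumerate(NextFn next, bool *leaked) {
    Snapshot snap = {SAMPLE_PROCS, SAMPLE_COUNT, 0};
    ProcessEntry pe;
    size_t seen = 0;
    *leaked = false;
    while (next(&snap, &pe)) {
        seen++;
        if (name_is_hidden(pe.szExeFile)) *leaked = true;
    }
    return seen;
}

size_t visible_count(NextFn next) { bool l; return enumerate(next, &l); }
bool   debugger_leaks(NextFn next) { bool l; enumerate(next, &l); return l; }

int main(void) {
    printf("unhooked:       %zu entries, debugger visible: %d\n",
           visible_count(original_Process32Next), debugger_leaks(original_Process32Next));
    printf("always false:   %zu entries\n", visible_count(always_false_Process32Next));
    printf("filtering hook: %zu entries, debugger visible: %d\n",
           visible_count(hooked_Process32Next), debugger_leaks(hooked_Process32Next));
    return 0;
}
```

With the filter in place the debugger never has to be renamed, so the Hide Debugger plugin still finds OllyDbg.exe. Process32First needs the same treatment, since the first entry of a snapshot comes through it rather than Process32Next. Whichever way the replacement is installed, a target that checksums its own IAT or the prologues of the kernel32 exports (the self-check blake describes) will notice both an IAT hook and an inline xor eax,eax; retn patch, so the filter then has to sit somewhere that check does not cover.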

  nezumi     August 20, 2008 12:24.07 CDT
use YDbg.

  sa7ori     August 20, 2008 12:50.01 CDT
> What function modifies this value?  Anyways, thanks for the replies.

I believe the kernel changes the BeingDebugged bit in the PEB of the target process when it connects the debugger to the debuggee.
