A new Anti-Olly trick.
 Walied (waleedassar) <waliedassar gmail com> |
Tuesday, December 27 2011 00:25.13 CST |
It is a buffer overflow in ollydbg v1.10. It occurs when olly tries to find the .sym file for the being-loaded module.
POC:
http://ollytlscatch.googlecode.com/files/trick.exe
https://docs.google.com/document/d/1T5LPY3qDkxmR1XVgxnsKW42lggS5iSjtQwFXOtNfqMM/edit
Further details:
http://waleedassar.blogspot.com/2011/12/new-ollydbg-anti-debug-trick.html
http://www.virustotal.com/file-scan/report.html?id=97f2c22d3fde1db56aaef4e555e32927d0a0087e7e92d369093ac5ac749e83d9-1324964958
Comments
 PeterFerrie |
Posted: Tuesday, December 27 2011 10:04.17 CST |
|
This bug was known since 2008. I even described it publicly in Virus Bulletin. http://pferrie.host22.com/papers/unpackers21.pdf |
|
 waleedassar |
Posted: Tuesday, December 27 2011 15:42.56 CST |
| It is different from those mentioned in your really wonderful paper. This one is in ollydbg.exe, not dbghelp.dll. | |