An OllyDbg Bug Disables Software Breakpoints
Posted 14 January 2012 - 04:31 PM
A simple application was written to test this bug. See the image below.
Here is how the source code above looks in olly.
If some breakpoints are set after the troublesome code and OllyDbg is left to run, an error message shows up once we step over the "LoadLibrary" function call and none of the breakpoints are hit.
The problem is that OllyDbg trusts the data retrieved from the psapi "EnumProcessModules" function call and tries to update data related to the main executable, including software breakpoints. At this point, all software breakpoints are deleted since OllyDbg thinks their addresses are no longer valid. Actually they are, but this is how it goes in OllyDbg v1.10.
N.B. Software breakpoints outside the main executable, e.g. in ntdll.dll, are not affected by this bug.
A demo here https://docs.google....h7b7nWNzSE/edit
Original topic http://waleedassar.b...s-software.html
Posted 15 January 2012 - 07:07 AM
TPoDT is dead!
Posted 17 January 2012 - 04:44 PM
It might even be possible to choose a page that does not cause the message to appear, making a very stealthy way to run. :-)