Posted October 14, 2010

Hey guys, I'm currently investigating a spear-phishing malware (sorry, can't share this malware). Even with all protection plugins like the latest StrongOD, PhantOm etc., it crashes immediately after loading the executable into ollydbg.exe. I found out that the problem is caused by illegal export directory entries of the PE file; see attachment. If I fix the "number of names" to "0", Olly loads the file without problems and unpacking works well after bypassing several anti-dump, anti-debug ... tricks. Has anyone seen this anti-Olly trick before, and if yes, is there a plugin for it which hardens Olly against this trick?

Cheers, Frank
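As an added example (not code from the thread, from OllyDbg or from any plugin mentioned in it): a standalone Python check of the export directory fields the post is about, plus the "NumberOfNames = 0" patch the poster applied by hand. It flags a NumberOfNames larger than NumberOfFunctions, name/ordinal tables whose RVA is unmapped or whose entry count runs past the end of the file, and name pointers that do not land on a terminated string. The PE it runs on is a constructed minimal PE32 image with one .edata section, not the malware; the function names and the 0xFFFF value used for the bad sample are assumptions for illustration.

```python
import struct

# Added example, not from the original post. Inputs are constructed in memory.

def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]

def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]

def parse_sections(data):
    """(VirtualAddress, virtual size, PointerToRawData, SizeOfRawData) per section."""
    e_lfanew = _u32(data, 0x3C)
    nsec = _u16(data, e_lfanew + 6)
    opt_size = _u16(data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        secs.append((va, max(vsize, rawsize), rawptr, rawsize))
    return secs

def rva_to_offset(secs, rva):
    """Map an RVA to a file offset; None if no section backs it with raw data."""
    for va, vsize, rawptr, rawsize in secs:
        if va <= rva < va + vsize:
            off = rva - va
            return rawptr + off if off < rawsize else None
    return None

def _export_dir(data):
    """(export dir RVA, file offset of IMAGE_EXPORT_DIRECTORY or None, sections)."""
    e_lfanew = _u32(data, 0x3C)
    opt = e_lfanew + 24
    dd = opt + (96 if _u16(data, opt) == 0x10B else 112)   # PE32 vs PE32+ data directories
    secs = parse_sections(data)
    rva = _u32(data, dd)
    off = rva_to_offset(secs, rva) if rva else None
    if off is not None and off + 40 > len(data):
        off = None
    return rva, off, secs

def check_exports(data):
    """Return a list of findings describing illegal export directory entries."""
    rva, ed, secs = _export_dir(data)
    if rva == 0:
        return []
    if ed is None:
        return [f"export directory RVA 0x{rva:x} is not backed by file data"]
    findings = []
    nfunc, nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", data, ed + 20)
    if nnames > nfunc:  # named exports are a subset of the function table
        findings.append(f"NumberOfNames ({nnames}) exceeds NumberOfFunctions ({nfunc})")
    for name, trva, count, width in (("AddressOfFunctions", funcs_rva, nfunc, 4),
                                     ("AddressOfNames", names_rva, nnames, 4),
                                     ("AddressOfNameOrdinals", ords_rva, nnames, 2)):
        if count == 0:
            continue
        off = rva_to_offset(secs, trva)
        if off is None:
            findings.append(f"{name} RVA 0x{trva:x} is unmapped")
        elif off + count * width > len(data):
            findings.append(f"{name}: {count} entries run past end of file")
    if not findings and nnames:  # tables are sane, so walking the name pointers is safe
        names_off = rva_to_offset(secs, names_rva)
        for i in range(nnames):
            nrva = _u32(data, names_off + 4 * i)
            noff = rva_to_offset(secs, nrva)
            if noff is None or data.find(b"\0", noff) < 0:
                findings.append(f"export name #{i} RVA 0x{nrva:x} is unmapped or unterminated")
    return findings

def zero_number_of_names(data):
    """The poster's manual fix: set NumberOfNames to 0 so the name tables are never walked."""
    _, ed, _ = _export_dir(data)
    if ed is None:
        raise ValueError("no usable export directory")
    patched = bytearray(data)
    struct.pack_into("<I", patched, ed + 24, 0)
    return bytes(patched)

def build_sample_pe(number_of_names=1, address_of_names=0x102C):
    """Constructed minimal PE32 with one .edata section exporting 'Foo' (test input, not real malware)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)   # COFF header, 1 section
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x200)          # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", img, opt + 56, 0x2000, 0x200)                     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96, 0x1000, 0x60)                      # export data directory
    struct.pack_into("<8sIIIIIIHHI", img, opt + 224, b".edata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    ed = 0x200  # file offset backing RVA 0x1000
    struct.pack_into("<IIHHIIIIIII", img, ed, 0, 0, 0, 0, 0x1040, 1, 1, number_of_names, 0x1028, address_of_names, 0x1030)
    struct.pack_into("<I", img, 0x228, 0x1100)   # AddressOfFunctions[0]
    struct.pack_into("<I", img, 0x22C, 0x1050)   # AddressOfNames[0] -> "Foo"
    struct.pack_into("<H", img, 0x230, 0)        # AddressOfNameOrdinals[0]
    img[0x240:0x24B] = b"sample.dll\0"
    img[0x250:0x254] = b"Foo\0"
    return bytes(img)

if __name__ == "__main__":
    bad = build_sample_pe(number_of_names=0xFFFF)
    for finding in check_exports(bad):
        print("finding:", finding)
    print("after NumberOfNames := 0:", check_exports(zero_number_of_names(bad)))
```

Run it against a real sample by replacing the constructed image with the file bytes; anything it reports is worth patching or at least inspecting before handing the file to a debugger, since a debugger (or a DLL it loads) that trusts these fields may read far past the mapped image.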
October 14, 2010 (Author)
> http://forum.tuts4you.com/index.php?showtopic=24063
No, this is not the dbghelp bug.
October 14, 2010 (Author)
OK, you are right. When I put a newer dbghelp.dll into the Olly directory and load the malware, it doesn't crash any longer. Thanks for the hint. I've never come across this anti-Olly trick before.
October 16, 2010
> OK, you are right. When I put a newer dbghelp.dll into the Olly directory and load the malware, it doesn't crash any longer. Thanks for the hint. I've never come across this anti-Olly trick before.
Lots of tricks exist for OllyDbg. See for example:
http://tuts4you.com/download.php?view.2277
http://tuts4you.com/download.php?view.2544
http://tuts4you.com/download.php?view.2702
The plug-ins have many more vulnerabilities, too.