Tuts 4 You

malware causing ollydbg to crash at start


frank_boldewin


Hey guys,

I'm currently investigating a spear-phishing malware sample. (Sorry, I can't share this malware.)

Even with all protection plugins like the latest StrongOD, PhantOm etc., it crashes immediately after loading the executable into ollydbg.exe.

I found out that the problem is caused by illegal export directory entries in the PE file.

See attachment.

If I fix the "number of names" to "0", Olly loads the file without problems and unpacking works well, after bypassing several anti-dump, anti-debug ... tricks.

Has anyone seen this anti-Olly trick before, and if yes, is there a plugin which hardens Olly against it?

Cheers,

Frank

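As an added, defensive illustration (not code from this thread, from OllyDbg or from any of its plugins), the check below parses the export directory of a PE32 file the way a loader-side sanity pass would and flags a NumberOfNames value whose name and ordinal tables cannot fit inside the file, the kind of illegal entry the post describes; the sample PE is constructed inline, and the post's fix (NumberOfNames set to 0) is shown to pass the check.

```python
import struct

def _rva_to_off(rva, sections):
    """Map an RVA to a file offset through the section table (None if no section covers it)."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    return None

def export_dir_problems(data):
    """List sanity problems in a PE32 file's export directory; [] means it looks loadable."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["missing PE signature"]
    coff, opt = e_lfanew + 4, e_lfanew + 24
    nsec, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    exp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]
    if exp_rva == 0:
        return []                                             # no export directory at all
    # section headers: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData start at +8
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    secs = [(va, vs, raw, rs) for vs, va, rs, raw in secs]
    off = _rva_to_off(exp_rva, secs)
    if off is None or off + 40 > len(data):
        return ["export directory RVA 0x%x lies outside the file" % exp_rva]
    # IMAGE_EXPORT_DIRECTORY: NumberOfFunctions @+20, NumberOfNames @+24,
    # AddressOfFunctions @+28, AddressOfNames @+32, AddressOfNameOrdinals @+36
    nfunc, nnames, afunc, anames, aords = struct.unpack_from("<5I", data, off + 20)
    problems = []
    if nnames > nfunc:
        problems.append("NumberOfNames %d exceeds NumberOfFunctions %d" % (nnames, nfunc))
    for label, rva, count, width in (("AddressOfFunctions", afunc, nfunc, 4),
                                     ("AddressOfNames", anames, nnames, 4),
                                     ("AddressOfNameOrdinals", aords, nnames, 2)):
        toff = _rva_to_off(rva, secs)
        if count and (toff is None or toff + count * width > len(data)):
            problems.append("%s: %d entries do not fit inside the file" % (label, count))
    return problems

def build_sample_pe(number_of_names):
    """Constructed minimal PE32 (one section, one exported function); not a real sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)       # 1 section, opt hdr 224 bytes
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", 0x1000, 0x40) + b"\0" * 120
    sec = b".edata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    export = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0x1034, 1, 1, number_of_names, 0x1028, 0x102C, 0x1030)
    export += struct.pack("<IIHH", 0x1100, 0x1034, 0, 0) + b"fn\0"     # the three tables + the name "fn"
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0") + export.ljust(0x200, b"\0")
```

Running the check over a file before loading it into a debugger gives an early warning that the export directory, rather than the debugger, is what will fall over.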
frank_boldewin

OK, you are right. When I load a newer dbghelp.dll into the Olly directory and load the malware, it doesn't crash any longer.

Thanks for the hint. I've never come across this anti-Olly trick before. :)

> OK, you are right. When I load a newer dbghelp.dll into the Olly directory and load the malware, it doesn't crash any longer.
>
> Thanks for the hint. I've never come across this anti-Olly trick before. :)

Lots of tricks exist for OllyDbg. See for example:
http://tuts4you.com/download.php?view.2277
http://tuts4you.com/download.php?view.2544
http://tuts4you.com/download.php?view.2702

The plug-ins have many more vulnerabilities, too.
