waliedassar Posted January 2, 2012 Posted January 2, 2012 It is similar to, but different from the one i disclosed in the previous post. The previous one occurs when OllyDbg tries to grab .sym files, but this one occurs when OllyDbg tries to grab .udd files. Similar to .sym files, .udd files are grabbed for all loaded modules, including dynamically loaded ones, which gives us the chance to use this buffer overflow as an anti-debug method. To exploit this buffer overflow, all you have to do is create a .dll with length of 0x102 bytes and then LoadLibrary it. N.B. ollydbg.exe must reside in a directory with length of 0x29 bytes or more, e.g. "D:\Documents and Settings\Administrator\Desktop\odbg110". Further details: http://waleedassar.blogspot.com/2012/01/another-ollydbg-anti-debug-trick.html A simple demo: http://ollytlscatch.googlecode.com/files/bug.exe Source code: https://docs.google.com/document/d/1Vi3UO6sglpoEYMPNdA8ZXKrc7oBmR-0Bd5v0rnFGfug/edit
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now