Jump to content
Tuts 4 You

Another OllyDbg Anti-Debug Trick


waliedassar

Recommended Posts

It is similar to, but different from the one i disclosed in the previous post. The previous one occurs when OllyDbg tries to grab .sym files, but this one occurs when OllyDbg tries to grab .udd files.

vuln2.JPG

Similar to .sym files, .udd files are grabbed for all loaded modules, including dynamically loaded ones, which gives us the chance to use this buffer overflow as an anti-debug method.

To exploit this buffer overflow, all you have to do is create a .dll with length of 0x102 bytes and then LoadLibrary it.

N.B. ollydbg.exe must reside in a directory with length of 0x29 bytes or more, e.g. "D:\Documents and Settings\Administrator\Desktop\odbg110".

Further details:

http://waleedassar.blogspot.com/2012/01/another-ollydbg-anti-debug-trick.html

A simple demo:

http://ollytlscatch.googlecode.com/files/bug.exe

Source code:

https://docs.google.com/document/d/1Vi3UO6sglpoEYMPNdA8ZXKrc7oBmR-0Bd5v0rnFGfug/edit

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...