Sunday, January 1, 2012

Another OllyDbg Anti-Debug Trick

It is similar to, but different from the one i disclosed in the previous post. The previous one occurs when OllyDbg tries to grab .sym files, but this one occurs when it tries to grab .udd files.

Similar to .sym files, .udd files are grabbed for all loaded modules, including dynamically loaded ones, which gives us the chance to use this buffer overflow as an anti-debug method.

To exploit this buffer overflow, all you have to do is create a .dll with length of 0x102 bytes and then LoadLibrary it.


N.B. ollydbg.exe must reside in a directory with length of 0x29 bytes or more, e.g. "D:\Documents and Settings\Administrator\Desktop\odbg110".


Demo:
http://ollytlscatch.googlecode.com/files/bug.exe

Source code:
https://docs.google.com/document/d/1Vi3UO6sglpoEYMPNdA8ZXKrc7oBmR-0Bd5v0rnFGfug/edit

Update:
Another less critical bug (buffer overflow) has been found in OllyDbg v1.10. It is triggered upon exit or manually choosing the "Update .udd file now" menu option. If you need its POC, just shoot me a mail.

You can follow me on Twitter @waleedassar 

2 comments:

  1. Hi, nice work
    Can you provide an crackme sample which exploit these two bugs?

    ReplyDelete
  2. http://ollytlscatch.googlecode.com/files/bug.exe

    Just try to use OllyDbg v1.10 to debug this file.



    If your ollydbg installation folder is longer than 41 bytes, ollydbg should crash.

    ReplyDelete