Showing posts with label LoaderData. Show all posts
Showing posts with label LoaderData. Show all posts

Tuesday, February 21, 2012

OllyDbg Fake ImageName Bug

I have recently found a weird behavior in OllyDbg, which can further be used as an anti-debugging / anti-attaching trick. The problem occurs when enumerating the running processes if the "Select a process to attach" dialog box is opened.

The psapi "EnumProcesses" function is called to get the list of process identifiers (PIDs). For each PID, the psapi "EnumProcessModules" and "GetModuleFileNameExA" functions are called to extract the image base and full name of the main executable.

As i have shown in previous posts, the values in  PEB.LoaderData can easily be manipulated. In this case i will manipulate only the full name of the main executable to be of an existing but malformed file. Surprisingly, OllyDbg trusts the new file name and starts to extract essential information from it. Information extracted includes MZ signature, optional header values, section table data, etc.

The interesting thing about the forged executable is that it is rejected by the OS loader but still used by OllyDbg.

To create a one-file demo for this bug, i had to embed the malformed executable into the original one as a binary resource.
As you can see in the image below, the number of sections is set to 0xFFFF (malformed executable).
 
The demo can be found here.  The virustotal report can be found here.

N.B. This has been tested on OllyDbg v1.10 only.

Update:
Another demo, that crashes OllyDbg upon debugging or attaching, has been created. You can find it here.

Update:
The source code for the demos above can be found here.

You can follow me on Twitter @waleedassar 

Sunday, December 18, 2011

Debuggers Anti-Attaching Techniques - Part 5

In this post, i will explain another anti-attaching trick. The trick is that if we manipulate the _PEB_LDR_DATA structure pointed to by PEB.LoaderData, we can cause functions like EnumProcessModules and GetModuleFileNameExA to fail.


Consequently, ollydbg would not be able to see the process in the "Select process to attach" dialog box.


You can play with this demo.

N.B. This trick can't be reliably used unless you carefully choose APIs in your application. Try to avoid APIs which read or write to the _PEB_LDR_DATA structure.

Update:
I have made a tiny plugin for OllyDbg v1.10. The plugin enables debugging those applications, which don't show in the "Select process to attach" dialog box. The plugin first checks the integrity of the target process's _PEB_LDR_DATA structure. If a manipulated structure is detected, a new typical one will be created.

The plugin can be downloaded from here and its source code from here.

Update:
Variants of this trick manipulate PEB.LoaderData so that an infinite loop occurs in OllyDbg or any other application which tries to use the "EnumProcessModules" function or the likes. See the image below.
The demo can be found here.

You can follow me on Twitter @waleedassar