Exetools


elephant 03-20-2005 21:13

OllyDbg long process Module debug Vulnerability
 
OllyDbg will crash if a target process loads a module that has a long name of more than 200 characters. This could be used for anti-debugging purposes.

This vulnerability was discovered by ATmaCA. Here is the original advisory from SecurityFocus:

hxxp://www.securityfocus.com/archive/1/393747/2005-03-17/2005-03-23/0

Quote:

Vendor:
Oleh Yuschuk

Application:
OllyDbg
http://home.t-online.de/home/Ollydbg/

Introduction:
OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®.
Emphasis on binary code analysis makes it particularly useful in cases where source
is unavailable.

Affected Versions:
1.10 (final version) and prior versions.

Overview:
In OllyDbg, if a target process loads modules that contain a long name
(greater than around 200 bytes), OllyDbg will crash.

This hole can be used for an anti-debug method for OllyDbg.


Vendor Status:
No vendor response.

Discovery:
ATmaCA
atmaca atmacasoft com
www.atmacasoft.com
www.spyinstructors.com
Credit to Kozan

POC:
Debug this program with OllyDbg.
When the program runs, a folder named "olly hole" will be
created on the desktop and a long-named DLL will be created in
this folder. Then it will load it, and finally
OllyDbg will crash.

http://www.atmacasoft.com/exp/OllyHole.exe
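
An added example, not part of the original thread or of OllyDbg's code: one way a debugger could store a module name reported by the debuggee without trusting its length. It assumes the crash comes from a fixed-size name buffer, which the advisory does not state; `module_entry`, `store_module_name` and the 200-byte `MODNAME_MAX` are hypothetical names and values.

```c
#include <stdio.h>
#include <string.h>

#define MODNAME_MAX 200   /* assumed buffer size, after the advisory's "around 200 bytes" */

/* Hypothetical module-table entry in a debugger. */
struct module_entry {
    char name[MODNAME_MAX];
    int  truncated;        /* set when the reported name did not fit */
};

/*
 * Copy a module path reported by the debuggee into a fixed buffer.
 * The path is controlled by the target, so its length is never trusted.
 * When it does not fit, keep the tail (the file name is the useful part)
 * behind a "..." marker and record the truncation as a signal for the analyst.
 * Returns 0 on a clean copy, 1 when truncated, -1 on bad arguments.
 */
int store_module_name(struct module_entry *e, const char *path)
{
    size_t len, keep;

    if (e == NULL || path == NULL)
        return -1;

    len = strlen(path);
    if (len < sizeof e->name) {
        memcpy(e->name, path, len + 1);   /* includes the terminator */
        e->truncated = 0;
        return 0;
    }

    keep = sizeof e->name - 1 - 3;        /* room for "..." and the NUL */
    memcpy(e->name, "...", 3);
    memcpy(e->name + 3, path + (len - keep), keep);
    e->name[sizeof e->name - 1] = '\0';
    e->truncated = 1;
    return 1;
}

int main(void)
{
    struct module_entry e;
    char longpath[600];                   /* constructed sample input */

    memset(longpath, 'A', sizeof longpath - 1);
    memcpy(longpath + sizeof longpath - 5, ".dll", 5);
    printf("rc=%d len=%zu\n", store_module_name(&e, longpath), strlen(e.name));
    return 0;
}
```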

kp_ 04-04-2005 21:49

anti debugging trick:
"hey, reverser, don't load my program into the debugger as it carries a backdoor in its filename and i hack into your machine" :)

