From Collaborative RCE Tool Library

Jump to: navigation, search

Anti Olly Tester

Tool name: Anti Olly Tester
Rating: 0.0 (0 votes)
Author: Shub-nigurrath                        
Current version: 1.0
Last updated: August 25, 2006
Direct D/L link: Locally archived copy
License type: Free
Description: This little program is more a POC than a friendly program. It's based on an idea Gabri3l discussed once, to test the environment in which the program is going to run and adapt itself to the conditions it finds.
Well this program is a set of tests performed on the processes running on the system. They are performed on several tools using blacklists but there's a special attention paid to OllyDbg.

Detects Debugging programs through different methods all connected to the execution environment.

* Method 1: see if one of the currently running processes' Windows name is blacklisted or not
* Method 2: Collects the ClassName of each of the active windows and check if it is blacklisted
* Method 3: tests the processes paths and see if it is blacklisted
* Method 4: tests modules (dll) loaded by any active process to see if any is a known plugin or matches a blacklistof process and words
* Method 5: Opens the install folder where the program is running from and see if any of the files inside that folder has oneblacklisted word
* Method 6: test export directory of the running processes, if there's something connected with Olly.
* Method 7: test VERSION_INFO resource of the running processes to check if any matches a blacklist
* Method 8: test all the other resources (dialog, menus, bitmaps and so on) of the running processes to check if any contains blacklisted words (either UNICODE or ASCII)

The blacklists are taken from SDProtector and are generic enough to include almost all known RCE tool around.

The result is really interesting and the resulting check is very difficult to overcome: It's very difficult to hide Olly to this type of tests.

The final code is very small, even if written using C. Moreover consider that each test might be performed by parallel recurrent threads and decrypted/encrypted just before and after execution. An exe protected like this might easily become a nightmare, without having a to write a single ASM trick.

Note that this same test is inside the distribution 1.2 of xADT into the test "Find Complex".
Related URLs: No related URLs have been submitted for this tool yet

RSS feed Feed containing all updates for this tool.

You are welcome to add your own useful notes about this tool, for others to see!

If you find that any information for the tool above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)

Category Navigation Tree
   Code Coverage Tools  (13)
   Code Ripping Tools  (2)
   Helper Tools  (3)
   Hex Editors  (13)
   Memory Patchers  (7)
   Packers  (20)
   Profiler Tools  (11)
   String Finders  (10)
   Tool Hiding Tools  (7)
   Tracers  (22)
   Needs New Category  (3)