
An OllyDbg Bug Disables Software Breakpoints

walied
Member
Posts: 46
Joined: Tue Aug 31, 2010 6:08 am
Location: Egypt

An OllyDbg Bug Disables Software Breakpoints

Post by walied »

I have found a new bug in OllyDbg v1.10. The bug is triggered when the BaseAddress value is changed in the LDR_MODULE structure for the main executable. Any subsequent DLL loading forces Olly to call the psapi "EnumProcessModules" function in order to update the module list, and since the psapi "EnumProcessModules" function traverses and reads from the LDR_MODULE linked list, the new (fake) base address will definitely be returned.

A simple application was written to test this bug. See the image below.
[image]

Here is how the source code above looks in olly.

[image]

If some breakpoints are set after the troublesome code and OllyDbg is left to run, an error message shows up once we step over the "LoadLibrary" function call and none of the breakpoints are hit.

[image]

[image]

[image]

The problem is that OllyDbg trusts the data retrieved from the psapi "EnumProcessModules" function call and tries to update data related to the main executable, including software breakpoints. At this point, all software breakpoints are deleted since OllyDbg thinks their addresses are no longer valid. Actually they are, but this is how it goes in OllyDbg v1.10.

N.B. Software breakpoints outside the main executable, e.g. in ntdll.dll, are not affected by this bug.

A demo here https://docs.google.com/document/d/1BoG ... WNzSE/edit
Original topic http://waleedassar.blogspot.com/2012/01 ... tware.html
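One way a debugger could avoid acting on a rewritten LDR entry is to cross-check what EnumProcessModules reports before touching its breakpoint table. The block below is an added example, not OllyDbg's code and not from the original post: the process memory regions, the module tables and the assumption that the debugger saved each base from its CREATE_PROCESS/LOAD_DLL debug events are all constructed, and Python stands in for a plugin.

```python
import struct


def read_mem(regions, addr, size):
    """Stand-in for ReadProcessMemory over constructed {base: bytes} regions; None if unmapped."""
    for base, data in regions.items():
        if base <= addr and addr + size <= base + len(data):
            return data[addr - base:addr - base + size]
    return None

def has_pe_header(regions, base):
    """True only if `base` holds an MZ stub whose e_lfanew (offset 0x3C) reaches a PE signature."""
    dos = read_mem(regions, base, 0x40)
    if dos is None or dos[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    return read_mem(regions, base + e_lfanew, 4) == b"PE\x00\x00"

def check_reported_modules(regions, recorded, reported):
    """recorded: {name: base} the debugger saved from CREATE_PROCESS/LOAD_DLL debug events (assumed).
    reported: {name: base} as returned by EnumProcessModules, i.e. whatever the LDR list says.
    Any verdict other than 'ok' means: keep the recorded base and leave its breakpoints alone."""
    verdicts = {}
    for name, base in reported.items():
        if not has_pe_header(regions, base):
            verdicts[name] = "no-pe-header"   # reported base maps no PE image at all
        elif name in recorded and recorded[name] != base:
            verdicts[name] = "base-mismatch"  # a real image, but not where this module was loaded
        else:
            verdicts[name] = "ok"
    return verdicts

def minimal_pe_image():
    """Constructed 0x44-byte image: 'MZ' at 0, e_lfanew = 0x40, PE signature at 0x40."""
    img = bytearray(0x44)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\x00\x00"
    return bytes(img)

def demo():
    """Exe really at 0x00400000, ntdll at 0x7C900000; the exe's LDR BaseAddress was rewritten to 0x12340000."""
    regions = {0x00400000: minimal_pe_image(), 0x7C900000: minimal_pe_image()}
    recorded = {"test.exe": 0x00400000, "ntdll.dll": 0x7C900000}
    reported = {"test.exe": 0x12340000, "ntdll.dll": 0x7C900000}
    return check_reported_modules(regions, recorded, reported)
```

In the demo the fake exe base fails the header check while ntdll passes, which is exactly the split the post describes: only the main executable's breakpoints are at risk.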
ronnie291983
Member
Posts: 43
Joined: Thu Sep 11, 2008 4:43 am

Post by ronnie291983 »

Nice!! Very useful, thanks.