Welcome to the new Woodmann RCE Messageboards Regroupment
Please be patient while the rest of the site is restored.

To all Members of the old RCE Forums:
In order to log in, it will be necessary to reset your forum login password ("I forgot my password") using the original email address you registered with. You will be sent an email with a link to reset your password for that member account.

The old vBulletin forum was converted to phpBB format, requiring the passwords to be reset. If this is a problem for some because of a forgotten email address, please feel free to re-register with a new username. We are happy to welcome old and new members back to the forums! Thanks.

All new accounts are manually activated before you can post. Any questions can be PM'ed to Kayaker.

OllyDbg Fake ImageName Bug

Found a bug in OllyDbg? Post a report here.
Posts: 46
Joined: Tue Aug 31, 2010 6:08 am
Location: Egypt

OllyDbg Fake ImageName Bug

Post by walied »

I have recently found a weird behavior in OllyDbg, which can further be used as an anti-debugging / anti-attaching trick. The problem occurs when enumerating the running processes if the "Select a process to attach" dialog box is opened.

The psapi "EnumProcesses" function is called to get the list of process identifiers (PIDs). For each PID, the psapi "EnumProcessModules" and "GetModuleFileNameExA" functions are called to extract the image base and full name of the main executable.

As i have shown in previous posts, the values in PEB.LoaderData can easily be manipulated. In this case i will manipulate only the full name of the main executable to be of an existing but malformed file. Surprisingly, OllyDbg trusts the new file name and starts to extract essential information from it. Information extracted includes MZ signature, optional header values, section table data, etc.

The interesting thing about the forged executable is that it is rejected by the OS loader but still used by OllyDbg.

To create a one-file demo for this bug, i had to embed the malformed executable into the original one as a binary resource.
As you can see in the image below, the number of sections is set to 0xFFFF (malformed executable).
The demo can be found here.
http://ollytlscatch.googlecode.com/file ... _to_me.exe
The virustotal report can be found here.
https://www.virustotal.com/file/2ffe26e ... 329795141/
N.B. This has been tested on OllyDbg v1.10 only.

Another demo, that crashes OllyDbg upon debugging or attaching, has been created. You can find it here.