waliedassar

OllyDbg v1.10 LoadDll.hFile Trick

Nov 21st, 2012
//http://waleedassar.blogspot.com
//http://www.twitter.com/waleedassar
//
// Upon receiving a LOAD_DLL_DEBUG_EVENT, a debugger should save the value of the
// "hFile" member of LOAD_DLL_DEBUG_INFO somewhere so that it can close that handle
// upon receiving the corresponding UNLOAD_DLL_DEBUG_EVENT.
//
// OllyDbg v1.10 does not follow this rule: the file handle stays open after the DLL
// has been unloaded, so the debuggee can detect its presence simply by trying to
// acquire exclusive access to the DLL file after FreeLibrary. Note that any other
// process still holding a handle to that file produces the same result, so the check
// is not specific to debuggers.
//
// Executable can be found at:
//http://code.google.com/p/ollytlscatch/downloads/detail?name=Olly_LoadDll_Trick.exe
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
// Integer resource id of the embedded dummy DLL (resource type "WALIED"); see main().
#define IDR_WALIED2                     102
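// Entry point: writes the embedded dummy DLL to the current directory, loads and
// immediately unloads it, then tries to open the file for exclusive write access.
// If that open fails, some process still holds a handle to the file -- which is what
// OllyDbg v1.10 does after a LOAD_DLL_DEBUG_EVENT, because it never closes hFile.
//
// Returns 0 when the probe ran (one of the two message boxes was shown) and 1 when
// the test could not be set up (resource missing, directory unwritable, write
// incomplete, or the DLL failed to load -- in which case no LOAD_DLL event was ever
// delivered and the probe would be meaningless).
int main(void)
{
    // For the following code to work, embed any dummy DLL as a resource of type
    // "WALIED" with integer id IDR_WALIED2 (102; the original note said 0x102, but
    // the #define is the value FindResource actually uses).
    HRSRC hRes = FindResource(0, MAKEINTRESOURCE(IDR_WALIED2), "WALIED");
    if (!hRes) {
        return 1;
    }
    HGLOBAL hGlobal = LoadResource(0, hRes);
    if (!hGlobal) {
        return 1;
    }
    const void *pDll = LockResource(hGlobal);
    if (!pDll) {
        return 1;
    }
    DWORD dllSize = SizeofResource(0, hRes);
    if (dllSize == 0) {
        return 1;
    }

    // Build "<cwd>\walied.dll" with explicit bounds. GetCurrentDirectory returns 0 on
    // failure and the required size (>= MAX_PATH) when the buffer is too small; the
    // original code indexed path[len-1] without checking for 0 and appended with an
    // unbounded strcat, which overflows on a long directory name.
    char path[MAX_PATH] = {0};
    DWORD len = GetCurrentDirectory(MAX_PATH, path);
    if (len == 0 || len >= MAX_PATH) {
        return 1;
    }
    static const char dllName[] = "walied.dll";
    // Worst case: separator + name + terminating NUL (sizeof dllName counts the NUL).
    size_t need = (size_t)len + 1 + sizeof dllName;
    if (need > sizeof path) {
        return 1;
    }
    if (path[len - 1] != '\\') {
        path[len++] = '\\';
        path[len] = '\0';
    }
    strcat(path, dllName);

    // CREATE_ALWAYS overwrites a stale copy left by a previous run. The original code
    // first opened an existing file with GENERIC_READ and then called WriteFile on
    // that read-only handle, which fails silently and leaves the old contents in place.
    HANDLE hFile = CreateFile(path, GENERIC_WRITE,
                              FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                              0, CREATE_ALWAYS, 0, 0);
    if (hFile == INVALID_HANDLE_VALUE) {
        return 1;
    }
    DWORD written = 0;
    BOOL ok = WriteFile(hFile, pDll, dllSize, &written, 0);
    CloseHandle(hFile);
    if (!ok || written != dllSize) {
        DeleteFile(path);
        return 1;
    }

    // Load and unload the DLL: this is what makes an attached debugger receive the
    // LOAD_DLL_DEBUG_EVENT (carrying hFile) and UNLOAD_DLL_DEBUG_EVENT pair.
    HMODULE hMod = LoadLibrary(path);
    if (!hMod) {
        DeleteFile(path);
        return 1;
    }
    FreeLibrary(hMod);

    // Probe: dwShareMode == 0 requests exclusive access, so this open fails whenever
    // any other handle to the file is still open anywhere on the system.
    hFile = CreateFile(path, GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
    if (hFile != INVALID_HANDLE_VALUE) {
        MessageBox(0, "Expected behavior", "waliedassar", 0);
        CloseHandle(hFile);
    } else {
        // Not necessarily a debugger: an on-access scanner or any other process
        // holding the file open yields the same result.
        MessageBox(0, "Debugger detected", "waliedassar", 0);
    }
    DeleteFile(path);
    return 0;
}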