Advertisement
waliedassar

OllyDbg v1.10 LoadDll.hFile Trick

Nov 21st, 2012
502
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.21 KB | None | 0 0
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Upon receiving LOAD_DLL_DEBUG_EVENT debug events, debuggers should save the value of
  4. //the "hFile" member of LOAD_DLL_DEBUG_INFO somewhere so that it can close it upon receiving
  5. //the corresponding UNLOAD_DLL_DEBUG_INFO.
  6.  
  7. //OllyDbg v1.10 does not follow this rule and consequently we can easily detect its presence
  8. //simply by trying to acquire exclusive access to the Dll file after FreeLibrary.
  9. //Executable can be found at:
  10. //http://code.google.com/p/ollytlscatch/downloads/detail?name=Olly_LoadDll_Trick.exe
  11. #include "stdafx.h"
  12. #include "windows.h"
  13. #include "stdio.h"
  14. #define IDR_WALIED2                     102
  15. void main()
  16. {
  17.         //For the following code to work, embed any dummy DLL as a resource of TYPE "WALIED"
  18.         //and id of 0x102.
  19.     HRSRC h=FindResource(0,MAKEINTRESOURCE(IDR_WALIED2),"WALIED");
  20.     if(h)
  21.     {
  22.         HGLOBAL hG=LoadResource(0,h);
  23.         if(hG)
  24.         {
  25.             void* pDll=LockResource(hG);
  26.             if(pDll)
  27.             {
  28.                 char path[MAX_PATH]={0};
  29.                 GetCurrentDirectory(MAX_PATH,path);
  30.                 unsigned long len=strlen(path);
  31.                 if(path[len-1]!='\\') path[len]='\\';
  32.                 strcat(path,"walied.dll");
  33.                 HANDLE hFile=CreateFile(path,
  34.                                 GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
  35.                                 0,OPEN_EXISTING,0,0);
  36.                 if(hFile==INVALID_HANDLE_VALUE)
  37.                 {
  38.                     hFile=CreateFile(path,
  39.                                         GENERIC_READ|GENERIC_WRITE,
  40.                                         FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
  41.                                         0,CREATE_ALWAYS,0,0);
  42.                 }
  43.                 if(hFile==INVALID_HANDLE_VALUE) ExitProcess(0);
  44.                 else
  45.                 {
  46.                     unsigned long writ;
  47.                     WriteFile(hFile,pDll,SizeofResource(0,h),&writ,0);
  48.                     CloseHandle(hFile);
  49.                     FreeLibrary(LoadLibrary(path));
  50.                     hFile=0;
  51.                     hFile=CreateFile(path,GENERIC_WRITE,0,0,OPEN_EXISTING,0,0);
  52.                     if(hFile!=INVALID_HANDLE_VALUE)
  53.                     {
  54.                         MessageBox(0,"Expected behavior","waliedassar",0);
  55.                         CloseHandle(hFile);
  56.                     }
  57.                     else
  58.                     {
  59.                         MessageBox(0,"Debugger detected","waliedassar",0);
  60.                     }
  61.                     DeleteFile(path);
  62.                 }
  63.             }
  64.         }
  65.     }
  66. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement