OllyDbg v1.10 LoadDll.hFile Trick

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3. //Upon receiving LOAD_DLL_DEBUG_EVENT debug events, debuggers should save the value of
4. //the "hFile" member of LOAD_DLL_DEBUG_INFO somewhere so that it can close it upon receiving
5. //the corresponding UNLOAD_DLL_DEBUG_INFO.
6.  
7. //OllyDbg v1.10 does not follow this rule and consequently we can easily detect its presence
8. //simply by trying to acquire exclusive access to the Dll file after FreeLibrary.
9. //Executable can be found at:
10. //http://code.google.com/p/ollytlscatch/downloads/detail?name=Olly_LoadDll_Trick.exe
11. #include "stdafx.h"
12. #include "windows.h"
13. #include "stdio.h"
14. #define IDR_WALIED2                     102
15. void main()
16. {
17.         //For the following code to work, embed any dummy DLL as a resource of TYPE "WALIED"
18.         //and id of 0x102.
19.     HRSRC h=FindResource(0,MAKEINTRESOURCE(IDR_WALIED2),"WALIED");
20.     if(h)
21.     {
22.         HGLOBAL hG=LoadResource(0,h);
23.         if(hG)
24.         {
25.             void* pDll=LockResource(hG);
26.             if(pDll)
27.             {
28.                 char path[MAX_PATH]={0};
29.                 GetCurrentDirectory(MAX_PATH,path);
30.                 unsigned long len=strlen(path);
31.                 if(path[len-1]!='\\') path[len]='\\';
32.                 strcat(path,"walied.dll");
33.                 HANDLE hFile=CreateFile(path,
34.                                 GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
35.                                 0,OPEN_EXISTING,0,0);
36.                 if(hFile==INVALID_HANDLE_VALUE)
37.                 {
38.                     hFile=CreateFile(path,
39.                                         GENERIC_READ|GENERIC_WRITE,
40.                                         FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
41.                                         0,CREATE_ALWAYS,0,0);
42.                 }
43.                 if(hFile==INVALID_HANDLE_VALUE) ExitProcess(0);
44.                 else
45.                 {
46.                     unsigned long writ;
47.                     WriteFile(hFile,pDll,SizeofResource(0,h),&writ,0);
48.                     CloseHandle(hFile);
49.                     FreeLibrary(LoadLibrary(path));
50.                     hFile=0;
51.                     hFile=CreateFile(path,GENERIC_WRITE,0,0,OPEN_EXISTING,0,0);
52.                     if(hFile!=INVALID_HANDLE_VALUE)
53.                     {
54.                         MessageBox(0,"Expected behavior","waliedassar",0);
55.                         CloseHandle(hFile);
56.                     }
57.                     else
58.                     {
59.                         MessageBox(0,"Debugger detected","waliedassar",0);
60.                     }
61.                     DeleteFile(path);
62.                 }
63.             }
64.         }
65.     }
66. }