Exetools > General > Community Tools

  #1  
Old 10-24-2013, 01:47
sendersu (VIP)
@author
Have you seen this interesting piece of code?
http://pastebin.com/6kbt1Vka

Did you already have it inside the Ext tool?
  #2  
Old 10-24-2013, 02:36
memcpy (Friend)
This pastebin is irrelevant; it's for kernel debugger detection. Olly is a user-mode debugger. You don't have to add this, mate.
  #3  
Old 12-07-2013, 18:12
s0me0n3 (Family)
Quote:
Originally Posted by sendersu
@author
Have you seen this interesting piece of code?
http://pastebin.com/6kbt1Vka

Did you already have it inside the Ext tool?
Quote:
Originally Posted by memcpy
This pastebin is irrelevant; it's for kernel debugger detection. Olly is a user-mode debugger. You don't have to add this, mate.
I have to disagree, from what I can see in the pastebin:

Quote:
//On the other hand, if KdPitchDebugger is set to false, a check for the "SeDebugPrivilege"
//privilege is conducted, a sign of presence of Kernel and/or UserMode debugger(s).
and

Quote:
else
{
    printf("Kernel Debugger present\r\n");
    if(retValue != 0xC0000022) printf("UserMode Debugger present as well\r\n");
}
}
Tell me where I am wrong.
  #4  
Old 12-09-2013, 03:52
ferrit.rce (VIP, Switzerland)
I have test code for this, and it's relevant only in some rare circumstances. The user-mode debugger can be detected only if a kernel-mode debugger is installed and running and the program is debugged under the user-mode debugger. I've never seen this protection in any protector, but I can implement it in no time. This will be done in the next release...

Quote:
Originally Posted by s0me0n3
I have to disagree, from what I can see in the pastebin: [...] Tell me where I am wrong.
  #5  
Old 12-14-2013, 03:59
qkumba (Friend)
Quote:
Originally Posted by ferrit.rce
I have test code for this, and it's relevant only in some rare circumstances. The user-mode debugger can be detected only if a kernel-mode debugger is installed and running and the program is debugged under the user-mode debugger. I've never seen this protection in any protector, but I can implement it in no time. This will be done in the next release...
That's not even quite true. It's not detecting any user-mode debugger. It's detecting that a kernel debugger is running and that the process has the SeDebugPrivilege, which is completely independent of any user-mode debugger.

It's not a reliable detection method.
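The check the thread is arguing about, written out as an added example so both of its gates are visible. This is not the pastebin's code and not OllyExt's. What it takes from the thread: the NtSystemDebugControl call, the KdPitchDebugger gate followed by the SeDebugPrivilege gate, and 0xC0000022 (STATUS_ACCESS_DENIED) as the "privilege missing" result. What it assumes: that the "KdPitchDebugger is set" result is STATUS_DEBUGGER_INACTIVE (0xC0000354); that any command, here command 0 with empty buffers, reaches the gates first; that whatever the command would return after the gates can be modeled as STATUS_SUCCESS; and the function names decode_sysdbg_status, model_nt_system_debug_control, real_nt_system_debug_control and enable_se_debug_privilege, which are mine. The model function exists so the decode logic can be run anywhere; the live call and the privilege-enabling helper are compiled only on Windows.

```c
/* Added example, not the pastebin's or OllyExt's code. See the lead-in for the assumptions. */
#include <stdio.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#else
typedef int32_t NTSTATUS;   /* LONG on Windows; portable stand-in elsewhere */
#endif

#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#endif
#ifndef STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED     ((NTSTATUS)0xC0000022L)   /* the value the pastebin tests */
#endif
#ifndef STATUS_DEBUGGER_INACTIVE
#define STATUS_DEBUGGER_INACTIVE ((NTSTATUS)0xC0000354L)   /* assumed "KdPitchDebugger set" result */
#endif

enum sysdbg_verdict {
    NO_KERNEL_DEBUGGER,            /* first gate (KdPitchDebugger) rejected the call      */
    KERNEL_DEBUGGER_NO_PRIVILEGE,  /* passed gate 1, caller lacks SeDebugPrivilege        */
    KERNEL_DEBUGGER_AND_PRIVILEGE  /* passed both; pastebin prints "UserMode Debugger present" here */
};

/* Decode the return value exactly the way the pastebin's if/else does. */
enum sysdbg_verdict decode_sysdbg_status(NTSTATUS status)
{
    if (status == STATUS_DEBUGGER_INACTIVE) return NO_KERNEL_DEBUGGER;
    if (status == STATUS_ACCESS_DENIED)     return KERNEL_DEBUGGER_NO_PRIVILEGE;
    return KERNEL_DEBUGGER_AND_PRIVILEGE;
}

/* Simplified model of the two gates the pastebin comment describes (assumption: the
 * command's own result is modeled as STATUS_SUCCESS). The inputs are a kernel-side
 * flag and the caller's token privilege; there is no "user-mode debugger attached"
 * input at all, which is the point qkumba makes above. */
NTSTATUS model_nt_system_debug_control(int kd_pitch_debugger, int caller_has_se_debug_privilege)
{
    if (kd_pitch_debugger)              return STATUS_DEBUGGER_INACTIVE;
    if (!caller_has_se_debug_privilege) return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}

#ifdef _WIN32
/* Live call. NtSystemDebugControl is exported by ntdll but not in an import library,
 * so resolve it at run time. Command 0 with empty buffers is enough for the probe
 * (assumption: every command hits the gates before it is interpreted). */
typedef NTSTATUS (NTAPI *NtSystemDebugControl_t)(int Command, PVOID InputBuffer, ULONG InputBufferLength,
                                                  PVOID OutputBuffer, ULONG OutputBufferLength, PULONG ReturnLength);

NTSTATUS real_nt_system_debug_control(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtSystemDebugControl_t fn = ntdll ? (NtSystemDebugControl_t)GetProcAddress(ntdll, "NtSystemDebugControl") : NULL;
    if (!fn) return STATUS_DEBUGGER_INACTIVE;   /* cannot resolve: treat as the benign case */
    return fn(0, NULL, 0, NULL, 0, NULL);
}

/* Enable SeDebugPrivilege in our own token, with no debugger involved. With a kernel
 * debugger active this alone flips the verdict to KERNEL_DEBUGGER_AND_PRIVILEGE.
 * Succeeds only if the account holds the privilege (administrators do). */
int enable_se_debug_privilege(void)
{
    HANDLE token;
    TOKEN_PRIVILEGES tp;
    BOOL adjusted;
    int ok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) return 0;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValueA(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) { CloseHandle(token); return 0; }
    adjusted = AdjustTokenPrivileges(token, FALSE, &tp, sizeof tp, NULL, NULL);
    ok = adjusted && GetLastError() == ERROR_SUCCESS;   /* ERROR_NOT_ALL_ASSIGNED: privilege not held */
    CloseHandle(token);
    return ok;
}
#endif

static const char *verdict_name(enum sysdbg_verdict v)
{
    switch (v) {
    case NO_KERNEL_DEBUGGER:           return "no kernel debugger";
    case KERNEL_DEBUGGER_NO_PRIVILEGE: return "kernel debugger, caller lacks SeDebugPrivilege";
    default:                           return "kernel debugger, caller has SeDebugPrivilege (pastebin: \"UserMode Debugger present\")";
    }
}

int main(void)
{
    int kd, priv;
    /* Truth table of the model: the privilege only matters once KdPitchDebugger is clear. */
    for (kd = 1; kd >= 0; kd--)
        for (priv = 0; priv <= 1; priv++)
            printf("KdPitchDebugger=%d SeDebugPrivilege=%d -> %s\n", kd, priv,
                   verdict_name(decode_sysdbg_status(model_nt_system_debug_control(kd, priv))));
#ifdef _WIN32
    printf("live, before enabling privilege: %s\n", verdict_name(decode_sysdbg_status(real_nt_system_debug_control())));
    if (enable_se_debug_privilege())
        printf("live, after enabling privilege:  %s\n", verdict_name(decode_sysdbg_status(real_nt_system_debug_control())));
#endif
    return 0;
}
```

On a Windows box with a kernel debugger attached, run it once from a plain elevated console: the second live line reports "UserMode Debugger present" with no user-mode debugger anywhere, because the process enabled the privilege in its own token. A debuggee launched by a debugger that had already enabled SeDebugPrivilege inherits that enabled state with its token, which is why the heuristic sometimes appears to work; the verdict is still a statement about the token, not about an attached debugger.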

Tags
anti-anti-debug, anti-debug, ollydbg, ollyext, plugin
