ARTeam: Anti Olly Tester 1.0, by me
Posted on: 2006-8-25 01:32 4250

Anti Olly Tester 1.0
--------------------
This little program is more a POC than a friendly program. It's based on an idea Gabri3l discussed once: to test the environment in which the program is going to run and adapt itself to the conditions it finds.
Well, this program is a set of tests performed on the processes running on the system. They are performed on several tools using blacklists, but special attention is paid to OllyDbg.

It detects debugging programs through different methods, all connected to the execution environment.

    * Method 1: sees if one of the currently running processes' window names is blacklisted or not
    * Method 2: collects the ClassName of each of the active windows and checks if it is blacklisted
    * Method 3: tests the processes' paths and sees if any is blacklisted
    * Method 4: tests modules (DLLs) loaded by any active process to see if any is a known plugin or matches a blacklist of processes and words
    * Method 5: opens the install folder the program is running from and sees if any of the files inside that folder has a blacklisted word
    * Method 6: tests the export directory of the running processes to see if there's something connected with Olly
    * Method 7: tests the VERSION_INFO resource of the running processes to check if any matches a blacklist
    * Method 8: tests all the other resources (dialogs, menus, bitmaps and so on) of the running processes to check if any contains blacklisted words (either UNICODE or ASCII)

The blacklists are taken from SDProtector and are generic enough to include almost all known RCE tools around.

The result is really interesting and the resulting check is very difficult to overcome: it's very difficult to hide Olly from this type of test.

The final code is very small, even if written in C. Moreover, consider that each test might be performed by parallel recurrent threads and decrypted/encrypted just before and after execution. An exe protected like this might easily become a nightmare, without having to write a single ASM trick.

Note that this same test is included in distribution 1.2 of xADT, in the test "Find Complex".

http://releases.accessroot.com
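
The checks the post enumerates, as an added example that is not the post's or the tool's code: a pure-Python model of the blacklist matching for methods 1-5 and 8, run over a constructed environment so it works offline. The BLACKLIST words and every sample window, path and resource below are constructed for illustration (the real tool uses SDProtector's lists and Win32 enumeration).

```python
# Added example, not from the original post: a pure-Python model of the blacklist
# checks it enumerates, over constructed data. The real tool walks live processes
# and windows with Win32 APIs; BLACKLIST and all sample values are constructed.
BLACKLIST = ("ollydbg", "ollyice", "ollydump", "windbg", "softice")


def blacklisted_word(text):
    """Case-insensitive substring test behind methods 1-5 (names, paths, files)."""
    low = text.lower()
    for word in BLACKLIST:
        if word in low:
            return word
    return None


def scan_resource(blob):
    """Method 8 style scan of a raw resource: words stored as ASCII or as UTF-16LE
    (Win32 'UNICODE'). bytes.lower() folds only ASCII letters, so one copy serves both."""
    low = blob.lower()
    return [w for w in BLACKLIST
            if w.encode("ascii") in low or w.encode("utf-16-le") in low]


def audit(env):
    """Return {method number: first item that fired} for the given environment."""
    found = {}
    keyed = ((1, "window_titles"), (2, "class_names"), (3, "process_paths"),
             (4, "modules"), (5, "install_files"))
    for method, key in keyed:
        for item in env[key]:
            if blacklisted_word(item):
                found[method] = item
                break
    for blob in env["resources"]:
        hits = scan_resource(blob)
        if hits:
            found[8] = hits
            break
    return found


# Constructed environment: renamed debugger exe, title bar reading only "CPU - main thread".
SAMPLE = {
    "window_titles": ["Untitled - Notepad", "CPU - main thread, module target"],
    "class_names": ["Notepad", "OLLYDBG"],
    "process_paths": [r"C:\Windows\explorer.exe", r"C:\Tools\dbg\renamed.exe"],
    "modules": [r"C:\Tools\dbg\OllyDump.dll"],
    "install_files": ["readme.txt", "target.exe"],
    "resources": [b"\x00\x00" + "OllyDbg v1.10".encode("utf-16-le") + b"\x00\x00"],
}
```

With this sample, renaming the executable and retitling the window silences methods 1 and 3, but `audit(SAMPLE)` still returns hits for method 2 (window class), method 4 (plugin DLL) and method 8 (UTF-16 string in a resource), which is why the post calls the combined check hard to evade.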

Latest replies (6)
2
Good job.
2006-8-25 01:49
3
i ll see it
2006-8-29 19:13
4
it works well, thx
2006-10-8 22:47
5
If still detailed have burned well!
2007-2-18 18:29
6
thank you.
2007-6-24 09:08
7
Good Job
2011-6-14 12:19