ARTeam: Anti Olly Tester 1.0, by me-资源下载-看雪-安全社区|安全招聘|kanxue.com

ARTeam: Anti Olly Tester 1.0, by me

发表于: 2006-8-25 01:32 4207

ARTeam: Anti Olly Tester 1.0, by me

Shub-Nigurrath 活跃值

活跃值

2006-8-25 01:32

4207

Anti Olly Tester 1.0
--------------------
This little program is more a POC than a friendly program. It's based on an idea Gabri3l discussed once, to test the environment in which the program is going to run and adapt itself to the conditions it finds.
Well this program is a set of tests performed on the processes running on the system. They are performed on several tools using blacklists but there's a special attention paid to OllyDbg.

Detects Debugging programs through different methods all connected to the execution environment.

* Method 1: see if one of the currently running processes' Windows name is blacklisted or not
* Method 2: Collects the ClassName of each of the active windows and check if it is blacklisted
* Method 3: tests the processes paths and see if it is blacklisted
* Method 4: tests modules (dll) loaded by any active process to see if any is a known plugin or matches a blacklist
   of process and words
* Method 5: Opens the install folder where the program is running from and see if any of the files inside that folder has one
   blacklisted word
* Method 6: test export directory of the running processes, if there's something connected with Olly.
* Method 7: test VERSION_INFO resource of the running processes to check if any matches a blacklist
* Method 8: test all the other resources (dialog, menus, bitmaps and so on) of the running processes to check if any
   contains blacklisted words (either UNICODE or ASCII)

The blacklists are taken from SDProtector and are generic enough to include almost all known RCE tool around.

The result is really interesting and the resulting check is very difficult to overcome: It's very difficult to hide Olly to this type of tests.

The final code is very small, even if written using C. Moreover consider that each test might be performed by parallel recurrent threads and decrypted/encrypted just before and after execution. An exe protected like this might easily become a nightmare, without having a to write a single ASM trick.

Note that this same test is inside the distribution 1.2 of xADT into the test "Find Complex".

http://releases.accessroot.com

[课程]Linux pwn 探索篇！

收藏・1

免费・0

支持

分享

最新回复 (6)
linhanshi 雪币： 93908 活跃值： (200199) 能力值： (RANK：10 ) 在线值：发帖 9213 回帖 27805 粉丝 446 关注私信	linhanshi 2 楼 Good job. 2006-8-25 01:49 0
zhaoocn 雪币： 50 活跃值： (145) 能力值： ( LV12，RANK：290 ) 在线值：发帖 9 回帖 348 粉丝 0 关注私信	zhaoocn 7 3 楼 i ll see it 2006-8-29 19:13 0
springkang[DFCG 雪币： 323 活跃值： (589) 能力值： ( LV12，RANK：450 ) 在线值：发帖 21 回帖 256 粉丝 3 关注私信	springkang[DFCG 11 4 楼 it works well,thx 2006-10-8 22:47 0
jiyunyan 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 23 粉丝 0 关注私信	jiyunyan 5 楼 If still detailed have burned well！ 2007-2-18 18:29 0
NWMonster 雪币： 134 活跃值： (84) 能力值： ( LV5，RANK：60 ) 在线值：发帖 26 回帖 457 粉丝 8 关注私信	NWMonster 1 6 楼 thank you. 2007-6-24 09:08 0
邓韬雪币： 278 活跃值： (709) 能力值： ( LV15，RANK：520 ) 在线值：发帖 265 回帖 1670 粉丝 1 关注私信	邓韬 9 7 楼 Good Job 2011-6-14 12:19 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

返回

Shub-Nigurrath

发帖

回帖

RANK

他的文章

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区

//