Ollydbg Closes Just After Launching automatically
theone2003a
June 3rd, 2007, 17:42
Hi
I recently downloaded OllyDbg from its official website. When I start it, it shows the program's main window and then suddenly closes.
I ran it in safe mode and it works okay there.
I think it's some kind of process that checks for and closes OllyDbg.
What I want to know is: how can I know which process tries to close OllyDbg?
Sincerely
Michael Lopez
naides
June 3rd, 2007, 19:24
Sounds like one of the automatic startup processes or drivers has anti-Olly code:
Option 1: download Process Explorer (SysInternals), sort the process tree in descending order of CPU usage, and, while keeping an eye on it, load Olly. Keep mental note of the programs that come to life when Olly is loaded and unloaded. Kill the suspicious process(es) or drivers until you pinpoint the culprit.
Option 2: Start Windows in Selective Startup (an option of msconfig) and systematically disable all startups, reboot, then see if Olly loads. If it does, then enable them one by one, rebooting each time, until you find the culprit. Do a similar exercise enabling Windows drivers one by one (or ten by ten).
Lastly, Please post here who is the bastard that closes Olly.
theone2003a
June 4th, 2007, 04:07
Hi
Thanks for your help
I finally found the program. It's IDA (Internet Download Accelerator 5.2). I don't know why; perhaps it's its protection against cracking.
Is there a way to disable this protection in IDA, so as to have OllyDbg and IDA running simultaneously?
Sincerely
Michael Lopez
naides
June 4th, 2007, 06:23
Try one or several plug-ins available in this site to hide Olly.
Particularly the ones that change Olly's name and Olly's window name.
I have the gut feeling that this is the way such an app detects the presence of the debugger: by scanning the process and window lists, even if it itself is not being traced by the debugger.
Kayaker
June 4th, 2007, 07:21
This sucker uses some OutputDebugString trickery on a 4 second timer, see attached picture. Probably other checks occurring on the same or similar timers as well. Output is from the Softice Debug Monitor (also shown in the Softice command window). SysInternals DebugView will show the same thing, but is detected as a "debugger" by IDAccel and is closed the same way OllyDbg is closed. ZoneAlarm will intercept the closing attempt. Interestingly WinDbg is ignored, and so is Softice unless you set a breakpoint apparently. Modifying the file image in memory will quickly give a 'file corrupted' message.
So... in general is there a way to prevent OutputDebugString vulnerabilities, i.e. have the API *not* be able to detect the presence of a debugger? Or through the more direct approach of
push 40010006h      ; DBG_PRINTEXCEPTION_C, the exception code OutputDebugString raises
call RaiseException
fr33ke
June 4th, 2007, 08:08
Attached an xADT plugin to check for the handling of DBG_PRINTEXCEPTION_C and an Olly plugin to fix it. Read the source of the xADT plugin for more info.
For xADT check http://arteam.accessroot.com/releases/file_info/download1.php?file=xADT_1.2_by_Shub-Nigurrath.rar