OllyDbg and Avast


prn
January 20th, 2011, 11:37
Analysis in OllyDbg 2.01a does not work with Avast 5.1.889. Tested on WinXP SP3.
Has anybody had a similar experience?

Regards
prn

Silkut
January 21st, 2011, 07:29
Hmm, do you mean analysing Avast with OllyDbg, or analysing something else while Avast is running?

In the first case, think anti-debugging features.
In the second case, you should probably check where you downloaded Olly...

prn
January 21st, 2011, 08:51
Quote:
[Originally Posted by Silkut;89208]Hmm, do you mean analysing Avast with OllyDbg, or analysing something else while Avast is running?

In the first case, think anti-debugging features.
In the second case, you should probably check where you downloaded Olly...


Sorry,
the second case is valid! Avast has been running on my PC - a standard antivirus environment.
Also, if e.g. OllyDbg opens itself and debugs it, Analysis (Ctrl+A) does not work correctly - it ends very quickly without effect. Then it isn't possible to display Names, Intermodular calls, procedure blocks etc. The Log window shows the error:
Different PE headers in file and in memory
The previous version, OllyDbg 2.00 Beta 2, works correctly. Maybe it has different functionality.

Regards
prn

Silkut
January 24th, 2011, 07:32
I'm pretty sure it's a defensive system on the debugged application. Is your target packed/protected? What do PEiD and RDG Packer Detector say?

prn
January 24th, 2011, 08:59
Quote:
[Originally Posted by Silkut;89241]I'm pretty sure it's a defensive system on the debugged application. Is your target packed/protected? What do PEiD and RDG Packer Detector say?


I'm sure that the cause is Avast 5.1.889. Before the Avast upgrade everything was OK.
The debugged application was OllyDbg (OllyDbg opens OllyDbg) - no encrypted application.
I opened OllyDbg 2.01a in CFF Explorer and in OllyDbg 2.00 Beta 2 and compared the PE headers. Unfortunately I found no differences :-(

disavowed
January 24th, 2011, 13:48
Contact Avast (http://www.avast.com/support-contacts) and tell them that their software is adversely interfering with a non-malicious program.

prn
January 24th, 2011, 14:41
Quote:
[Originally Posted by disavowed;89248]Contact Avast (http://www.avast.com/support-contacts) and tell them that their software is adversely interfering with a non-malicious program.


OK, but first I'd like to know Olly's opinion. I wrote to him about it, but I have no answer yet.

prn
January 25th, 2011, 07:54
Quote:
[Originally Posted by disavowed;89248]Contact Avast (http://www.avast.com/support-contacts) and tell them that their software is adversely interfering with a non-malicious program.


Olly answered me that the problem will be solved in a future OllyDbg version :-)

blabberer
January 27th, 2011, 03:01
it is because avast installs a hook and changes the import table entry in the PE header

Code:

00402F20 49 49 42 20 20 20 00 00 3C 00 00 00 00 00 00 00 IIB ..<.......
00402F30 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 ............. ..
00402F40 20 00 00 00 FF FF FF FF 00 00 00 00 00 00 15 00 ...џџџџ.......
00402F50 00 00 00 00 00 00 53 6E 78 48 6B 5F 49 6E 73 74 ......SnxHk_Inst
00402F60 61 6C 6C 48 6F 6F 6B 00 90 C2 D0 64 00 00 00 00 allHook.Таd....
00402F70 00 00 00 00 00 00 00 00 68 2F 00 00 00 00 00 00 ........h/......
00402F80 FF FF FF FF C8 2F 00 00 68 2F 00 00 5C 20 00 00 џџџџШ/..h/..\ ..
00402F90 00 00 00 00 00 00 00 00 D4 20 00 00 00 20 00 00 ........д ... ..
00402FA0 74 20 00 00 00 00 00 00 00 00 00 00 F0 20 00 00 t ..........№ ..
00402FB0 18 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
00402FC0 00 00 00 00 00 00 00 00 43 3A 5C 50 72 6F 67 72 ........C:\Progr
00402FD0 61 6D 20 46 69 6C 65 73 5C 41 6C 77 69 6C 20 53 am Files\Alwil S
00402FE0 6F 66 74 77 61 72 65 5C 41 76 61 73 74 35 5C 73 oftware\Avast5\s
00402FF0 6E 78 68 6B 2E 64 6C 6C 00 00 00 00 00 00 00 00 nxhk.dll........


Code:

file

00000138 20200000 DD 00002020 ; Import Table address = 2020
0000013C 3C000000 DD 0000003C ; Import Table size = 3C (60.)

memory

00400138 782F0000 DD 00002F78 ; Import Table address = 2F78
0040013C 3C000000 DD 0000003C ; Import Table size = 3C (60.)



till oleh modifies his parsing routine
Code:

CPU Disasm
Address Command Comments
0040FB4C PUSH 1 ; /Arg3 = 1
0040FB4E MOV EDX, DWORD PTR SS:[LOCAL.14] ; |
0040FB51 SUB EDX, 0E0 ; |
0040FB57 PUSH EDX ; |Arg2 = ntdll.KiFastSystemCallRet
0040FB58 MOV ECX, DWORD PTR SS:[LOCAL.37] ; |
0040FB5E PUSH ECX ; |Arg1 = 13FFB0
0040FB5F CALL ollydbg.004AF778 ; \ollydbg.004AF778
0040FB64 ADD ESP, 0C
0040FB67 PUSH 0E0 ; /Arg3 = 0E0
0040FB6C LEA EAX, [LOCAL.1905] ; |
0040FB72 PUSH EAX ; |Arg2 = 0
0040FB73 LEA EDX, [LOCAL.1849] ; |
0040FB79 PUSH EDX ; |Arg1 = ntdll.KiFastSystemCallRet
0040FB7A CALL ollydbg.004AD400 ; \ollydbg.004AD400
0040FB7F ADD ESP, 0C
0040FB82 TEST EAX, EAX
0040FB84 JE SHORT ollydbg.0040FBB7
0040FB86 PUSH OFFSET ollydbg.004D2D3A ; /Format = " Different PE headers in file and in memory"
0040FB8B PUSH 1 ; |Arg2 = 1
0040FB8D PUSH 0 ; |Arg1 = 0
0040FB8F CALL ollydbg.00413A20 ; \ollydbg.00413A20


you may try disabling avast's behaviour shield
via start -> settings -> control panel -> add/remove -> avast -> change -> next -> untick behaviour shield -> next -> restart

analysis should work now
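An added example (my own code, not OllyDbg's and not from anyone in this thread) of the check that trips here: it parses the data directories from a file image and from a dump of the mapped headers and reports exactly which entry differs, rather than stopping on any mismatch the way the 0xE0-byte compare in the disassembly above does. The sample header is constructed inline with e_lfanew = 0xB8, so the Import Table sits at offset 0x138 with 0x2020/0x3C in the file copy and the RVA redirected to 0x2F78 in the memory copy, mirroring the offsets blabberer posted.

```python
import struct

DIRECTORY_NAMES = ["Export", "Import", "Resource", "Exception", "Security", "BaseReloc",
    "Debug", "Architecture", "GlobalPtr", "TLS", "LoadConfig", "BoundImport",
    "IAT", "DelayImport", "CLR", "Reserved"]

def parse_data_directories(image):
    """Return {name: (rva, size)} from a PE optional header. `image` is either
    the file bytes or a dump of the mapped headers; both start with 'MZ'."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                    # skip PE signature + COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                         # PE32
        count_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                       # PE32+
        count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    count = struct.unpack_from("<I", image, count_off)[0]
    dirs = {}
    for i in range(min(count, len(DIRECTORY_NAMES))):
        dirs[DIRECTORY_NAMES[i]] = struct.unpack_from("<II", image, dir_off + 8 * i)
    return dirs

def diff_headers(file_image, mem_image):
    """Data directories whose (rva, size) differ between file and memory."""
    f, m = parse_data_directories(file_image), parse_data_directories(mem_image)
    return [(n, f[n], m[n]) for n in f if n in m and f[n] != m[n]]

def build_sample_pe32():
    """Constructed minimal PE32 header, not a real binary. e_lfanew is 0xB8 so
    the Import directory lands at offset 0x138, matching the dump above."""
    hdr = bytearray(0x1B8)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0xB8)              # e_lfanew
    hdr[0xB8:0xBC] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0xBC, 0x14C, 1)         # i386, one section
    struct.pack_into("<H", hdr, 0xBC + 16, 0xE0)         # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0xD0, 0x10B)             # PE32 magic
    struct.pack_into("<I", hdr, 0xD0 + 92, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x138, 0x2020, 0x3C)    # Import Table, as on disk
    return bytes(hdr)

FILE_IMAGE = build_sample_pe32()
MEM_IMAGE = bytearray(FILE_IMAGE)                       # constructed in-memory copy
struct.pack_into("<I", MEM_IMAGE, 0x138, 0x2F78)        # import RVA redirected by a hook
```

Running diff_headers(FILE_IMAGE, MEM_IMAGE) yields the single Import entry, which is the kind of targeted report a debugger could log instead of aborting analysis outright.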

blabberer
February 23rd, 2011, 10:26
well, ollydbg is now avast-aware

Log data
Address Message
Analysing ollydbg
Quis custodiet ipsos custodes?
2044 fuzzy procedures
3360 calls to known, 10073 calls to guessed functions
301 switches and cascaded IFs, 1769 loops