Log in

View Full Version : ARTeam: Anti Olly Tester 1.0


Shub-nigurrath
August 24th, 2006, 12:35
Anti Olly Tester 1.0
--------------------
This little program is more a POC than a friendly program. It's based on an idea Gabri3l discussed once, to test the environment in which the program is going to run and adapt itself to the conditions it finds.
Well this program is a set of tests performed on the processes running on the system. They are performed on several tools using blacklists but there's a special attention paid to OllyDbg.

Detects Debugging programs through different methods all connected to the execution environment.

* Method 1: see if one of the currently running processes' Windows name is blacklisted or not
* Method 2: Collects the ClassName of each of the active windows and check if it is blacklisted
* Method 3: tests the processes paths and see if it is blacklisted
* Method 4: tests modules (dll) loaded by any active process to see if any is a known plugin or matches a blacklist
of process and words
* Method 5: Opens the install folder where the program is running from and see if any of the files inside that folder has one
blacklisted word
* Method 6: test export directory of the running processes, if there's something connected with Olly.
* Method 7: test VERSION_INFO resource of the running processes to check if any matches a blacklist
* Method 8: test all the other resources (dialog, menus, bitmaps and so on) of the running processes to check if any
contains blacklisted words (either UNICODE or ASCII)

The blacklists are taken from SDProtector and are generic enough to include almost all known RCE tool around.

The result is really interesting and the resulting check is very difficult to overcome: It's very difficult to hide Olly to this type of tests.

The final code is very small, even if written using C. Moreover consider that each test might be performed by parallel recurrent threads and decrypted/encrypted just before and after execution. An exe protected like this might easily become a nightmare, without having a to write a single ASM trick.

Note that this same test is inside the distribution 1.2 of xADT into the test "Find Complex".

http://releases.accessroot.com

dELTA
August 24th, 2006, 16:13
Hehe, yeah, being a real pain in the ass doesn't always have to be that hard.

Shub-nigurrath
August 24th, 2006, 18:53
... indeed I did a little mistake in the initial distribution calling this tool anti_Olly. The program with that name was detecting itself now there's a new distribution called anti_0lly (with a zero), it's the same program anyway, you can rename on your own ..

Harding
September 14th, 2006, 19:50
I took this as a challenge to hide Olly and after some tricks here and there I got anti0lly_tester.exe to stop execute but not show me the "good boy" sign.

This happend after I changed ALOT of bytes in OllyDbg.exe (the test found me on some resource CPU) so I packed the file with UPX 1.24 and now the executing just stops after a few seconds. I guess this is not the wanted behaviour

Maximus
October 4th, 2006, 18:30
I just runned it within Shadow's -it pass all the tests. Same for Olly+Markus plugin.
What is fuzzying me is that a tool forces me to use Shadow's because it somehow detects Olly+Markus in memory (even if I am not debugging the toy).
May I ask what special test might it be that could 'make the difference' between Shadow's and Olly+AdvOlly plug?