Shub-nigurrath
August 24th, 2006, 12:35
Anti Olly Tester 1.0
--------------------
This little program is more a POC than a friendly program. It's based on an idea Gabri3l discussed once, to test the environment in which the program is going to run and adapt itself to the conditions it finds.
Well this program is a set of tests performed on the processes running on the system. They are performed on several tools using blacklists but there's a special attention paid to OllyDbg.
Detects Debugging programs through different methods all connected to the execution environment.
* Method 1: see if one of the currently running processes' Windows name is blacklisted or not
* Method 2: Collects the ClassName of each of the active windows and check if it is blacklisted
* Method 3: tests the processes paths and see if it is blacklisted
* Method 4: tests modules (dll) loaded by any active process to see if any is a known plugin or matches a blacklist
of process and words
* Method 5: Opens the install folder where the program is running from and see if any of the files inside that folder has one
blacklisted word
* Method 6: test export directory of the running processes, if there's something connected with Olly.
* Method 7: test VERSION_INFO resource of the running processes to check if any matches a blacklist
* Method 8: test all the other resources (dialog, menus, bitmaps and so on) of the running processes to check if any
contains blacklisted words (either UNICODE or ASCII)
The blacklists are taken from SDProtector and are generic enough to include almost all known RCE tool around.
The result is really interesting and the resulting check is very difficult to overcome: It's very difficult to hide Olly to this type of tests.
The final code is very small, even if written using C. Moreover consider that each test might be performed by parallel recurrent threads and decrypted/encrypted just before and after execution. An exe protected like this might easily become a nightmare, without having a to write a single ASM trick.
Note that this same test is inside the distribution 1.2 of xADT into the test "Find Complex".
http://releases.accessroot.com
--------------------
This little program is more a POC than a friendly program. It's based on an idea Gabri3l discussed once, to test the environment in which the program is going to run and adapt itself to the conditions it finds.
Well this program is a set of tests performed on the processes running on the system. They are performed on several tools using blacklists but there's a special attention paid to OllyDbg.
Detects Debugging programs through different methods all connected to the execution environment.
* Method 1: see if one of the currently running processes' Windows name is blacklisted or not
* Method 2: Collects the ClassName of each of the active windows and check if it is blacklisted
* Method 3: tests the processes paths and see if it is blacklisted
* Method 4: tests modules (dll) loaded by any active process to see if any is a known plugin or matches a blacklist
of process and words
* Method 5: Opens the install folder where the program is running from and see if any of the files inside that folder has one
blacklisted word
* Method 6: test export directory of the running processes, if there's something connected with Olly.
* Method 7: test VERSION_INFO resource of the running processes to check if any matches a blacklist
* Method 8: test all the other resources (dialog, menus, bitmaps and so on) of the running processes to check if any
contains blacklisted words (either UNICODE or ASCII)
The blacklists are taken from SDProtector and are generic enough to include almost all known RCE tool around.
The result is really interesting and the resulting check is very difficult to overcome: It's very difficult to hide Olly to this type of tests.
The final code is very small, even if written using C. Moreover consider that each test might be performed by parallel recurrent threads and decrypted/encrypted just before and after execution. An exe protected like this might easily become a nightmare, without having a to write a single ASM trick.
Note that this same test is inside the distribution 1.2 of xADT into the test "Find Complex".
http://releases.accessroot.com
