OD Cause Analysis and Countermeasures

Author: tangjiutao

It is annoying to automatically exit when the OD is loaded into the program, and exit before debugging is started. How is this good. The beginner may have encountered this problem. How can this problem be solved? Although there are sporadic introductions on the Internet, they are not comprehensive. Here are some of my summary, hoping to help beginners.
(For example, if the Peid and FI shells cannot be found, the OD will exit as soon as it is loaded. This is probably the protection of VMProtect (virtual machine protection). You can use EXEinfo to find out some versions of VMP, if this prompt is displayed, it is even more certain that "A debugger has been found running in your system. please, unload it from memory and restart your program ".)
1. Try replacing several OD values, such as OllyICE, Shadow, and enhanced version.
2. Using Additional methods to load programs, files --> attaching can solve many problems.
3. In the OD directory, replace the 475 K DbgHelp. dll file with the DbgHelp. dll file of nearly 1 MB. The 475K has an overflow vulnerability, which is critical.
4. Use the StrongOD plug-in (try StrongOD + OD of the original version). This article is critical.
5. Select CreateAsRestrict in StrongOD.
6. Try to run the bp ExitProcess command to see if any clue can be found.
7. Change the driver name in ollydbg. ini. You do not need to modify the modified version OD.
DriverName-driver file name, device object name
DriverKey-the key used to communicate with the driver
HideWindow-Indicates whether to hide a window. 1 indicates hiding, and 0 indicates not hiding.
HideProcess-Indicates whether to hide the od process. 1 indicates hiding, and 0 indicates not hiding.
ProtectProcess-Indicates whether to hide and protect Od processes. 1 indicates protection, and 0 indicates protection.
8. Change the OD form class name. If you use the modified version, it is generally changed. You do not need to change it yourself.
The method is as follows:
Main form Class Name:
Reference:
VA: 004B7218
Offset: 000B6018
Subform class names:
Reference:
VA: 004B565B ~ 004B568A
Offset: 000B445B ~ 000B448A
Changed to any one. You can use GetWindow to detect the event.
9. manually modify the value of "Number of function names" in the program "export table". Try it again if the above method is not used.
Method: Use "LordPE" to open the PE program to be edited, and then select [Directory]> [export table corresponding ".. "button], reduce the value of" Number of function names "by 1, and click" save. To look better, you can also reduce the values of "number of functions" and "Number of function names" by 1 and save them, with the same effect.
Explanation: Generally, EXE does not add "export table". If it is added, the exported API function should be provided. When we open this type of PE Program (EXE version), we will find that it has an "export table", but there is no export API function in the "export table. At the same time, the values of "number of functions" and "Number of function names" are 1 larger than those set by the original PE program (for example: the "export table" List of the EXE version displays 0 exported API functions. The shell sets the value of "number of functions" and "Number of function names" to 1; the exported API functions 0 x D are displayed in the "export table" List of the DLL version. The shell sets the values of the "number of functions" and "Number of function names" to 0 x e .). So we will reduce it by 1 and it will be OK. The Modified PE program can run normally without any impact.

This is just my summary. It is feasible to attach and replace DBGHELP. DLL, use the StrongOD plug-in, and modify the number of exported table function names, which can solve some problems. Of course, these methods may not be comprehensive.

Explanation of the reason for ANTI-OD:
In summary, the TLS callback function is executed before the entry point and the ANTI-OD operation is performed.
For details, see TLS data initialization and TLS callback functions are executed before the entry point. That is to say, TLS is the place where the program starts to run. Therefore, ANTI-OD code can be prevented here, detects and disables OD.
Solution:
By default, the OllyDbg loader will be paused at the entry point. You should configure the OllyDbg to interrupt the loader before the TLS callback is called.
You can choose "option-> debug option-> event-> first interrupted on-> system breakpoint" to set the actual loader code that is interrupted in ntdll. dll. After this setting, the OllyDbg will interrupt the ntdll that is located in the TLS callback execution! Ntdll before LdrpRunInitializeRoutines! _ LdrpInitializeProcess (), which can be interrupted and tracked in the callback routine. For example, if a memory access breakpoint is set on the. text code segment of the memory image, the data can be disconnected from the TLS callback function.

For more TLS content, see my two blog posts:
Analysis of TLS callback function, Anti-od principle: html "> http://hi.baidu.com/tjt999/blog/item...808f7eff1.html
TLS callback function, Anti-od instance: http://hi.baidu.com/tjt999/blog/item...f359bf7f3.html

For more anti-debugging knowledge, see the art of shelling and my
The principle and examples of various anti-debugging technology: http://bbs.pediy.com/showthread.php? T = 106143
If you need to communicate, enter the group: 1684360

Example code: for the program, see the attachment and use the OD test in the original version. Refer to the code of a prawns.
. 386
. Model flat, stdcall
Option casemap: none
Include windows. inc
Include user32.inc
Include kernel32.inc
Includelib user32.lib
Includelib kernel32.lib

. Data?
DwTLS_Index dd?

OPTION DOTNAME
; Define a TLS Section
. Tls SEGMENT
TLS_Start LABEL DWORD
Dd 0100 h dup ("slt .")
TLS_End LABEL DWORD
. Tls ENDS
OPTION NODOTNAME

. Data
TLS_CallBackStart dd TlsCallBack0
TLS_CallBackEnd dd 0
SzTitle db "Hello TLS", 0
SzInTls db "I'm in TLS", 0
SzInNormal db "I am in normal code", 0
SzClassName db "ollydbg"; OD Class Name
Note that the structure must be declared as PUBLIC to connect the connector to the specified position,
Second, the structure name must be _ tls_uesd, which is a rule of Microsoft. The same is true for the location name introduced by the compiler.
PUBLIC _ tls_used
_ Tls_used IMAGE_TLS_DIRECTORY <TLS_Start, TLS_End, dwTLS_Index, TLS_CallBackStart, 0,?>

. Code
; **************************************** ***********************
; TLS callback function
TlsCallBack0 proc Dllhandle: LPVOID, dwReason: DWORD, lpvReserved: LPVOID
Mov eax, dwReason; conditions for determining the occurrence of dwReason
Cmp eax, DLL_PROCESS_ATTACH; called during loading
Jnz ExitTlsCallBack0
Invoke FindWindow, addr szClassName, NULL; detection by Class Name
. If eax; find
Invoke SendMessage, eax, WM_CLOSE, NULL, NULL
. Endif
Invoke MessageBox, NULL, addr szInTls, addr szTitle, MB_ OK
Mov dword ptr [TLS_Start], 0
Xor eax, eax
Inc eax
ExitTlsCallBack0:
Ret
TlsCallBack0 ENDP
; **************************************** ************************
Start:
Invoke MessageBox, NULL, addr szInNormal, addr szTitle, MB_ OK
Invoke ExitProcess, 1
End Start