Wednesday, November 10, 2010

Windows "DbgHelp.dll" Export name stack overflow vulnerability

A vulnerability in the Microsoft Windows XP Dbghelp.dll (version 5.x) has been exploited by malware to thwart debugging by researchers. Dbghelp.dll is the Windows Image Helper dynamic-link library, and it is used by almost all debuggers and disassemblers. The code that reads an export function name fails to check the name's length before copying it into a stack buffer.

Malware authors have exploited this remote code execution vulnerability with a specially crafted executable carrying a malicious export table. The exploit makes OllyDbg exit while it is loading the executable. Certain IRC bots ship with this anti-debugging (anti-loading) protection. The latest version of OllyDbg comes with this vulnerable DLL.

To trigger this vulnerability the export function name must be longer than 2104 bytes. Interestingly, malware samples are now appearing with export function names longer than this. The sample I saw also had a TLS callback function: the author set it up to hide the real trick, so that the anti-debugging protection would appear to live in the TLS callback. The IDA Pro debugger, version 5.1.x, itself uses Dbghelp.dll version 6.x. I don't know which version of this DLL other debuggers use.

I kindly request that malware reversers, particularly those who use OllyDbg, switch to the new version of Dbghelp.dll (6.x and above).

6 comments:

j00ru//vx said...

Well, I've got an impression that the issue has already been discussed like two years ago?

http://forum.tuts4you.com/index.php?showtopic=16445

If so, I don't see much point in recycling the existing and pretty much known information ;)

Palaniyappan Bala said...

@j00ru//vx thanks for the link..

Still, most debuggers are using the vulnerable dll and that's why I have posted this blog...

It has been posted to help others know the actual trick that malware is using...

j00ru//vx said...

@+F001!sh: Yeah, that's certainly true. I have had much fun finding a couple more or less MED impact security flaws in the DbgHelp library:

http://j00ru.vexillium.org/?p=405

When it comes to ollydbg 1.1 though, it is currently distributed with the 6.8.4.0 version, not vulnerable to the described issue ;)

Palaniyappan Bala said...

@j00ru//vx yeah you are right.
The latest olly comes with dll version 6.x.
But unfortunately most of us are still using the older version only..
Thanks @j00ru//vx..

Lowest Unique Bid said...

Nice one. Thanks a lot for sharing the efforts.

Anonymous said...

Hi,

Any chance you still got the sample?