Like OllyDbg, Immunity Debugger does not properly support files whose entry point is zero. Zero is a legal starting value for EXE files and allows execution of the MZ header. Such files are still loaded in Immunity Debugger, but in each case the entry point’s breakpoint is not set.

Immunity Debugger fails to check the values of the Export Address Table Entries field and the Base Relocation Directory Size field prior to performing some arithmetic on them. This can result in an integer overflow and memory corruption. If the value of the Export Address Table Entries field is 0x40000000 or larger, then Immunity Debugger will start overwriting memory until a crash occurs. If the value of the Base Relocation Directory Size field is 0x3FFFFFFE or larger, then Immunity Debugger will parse relocations from unallocated heap memory. On certain platforms, this can result in the execution of arbitrary code. The mitigating factor for the relocation table problem is the fact that it requires a file size of greater than one gigabyte, because Immunity Debugger reads the relocation data directly from the file. The Export Address Table Entries and Base Relocation Directory Size bugs affect all versions of Immunity Debugger, including 1.70. The authors of Immunity Debugger released version 1.70 more than 60 days after the report was submitted to them.

Despite being based on OllyDbg, only four of the OllyDbg anti-detection plug-ins have been ported to Immunity Debugger: HideDebugger, HideOD, IsDebugPresent and PhantOm. The authors have not responded to the report. IsDebugPresent is a port of an earlier version, which only sets the debuggee’s PEB->BeingDebugged to zero. The others are identical to the OllyDbg versions, and thus contain the same bugs.

Zeta Debugger is a lesser-known user-mode debugger with a graphical user interface. It supports plug-ins, but so far there are none that hide the presence of the debugger. Its code is very good and does not seem to have any obvious vulnerabilities. However, there is a bug that causes it to crash immediately on Windows 2000. The bug relates to the use of the kernel32 CreateToolhelp32Snapshot() function on a suspended process. This function was introduced to the Windows NT-line in Windows 2000, though it existed as far back as Windows 95 in a separate DLL. On Windows 2000 and later, it calls into the ntdll RtlQueryProcessDebugInformation() function, which performs the majority of the work. Part of that work includes inserting into the process a thread which gathers information about the process. This has the unintended consequence of resuming the process. Since the debugger has attached to the process, Windows also creates another thread that executes a breakpoint on behalf of the debugger.
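The header checks that Immunity Debugger is described as missing, written out as an added example in Python; this is not code from the paper or from Immunity Debugger, and the 4-bytes-per-entry sizing of the export address table is an assumption chosen to match the 0x40000000 threshold stated above, not Immunity Debugger's actual arithmetic. The relocation check is generalised to any data directory that a tool reads straight from the file (hence the file-size bound), and the export directory bytes are constructed inline for the demonstration.

```python
"""Validate PE header counts and sizes before using them in size arithmetic.

Added example (not from the paper or from any debugger's source). A 32-bit
tool that computes NumberOfFunctions * 4 wraps for any count >= 0x40000000,
which is the threshold the text gives for the Export Address Table bug.
"""
import struct

# Layout of IMAGE_EXPORT_DIRECTORY from the PE specification (40 bytes).
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_FIELDS = (
    "Characteristics", "TimeDateStamp", "MajorVersion", "MinorVersion",
    "Name", "Base", "NumberOfFunctions", "NumberOfNames",
    "AddressOfFunctions", "AddressOfNames", "AddressOfNameOrdinals",
)
EXPORT_DIR_SIZE = struct.calcsize(EXPORT_DIR_FMT)
UINT32_MAX = 0xFFFFFFFF
ENTRY_SIZE = 4  # assumption: one DWORD per export address table entry


def fits_u32(value):
    """True if an unbounded Python integer would survive storage in a DWORD."""
    return 0 <= value <= UINT32_MAX


def check_export_directory(raw, image_size):
    """Parse an export directory and validate NumberOfFunctions *before* use.

    Returns (ok, reason). Both the table size and the table end are computed
    with unbounded integers, so a wrap that a 32-bit tool would silently hit
    is reported instead of turning into an undersized allocation.
    """
    if len(raw) < EXPORT_DIR_SIZE:
        return False, "export directory truncated"
    d = dict(zip(EXPORT_DIR_FIELDS, struct.unpack_from(EXPORT_DIR_FMT, raw)))
    table_bytes = d["NumberOfFunctions"] * ENTRY_SIZE
    if not fits_u32(table_bytes):
        return False, "NumberOfFunctions * 4 overflows 32 bits"
    end = d["AddressOfFunctions"] + table_bytes
    if not fits_u32(end) or end > image_size:
        return False, "export address table extends past the image"
    return True, "ok"


def check_data_directory(rva, size, image_size, file_offset, file_size):
    """Bounds-check a data directory (e.g. base relocations) that a tool reads
    directly from the file rather than from the mapped image."""
    if not fits_u32(rva + size) or rva + size > image_size:
        return False, "directory exceeds SizeOfImage"
    if file_offset + size > file_size:
        return False, "directory exceeds file size"
    return True, "ok"


def entry_point_breakpoint(address_of_entry_point, is_dll):
    """Where a debugger should put its entry breakpoint.

    Zero is a legal entry point for an EXE (execution begins at the MZ header,
    RVA 0), so 0 must not be treated as "no entry point". For a DLL, 0 means
    there is no DllMain to break on, so None is returned.
    """
    if is_dll and address_of_entry_point == 0:
        return None
    return address_of_entry_point


def build_export_directory(number_of_functions, address_of_functions=0x3000):
    """Construct a synthetic export directory (constructed test data)."""
    return struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, 0x2000, 1,
                       number_of_functions, 0, address_of_functions, 0, 0)


if __name__ == "__main__":
    print(check_export_directory(build_export_directory(16), 0x10000))
    print(check_export_directory(build_export_directory(0x40000000), 0x10000))
    print(check_export_directory(build_export_directory(0x3FFFFFFF), 0x10000))
    print(check_data_directory(0x5000, 0x3FFFFFFE, 0x10000, 0x5000, 0x20000))
    print(entry_point_breakpoint(0, is_dll=False))
```

The third export case (0x3FFFFFFF) shows why checking the multiplication alone is not enough: the product fits in 32 bits, but adding it to AddressOfFunctions still runs past the image, so the end of the table must be bounded as well.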