Bad String Format

Created the Monday 18 March 2019. Updated 1 month, 3 weeks ago.

Bad string format is a technique used by malware to evade detection and analysis by OllyDbg, a popular debugger used by security researchers and analysts. This technique involves using malformed strings that exploit a known bug in OllyDbg, causing the debugger to crash or behave unexpectedly.

For example, the malware may use a string with multiple %s inputs, which OllyDbg is not able to handle correctly. This causes the debugger to crash or behave in an unpredictable manner, making it difficult for the analyst to continue their analysis. This technique can be effective in disrupting the analysis process and making it more difficult for the analyst to understand the malware's capabilities and behavior. However, it is only effective against OllyDbg, and other debuggers may not be affected by this technique.

Technique Identifier

U0104

Technique Tags

Bad string format OllyDbg Debugger evasion String manipulation

Code Snippets

Description

This snippet has been originally published here: http://www.openrce.org/reference_library/anti_reversing_view/8/OllyDbg%20Filename%20Format%20String/

.386
      .model flat, stdcall
      option casemap :none   ; case sensitive

      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc

      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib

    .data
       DbgNotFoundTitle db "Debugger status:",0h
       DbgFoundTitle db "Debugger status:",0h
       DbgNotFoundText db "Debugger not found!",0h
       DbgFoundText db "Debugger found!",0h
       OriginalFileName db "%s%s.exe",0h
    .data?
       filename db 512 dup(?)
    .code

start:

; MASM32 BadStringFormat example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; This example takes advantage of OllyDBG not handleing strings properly.
; Code is based on Piotr Bania`s description.
; How does it work? If we name the file %s%s or any other name that has
; %s%s in it`s name OllyDBG will crash.
; How to use this?
; We just check if the file has been renamed.

PUSH 512
PUSH offset filename ;%s%s.exe
PUSH 0
CALL GetModuleFileName

MOV ECX,offset filename
ADD ECX,EAX

  @SeekFileName:
DEC ECX
CMP BYTE PTR[ECX],'\'
JNE @SeekFileName

MOV BYTE PTR[ECX],0
INC ECX

PUSH ECX
PUSH offset OriginalFileName ;%s%s.exe
CALL lstrcmp

TEST EAX,EAX
JNE @DebuggerDetected

PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox

JMP @exit
  @DebuggerDetected:

PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox

  @exit:

PUSH 0
CALL ExitProcess

end start

Detection Rules

                                    rule Detect_OllyDBG_BadFormatTrick: AntiDebug {
    meta: 
        description = "Detect bad format not handled by Ollydbg"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "%s%s.exe" fullword ascii
    condition:   
       $1
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

OpenRCE