[Windbg Script] Disabling IsDebuggerPresent()
Years ago I needed to debug an application for which I had only the binary: no symbols and no source code. To make things even more difficult, I found out the application had some kind of anti-debugger protection.
After analyzing the dead listing produced by DumpBin I discovered the trick: the application called IsDebuggerPresent() and, as a fallback, repeated the check in inline assembly. :)
I got the debugger working by patching the application in memory after attaching the debugger to it.
Some time later I decided to write this very simple "just for fun" script that disables IsDebuggerPresent().
Attach the debugger to the application that calls IsDebuggerPresent(), run the script, and then use the "g" command to continue execution.
To see what happens without the script, attach the debugger to the same application and use "g" without running the script first: IsDebuggerPresent() detects the debugger and the application may react to its presence (the sample application used here does not).
Screenshots:
Source code for DISABLE_ISDEBUGGER.TXT:
$$
$$ =============================================================================
$$ Disable the IsDebuggerPresent API, returning always false.
$$ This approach doesn't use breakpoints.
$$
$$ Compatibility: Win32.
$$
$$ Usage: $$><DISABLE_ISDEBUGGER.TXT to run the script, then g to continue.
$$
$$ Requirements: Public symbols.
$$
$$ Roberto Alexis Farah
$$ Blog: https://blogs.msdn.com/debuggingtoolbox/
$$
$$ All my scripts are provided "AS IS" with no warranties, and confer no rights.
$$ =============================================================================
$$
$$ Overwrite the 4 bytes at IsDebuggerPresent+0x9 with xor eax,eax ; nop ; nop
$$ (31 c0 90 90). On the 32-bit builds this script targets, those 4 bytes are
$$ the movzx eax, byte ptr [eax+2] (0f b6 40 02) that reads PEB->BeingDebugged,
$$ so the function now returns 0 and the disassembly stays readable.
$$ The offset is build-specific: confirm it with "u kernel32!IsDebuggerPresent"
$$ before running this on a different Windows version.
r @$t0 = kernel32!IsDebuggerPresent; eb @$t0+0x9 31 c0 90 90
$$
$$ ========================================
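The script hard-codes the offset +0x9. The following Python helper is an added example, not part of Roberto's post or script: it locates the instruction that reads PEB->BeingDebugged by its byte pattern instead of by a fixed offset, refuses to patch when the pattern is not where it expects, and prints the equivalent WinDbg eb command. The two byte dumps are constructed for illustration. The first is the layout the script's +0x9 implies (six-byte mov eax,fs:[18h], three-byte mov eax,[eax+30h], then the four-byte movzx); the second is an assumed variant with a hot-patch prologue in front, which shifts the movzx to +0xe. Dump the real bytes with "db kernel32!IsDebuggerPresent L20" before trusting any offset on a given Windows build.

```python
"""
Locate the `movzx eax, byte ptr [eax+2]` inside a byte dump of a 32-bit
kernel32!IsDebuggerPresent and build the WinDbg `eb` command that replaces
it with `xor eax, eax ; nop ; nop`, so the API always returns FALSE.

Added example; the byte dumps below are constructed, not captured from a
real Windows build.
"""
from typing import Optional

# Constructed layout matching the fixed +0x9 the one-line script patches.
#   64 A1 18 00 00 00   mov   eax, fs:[18h]          ; TEB
#   8B 40 30            mov   eax, [eax+30h]         ; TEB->PEB
#   0F B6 40 02         movzx eax, byte ptr [eax+2]  ; PEB->BeingDebugged
#   C3                  ret
XP_STYLE = bytes.fromhex("64A118000000" "8B4030" "0FB64002" "C3")

# Assumed variant: same body behind a hot-patch prologue
# (mov edi,edi / push ebp / mov ebp,esp) with a pop ebp before the ret.
# The movzx is now at +0xe, so the fixed +0x9 patch would corrupt code.
PROLOGUE_STYLE = bytes.fromhex(
    "8BFF558BEC" "64A118000000" "8B4030" "0FB64002" "5D" "C3"
)

MOV_EAX_PEB = bytes.fromhex("8B4030")            # mov eax,[eax+30h]
MOVZX_BEING_DEBUGGED = bytes.fromhex("0FB64002")  # movzx eax,byte ptr [eax+2]
PATCH = bytes.fromhex("31C09090")                 # xor eax,eax ; nop ; nop


def find_flag_read(code: bytes) -> Optional[int]:
    """Offset of the movzx that reads PEB->BeingDebugged, or None.

    The movzx must directly follow mov eax,[eax+30h]; otherwise the four
    bytes are a coincidental match and must not be patched.
    """
    off = code.find(MOVZX_BEING_DEBUGGED)
    if off < len(MOV_EAX_PEB):
        return None
    if code[off - len(MOV_EAX_PEB):off] != MOV_EAX_PEB:
        return None
    return off


def windbg_patch_command(code: bytes,
                         symbol: str = "kernel32!IsDebuggerPresent") -> Optional[str]:
    """The `eb` command equivalent to the script, with the offset located."""
    off = find_flag_read(code)
    if off is None:
        return None
    return f"eb {symbol}+0x{off:x} " + " ".join(f"{b:02x}" for b in PATCH)


def apply_patch(code: bytes) -> Optional[bytes]:
    """Return the patched dump (same length: 4-byte movzx -> 4-byte patch)."""
    off = find_flag_read(code)
    if off is None:
        return None
    return code[:off] + PATCH + code[off + len(PATCH):]


if __name__ == "__main__":
    for name, dump in (("XP_STYLE", XP_STYLE), ("PROLOGUE_STYLE", PROLOGUE_STYLE)):
        print(f"{name}: {windbg_patch_command(dump)}")
    print("ret only:", windbg_patch_command(bytes.fromhex("C3")))
```

For the first dump the helper emits exactly the script's command, "eb kernel32!IsDebuggerPresent+0x9 31 c0 90 90"; for the prologue variant it emits +0xe; for a dump without the expected pattern it emits nothing, which is the safe outcome. Note that the inline-assembly fallback the post mentions is not affected by patching the API: a check that reads the PEB byte itself keeps working. In WinDbg, "eb @$peb+2 0" clears PEB->BeingDebugged directly, which defeats both the API and any inline read of the same flag, at the cost of the flag being reset if the debugger re-attaches.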
Comments
Anonymous
May 24, 2007
It'd be great if you could give us a list of the books sitting on your bookshelf. John Robbins himself says you are an alpha geek. WOW! I must pray. Pleeeease give me the list of things I should do to gain delta knowledge of what you have.

Anonymous
May 24, 2007
Hi Vedala, This is a great idea! I wonder why I didn't think about it before! Books are my greatest source of learning, so, to answer your request, I'm going to prepare a blog article just to talk about books. ;-) Thanks.

Anonymous
May 25, 2007
Hi Roberto Farah! I use a similar method, and started using it some years ago, too =). However, I don't care about corrupted disasms and just put a ret instruction right after the xor eax, also because IsDebuggerPresent could someday have a different instruction at its beginning (honestly, I don't believe that, but there's a small chance). Is there a reason besides leaving the code readable after the patch? Best regards.

Anonymous
May 25, 2007
Hi Wanderley, There's no reason for leaving the code readable after the patch, it was just a personal preference. :) Actually my first approach was to use a breakpoint instead of a patch; anyway, there are several different ways to fool the API and get the same results, like your example above. Thanks

Anonymous
May 27, 2007
Great! Looking forward to updating my bookshelf :)

Anonymous
April 09, 2012
The comment has been removed

Anonymous
April 09, 2012
Hi Bruno, There are other more sophisticated ways to intercept/avoid debuggers. You may want to check books about security/malware or browse the internet for more details on how to intercept debuggers. Roberto