[Windbg Script] Disabling IsDebuggerPresent()


Years ago I needed to debug an application that just had the binary code with no symbols or source code. To make things even more difficult, I found out the application had some kind of anti-debugger protection.


After analyzing the dead listing of the application using DumpBin I discovered the trick. The application performed some IsDebuggerPresent() calls and, in addition, it used inline assembly as a fail-over protection. 🙂


I managed to make the debugger work by changing the application in memory after attaching the debugger to it.


Then sometime later I decided to create this very simple “just for fun” script that disables IsDebuggerPresent().




Just attach the debugger to the application that uses IsDebuggerPresent(), run the script, and then use the “g” command to continue the execution.




If you want to see what happens when not using the script, just attach the debugger to the application that uses IsDebuggerPresent() and use the “g” command. IsDebuggerPresent() will detect the debugger and the application may take actions in reaction to the debugger presence (it’s not the case in this sample).




Screenshots: (the screenshots of the debugger session from the original post are not reproduced here)


Source code for DISABLE_ISDEBUGGER.TXT:




$$
$$ =============================================================================
$$ Disable the IsDebuggerPresent API, returning always false.
$$ This approach doesn’t use breakpoints.
$$
$$ Compatibility: Win32.
$$
$$ Usage: $$>< to run the program.
$$
$$ Requirements: Public symbols.
$$
$$ Roberto Alexis Farah
$$ Blog: http://blogs.msdn.com/debuggingtoolbox/
$$
$$ All my scripts are provided “AS IS” with no warranties, and confer no rights.
$$ =============================================================================
$$
r @$t0 = kernel32!IsDebuggerPresent; eb @$t0+0x9 31 c0 90 90
$$
$$ ========================================
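The one-line script above patches four bytes at offset 9 of kernel32!IsDebuggerPresent without first checking what is there. The following Python model is an added example, not code from the original post: it assumes the classic 32-bit layout of that function (mov eax,fs:[18h] / mov eax,[eax+30h] / movzx eax,byte ptr [eax+2] / ret, stated here as an assumption about that build), applies the script's `eb` patch only after verifying that the bytes it overwrites are the expected movzx, decodes the result so you can see the patched function still disassembles cleanly, and runs both versions over a constructed TEB/PEB to show that the original returns the PEB BeingDebugged byte while the patched one always returns 0. The addresses and the helper names (`patch_is_debugger_present`, `decode`, `run`) are constructed for this example.

```python
# Added example (not from the original post). Models the effect of
#   eb @$t0+0x9 31 c0 90 90
# on a 32-bit kernel32!IsDebuggerPresent and adds the layout check the
# WinDbg one-liner itself does not perform.

# Assumed function body (classic x86 kernel32 build; an assumption, not
# taken from the post):
#   64 A1 18 00 00 00   mov   eax, fs:[18h]          ; TEB self pointer
#   8B 40 30            mov   eax, [eax+30h]         ; TEB->ProcessEnvironmentBlock
#   0F B6 40 02         movzx eax, byte ptr [eax+2]  ; PEB->BeingDebugged
#   C3                  ret
ORIGINAL = bytes.fromhex("64A118000000" "8B4030" "0FB64002" "C3")

PATCH_OFFSET = 0x9                                  # @$t0+0x9 in the script
PATCH_BYTES = bytes.fromhex("31C09090")             # xor eax,eax ; nop ; nop
EXPECTED_AT_OFFSET = bytes.fromhex("0FB64002")      # the movzx being replaced


def patch_is_debugger_present(code: bytes) -> bytes:
    """Apply the script's patch, but only if the bytes it overwrites are the
    expected movzx. Writing into the middle of some other instruction would
    corrupt the function instead of neutralising it."""
    found = code[PATCH_OFFSET:PATCH_OFFSET + len(EXPECTED_AT_OFFSET)]
    if found != EXPECTED_AT_OFFSET:
        raise ValueError(f"unexpected bytes at offset {PATCH_OFFSET:#x}: "
                         f"{found.hex()}; not patching")
    return code[:PATCH_OFFSET] + PATCH_BYTES + code[PATCH_OFFSET + len(PATCH_BYTES):]


def decode(code: bytes):
    """Decode only the handful of opcodes this function uses.
    Returns a list of (text, op) pairs; op is a small tuple for run()."""
    insns, i = [], 0
    while i < len(code):
        if code[i:i + 2] == b"\x64\xa1":                # mov eax, fs:[disp32]
            disp = int.from_bytes(code[i + 2:i + 6], "little")
            insns.append((f"mov eax, fs:[{disp:#x}]", ("mov_fs", disp)))
            i += 6
        elif code[i:i + 2] == b"\x8b\x40":              # mov eax, [eax+disp8]
            disp = code[i + 2]
            insns.append((f"mov eax, [eax+{disp:#x}]", ("load", disp)))
            i += 3
        elif code[i:i + 3] == b"\x0f\xb6\x40":          # movzx eax, byte ptr [eax+disp8]
            disp = code[i + 3]
            insns.append((f"movzx eax, byte ptr [eax+{disp:#x}]", ("load8", disp)))
            i += 4
        elif code[i:i + 2] == b"\x31\xc0":              # xor eax, eax
            insns.append(("xor eax, eax", ("zero",)))
            i += 2
        elif code[i] == 0x90:
            insns.append(("nop", ("nop",)))
            i += 1
        elif code[i] == 0xC3:
            insns.append(("ret", ("ret",)))
            i += 1
        else:
            raise ValueError(f"unknown opcode {code[i]:#04x} at offset {i:#x}")
    return insns


def run(code: bytes, being_debugged: int) -> int:
    """Execute the decoded instructions against a constructed TEB/PEB and
    return what IsDebuggerPresent would leave in eax."""
    TEB, PEB = 0x7FFDF000, 0x7FFDD000                   # constructed addresses
    fs = {0x18: TEB}                                    # fs:[18h] -> TEB
    mem = {TEB + 0x30: PEB, PEB + 0x02: being_debugged} # TEB->PEB, PEB->BeingDebugged
    eax = 0
    for _, op in decode(code):
        if op[0] == "mov_fs":
            eax = fs[op[1]]
        elif op[0] in ("load", "load8"):
            eax = mem[eax + op[1]]
        elif op[0] == "zero":
            eax = 0
        elif op[0] == "ret":
            return eax
    raise RuntimeError("function did not return")


if __name__ == "__main__":
    patched = patch_is_debugger_present(ORIGINAL)
    for label, code in (("original", ORIGINAL), ("patched", patched)):
        print(f"--- {label} ---")
        for text, _ in decode(code):
            print("  " + text)
        print(f"  returns {run(code, being_debugged=1)} when PEB.BeingDebugged = 1")
```

The decoder also understands the variant discussed in the comments (xor eax,eax followed directly by ret), so you can swap `PATCH_BYTES` for `31 c0 c3` and see that it returns 0 as well, at the cost of the trailing garbage the disassembler would show after the early ret.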




Read me.

Comments (7)

  1. Vedala says:

    It’d be great if you could give us list of books sitting on your bookshelf.

    John Robbins himself says you are alpha geek. WOW! I must pray. Pleeeease give me the list of things I should do to gain delta knowledge of what you have.

  2. Hi Vedala,

    This is a great idea! I wonder why I didn’t think about it before! Books are my greatest source of learning, so, to answer your request I’m going to prepare a blog article just to talk about books. 😉

    Thanks.

  3. Hi Roberto Farah!

    I use a similar method, and started using it some years ago, too =). However, I don’t care about corrupted disasms and just put a ret instruction right after the xor eax, also because IsDebuggerPresent someday could have a different instruction at its beginning (honestly, I don’t believe that, but there’s a little chance). Is there a reason besides leaving the code readable after the patch?

    Best regards.

  4. Hi Wanderley,

    There’s no reason for leaving the code readable after the patch, it was just a personal preference. 🙂

    Actually, my first approach was to use a breakpoint instead of a patch; anyway, there are several different ways to fool the API and get the same results, like your example above.

    Thanks

  5. Vedala says:

    Great! Looking forward to updating my bookshelf 🙂

  6. Bruno says:

    And how do you fight your own counter measure? Is there any way to disable things like you have done?

  7. rafarah says:

    Hi Bruno,

    There are other more sophisticated ways to intercept/avoid debuggers. You may want to check books about security/malware or browse the internet for more details on how to intercept debuggers.

    Roberto