IsDebuggerPresent

From aldeid

Description

IsDebuggerPresent is a function exported by the kernel32.dll library. Malware often calls it to complicate reverse engineering: the program takes a different execution path when it detects that it is being analyzed in a user-mode debugger such as OllyDbg.

Syntax

BOOL WINAPI IsDebuggerPresent(void);

Parameters

This function has no parameters.

Return value

If the current process is running in the context of a debugger, the return value is nonzero.

If the current process is not running in the context of a debugger, the return value is zero.

Bypass IsDebuggerPresent

OllyDbg plugins

You can use OllyDbg plugins:

Patching

Modify the value of registers while running the malware

  1. Open the Names window (Ctrl+N) in OllyDbg.
  2. Find the "IsDebuggerPresent" function, right click on it and select "Find references".
  3. In our example, the function is called once. Click on the reference and set a breakpoint (F2).
  4. Run the malware (F9). It stops at the breakpoint, where "IsDebuggerPresent" is called. Step over (F8) to obtain the function's return value, which is saved in the EAX register.
  5. Right click on the EAX register to modify its value.

Permanently patch the malware

Another way consists in permanently patching the malware so that it no longer has the opportunity to jump to the end of the program when IsDebuggerPresent returns a nonzero value. To do so, go to the function's call, select the line where the conditional JUMP is taken, right click on it and select "Assemble", or just press "Space":

Then update the value to NOP. Press "Assemble" and then "Cancel":

To save the modifications to disk, right click in the disassembler pane and select Copy to executable > All modifications:

Then select "Copy All":

In the new window, right click and select "Save file":

On Windows, the fc command can show the differences:
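The permanent patch described above can be expressed as a small byte-level operation: after the call to IsDebuggerPresent the return value in EAX is tested and a conditional jump decides which path the program takes; overwriting that jump with NOPs of the same length makes the program fall through regardless of the API's result. The following Python script is an added example, not code from the aldeid page. It works on a constructed 32-bit x86 fragment (the bytes and the IAT slot address 0x00402010 are made up for the demonstration; in a real binary the slot would come from the import directory), locates the `test eax, eax` / `Jcc` pair following the call, NOPs the jump, and prints an `fc /b`-style listing of every byte that changed.

```python
"""Patch an IsDebuggerPresent check by NOPing the conditional jump after it.

Added example, not from the aldeid page. The code bytes and IAT address
below are constructed for the demonstration.
"""

# Hypothetical IAT slot that holds the address of IsDebuggerPresent.
IAT_SLOT = 0x00402010

# Constructed 32-bit x86 fragment modelled on a typical anti-debug check:
#   call dword ptr [IAT_SLOT]   ; FF 15 imm32   -> EAX = IsDebuggerPresent()
#   test eax, eax               ; 85 C0
#   jne  +0x0A                  ; 75 0A         -> taken when a debugger is present
#   <normal path, 10 bytes>     ; filler NOPs stand in for real code
#   xor eax, eax ; ret          ; 33 C0 C3      -> the "bail out" target
SAMPLE = (
    b"\xff\x15" + IAT_SLOT.to_bytes(4, "little")
    + b"\x85\xc0"
    + b"\x75\x0a"
    + b"\x90" * 10
    + b"\x33\xc0\xc3"
)


def find_iat_calls(code: bytes, slot: int) -> list[int]:
    """Offsets of every `call dword ptr [slot]` (FF 15 imm32) in code."""
    pattern = b"\xff\x15" + slot.to_bytes(4, "little")
    offsets, start = [], 0
    while (i := code.find(pattern, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def conditional_jump_at(code: bytes, off: int):
    """Return (offset, length) if a Jcc starts at off, else None.

    Short form: 70..7F rel8 (2 bytes). Near form: 0F 80..8F rel32 (6 bytes).
    """
    if off < len(code) and 0x70 <= code[off] <= 0x7F:
        return off, 2
    if off + 1 < len(code) and code[off] == 0x0F and 0x80 <= code[off + 1] <= 0x8F:
        return off, 6
    return None


def locate_check(code: bytes, call_off: int):
    """After the 6-byte call, expect `test eax, eax` (85 C0) then a Jcc."""
    after = call_off + 6
    if code[after:after + 2] != b"\x85\xc0":
        return None
    return conditional_jump_at(code, after + 2)


def nop_jump(code: bytes, jcc_off: int, jcc_len: int) -> bytes:
    """Overwrite the jump with NOPs of equal length so the code size is unchanged."""
    return code[:jcc_off] + b"\x90" * jcc_len + code[jcc_off + jcc_len:]


def patch_isdebuggerpresent_checks(code: bytes, slot: int) -> tuple[bytes, list[int]]:
    """NOP every recognised check; returns (patched code, offsets of patched jumps)."""
    patched, patched_offsets = code, []
    for call_off in find_iat_calls(code, slot):
        found = locate_check(code, call_off)
        if found is None:
            continue  # call present but not followed by the expected test/jump
        jcc_off, jcc_len = found
        patched = nop_jump(patched, jcc_off, jcc_len)
        patched_offsets.append(jcc_off)
    return patched, patched_offsets


def byte_diff(original: bytes, patched: bytes) -> list[tuple[int, int, int]]:
    """fc /b style listing: (offset, old byte, new byte) for each changed byte."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


if __name__ == "__main__":
    new_code, offsets = patch_isdebuggerpresent_checks(SAMPLE, IAT_SLOT)
    print(f"patched jumps at offsets: {[hex(o) for o in offsets]}")
    for off, old, new in byte_diff(SAMPLE, new_code):
        print(f"{off:08X}: {old:02X} {new:02X}")
```

The pattern match is deliberately narrow (call, then `test eax, eax`, then a jump); compilers and packers produce other sequences, such as `cmp eax, 0` or moving EAX into another register first, so a match failure means the check must be located by hand in the debugger as the page describes, not that no check exists.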
