IsDebuggerPresent

From aldeid
Jump to navigation Jump to search

Description

IsDebuggerPresent is a function available in the kernel32.dll library. This function is often used in malware to complexify the reverse engineering because it will take different paths in the program's flow when the malware is analyzed in a user-mode debugger such as OllyDbg.

IsDebuggerPresent-example.png

Syntax

BOOL WINAPI IsDebuggerPresent(void);

Parameters

This function has no parameters.

Return value

If the current process is running in the context of a debugger, the return value is nonzero.

If the current process is not running in the context of a debugger, the return value is zero.

Bypass IsDebuggerPresent

OllyDbg plugins

You can use OllyDbg plugins:

Patching

Modify the value of registers while running the malware

IsDebuggerPresent-001.png
  1. Go to the Names window (Ctrl+N) into OllyDbg and
  2. find the "IsDebuggerPresent" function. Right click on it and select "Find references"
  3. In our example, the function is called once. Click on it and set a breakpoint (F2)
  4. Run the malware (F9). It will stop at the breakpoint, where the "IsDebuggerPresent" function is called. Step over (F8) to get the returned value of the function (saved into the EAX register)
  5. Right click on the EAX register to modify its value

Permanently patch the malware

Another way consists in permanently patch the malware so that it won't have the opportunity to jump to the end of the program if IsDebuggerPresent returns a positive value. To do so, go to the function's call, select the line where the JUMP is taken, right click on it and select "Assemble", or just press "Space":

IsDebuggerPresent-patching-OO1.png

Then update the value to NOP. Press "Assemble" and then "Cancel":

IsDebuggerPresent-patching-OO2.png

To save the modifications to disk, right click in the disassembler pane and select Copy to executable > All modifications:

IsDebuggerPresent-patching-OO3.png

Then select "Copy All":

IsDebuggerPresent-patching-OO4.png

In the new window, right click and select "Save file":

IsDebuggerPresent-patching-OO5.png

On Windows, the fc command can show the differences:

Fc-compare.png

Comments

blog comments powered by Disqus