MA 1: IsDebuggerPresent
This article is the next logical step up from lesson 10, DLL injection.
Sometimes programs will try to detect whether a debugger is attached to them, and act differently! Either not opening at all, throwing an error, or silently changing functionality to make themselves look less suspicious… In the following code we have implemented the simplest debugger check: the program will not continue if it detects a debugger.
Code:

IDA:

When we attach x64dbg the debugger is detected!

So, somewhere in this program lies the secret to how this happens.
What is IsDebuggerPresent?
A tiny function inside kernel32.dll that reads a single byte and returns it.
Its entire body is roughly:
mov   rax, gs:[60h]           ; get pointer to the PEB
movzx eax, byte ptr [rax+2]   ; read the BeingDebugged byte
ret                           ; return it in eax (0 = no debugger, 1 = debugger)
Three things going on:
- The PEB (Process Environment Block) is a struct Windows maintains for every running process. It holds metadata about the process: module list, command line, debugger state, etc.
- gs:[60h] is where Windows tells you the PEB lives on x64. The CPU’s GS segment register is set up by Windows so that reading gs:[60h] gives you the PEB’s address.
- +2 is the offset within the PEB of a single-byte field called BeingDebugged. Windows sets this to 1 when a debugger attaches, 0 otherwise.
How it gets called from our .exe:

.idata is the import section: a list of slots your code calls through. Each slot sits at a fixed address in your exe and holds a pointer to a function in an external DLL (kernel32, user32, ntdll, etc.). Windows fills in those pointers at startup, so your code doesn’t need to know where each DLL is loaded.
So, if that’s all it is, then we can easily bypass it using x64dbg!
Using the strings view I first searched for ‘No Debugger Allowed!’ and quickly found the address of the code that prints this to the terminal. From there I knew we were testing whether eax = 1 (a debugger is attached), and I could quickly see that this comparison was done just before the print.

To intercept this one, simply change eax to 0, so ‘no debugger is present’.
And there we have it! No pesky debugger attached to our perfectly undebugged exe.
Another way to bypass this, with a patch, would be to change the JE to a JMP (so the jump is always taken, straight into the enter-the-password dialogue).
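To make the .idata indirection and the JE-to-JMP patch concrete, here is an added example (not code from the lesson or the crackme) that scans a constructed x64 byte sequence for the check pattern described above, `call [IsDebuggerPresent slot]; test eax, eax; je`, resolves the RIP-relative call target back to the import slot, and shows which single byte the patch changes. The image base, the .text RVA and the import-slot RVA are all constructed values; in a real binary you read the slot RVA from the import directory (what IDA and x64dbg show you).

```python
import struct

IMAGE_BASE = 0x140000000   # constructed: default x64 image base
TEXT_RVA = 0x1000          # constructed: RVA of the code bytes below
IAT_SLOT_RVA = 0x2000      # constructed: .idata slot holding &IsDebuggerPresent

# Constructed code modelled on the lesson's check:
#   call qword ptr [rip+disp32]  ; through the .idata slot
#   test eax, eax
#   je   +0x0C                   ; taken only when eax == 0 -> password dialogue
#   12 bytes standing in for "No Debugger Allowed!" + exit
#   1 byte standing in for the password dialogue
_CALL_NEXT = TEXT_RVA + 6  # RIP-relative displacement is from the next instruction
CODE = (b"\xff\x15" + struct.pack("<i", IAT_SLOT_RVA - _CALL_NEXT)
        + b"\x85\xc0" + b"\x74\x0c" + b"\x90" * 12 + b"\xc3")


def _s8(b):
    """Interpret one byte as a signed rel8 displacement."""
    return b - 256 if b > 127 else b


def find_debugger_checks(code, code_rva, iat_slot_rva):
    """Return every 'call [slot]; test eax,eax; je rel8' whose call targets iat_slot_rva."""
    hits = []
    for i in range(len(code) - 9):
        if code[i:i + 2] != b"\xff\x15":          # FF 15 = call qword ptr [rip+disp32]
            continue
        disp = struct.unpack_from("<i", code, i + 2)[0]
        if code_rva + i + 6 + disp != iat_slot_rva:
            continue
        if code[i + 6:i + 8] == b"\x85\xc0" and code[i + 8] == 0x74:  # test eax,eax ; je
            hits.append({"call": i, "je": i + 8,
                         "je_target_rva": code_rva + i + 10 + _s8(code[i + 9])})
    return hits


def patch_je_to_jmp(code, je_offset):
    """Return a copy with the short JE (74 rel8) rewritten as JMP (EB rel8), the lesson's patch."""
    if code[je_offset] != 0x74:
        raise ValueError("byte at offset is not a short JE")
    return code[:je_offset] + b"\xeb" + code[je_offset + 1:]


if __name__ == "__main__":
    for h in find_debugger_checks(CODE, TEXT_RVA, IAT_SLOT_RVA):
        print(f"check at VA {IMAGE_BASE + TEXT_RVA + h['call']:#x}, "
              f"JE at {IMAGE_BASE + TEXT_RVA + h['je']:#x} -> "
              f"{IMAGE_BASE + h['je_target_rva']:#x}")
```

The scanner covers only the exact pattern on this page; a compiler may emit the call through a thunk or use `cmp`/`jz` variants, so treat it as a starting point for the manual work done in x64dbg, not a general detector.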
