Friday, 20 October 2017

Anti Reverse Engineering Mechanism and its Bypass - Part-1 - IsDebuggerPresent()

It is possible to understand the workflow and behaviour of the application by using a hooking the application to a debugger. To ensure that someone cannot perform these kind of activities anti-reverse engineering mechanism are being used. In these series of blog posts we will see what are the various kinds of anti reverse engineering mechanism that are available and how we can bypass those mechanism and patch those applications.


This function is used to check if a debugger is attached to a current process that is running. Lets see a simple code that can be used to implement this api call.

So if you run this code without any debugger attached it would return a value 0

 and if you attach a debugger to executable and use it , then it would return 1.

Let us load the process in our Debugger and find how the code works internally

Now we will examine the disassembled code of the API call IsDebuggerPresent()

So what is basically happening over here ?
But before that let us have a look at the PEB data structure

1st line MOV EAX,DWORD PTR FS:[18] moves the address of the running kernel specific running process to EAX register
2nd line MOV EAX,DWORD PTR DS:[EAX+30] moves the address of the PEB block to EAX register
3rd line MOVZX EAX,BYTE PTR DS:[EAX+2] moves the value from the member BeingDebugged from the PEB data structure which is the 3rd Byte in the  struct _PEB to EAX register

Patching for Bypass

 We can patch this by replacing the value at DS:[EAX+2] by 0