I don't really understand how to get around IsDebuggerPresent. I think I am supposed to find the registers used for debugging and then set it to 0 to trick IsDebuggerPresent, but I don't know how to do that. I tried searching around Google, and even tried a few solutions but it didn't really work for me. Could someone please explain to me how this should work and how I can bypass this?
There are many ways to do it. As you said, it's possible to patch the program's thread block. Here is a tutorial, how to get around IsDebuggerPresent, by simply patching this function so it always returns 0.
1) locate IsDebuggerPresent
In my situation, it is at 7664EFF7, and consist of only three instructions + one RET. It reads the thread block (address is at FS:18), and then locates the byte that says "i am being debugged" and returns it. The returns value is stored in EAX (as for most WINAPI functions). If I modify the function so that at the end it will have EAX = 0, I will have successfully bypassed IsDebuggerPresent.
2) patch it
Now the easiest way to do it is to simply make the function simply do a MOV EAX, 0 instruction and then a RETN:
Note that I also filled the rest of the function with NOPs to avoid changing the size of it. It probably is not necessary, you could also just do MOV EAX, 0 and then just RETN.
Also you should know, that the modification is only valid for one run of the program. When you restart it, it will load a new copy of kernel32.dll (where IsDebuggerPresent is located) with the original function, and you will have to apply the patch again. If you want to make the patch permanent, you need to modify the launching binary and modify/remove the call to this function. But before you do that you also need to make sure that the binary doesn't check itself for modifications.
Inject this code in your process:
mov eax,dword ptr fs:[18]
mov eax,dword ptr ds:[eax+30]
mov byte ptr ds:[eax+2],0
This will patch the PEB.BeingDebugged flag, ensuring IsDebuggerPresent always returns 0
When using x64dbg you can run the dbh command.
if you want your application never check it do this:
- Press
Alt + eor openExecutable moduleswindow. - Select
C:\WINDOWS\system32\kernel32.dlland pressctrl + N - select
IsDebuggerPresentand press enter. - press
f2 - run the program and wait your program break on this op-code.
- press some
f8until come back to your code. - looking up for something like
TEST EAX,EAXand after some thing likejejnzand etc, be careful the output ofIsDebuggerPresentis saved inEAX. - if jump happen on this op-code change it to
nopand if doesn't happen change it tojmp. - save your program. if you don't know how to save modifed code in ollyDBG just search it.
来源:https://stackoverflow.com/questions/10330147/how-do-i-bypass-isdebuggerpresent-with-ollydbg