How do I bypass IsDebuggerPresent with OllyDbg?
I don't really understand how to get around IsDebuggerPresent. I think I am supposed to find the registers used for debugging and then set them to 0 to trick IsDebuggerPresent, but I don't know how to do that. I tried searching around Google, and even tried a few solutions, but it didn't really work for me. Could someone please explain to me how this should work and how I can bypass this?

Fields answered 26/4, 2012 at 8:53
Did you try Olly plugins like Hide Debugger or Olly Advanced? These are much easier to use than manually modifying the code every time. - Teleplay

There are many ways to do it. As you said, it's possible to patch the program's thread block. Here is a tutorial on how to get around IsDebuggerPresent by simply patching this function so it always returns 0.

1) locate IsDebuggerPresent

[screenshot: OllyDbg 1]

In my situation, it is at 7664EFF7, and consists of only three instructions + one RET. It reads the thread block (its address is at FS:18), then locates the byte that says "I am being debugged" and returns it. The return value is stored in EAX (as for most WINAPI functions). If I modify the function so that at the end it will have EAX = 0, I will have successfully bypassed IsDebuggerPresent.

2) patch it

Now the easiest way to do it is to simply make the function do a MOV EAX, 0 instruction and then a RETN:

[screenshot: OllyDbg 2]

Note that I also filled the rest of the function with NOPs to avoid changing the size of it. It probably is not necessary, you could also just do MOV EAX, 0 and then just RETN.

Also, you should know that the modification is only valid for one run of the program. When you restart it, it will load a new copy of kernel32.dll (where IsDebuggerPresent is located) with the original function, and you will have to apply the patch again. If you want to make the patch permanent, you need to modify the launching binary and modify/remove the call to this function. But before you do that, you also need to make sure that the binary doesn't check itself for modifications.

Everett answered 26/4, 2012 at 10:58
Is there a way to search the code for "FS"? Also, I see multiple instances of IsDebuggerPresent... Actually, I am not even really sure how I can find FS and the right place to remove it. Everywhere, I see MOV DWORD PTR, e.g. MOV DWORD PTR FS:[0],EAX and MOV EAX,DWORD PTR DS:[13000]. - Fields
I just found it by following the function calls. Also, I understood that IsDebuggerPresent is usually used to add junk to mess everything up. Should I save it after changing EAX=0 and then re-open it, so it doesn't load garbage? I'm not really sure how it works, sorry! - Fields
There should be only one place where IsDebuggerPresent is defined, and that is inside kernel32.dll. There may be many calls to it, but if you patch the function itself, all the calls will get "0" as a response. You should apply the patch before you run the program, and you need to apply it every time before you run it. - Everett
Okay, so I do have to edit kernel32.dll. I wasn't sure about that. Okay, let me do it now! - Fields
So I assembled and then saved it as an executable and then replaced my System32\KernelBase.dll and SysWOW64\KernelBase.dll, yet when I open my OllyDbg and check if it's changed, it's not. Why is that? - Fields
Don't modify the files. Load your program in Olly, make the changes in memory only, then run the program. - Everett
@Strawberry: This may have changed in later Windows versions, but I remember that after loading a program, before continuing with execution, EBX used to point to the TEB (Thread Environment Block @ [[FS:[18]]+30]). On the first line after the follow there was 00 00 01 00, with the 01 being the debug flag. Hope it's still there :) - Sturtevant
Just a comment warning people. These kinds of modifications are terribly easy to detect. Modify the PEB directly so you don't have to modify any code. - Fortalice

Inject this code in your process:

mov eax,dword ptr fs:[18]     ; FS:[18] holds the TEB address
mov eax,dword ptr ds:[eax+30] ; TEB+30 holds the PEB address
mov byte ptr ds:[eax+2],0     ; PEB+2 is BeingDebugged; clear it

This will patch the PEB.BeingDebugged flag, ensuring IsDebuggerPresent always returns 0.

When using x64dbg you can run the dbh command.

Fortalice answered 7/11, 2012 at 16:33
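The two answers above describe the same check from two sides: Everett's patch rewrites the body of IsDebuggerPresent to `MOV EAX,0 ; RETN`, while Fortalice's snippet leaves the code alone and clears the PEB.BeingDebugged byte that the function reads. The following C program is an added example, not code from the original thread or from OllyDbg, that models what the three original instructions compute, applies the flag clear, and shows the detection point Fortalice raised: an integrity check that compares the function's first bytes against its expected prologue catches the code patch but not the flag clear. The structures are constructed stand-ins (only the TEB+0x30 and PEB+0x02 fields from the answers are modelled), and the byte encodings of the original function are the standard 32-bit x86 encodings of the instructions Everett describes, listed here as an assumption rather than taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed models of the two Windows structures the answers walk through.
 * Assumption: 32-bit layout, TEB+0x30 holds the PEB pointer and PEB+0x02 is
 * BeingDebugged, exactly as in the answers above. Nothing else is modelled. */
typedef struct {
    uint8_t pad[2];
    uint8_t BeingDebugged;            /* PEB+0x02: set by the OS when a debugger attaches */
} FakePeb;

typedef struct {
    uint8_t pad[0x30];
    FakePeb *ProcessEnvironmentBlock; /* TEB+0x30 */
} FakeTeb;

/* Body of 32-bit kernel32 IsDebuggerPresent as Everett describes it: three
 * instructions plus RET. Assumption: standard x86 encodings.
 *   64 A1 18 00 00 00   mov   eax, fs:[0x18]        ; TEB
 *   8B 40 30            mov   eax, [eax+0x30]       ; TEB -> PEB
 *   0F B6 40 02         movzx eax, byte ptr [eax+2] ; PEB -> BeingDebugged
 *   C3                  ret                                                  */
const uint8_t ISDBG_ORIGINAL[] = {0x64, 0xA1, 0x18, 0x00, 0x00, 0x00,
                                  0x8B, 0x40, 0x30,
                                  0x0F, 0xB6, 0x40, 0x02,
                                  0xC3};

/* The same 14 bytes after the "MOV EAX,0 ; RETN ; NOP..." patch. */
const uint8_t ISDBG_PATCHED[] = {0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3,
                                 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90};

/* C model of what the original instructions compute. */
int model_is_debugger_present(const FakeTeb *teb)
{
    return teb->ProcessEnvironmentBlock->BeingDebugged ? 1 : 0;
}

/* Fortalice's approach: clear the flag the function reads, leave the code alone. */
void clear_being_debugged(FakeTeb *teb)
{
    teb->ProcessEnvironmentBlock->BeingDebugged = 0;
}

/* Integrity check a protected binary can run over the in-memory image of
 * IsDebuggerPresent: compare the first bytes with the expected prologue.
 * Returns 1 if the code no longer matches (patched), 0 if it is intact. */
int code_looks_patched(const uint8_t *fn_bytes, size_t len)
{
    if (len < sizeof ISDBG_ORIGINAL)
        return 1; /* too short to be the intact function */
    return memcmp(fn_bytes, ISDBG_ORIGINAL, sizeof ISDBG_ORIGINAL) != 0;
}

/* Build a constructed TEB/PEB pair with the flag set, as if a debugger were attached. */
static void make_debugged_teb(FakeTeb *teb, FakePeb *peb)
{
    memset(peb, 0, sizeof *peb);
    memset(teb, 0, sizeof *teb);
    peb->BeingDebugged = 1;
    teb->ProcessEnvironmentBlock = peb;
}

/* Scenario 1: debugger attached, nothing touched -> the model returns 1. */
int scenario_flag_set(void)
{
    FakeTeb teb; FakePeb peb;
    make_debugged_teb(&teb, &peb);
    return model_is_debugger_present(&teb);
}

/* Scenario 2: debugger attached, PEB flag cleared -> the model returns 0. */
int scenario_flag_cleared(void)
{
    FakeTeb teb; FakePeb peb;
    make_debugged_teb(&teb, &peb);
    clear_being_debugged(&teb);
    return model_is_debugger_present(&teb);
}

int main(void)
{
    printf("flag set, untouched      : IsDebuggerPresent -> %d\n", scenario_flag_set());
    printf("flag cleared in PEB      : IsDebuggerPresent -> %d\n", scenario_flag_cleared());
    printf("code check, original body: patched=%d\n",
           code_looks_patched(ISDBG_ORIGINAL, sizeof ISDBG_ORIGINAL));
    printf("code check, patched body : patched=%d\n",
           code_looks_patched(ISDBG_PATCHED, sizeof ISDBG_PATCHED));
    return 0;
}
```

The byte comparison is the kind of self-check Everett warns about in the last paragraph of his answer ("make sure that the binary doesn't check itself for modifications"): it flags the rewritten function body but returns 0 for the flag-clear scenario, because in that case the function's code is untouched and only the data it reads has changed. That asymmetry is why Fortalice's comment calls the code patch easy to detect.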

If you want your application to never check it, do this:

  • Press Alt + E or open the Executable modules window.
  • Select C:\WINDOWS\system32\kernel32.dll and press Ctrl + N.
  • Select IsDebuggerPresent and press Enter.
  • Press F2.
  • Run the program and wait for your program to break on this op-code.
  • Press F8 a few times until you come back to your code.
  • Look for something like TEST EAX,EAX followed by something like JE, JNZ, etc.; note that the output of IsDebuggerPresent is saved in EAX.
  • If the jump happens on this op-code, change it to NOP; if it doesn't happen, change it to JMP.
  • Save your program. If you don't know how to save modified code in OllyDbg, just search for it.
Caruso answered 5/3, 2016 at 19:12

© 2022 - 2024 — McMap. All rights reserved.