When we try to open a compiled AutoIT application in a debugger, we get this error message.
Let's find the return address of the MessageBoxA call on the stack, so we land back in the code that decided to show the error.
We can clearly see that compiled AutoIT applications use the IsDebuggerPresent API by default as a simple anti-debugging trick.
If you look at the IsDebuggerPresent API, it consists of just three instructions:
[code language="asm"]
MOV EAX,DWORD PTR FS:[18]        ; FS base is the TEB; TEB+0x18 is TEB.Self, so EAX = address of the TEB
MOV EAX,DWORD PTR DS:[EAX+30]    ; TEB+0x30 = ProcessEnvironmentBlock, so EAX = address of the PEB
MOVZX EAX,BYTE PTR DS:[EAX+2]    ; PEB+0x2 = BeingDebugged; the byte becomes the return value
[/code]
The FS segment base of a 32-bit thread is its TEB, and the DWORD at FS:[0x18] is the TEB's Self field, its own linear address, so the first instruction simply loads a pointer to the TEB. You can check these links for the TEB structure: https://en.wikipedia.org/wiki/Win32_Thread_Information_Block, http://www.nirsoft.net/kernel_struct/vista/TEB.html .
At offset 0x30 of the TEB is the pointer to the PEB structure. In the PEB, the byte at offset 0x2 is BeingDebugged, which the kernel sets to 1 when a debugger is attached to the process.
[code highlight="3" language="C"]
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB, *PPEB;
[/code]
https://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
To bypass this trick you could of course patch the application, but patching the PEB structure is the better choice. In this case only one check is performed, so either approach works; where the check is repeated, or several anti-debugging checks read the same flag, patching the structure deals with all of them at once. Don't forget there are lots of Olly plugins that bypass this simple trick for you.
You can either set a breakpoint on the MOV EAX,DWORD PTR DS:[EAX+30] instruction inside the API, step over it once so EAX holds the PEB pointer, follow EAX in the dump and patch the byte there, or use the fact that, as soon as the application is loaded and stopped at its entry point, the EBX register points to the PEB structure.
Then set the BeingDebugged byte at PEB+0x2 to 0. You could also zero the whole DWORD at the start of the PEB, but that clobbers the neighbouring InheritedAddressSpace, ReadImageFileExecOptions and BitField bytes as well, so clearing the single byte is the cleaner patch.
After that you can continue debugging normally and run the application.
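The pointer walk and the patch described above, as an added example that is not from the original post: a C program that models the three instructions of IsDebuggerPresent against a TEB and PEB it constructs in memory, so it compiles and runs on any host. The model TEB keeps the real 32-bit offsets (0x18 for Self, 0x30 for the PEB pointer) but stores host-sized pointers in those slots; the struct name ModelPeb, the demo_* helpers and the sample field values are the example's own. When built on Windows, it also performs the same walk on the live process through NtCurrentTeb() from winternl.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* real PEB/TEB definitions and NtCurrentTeb() */
#endif

/* First bytes of the PEB, laid out like the documented structure quoted above.
 * Offsets 0x0..0x3 are identical on 32- and 64-bit Windows. */
typedef struct {
    uint8_t Reserved1[2];   /* +0x0 InheritedAddressSpace, +0x1 ReadImageFileExecOptions */
    uint8_t BeingDebugged;  /* +0x2 set by the kernel when a debugger is attached */
    uint8_t Reserved2[1];   /* +0x3 BitField */
} ModelPeb;

/* Sanity check on the layout: IsDebuggerPresent reads PEB+0x2. */
int peb_offset_is_0x2(void) {
    return offsetof(ModelPeb, BeingDebugged) == 2;
}

/* Offsets read by the three instructions (32-bit process). */
#define TEB_SELF_OFFSET 0x18   /* FS:[0x18]: TEB.Self, the linear address of the TEB */
#define TEB_PEB_OFFSET  0x30   /* TEB+0x30: ProcessEnvironmentBlock */
#define TEB_MODEL_SIZE  0x40

/* Constructed stand-in for the TEB: Self points at the buffer itself and the
 * slot at +0x30 points at peb. The slots hold host-sized pointers (4 bytes in
 * a real x86 process); only the offsets are the real ones. */
void build_fake_teb(uint8_t *teb, ModelPeb *peb) {
    memset(teb, 0, TEB_MODEL_SIZE);
    memcpy(teb + TEB_SELF_OFFSET, &teb, sizeof teb);
    memcpy(teb + TEB_PEB_OFFSET, &peb, sizeof peb);
}

/* MOV EAX,FS:[18] ; MOV EAX,[EAX+30]: resolve the PEB through the TEB. */
ModelPeb *peb_from_fs(const uint8_t *fs_base) {
    uint8_t *teb;
    ModelPeb *peb;
    memcpy(&teb, fs_base + TEB_SELF_OFFSET, sizeof teb);  /* EAX = TEB */
    memcpy(&peb, teb + TEB_PEB_OFFSET, sizeof peb);       /* EAX = PEB */
    return peb;
}

/* MOVZX EAX,BYTE PTR [EAX+2]: this is all IsDebuggerPresent does. */
int model_is_debugger_present(const uint8_t *fs_base) {
    return peb_from_fs(fs_base)->BeingDebugged;
}

/* The patch from the post, limited to one byte: what you would type over
 * PEB+0x2 in the dump window. Returns the previous value. */
int clear_being_debugged(uint8_t *fs_base) {
    ModelPeb *peb = peb_from_fs(fs_base);
    int old = peb->BeingDebugged;
    peb->BeingDebugged = 0;
    return old;
}

/* The "fill the whole dword with 0s" variant: also wipes PEB+0x0, +0x1 and +0x3. */
void zero_peb_dword(uint8_t *fs_base) {
    memset(peb_from_fs(fs_base), 0, 4);
}

/* Scenario 1: a debugger is attached, so the flag is 1 and the check fires. */
int demo_before_patch(void) {
    uint8_t teb[TEB_MODEL_SIZE];
    ModelPeb peb = { {0, 0}, 1, 0 };   /* constructed sample PEB */
    build_fake_teb(teb, &peb);
    return model_is_debugger_present(teb);
}

/* Scenario 2: after clearing only BeingDebugged, the check reports no debugger. */
int demo_after_single_byte_patch(void) {
    uint8_t teb[TEB_MODEL_SIZE];
    ModelPeb peb = { {0, 0}, 1, 0 };
    build_fake_teb(teb, &peb);
    clear_being_debugged(teb);
    return model_is_debugger_present(teb);
}

/* Scenario 3: zeroing the dword clears the flag but also destroys the
 * neighbouring bytes. Returns 1 when the neighbours were clobbered too. */
int demo_dword_zero_clobbers_neighbours(void) {
    uint8_t teb[TEB_MODEL_SIZE];
    ModelPeb peb = { {0, 1}, 1, 0x08 };   /* constructed non-zero neighbours */
    build_fake_teb(teb, &peb);
    zero_peb_dword(teb);
    return model_is_debugger_present(teb) == 0
        && peb.Reserved1[1] == 0 && peb.Reserved2[0] == 0;
}

int main(void) {
    printf("constructed PEB, flag set:           %d\n", demo_before_patch());
    printf("after clearing PEB+0x2 only:         %d\n", demo_after_single_byte_patch());
    printf("dword zeroing clobbered neighbours:  %d\n", demo_dword_zero_clobbers_neighbours());
#ifdef _WIN32
    /* Same walk on the live process: NtCurrentTeb() is the FS:[0x18] read. */
    printf("this process, real PEB.BeingDebugged: %d\n",
           (int)NtCurrentTeb()->ProcessEnvironmentBlock->BeingDebugged);
#endif
    return 0;
}
```

Run it under a debugger on Windows and the last line prints 1 until you clear PEB+0x2 in the dump window, exactly as the post describes; the three constructed scenarios show why patching just that byte is preferable to zeroing the whole DWORD.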
AutoIT executables can be decompiled back to normal AutoIT script using Exe2Aut tool http://domoticx.com/autoit3-decompiler-exe2aut/
Assembly is sexy, but I am single. Anyway, I got the value of this article. You nailed it, machan.
Thanks a lot, bro.
Have you seen this recently released obfuscator?
https://www.pelock.com/products/autoit-obfuscator
I guess source code has become more problematic now.