IsDebuggerPresent API

I was interested in learning about the anti-reversing techniques in the world of reverse engineering. There are so many techniques out there that I thought of trying a few of them and understanding them from the lowest level. I thought of sharing the things I’ve been experimenting with these days.
IsDebuggerPresent is a Windows API that can be used to detect a debugger. Here’s an example code:

/*
 * IsDebuggerPresent Example
 * Author: Osanda Malith Jayathissa (@OsandaMalith)
 * Website: http://osandamalith.wordpress.com
 */

#include <windows.h>

int main(void) {
	/* IsDebuggerPresent returns non-zero when a user-mode debugger is attached
	 * to the calling process; 0x30 is MB_ICONWARNING. */
	MessageBoxA(0, IsDebuggerPresent() ? "Debugger found" : "Debugger not found", "Status", 0x30);
	return 0;
}

If we run this under a debugger, the MessageBox shows “Debugger found”. How does this API work? Open the API in the debugger and you get the following piece of code.


MOV EAX,DWORD PTR FS:[18]      ; TIB.Self -> linear address of the TEB
MOV EAX,DWORD PTR DS:[EAX+30]  ; TEB.ProcessEnvironmentBlock -> address of the PEB
MOVZX EAX,BYTE PTR DS:[EAX+2]  ; PEB.BeingDebugged (one byte), zero-extended into EAX

FS is a segment register which, on 32-bit Windows, points to a per-thread user-mode data structure: the Thread Information Block (TIB), which forms the first part of the Thread Environment Block (TEB). FS:[0x18] is the Self member of the TIB, i.e. the linear address of the TEB itself, so the first MOV loads the TEB address into EAX. The TEB describes the state of the current thread. (On 64-bit Windows the same structure is reached through GS instead: Self is at GS:[0x30] and the PEB pointer at TEB+0x60, so the offsets below are specific to 32-bit code.)
https://msdn.microsoft.com/en-us/library/windows/desktop/ms686708(v=vs.85).aspx
Let’s explore the TEB structure using WinDbg.


As you can see, at offset 0x30 of the TEB there is a pointer to the PEB structure, the Process Environment Block. https://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx It contains process-wide information, as the name describes. So MOV EAX,DWORD PTR DS:[EAX+30] loads the address of the PEB into EAX.

This is what the PEB structure looks like.


MOVZX EAX,BYTE PTR DS:[EAX+2] loads the BeingDebugged member, a one-byte BOOLEAN at offset 2 of the PEB, into EAX with zero extension; that value is what IsDebuggerPresent returns.
If we check BeingDebugged in this context you can see it’s set to 1, meaning the program is currently being debugged.


I hope you now understand the logic behind the IsDebuggerPresent API. Here’s an example I coded in FASM that checks for a debugger the same way. Instead of calling the API you could also use inline assembly in C/C++ applications to read the BeingDebugged byte directly, which avoids an IsDebuggerPresent entry in the import table that a reverser can spot at a glance.

format pe gui 4.0
entry start
; »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
; Title: Checking if the process is being debugged by a ring3 debugger
; using the PEB's BeingDebugged byte.
;
; Website: http://osandamalith.wordpress.com
; Author: Osanda Malith Jayathissa (@OsandaMalith)
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
include 'win32a.inc'
;======================================
section '.data' data readable writeable
;======================================
Title db "Status",0
Found db "Debugger Found",0
NotFound db "Debugger Not Found",0
; =======================================
section '.text' code readable executable
;========================================
start:
mov eax, [fs:0x18]        ; TIB.Self -> pointer to the TEB structure
mov eax, [eax + 0x30]     ; TEB.ProcessEnvironmentBlock -> pointer to the PEB structure
movzx eax, byte [eax + 2] ; PEB.BeingDebugged (BOOLEAN), zero-extended
test eax, eax             ; any non-zero value means a debugger is attached
jnz found
push 0x30                 ; MB_ICONWARNING
push Title
push NotFound
push 0
call [MessageBox]
jmp exit
found:
push 0x10                 ; MB_ICONERROR
push Title
push Found
push 0
call [MessageBox]
exit:
push 0
call [ExitProcess]
; ===============================================
section '.idata' import data readable
; ===============================================
library kernel32,'kernel32.dll',\
User32,'user32.dll'
import kernel32,\
ExitProcess,'ExitProcess'
import User32,\
MessageBox,'MessageBoxA'
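The inline-assembly route mentioned above, written out as an added example (this is not the post's own code): a C implementation of the same three-step walk, TIB.Self, then TEB.ProcessEnvironmentBlock, then PEB.BeingDebugged, with the x64 offsets (GS:[0x30], TEB+0x60) beside the x86 ones (FS:[0x18], TEB+0x30). The live walk only compiles on Windows, via MSVC's `__readfsdword`/`__readgsqword` intrinsics or GCC inline assembly, and reports -1 elsewhere. So that the pointer chase can still be exercised off Windows, the block also builds a constructed TEB/PEB image (`fake_process_t`, invented for this demo, storing a host-width pointer at the PEB-pointer offset); `fake_hide_debugger` models the usual counter-measure of zeroing the byte, which defeats this check and IsDebuggerPresent alike.

```c
/*
 * Added example: the IsDebuggerPresent logic without the API call, i.e. the
 * three instructions disassembled in the post, in C:
 *   mov eax, fs:[0x18]        ; TIB.Self -> linear address of the TEB
 *   mov eax, [eax+0x30]       ; TEB.ProcessEnvironmentBlock -> PEB
 *   movzx eax, byte [eax+2]   ; PEB.BeingDebugged
 * On x64 Windows: TIB.Self is GS:[0x30], the PEB pointer TEB+0x60, and
 * BeingDebugged is still the byte at PEB+2.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(_MSC_VER)
#include <intrin.h>
#endif

#define TEB_PEB_OFFSET_X86 0x30   /* TEB.ProcessEnvironmentBlock, 32-bit */
#define TEB_PEB_OFFSET_X64 0x60   /* TEB.ProcessEnvironmentBlock, 64-bit */
#define PEB_BEINGDEBUGGED  0x02   /* PEB.BeingDebugged, both bitnesses */

/* Step 2: read the PEB pointer stored inside a TEB image. */
static const uint8_t *teb_get_peb(const uint8_t *teb, size_t peb_ptr_offset)
{
    const uint8_t *peb;
    memcpy(&peb, teb + peb_ptr_offset, sizeof peb);
    return peb;
}

/* Step 3: BeingDebugged is a BOOLEAN, one byte. Read exactly that byte and
 * zero-extend it like MOVZX does; any non-zero value means "debugged". */
static int peb_being_debugged(const uint8_t *peb)
{
    return peb[PEB_BEINGDEBUGGED] != 0;
}

/* Step 1 plus the full chain on a live Windows process. Returns -1 when the
 * TEB cannot be reached this way (non-Windows build), so a caller can tell
 * "no debugger" from "not applicable". */
static int being_debugged_via_teb(void)
{
#if defined(_WIN32) && defined(_MSC_VER) && defined(_M_IX86)
    const uint8_t *teb = (const uint8_t *)__readfsdword(0x18);   /* TIB.Self */
    return peb_being_debugged(teb_get_peb(teb, TEB_PEB_OFFSET_X86));
#elif defined(_WIN32) && defined(_MSC_VER) && defined(_M_X64)
    const uint8_t *teb = (const uint8_t *)__readgsqword(0x30);   /* TIB.Self */
    return peb_being_debugged(teb_get_peb(teb, TEB_PEB_OFFSET_X64));
#elif defined(_WIN32) && defined(__GNUC__) && defined(__i386__)
    const uint8_t *teb;
    __asm__ volatile ("movl %%fs:0x18, %0" : "=r"(teb));
    return peb_being_debugged(teb_get_peb(teb, TEB_PEB_OFFSET_X86));
#elif defined(_WIN32) && defined(__GNUC__) && defined(__x86_64__)
    const uint8_t *teb;
    __asm__ volatile ("movq %%gs:0x30, %0" : "=r"(teb));
    return peb_being_debugged(teb_get_peb(teb, TEB_PEB_OFFSET_X64));
#else
    return -1;
#endif
}

/* Constructed TEB/PEB images (not captured from a real process) so steps 2
 * and 3 can be exercised off Windows; the PEB pointer is stored with the
 * host's pointer width at the chosen offset. */
typedef struct {
    uint8_t peb[0x100];
    uint8_t teb[0x100];
} fake_process_t;

static void fake_process_init(fake_process_t *p, size_t peb_ptr_offset, int debugged)
{
    const uint8_t *peb = p->peb;
    memset(p, 0, sizeof *p);
    p->peb[PEB_BEINGDEBUGGED] = debugged ? 1 : 0;   /* what the kernel sets on attach */
    memcpy(p->teb + peb_ptr_offset, &peb, sizeof peb);
}

/* The standard counter-measure a debugger or plugin applies: overwrite
 * PEB.BeingDebugged with 0. This check and IsDebuggerPresent read the same
 * byte, so both then report a clean process. */
static void fake_hide_debugger(fake_process_t *p)
{
    p->peb[PEB_BEINGDEBUGGED] = 0;
}

static int fake_check(const fake_process_t *p, size_t peb_ptr_offset)
{
    return peb_being_debugged(teb_get_peb(p->teb, peb_ptr_offset));
}

int main(void)
{
    fake_process_t p;
    int live = being_debugged_via_teb();
    printf("live TEB walk: %s\n", live < 0 ? "not available on this platform"
                                 : live ? "Debugger found" : "Debugger not found");
    fake_process_init(&p, TEB_PEB_OFFSET_X86, 1);
    printf("constructed x86 process, debugger attached: %d\n", fake_check(&p, TEB_PEB_OFFSET_X86));
    fake_hide_debugger(&p);
    printf("same process after zeroing PEB+2:           %d\n", fake_check(&p, TEB_PEB_OFFSET_X86));
    return 0;
}
```

Build it with any C99 compiler; on a Windows x86 or x64 build `being_debugged_via_teb` performs the real walk, and running the binary under a ring-3 debugger flips the first line to "Debugger found" until PEB+2 is patched to zero from the debugger, exactly as the constructed-process part of the output demonstrates.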

Here’s an example using C in which I first get the address of the PEB using the ZwQueryInformationProcess native API (exported by ntdll.dll) and then check the BeingDebugged byte. The documentation says that passing ProcessBasicInformation as the ProcessInformationClass returns a PROCESS_BASIC_INFORMATION structure, from which we can retrieve a pointer to the PEB.

NTSTATUS WINAPI ZwQueryInformationProcess(
  _In_      HANDLE           ProcessHandle,
  _In_      PROCESSINFOCLASS ProcessInformationClass,
  _Out_     PVOID            ProcessInformation,
  _In_      ULONG            ProcessInformationLength,
  _Out_opt_ PULONG           ReturnLength
);

If you check the documentation you can see that PebBaseAddress is a member of the PROCESS_BASIC_INFORMATION structure and it points to the PEB. So we pass ProcessBasicInformation as the ProcessInformationClass parameter and a pointer to a PROCESS_BASIC_INFORMATION as the ProcessInformation buffer.

typedef struct _PROCESS_BASIC_INFORMATION {
    PVOID Reserved1;
    PPEB PebBaseAddress;
    PVOID Reserved2[2];
    ULONG_PTR UniqueProcessId;
    PVOID Reserved3;
} PROCESS_BASIC_INFORMATION; 

https://msdn.microsoft.com/en-us/library/windows/desktop/ms687420(v=vs.85).aspx
Here’s an example I’ve written in C/C++ to get the BeingDebugged byte.

#include <Windows.h>
#include <Winternl.h>
/*
* Author: Osanda Malith Jayathissa (@OsandaMalith)
* Website: http://OsandaMalith.wordpress.com
* Using ZwQueryInformationProcess we get the PEB address and
* then check the BeingDebugged byte to determine whether the process is being debugged.
*/

/* ZwQueryInformationProcess is exported by ntdll.dll but has no import
 * library in the SDK, so it is resolved at run time with GetProcAddress. */
typedef NTSTATUS (NTAPI *pfnZwQueryInformationProcess)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength);

int main(void) {
    /* ntdll.dll is mapped into every process, so no LoadLibrary is needed. */
    HMODULE hNtDll = GetModuleHandleA("ntdll.dll");
    if (hNtDll == NULL) {
        return 1;
    }
    pfnZwQueryInformationProcess ZwQueryInfoProcess =
        (pfnZwQueryInformationProcess)GetProcAddress(hNtDll, "ZwQueryInformationProcess");
    if (ZwQueryInfoProcess == NULL) {
        return 1;
    }

    /* ProcessBasicInformation fills a PROCESS_BASIC_INFORMATION whose
     * PebBaseAddress member points to this process's PEB. */
    PROCESS_BASIC_INFORMATION pbi;
    ULONG returned = 0;
    NTSTATUS status = ZwQueryInfoProcess(GetCurrentProcess(),
                                         ProcessBasicInformation,
                                         &pbi,
                                         sizeof(pbi),
                                         &returned);
    if (status != 0 /* STATUS_SUCCESS */ || pbi.PebBaseAddress == NULL) {
        return 1;
    }

    /* BeingDebugged is the BOOLEAN at offset 2 of the PEB; winternl.h exposes
     * it by name, and it is the same byte IsDebuggerPresent reads. */
    BYTE beingDebugged = pbi.PebBaseAddress->BeingDebugged;
    MessageBoxA(0, beingDebugged ? "Debugger found" : "Debugger not found", "Status", 0x30);
    return 0;
}



You can check out this link to see the evolution of the PEB over the years across Windows versions. The diagram was created by ReWolf 🙂
http://blog.rewolf.pl/blog/wp-content/uploads/2013/03/peb_evolution.png

There are lots of great articles and resources out there to learn more. I hope to share more anti-debugging tricks that I have understood and experimented with on my own, with examples.
