IsDebuggerPresent API

I was interested in learning about the anti-reversing techniques in the world of reverse engineering. There are so many techniques out there and I thought of trying few techniques and understanding them from the lowest level. I thought of sharing the things I’ve been experimenting these days.
IsDebuggerPresent is a Windows API that can be used to detect a debugger. Here’s an example code:

/*
 * IsDebuggerPresent Example
 * Author: Osanda Malith Jayathissa (@OsandaMalith)
 * Website: https://osandamalith.wordpress.com	
 */

#include <windows.h>

int main() {	
	MessageBox(0, IsDebuggerPresent() ? "Debugger found" : "Debugger not found","Status",0x30);
}

If we open in a debugger “Debugger Found” text will get triggered in the MessageBox API. How this API works? Open the API in the debugger and you get the following piece of code.

MOV EAX,DWORD PTR FS:[18]
MOV EAX,DWORD PTR DS:[EAX+30]
MOVZX EAX,BYTE PTR DS:[EAX+2]

FS is a special kind of segment register which contains pointers to Windows kernel data structures related to the current Process/Thread. FS:[18] is the pointer to the TIB structure. Thread Information Block is also known as the Thread Environment Block. It describes the state of the thread.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms686708(v=vs.85).aspx
Let’s explore the TEB structure using a WinDBG.

As you can see 0x30 is a pointer to the PEB structure which is the Process Information Block. https://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx It contains process information as the name describes. So MOV EAX,DWORD PTR DS:[EAX+30] will move the address of the PEB.

This is how the PEB Structure looks like.

MOVZX EAX,BYTE PTR DS:[EAX+2] will move the BeingDebugged bit with zero extend to EAX.
If we check the BeingDebugged bit in this context you can it’s set to 1, meaning the program is being currently debugged.

I hope you understand the logic behind the IsDebuggerPresent API. Here’s an example using FASM that I have coded to check for a debugger. Instead of this API you could code using inline assembly in C/C++ applications to check for the BeingDebugged bit.


Here’s an example using C in which I first the address of the PEB using the ZwQueryInformationProcess kernel API and then check for the BeingDebugged bit. The API describes using ProcessBasicInformation as the ProcessInformationClass we can retrieve a pointer to a PEB structure.

NTSTATUS WINAPI ZwQueryInformationProcess(
  _In_      HANDLE           ProcessHandle,
  _In_      PROCESSINFOCLASS ProcessInformationClass,
  _Out_     PVOID            ProcessInformation,
  _In_      ULONG            ProcessInformationLength,
  _Out_opt_ PULONG           ReturnLength
);

If you check the documentation you can see that PebBaseAddress is a member of the ProcessBasicInformation structure and it points to the PEB. So we use a pointer to ProcessBasicInformation as the ProcessInformationClass parameter.

typedef struct _PROCESS_BASIC_INFORMATION {
    PVOID Reserved1;
    PPEB PebBaseAddress;
    PVOID Reserved2[2];
    ULONG_PTR UniqueProcessId;
    PVOID Reserved3;
} PROCESS_BASIC_INFORMATION; 

https://msdn.microsoft.com/en-us/library/windows/desktop/ms687420(v=vs.85).aspx
Here’s an example I’ve written using C/C++ to get the BeingDebugged Bit.

You can check out this link to see the Evolution of the PEB over the years in Windows systems. This was created by ReWolf 🙂

There are lots of great articles and resources out there to learn more. Hope to share more of anti-debugging tricks which I have understood and have experimented on my own with examples.

Advertisements

2 thoughts on “IsDebuggerPresent API

  1. Pingback: Debugger Detection Using NtGlobalFlag | Blog of Osanda

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s