This is another simple anti-reversing trick used to detect a debugger. As I have shown earlier in my post about the TEB structure and the PEB structure, NtGlobalFlag is located in the PEB Structure at offset PEB+104.
When the process is being debugged the NtGlobalFlag is set to 0x70.
If we examine the API in a debugger we can see that it uses FS[30] segment register which is the linear address of Process Environment Block (PEB) and then reach the offset 0x68 which is the NtGlobalFlag.
Here’s a simple implementation of this in FASM.
format pe gui 4.0
entry start
; »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
; Title: Checking if the process is being debugged by a ring3 debugger
; using the PEB's NtGlobalFlag.
;
; Website: http://osandamalith.wordpress.com
; Author: Osanda Malith Jayathissa (@OsandaMalith)
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
include 'win32a.inc'
;======================================
section '.data' data readable writeable
;======================================
Title db "Status",0
Found db "Debugger Found",0
NotFound db "Debuger Not Found",0
; =======================================
section '.text' code readable executable
;========================================
start:
mov eax, [fs:0x18] ; Pointer to TEB Structure
mov eax, [eax + 0x30] ; Pointer to PEB Structure
movzx eax, byte [eax + 68h]; BeingDebugged bit
cmp eax, 70h
je found
push 0x30
push Title
push NotFound
push 0
call [MessageBox]
jmp exit
found:
push 0x10
push Title
push Found
push 0
call [MessageBox]
exit:
push 0
call [ExitProcess]
; ===============================================
section '.idata' import data readable
; ===============================================
library kernel32,'kernel32.dll',\
User32,'user32.dll'
import kernel32,\
ExitProcess,'ExitProcess'
import User32,\
MessageBox,'MessageBoxA'
Here’s another way coded in C in which we first take the address of the PEB structure and then get the address to the NtGlobalFlag using “ZwQueryInformationProcess” kernel mode API.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
#include <Winternl.h> #include <Windows.h> #include <tchar.h> #include <stdio.h> /* * Author: Osanda Malith Jayathissa (@OsandaMalith) * Website: http://OsandaMalith.wordpress.com * Using ZwQueryInformationProcess we get the PEB Address and * then we check the NtGlobalFlag to determine the process is being debugged or not. */ int main() { typedef unsigned long(__stdcall *pfnZwQueryInformationProcess) ( IN HANDLE, IN unsigned int, OUT PVOID, IN ULONG, OUT PULONG ); pfnZwQueryInformationProcess ZwQueryInfoProcess = NULL; HMODULE hNtDll = LoadLibrary(_T("ntdll.dll")); if (hNtDll == NULL) { } ZwQueryInfoProcess = (pfnZwQueryInformationProcess) GetProcAddress(hNtDll, "ZwQueryInformationProcess"); if (ZwQueryInfoProcess == NULL) { } unsigned long status; DWORD pid = GetCurrentProcessId(); HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid); PROCESS_BASIC_INFORMATION pbi; status = ZwQueryInfoProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), NULL); PPEB peb_addr = pbi.PebBaseAddress; DWORD ptr = pbi.PebBaseAddress; ptr|=104; DWORD *temp = ptr; MessageBox(0, *temp ? "Debugger found" : "Debugger not found","Status",0x30); return 0; } |
You can check my github repository (will update soon with more): https://github.com/OsandaMalith/Anti-Debug/
In 64-bit systems the implementation would be as follow. Thanks to b3mb4m for mentioning in the comments.
The NtGlobalFlag is located at PEB+0xbc. When the process is being debugged the value is 0x70 as usual.
The assembly implementation would be like this.
Here’s an simple example using inline assembly.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
#include <Windows.h> /* * Author: Osanda Malith Jayathissa (@OsandaMalith) * Website: http://OsandaMalith.wordpress.com * 64-bit implementation for NtGlobalFlag using inline asm. */ int NtGlobalFlag64(){ asm ( ".intel_syntax noprefix;" "xor rax, rax;" "mov rbx, qword ptr gs:[0x60];" "mov eax, dword ptr [rbx + 0xbc];" ); } int main(){ MessageBox(NULL, NtGlobalFlag64() ? "Debugger Detected!" : "No Debugger Found" , "Status", 0x30); } |
I did try same thing with inline assembly before, but there has little differents between 32bit and 64bit operation systems.
“The NtGlobalFlag field exists at offset 0x68 in the Process Environment Block
on the 32-bit versions of Windows, and at offset 0xBC on the 64-bit versions of
Windows. The value in that field is zero by default.”(‘The “Ultimate” Anti-Debugging Referance’ by P.Ferrie’)
My approach for this(for 32&64 bits),
https://github.com/b3mb4m/PythonVIRUS/blob/master/BombermansLAB/Assembly-PEB-Detections/ASM-C/NtGlobalFlag.h
Good to see some raw assembly resources for it, regards 🙂
Yes thanks 🙂 I checked your code. But it seems to be wrong.
“mov ebx,[fs:0x30];”
“mov al, [eax+0x10bc];”
You move the wrong segment register. In 64 bit it’s gs:[0x60] and it should be a qword, mov rbx, qword ptr gs:[0x60]. Also notice you move the value into ebx and then you move [eax+0x10bc] into al, actually it should be mov eax, dword ptr [rbx + 0xbc].
The correct implementation would be:
xor rax, rax
mov rbx, qword ptr gs:[0x60]
mov eax, dword ptr [rbx + 0xbc]
Yea can be true, i did not test 64bit version.Coz im usually using them into a shellcode and its working because of wow64 😛
wow64 means Windows 32-bit on Windows 64-bit it runs 32-bit applications 🙂