Last week I published the IsDebuggerPresent() technique, a function available in the kernel32.dll library. That function is often used in malware to complicate reverse engineering, because the program takes different paths in its flow when the malware is analyzed in a user-mode debugger such as x32dbg, and it is the most widely used anti-debugging method on Windows. Here I will go through another very common technique that malware authors use: CheckRemoteDebuggerPresent() from kernel32.dll.
- This Windows API can be used to detect whether the calling process is being debugged by any debugger, and also whether another process is being debugged.
```c
BOOL CheckRemoteDebuggerPresent(
    HANDLE hProcess,          /* handle to the process to inspect */
    PBOOL  pbDebuggerPresent  /* receives TRUE if a debugger is attached */
);
```

```asm
push pbDebuggerPresent_address        ; push the address of a 32-bit variable
push Process_handle                   ; push the handle to a process (-1 for the calling process)
call CheckRemoteDebuggerPresent       ; call the API
mov  eax, [pbDebuggerPresent_address] ; check the result returned in the variable
test eax, eax
jne  _debuggerfound                   ; if not zero, a debugger was found
```

```c
#include <windows.h>

int main(void)
{
    BOOL bDebuggerPresent = FALSE;
    /* terminate immediately if the current process is being debugged */
    if (TRUE == CheckRemoteDebuggerPresent(GetCurrentProcess(), &bDebuggerPresent) && TRUE == bDebuggerPresent)
        ExitProcess(-1);
    return 0;
}
```

```asm
; x86 version
lea  eax, [bDebuggerPresent]
push eax
push -1                               ; GetCurrentProcess()
call CheckRemoteDebuggerPresent
cmp  dword ptr [bDebuggerPresent], 1
jz   being_debugged
...
being_debugged:
push -1
call ExitProcess
```

```asm
; x64 version (the 32-byte shadow space the caller must reserve is omitted here)
lea  rdx, [bDebuggerPresent]
mov  rcx, -1                          ; GetCurrentProcess()
call CheckRemoteDebuggerPresent
cmp  dword ptr [bDebuggerPresent], 1
jz   being_debugged
...
being_debugged:
mov  ecx, -1
call ExitProcess
```
- If this function reports 1 (in pbDebuggerPresent) —> Debugger found!
- If it reports 0 —> Debugger not found!
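As an added example (not code from the original post), the "another process" use of CheckRemoteDebuggerPresent mentioned above: open a process by PID and ask the kernel whether a debugger is attached to it. The result codes and the helper name are my own; outside a Windows build the helper only returns DBG_UNSUPPORTED so the file still compiles elsewhere.

```c
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Result codes for check_pid_debugged() (constructed for this example). */
#define DBG_ABSENT        0
#define DBG_PRESENT       1
#define DBG_ERR_OPEN     -1   /* OpenProcess failed (bad PID or insufficient rights) */
#define DBG_ERR_QUERY    -2   /* CheckRemoteDebuggerPresent itself failed */
#define DBG_UNSUPPORTED  -3   /* not a Windows build */

/* Ask the kernel whether the process identified by pid has a debugger attached. */
int check_pid_debugged(unsigned long pid)
{
#ifdef _WIN32
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)pid);
    if (h == NULL)
        return DBG_ERR_OPEN;

    BOOL present = FALSE;
    BOOL ok = CheckRemoteDebuggerPresent(h, &present);   /* TRUE = call succeeded */
    CloseHandle(h);
    if (!ok)
        return DBG_ERR_QUERY;
    return present ? DBG_PRESENT : DBG_ABSENT;            /* the answer is in 'present' */
#else
    (void)pid;
    return DBG_UNSUPPORTED;
#endif
}

int main(int argc, char **argv)
{
    unsigned long pid = (argc > 1) ? strtoul(argv[1], NULL, 10) : 0;
#ifdef _WIN32
    if (argc < 2) pid = GetCurrentProcessId();  /* default: inspect ourselves */
#endif
    int r = check_pid_debugged(pid);
    switch (r) {
    case DBG_PRESENT: printf("PID %lu: debugger present\n", pid); break;
    case DBG_ABSENT:  printf("PID %lu: no debugger\n", pid); break;
    default:          printf("PID %lu: check failed (%d)\n", pid, r); break;
    }
    return r < 0 ? 1 : 0;
}
```

Run it under x32dbg (or pass the PID of a process you have attached a debugger to) and the result flips to "debugger present"; PID 0 is never a valid target, so it always yields an error code.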
- I will put a breakpoint on the CheckRemoteDebuggerPresent() function, press F9 to run the sample, then F7 to step into this function and bypass the trick.
- When I press F8 inside the function to bypass the trick, I find the function NtQueryInformationProcess(), which retrieves information about the specified process.
- Look at the value in register EAX.
- Look at the value of bDebuggerPresent on the stack.
- Compare the two values.
- To bypass this trick, the value ffffffff (being debugged; this is the ProcessDebugPort value that NtQueryInformationProcess reports for a debugged process) must be changed to 0, because with any value other than 0 the sample will terminate itself.
- We notice the line XOR EAX, EAX.
- I will right-click on the line that compares the two values.
- We see that the call that terminates the sample is not executed.
- Nice, the trick is bypassed.