Anti Debugging Techniques

 

a.c

#define _WIN32_WINNT 0x0400   /* without this, windows.h does not declare IsDebuggerPresent */
#include <windows.h>

int main(void)
{
    int i;

    /* Returns nonzero when a user-mode debugger is attached to this process. */
    i = IsDebuggerPresent();
    if ( i )
        MessageBox(0, "debugger present", "vm", 0);
    else
        MessageBox(0, "debugger not present", "vm", 0);
    return 0;
}

 

The Windows API has a simple function, IsDebuggerPresent, that returns true (1) if we are running under a debugger and false otherwise. We first run our program from the command prompt and get a message box telling us "debugger not present". We then run the same program through three debuggers, OllyDbg, W32dasm and IDA Pro. All three tell us that a debugger is present.

 

If we instead set a breakpoint on the function MessageBoxA in SoftICE and run the above program, we fall into SoftICE. When we press F12 to continue we get a MessageBox that says "debugger not present". Thus this Windows function cannot sense SoftICE, though it senses all the other debuggers (SoftICE is a kernel-mode debugger that does not attach through the Windows debug API, so the flag this function reads is never set). For some reason known only to Microsoft, if we do not define the macro _WIN32_WINNT as above, the function prototype of IsDebuggerPresent does not get included.

 

a.c

#include <windows.h>

int IsDebuggerPresent1(void);   /* prototype, because the function is defined after main */

int main(void)
{
    int i;

    i = IsDebuggerPresent1();
    if ( i )
        MessageBox(0, "debugger present", "vm", 0);
    else
        MessageBox(0, "debugger not present", "vm", 0);
    return 0;
}

/* Our own IsDebuggerPresent: walks fs -> TEB -> PEB and reads the BeingDebugged byte.
   The result is left in eax, which is the return register (32-bit MSVC inline asm). */
int IsDebuggerPresent1(void)
{
    __asm
    {
        mov ebx, fs:[0x18]          ; fs:[0x18] holds the address of the TEB
        mov ebx, [ebx+0x30]         ; TEB+0x30 holds the address of the PEB
        mov eax, 0                  ; clear eax so that only al carries the result
        mov al, byte ptr [ebx+0x02] ; PEB+0x02 is the BeingDebugged flag
    }
}

 

The above program shows how easy it is to write our own IsDebuggerPresent function. fs:[0x18] points to a structure called the Thread Environment Block, or TEB; we load this value into the ebx register using fs as the segment. 0x30 bytes from the start of the TEB is a pointer to another structure, the Process Environment Block or PEB; we load this value into ebx. Two bytes from the start of this structure is a byte that tells us whether a debugger is active while our program is running.

 

We first place 0 in the eax register and then move this byte into al, which becomes the return value. The TEB and PEB structures are not documented by Microsoft.
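The walk IsDebuggerPresent1 performs, as an added example that is not part of the original tutorial: the same three loads written as pointer arithmetic over a constructed 32-bit memory image, so the fs:[0x18] -> TEB+0x30 -> PEB+0x02 chain can be checked on any platform, plus (Windows only) the same read through the winternl.h TEB and PEB definitions rather than raw fs: offsets. The function names, the 4 KiB image and the 0x100/0x400 addresses are constructed for this example; the offsets are the ones the text gives.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* 32-bit offsets used by the inline-asm IsDebuggerPresent1 above
 * (on x64 the equivalents are gs:[0x30] for the TEB and TEB+0x60 for the PEB). */
#define TEB_SELF_OFFSET          0x18 /* TEB.NtTib.Self: fs:[0x18] holds the TEB's own address */
#define TEB_PEB_OFFSET           0x30 /* TEB.ProcessEnvironmentBlock */
#define PEB_BEINGDEBUGGED_OFFSET 0x02 /* PEB.BeingDebugged */

/* Little-endian 32-bit read/write over a byte image standing in for process memory. */
static uint32_t rd32(const uint8_t *img, uint32_t a)
{
    return (uint32_t)img[a] | ((uint32_t)img[a + 1] << 8) |
           ((uint32_t)img[a + 2] << 16) | ((uint32_t)img[a + 3] << 24);
}
static void wr32(uint8_t *img, uint32_t a, uint32_t v)
{
    for (int i = 0; i < 4; i++) img[a + i] = (uint8_t)(v >> (8 * i));
}

/* The three loads of IsDebuggerPresent1 as explicit pointer arithmetic.
 * fs_base is the image address the fs segment base maps to, i.e. the TEB itself. */
int being_debugged_from_image(const uint8_t *img, uint32_t fs_base)
{
    uint32_t teb = rd32(img, fs_base + TEB_SELF_OFFSET); /* mov ebx, fs:[0x18]       */
    uint32_t peb = rd32(img, teb + TEB_PEB_OFFSET);      /* mov ebx, [ebx+0x30]      */
    return img[peb + PEB_BEINGDEBUGGED_OFFSET];          /* mov al, byte ptr [ebx+2] */
}

/* Constructed 4 KiB image: TEB at 0x100 (self pointer at +0x18), PEB at 0x400, flag at
 * PEB+2; the addresses are made up for the example, the offsets are the real ones. */
int walk_constructed_image(uint8_t flag)
{
    static uint8_t img[4096];
    const uint32_t teb = 0x100, peb = 0x400;
    memset(img, 0, sizeof img);
    wr32(img, teb + TEB_SELF_OFFSET, teb); /* fs:[0x18] -> the TEB itself */
    wr32(img, teb + TEB_PEB_OFFSET, peb);  /* TEB+0x30  -> the PEB        */
    img[peb + PEB_BEINGDEBUGGED_OFFSET] = flag;
    return being_debugged_from_image(img, teb);
}
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* The same walk on the live process through the winternl.h TEB/PEB definitions,
 * so no fs: offsets are hard-coded (NtCurrentTeb() is the fs:[0x18] self pointer). */
int being_debugged_live(void) { return NtCurrentTeb()->ProcessEnvironmentBlock->BeingDebugged; }
#endif
int main(void) { printf("set: %d, clear: %d\n", walk_constructed_image(1), walk_constructed_image(0)); return 0; }
```

On a 64-bit Windows build the live check still works because winternl.h supplies the 64-bit field offsets; the constructed-image walk deliberately uses the 32-bit offsets from the text.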

 

a.c

int main(void)
{
    __asm
    {
        nop
        nop
        nop
        mov eax, 0
        jmp a1          ; skip the single byte emitted next; it is never executed
        _emit 0xf       ; 0x0F is the first byte of a two-byte opcode, so a disassembler that
                        ; reads straight through instead of following the jmp decodes it
                        ; together with the bytes of the next instruction as something else
    a1:
        mov eax, 1
        nop
    }
    return 0;
}