Avoiding protection detection

Battlefield 3’s beta made its debut launch this week. Great little game that shows promise. I, being the curious type, wanted to peek at some of the extras it came bundled with. One of the extras was a Mumble / TeamSpeak knockoff program called Sonar. While single stepping through it in WinDbg (giving Immunity a break) it kept terminating the process. To my (non) surprise, the culprit was our oh-so-favorite API IsDebuggerPresent. I thought I’d talk a little about how it works and how to avoid it.

You see, when a process is being debugged, certain flags are set in the PEB / TEB (process environment block / thread environment block). Offset 0x30 of the TEB structure is what determines whether a process is being debugged; the API returns the value of the 3rd byte in the PEB. There are other ways of determining this, but this is how the IsDebuggerPresent API works.

How do we get around it? Well, the easiest way is to just patch around it. IsDebuggerPresent() is a Boolean switch returning true if the flag is set and false if it isn't. Just make it always return 0 (false). An alternative would be to patch the process's TEB / PEB struct so that the value at offset 0x30 always equates to false. Wow, that was easy. We’ll get into the dirtier tricks employed by software devs later, such as timing checks, our good friend the RDTSC instruction and the CheckRemoteDebuggerPresent API. For now, we can bypass the easy ones.
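As an added example (not code from the original post), here is a small C program that models the head of the PEB, reimplements the single-byte read that IsDebuggerPresent() performs, and applies the in-place flag patch described above, so that afterwards the raw read and the API agree. The Windows build assumes the MSVC/MinGW intrinsics __readfsdword / __readgsqword to locate the real PEB; on any other platform it runs against a constructed PEB header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leading bytes of the PEB as documented for ntdll. IsDebuggerPresent()
 * simply returns the third byte, BeingDebugged (offset 2). */
typedef struct {
    uint8_t InheritedAddressSpace;     /* offset 0 */
    uint8_t ReadImageFileExecOptions;  /* offset 1 */
    uint8_t BeingDebugged;             /* offset 2 */
    uint8_t BitField;                  /* offset 3 */
} PebHead;

/* What IsDebuggerPresent() does once it has the PEB pointer. */
int peb_being_debugged(const PebHead *peb) {
    return peb->BeingDebugged != 0;
}

/* The in-place patch from the post: clear the flag so every reader,
 * the API included, sees "not debugged". Returns the previous value. */
uint8_t peb_clear_being_debugged(PebHead *peb) {
    uint8_t old = peb->BeingDebugged;
    peb->BeingDebugged = 0;
    return old;
}

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>
/* Locate the live PEB through the TEB (fs:[0x30] on x86, gs:[0x60] on x64). */
static PebHead *current_peb(void) {
#ifdef _WIN64
    return (PebHead *)__readgsqword(0x60);
#else
    return (PebHead *)__readfsdword(0x30);
#endif
}
#endif

int main(void) {
#ifdef _WIN32
    PebHead *peb = current_peb();
    printf("raw PEB flag=%d IsDebuggerPresent=%d\n",
           peb_being_debugged(peb), (int)IsDebuggerPresent());
#else
    /* Constructed sample header standing in for a debugged process. */
    PebHead fake = {0, 0, 1, 0};
    printf("before patch: %d\n", peb_being_debugged(&fake));
    peb_clear_being_debugged(&fake);
    printf("after patch: %d\n", peb_being_debugged(&fake));
#endif
    return 0;
}
```

Run it under a debugger on Windows and both numbers print 1; after patching the byte (for example with WinDbg's `eb`), both print 0, which is why patching the flag beats patching the API.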

On an unrelated note, I want one of these just because.
