Anti-Debugging Unleashed series # Part 1
This is the first post in a series on anti-debugging tricks. I will discuss the various tricks one by one in further posts, starting with the most basic ones.
The first one in the race is the PEB.BeingDebugged flag.
PEB refers to the Process Environment Block; it holds information about the environment and various parameters of a process. On 32-bit Windows, fs:[0x30] holds the address of the PEB. The structure of the PEB can be seen using the following command in windbg:
0:000> dt _PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 SpareBool : UChar
For a process that is being debugged, note the PEB.BeingDebugged flag in the windbg output below:
!peb
PEB at 7ffda000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 00400000
Ldr 00261ea0
Hence, a program using anti-debugging techniques can read this flag to find out whether it is being debugged.
The API IsDebuggerPresent() in kernel32.dll checks this same flag to determine the presence of a debugger.
This check can be easily bypassed by patching the PEB.BeingDebugged flag to 0, which is why it is only a speed bump rather than a real protection.
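The following is an added example, not code from the original post. It models the check described above in C: a struct mirroring only the first four PEB bytes shown by the windbg dump, a function that reads the byte at PEB+0x02 exactly as IsDebuggerPresent() does, and, for the defender's side, a small byte-pattern scanner that flags the x86 instruction sequence a hand-rolled version of this check usually compiles to (mov eax, fs:[0x30] followed by movzx eax, byte ptr [eax+2]). The live-PEB read is compiled only on 32-bit Windows with MSVC (the __readfsdword intrinsic); everywhere else the code runs against a constructed PEB head and a constructed code sample, both labelled as such.

```c
/* Added example (not from the original post). Assumptions: PebHead mirrors
 * only the first four PEB bytes from the windbg dump; the live PEB read is
 * compiled only on 32-bit Windows (MSVC intrinsic). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t InheritedAddressSpace;    /* +0x000 */
    uint8_t ReadImageFileExecOptions; /* +0x001 */
    uint8_t BeingDebugged;            /* +0x002 */
    uint8_t SpareBool;                /* +0x003 */
} PebHead;

/* What IsDebuggerPresent() boils down to: read the byte at PEB+0x02. */
int peb_being_debugged(const void *peb)
{
    return ((const uint8_t *)peb)[offsetof(PebHead, BeingDebugged)] != 0;
}

#if defined(_WIN32) && defined(_M_IX86)
#include <intrin.h>
/* 32-bit Windows: fs:[0x30] holds the PEB pointer (MSVC intrinsic). */
const void *current_peb(void) { return (const void *)__readfsdword(0x30); }
#else
/* Not 32-bit Windows: no live PEB to read; callers use a constructed one. */
const void *current_peb(void) { return NULL; }
#endif

/* x86 encoding of the idiom a hand-rolled check typically compiles to:
 *   mov   eax, fs:[0x30]          ; 64 A1 30 00 00 00
 *   movzx eax, byte ptr [eax+2]   ; 0F B6 40 02
 * Scanning a code section for this sequence is a cheap triage heuristic. */
static const uint8_t kPebFlagReadPattern[] = {
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x0F, 0xB6, 0x40, 0x02
};

/* Returns the offset of the first match, or -1 if the pattern is absent. */
long find_peb_flag_read(const uint8_t *code, size_t len)
{
    size_t plen = sizeof kPebFlagReadPattern;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(code + i, kPebFlagReadPattern, plen) == 0)
            return (long)i;
    return -1;
}

/* Constructed sample: a function prologue, the idiom, then an epilogue. */
static const uint8_t kSampleCode[] = {
    0x55, 0x8B, 0xEC,                      /* push ebp; mov ebp, esp */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,    /* mov eax, fs:[0x30] */
    0x0F, 0xB6, 0x40, 0x02,                /* movzx eax, byte ptr [eax+2] */
    0x5D, 0xC3                             /* pop ebp; ret */
};

long sample_match_offset(void)
{
    return find_peb_flag_read(kSampleCode, sizeof kSampleCode);
}

int main(void)
{
    PebHead fake = { 0, 0, 1, 0 };  /* constructed PEB head with the flag set */
    printf("offset of BeingDebugged: %zu\n", offsetof(PebHead, BeingDebugged));
    printf("constructed PEB: debugged=%d\n", peb_being_debugged(&fake));
    const void *peb = current_peb();
    if (peb)
        printf("live PEB: debugged=%d\n", peb_being_debugged(peb));
    printf("pattern found at offset %ld in sample code\n", sample_match_offset());
    return 0;
}
```

The scanner only catches the literal encoding shown; a compiler may pick a different register or the code may go through fs:[0x18] and the TEB instead, so treat a hit as a triage signal for a reviewer rather than a verdict.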
Ch33r5 !!!
Somebody help me with hacking.