
Anti Debugging unleashed series # Part 1

September 26th, 2011

This is the first post in a series on anti debugging tricks. I will discuss the various tricks one by one in further posts.

I will start with the most basic ones.


The first one in the race is the PEB.BeingDebugged flag.

PEB stands for Process Environment Block; it holds information about the environment and various parameters of a process. In a 32-bit process, fs:[0x30] always points to the PEB. The structure of the PEB can be displayed with the following command in WinDbg:


0:000> dt _PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged : UChar
   +0x003 SpareBool : UChar


For a process that is being debugged, note the BeingDebugged field in the WinDbg PEB dump below:



PEB at 7ffda000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00400000
    Ldr                       00261ea0


Hence, a program using anti debugging techniques can read this flag to find out whether it is being debugged.


The API IsDebuggerPresent() in kernel32.dll checks this flag to determine the presence of a debugger.


This check can be easily bypassed by patching the PEB.BeingDebugged flag to 0, which also defeats IsDebuggerPresent(), since it reads the same byte.
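As an added example (not code from the original post), the following C program models the PEB prefix shown above and demonstrates that IsDebuggerPresent() and a direct fs:[0x30] read consult the same byte, which is why patching it defeats both. It assumes a GCC/MinGW build on Windows for the live PEB lookup; the gs:[0x60] path for x64 goes beyond what the post covers, and on any other platform a constructed sample PEB stands in.

```c
/* Added example, not code from the original post: it models the PEB prefix from
 * "dt _PEB" above and reads BeingDebugged as IsDebuggerPresent() does.  On Windows
 * under GCC/MinGW it finds the real PEB (fs:[0x30] on x86, gs:[0x60] on x64, the
 * latter beyond the post); elsewhere a constructed sample PEB stands in. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* First four bytes of the PEB, at the offsets shown by "dt _PEB". */
struct peb_prefix {
    uint8_t InheritedAddressSpace;    /* +0x000 */
    uint8_t ReadImageFileExecOptions; /* +0x001 */
    uint8_t BeingDebugged;            /* +0x002 */
    uint8_t SpareBool;                /* +0x003 */
};
_Static_assert(offsetof(struct peb_prefix, BeingDebugged) == 2, "PEB+0x002");

/* What IsDebuggerPresent() boils down to: return this one byte. */
int peb_being_debugged(const struct peb_prefix *peb)
{
    return peb->BeingDebugged != 0;
}

/* The bypass from the post: clearing the byte also blinds IsDebuggerPresent(). */
void peb_clear_being_debugged(struct peb_prefix *peb)
{
    peb->BeingDebugged = 0;
}

/* Locate the calling process's PEB; NULL when not built on Windows with GCC. */
struct peb_prefix *peb_current(void)
{
    struct peb_prefix *peb = NULL;
#if defined(_WIN32) && defined(__GNUC__) && defined(__i386__)
    __asm__ volatile ("movl %%fs:0x30, %0" : "=r"(peb));
#elif defined(_WIN32) && defined(__GNUC__) && defined(__x86_64__)
    __asm__ volatile ("movq %%gs:0x60, %0" : "=r"(peb));
#endif
    return peb;
}

int main(void)
{
    struct peb_prefix sample = { 0, 0, 1, 0 };  /* constructed "debugged" PEB */
    struct peb_prefix *peb = peb_current();
    if (peb == NULL) peb = &sample;
    printf("BeingDebugged before patch: %d\n", peb_being_debugged(peb));
    peb_clear_being_debugged(peb);
    printf("BeingDebugged after patch:  %d\n", peb_being_debugged(peb));
    return 0;
}
```

Under a debugger on Windows the first line prints 1 and the second 0; off Windows the constructed sample shows the same transition.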


Ch33r5 !!!


  1. October 2nd, 2011 at 12:12

    Somebody help me about hacking
