bypassing isDebuggerPresent WITHOUT changing mem
2009. 1. 28. 16:38
If you change the JE, you are modding the program code, and it no doubt detects this with a CRC routine of some sort. Also, if you wait until the code returns, and then change the value in eax, you are once again "modding" the code in a way because you are setting a breakpoint in the code.
The safest and most effective way to modify IsDebuggerPresent detection is to edit the program's thread block. This is easy in OllyDbg. You can do this before the program even starts to run, after Olly loads it.
NOTE: This example works for Windows 2000 / XP.
Open your program in OllyDbg. Note the value of the FS register. On my 2000 system, it's 7FFDE000. Go to the hex dump window in Olly (at the bottom) and right click and say Go To->Expression and type in this value.
Now, at FS[30], which would be 7FFDE030 on my machine (30 bytes in), there is another address; this points to the program's thread environment block (TEB). Select this address in the window by clicking and selecting it, then right click and say "Follow DWORD in dump". This address, by the way, in my 2000 system is 7FFDF000.
Now, 3 bytes in you will see a 01. This is telling Windows the program is being debugged. Change it to a zero by selecting it, and just start typing in zero, zero. Olly brings up the memory edit window; after entering the zeros just push OK and now you are hidden from the IsDebuggerPresent detector, and you didn't modify or edit any program memory or API memory. In fact, the program hasn't even started yet.
-nt20
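The procedure nt20 describes, modelled in C as an added example (this is not code from the forum post, from OllyDbg or from Windows): a constructed 32-bit process image with a TEB page at the FS base, a DWORD at FS:[0x30] pointing at the block whose third byte is the BeingDebugged flag (the process environment block, PEB, in Microsoft's naming), and a hypothetical code page carrying a checksum. `model_is_debugger_present` follows the pointer the way IsDebuggerPresent does; `clear_being_debugged` performs the post's edit. The addresses 7FFDE000 and 7FFDF000 are taken from the post; the code bytes, the code page address 0x401000 and the FNV-1a checksum are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit Windows 2000/XP layout as used in the post (constructed model, not a real process):
 * FS points at the TEB; the DWORD at FS:[0x30] is the PEB address; PEB byte 2 is BeingDebugged. */
#define TEB_PEB_POINTER_OFFSET    0x30u
#define PEB_BEING_DEBUGGED_OFFSET 0x02u

/* Addresses quoted in the post, reused as constants of the model; CODE_BASE is hypothetical */
#define TEB_BASE  0x7FFDE000u
#define PEB_BASE  0x7FFDF000u
#define CODE_BASE 0x00401000u
#define PAGE_SIZE 0x1000u

typedef struct {
    uint8_t teb[PAGE_SIZE];
    uint8_t peb[PAGE_SIZE];
    uint8_t code[PAGE_SIZE];   /* stands in for the program's .text, to show it stays untouched */
} process_image_t;

/* Map a virtual address onto one of the three backed pages; NULL if unmapped */
static uint8_t *translate(process_image_t *img, uint32_t va) {
    if (va >= TEB_BASE  && va < TEB_BASE  + PAGE_SIZE) return img->teb  + (va - TEB_BASE);
    if (va >= PEB_BASE  && va < PEB_BASE  + PAGE_SIZE) return img->peb  + (va - PEB_BASE);
    if (va >= CODE_BASE && va < CODE_BASE + PAGE_SIZE) return img->code + (va - CODE_BASE);
    return NULL;
}

/* Read a little-endian DWORD (as on x86); 0 if the address is unmapped */
uint32_t read_dword(process_image_t *img, uint32_t va) {
    uint32_t v = 0;
    uint8_t *p = translate(img, va);
    if (p && translate(img, va + 3)) memcpy(&v, p, sizeof v);
    return v;
}

/* Constructed debuggee: FS:[0x30] -> PEB, BeingDebugged = 1, a few bytes of fake code */
void build_debugged_process(process_image_t *img) {
    static const uint8_t fake_code[] = {
        0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,   /* mov   eax, fs:[0x30]        */
        0x0F, 0xB6, 0x40, 0x02,               /* movzx eax, byte ptr [eax+2] */
        0xC3                                  /* ret                         */
    };
    uint32_t peb = PEB_BASE;
    memset(img, 0, sizeof *img);
    memcpy(img->teb + TEB_PEB_POINTER_OFFSET, &peb, sizeof peb);
    img->peb[PEB_BEING_DEBUGGED_OFFSET] = 1;
    memcpy(img->code, fake_code, sizeof fake_code);
}

/* What IsDebuggerPresent() does: follow FS:[0x30] to the PEB and return its BeingDebugged byte */
int model_is_debugger_present(process_image_t *img, uint32_t fs_base) {
    uint32_t peb = read_dword(img, fs_base + TEB_PEB_POINTER_OFFSET);
    uint8_t *flag = translate(img, peb + PEB_BEING_DEBUGGED_OFFSET);
    return (flag && *flag) ? 1 : 0;
}

/* The post's OllyDbg edit: follow the DWORD at FS:[0x30] and zero the byte at +2.
 * Returns the PEB address that was patched, or 0 if the pointer did not resolve. */
uint32_t clear_being_debugged(process_image_t *img, uint32_t fs_base) {
    uint32_t peb = read_dword(img, fs_base + TEB_PEB_POINTER_OFFSET);
    uint8_t *flag = translate(img, peb + PEB_BEING_DEBUGGED_OFFSET);
    if (!flag) return 0;
    *flag = 0;
    return peb;
}

/* FNV-1a over the code page: stands in for the program's own CRC-style integrity check */
uint32_t checksum_code(const process_image_t *img) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < PAGE_SIZE; i++) { h ^= img->code[i]; h *= 0x01000193u; }
    return h;
}

int main(void) {
    process_image_t img;
    build_debugged_process(&img);
    uint32_t before = checksum_code(&img);
    printf("IsDebuggerPresent -> %d (PEB at %08X)\n", model_is_debugger_present(&img, TEB_BASE),
           read_dword(&img, TEB_BASE + TEB_PEB_POINTER_OFFSET));
    uint32_t patched = clear_being_debugged(&img, TEB_BASE);
    printf("patched PEB %08X, IsDebuggerPresent -> %d, code checksum %s\n", patched,
           model_is_debugger_present(&img, TEB_BASE),
           checksum_code(&img) == before ? "unchanged" : "CHANGED");
    return 0;
}
```

The model makes the CRC point from the first reply concrete: the edit touches only the PEB page, so a checksum over the code page is identical before and after, while the flag read through FS:[0x30] flips from 1 to 0. Two caveats for anyone reproducing this on a real system: the FS:[0x30] indirection and the byte-2 offset are the 32-bit layout (a 64-bit process reaches its PEB through GS:[0x60]), and clearing BeingDebugged only affects checks that read that byte; it does not change any other debugger-related state a program might inspect.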
- Source - http://www.woodmann.com/forum/archive/index.php/t-5875.html