📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
 Forums >>  IDA Pro  >>  IsDebuggerPresent and other such access violations

Topic created on: August 9, 2005 12:42 CDT by dwarkeeper .

hi,

I am trying to figure out how to disable access violations due to IsDebuggerPresent and other such violations. I am new to this; any help and direction would be helpful.

thanks

  Piotr     August 9, 2005 13:02.53 CDT
Hi,

First of all, I don't know what you mean by the "how to disable access violations due to IsDebuggerPresent" sentence. IsDebuggerPresent is an API function exported by the KERNEL32.DLL library; many people use it to detect a running debugger (well, this will only work with so-called SEH debuggers). Generally this function does the following:

MOV EAX,DWORD PTR FS:[18]        ; eax = TEB
MOV EAX,DWORD PTR DS:[EAX+30]    ; eax = PEB
MOVZX EAX,BYTE PTR DS:[EAX+2]    ; UCHAR BeingDebugged

As you can see, this code only gets the BeingDebugged value from the PEB block. Anyway, if you don't want to write some more complicated software, and you don't like to use SoftICE (it is not an SEH debugger, so the trick will not work) and you are using OllyDbg, I advise you to download the script called HideDebugger (Google should help).

If you have any further question feel free to mail me.

hope this helps,
Piotr Bania


  Darawk     August 9, 2005 18:39.44 CDT
I *believe* he is talking about protection schemes that check the debuggerPresent flag and cause exceptions if a debugger is detected. If you're looking to get around a protection, you'll want to set Olly (I'm assuming you're using Olly; if not, then look up how to do this on your debugger) to pass exceptions to the program. You can do this in the Options -> Debugging Options -> Exceptions menu.
Also, I'd recommend getting the plugin to set/unset the debuggerPresent flag, which is available here http://ollydbg.win32asmcommunity.net/stuph/ along with many other useful goodies.

  anonymouse     August 10, 2005 09:32.06 CDT
Using OllyDbg and want your application to be hidden from the
IsDebuggerPresent() API?
If yes:
when your app is loaded,
hit Alt+F1 and invoke the command line,
type
set byte ptr ds:[fs:[30]+2] = 0
and hit Enter,
and Olly is hidden from the IsDebuggerPresent API.

All it does is change the return value of the API to always be 0. This also works if some coder ripped the code and inserted it inline.

But this is a pretty old trick; nobody uses it as a main weapon.
They resort to deeper ways like
ZwQueryInformationProcess() with info class 7, InfoClass = ProcessDebugPort,
or some of the latest,
CheckRemoteDebuggerPresent(),
etc.



  dwarkeeper   August 10, 2005 16:18.30 CDT
Thanks everyone for the responses. I should have mentioned I am able to successfully use isDebugPresent plugin in ollydbg to hide the request.

I am attempting to learn IDA Pro 4.8, which has a debugger included in its new interface, and wondered if there was a way to do the same in IDA Pro.

In fact, I want to try and learn some basic techniques on using IDA pro both the decompiler part and debugger, any good sources or advice is greatly appreciated.

Thanks again for your responses.


  stevem     August 10, 2005 20:12.54 CDT
There's probably an IDA plug-in to do it, but in case you don't have it, or can't find it, you can use the PatchByte IDC command to change the 3rd byte in the PEB structure to 0.

When a process starts, EBX points to the PEB structure, so if you set a breakpoint at the first instruction, you can then do:

File->IDC Command and enter the Text:
PatchByte(EBX+0x2, 0x0);

hth


  daeken     August 11, 2005 02:03.54 CDT
Not sure if this will help you at all, but I've done a bit of research in removing anti-debugger routines automatically and developed a piece of Python code that can detect and remove many common anti-debugger routines from a binary.  I'm also working on an article for the site on debugger routines and how to work around them, so keep an eye out for that if you're interested.  My work in progress is located at http://www.datarescue.com/cgi-local/ultimatebb.cgi?ubb=get_topic;f=4;t=000320;p=0

Hope you find it interesting,
Cody Brocious.
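As an added illustration (editor's example, not daeken's tool and not code from this thread), here is a small Python scanner that statically locates the inlined BeingDebugged read Piotr quoted, in both of its usual encodings (via the TEB at fs:[18h] or directly via fs:[30h]), and rewrites the final MOVZX to "xor eax,eax" so the check always reads 0, the on-disk equivalent of the ds:[fs:[30]+2]=0 command-line patch. The sample byte image is constructed for the demonstration.

```python
# Classic KERNEL32!IsDebuggerPresent body, as quoted in Piotr's post:
#   64 A1 18 00 00 00   mov   eax, fs:[18h]        ; eax = TEB
#   8B 40 30            mov   eax, [eax+30h]       ; eax = PEB
#   0F B6 40 02         movzx eax, byte ptr [eax+2]; PEB.BeingDebugged
# Inlined copies often skip the TEB hop and read fs:[30h] directly.
# Caveat: only the short "A1 moffs32" encoding is matched; a compiler emitting
# "64 8B 05 ..." for the same instruction would need a third pattern.
PATTERNS = {
    "teb->peb->BeingDebugged": bytes.fromhex("64A118000000" "8B4030" "0FB64002"),
    "fs:[30]->BeingDebugged":  bytes.fromhex("64A130000000" "0FB64002"),
}
# 4-byte replacement for the MOVZX: xor eax,eax ; nop ; nop  (same length,
# so nothing after it shifts and EAX is 0 just as if BeingDebugged were 0).
NEUTRALISED_TAIL = bytes.fromhex("33C0" "9090")

# Constructed sample: prologue, a TEB-route check, a test/jz, padding,
# a direct fs:[30h] check, and a ret.
SAMPLE_IMAGE = (
    bytes.fromhex("558BEC")                      # push ebp ; mov ebp,esp
    + PATTERNS["teb->peb->BeingDebugged"]        # offset 3..16
    + bytes.fromhex("85C07405")                  # test eax,eax ; jz +5
    + b"\x90" * 8                                # padding
    + PATTERNS["fs:[30]->BeingDebugged"]         # offset 28..38
    + bytes.fromhex("C3")                        # ret
)


def find_inline_checks(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, pattern name) for every inlined BeingDebugged read."""
    hits = []
    for name, pat in PATTERNS.items():
        pos = image.find(pat)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(pat, pos + 1)
    return sorted(hits)


def neutralise(image: bytes) -> tuple[bytes, int]:
    """Patch every hit so the check yields 0; returns (new image, hit count)."""
    buf = bytearray(image)
    hits = find_inline_checks(image)
    for off, name in hits:
        tail = off + len(PATTERNS[name]) - 4     # start of the MOVZX
        buf[tail:tail + 4] = NEUTRALISED_TAIL
    return bytes(buf), len(hits)


if __name__ == "__main__":
    for off, name in find_inline_checks(SAMPLE_IMAGE):
        print(f"inline debugger check ({name}) at offset {off:#x}")
```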

  dwarkeeper   August 12, 2005 11:53.31 CDT
Thanks, that was exactly what I was looking for.

