IsDebuggerPresent Bypass

There are many ways to do it. Here is a tutorial on how to get around IsDebuggerPresent by simply patching the function so that it always returns 0.

1) locate IsDebuggerPresent

In my situation, it is at 7664EFF7 and consists of only three instructions + one RET. It reads the thread block (whose address is at FS:18), then locates the byte that says “I am being debugged” and returns it. The return value is stored in EAX (as for most WINAPI functions). If I modify the function so that at the end it has EAX = 0, I will have successfully bypassed IsDebuggerPresent.

2) patch it

Note that I also filled the rest of the function with NOPs to avoid changing its size. This is probably not necessary; you could also just do MOV EAX, 0 followed by RETN.

Also, you should know that the modification is only valid for one run of the program. When you restart it, it will load a fresh copy of kernel32.dll (where IsDebuggerPresent is located) with the original function, and you will have to apply the patch again. If you want to make the patch permanent, you need to modify the launching binary and modify/remove the call to this function. Before you do that, you also need to make sure that the binary doesn’t check itself for modifications.

Other options:

Runtime patching:

  • Set EAX to zero after IsDebuggerPresent has been called
  • Modify the PEB itself by injecting this code:
    mov eax,dword ptr fs:[18]
    mov eax,dword ptr ds:[eax+30]
    mov byte ptr ds:[eax+2],0

    This will patch the BeingDebugged flag in the PEB, ensuring IsDebuggerPresent always returns 0.

  • You can use a plugin like idastealth

Permanent Patching:

  • You can fill the call to IsDebuggerPresent with NOPs or something similar to skip the check
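As an added, defender-side example (not part of the original post): a small Python scanner that flags the instruction sequences above in raw 32-bit code, both the PEB read that IsDebuggerPresent performs (malware often inlines this walk instead of importing the API) and the PEB write shown under runtime patching. The byte encodings are standard x86; the direct fs:[30h] load is an extra variant beyond the post, and the sample buffer is constructed.

```python
"""Find inline accesses to PEB.BeingDebugged in raw x86 (32-bit) code.

Added example, not code from the original post. The TEB sits at fs:[0];
TEB+0x30 holds the PEB pointer and PEB+0x2 is the BeingDebugged byte that
IsDebuggerPresent returns in EAX.
"""
import re

# Ways to get the PEB pointer into EAX.
PEB_WALKS = [
    b"\x64\xA1\x18\x00\x00\x00\x8B\x40\x30",  # mov eax,fs:[18h]; mov eax,[eax+30h]
    b"\x64\xA1\x30\x00\x00\x00",              # mov eax,fs:[30h]  (direct, assumed variant)
]

# What is then done with PEB+2 (BeingDebugged).
FLAG_ACCESS = {
    b"\x0F\xB6\x40\x02": "read",   # movzx eax, byte ptr [eax+2]  (IsDebuggerPresent body)
    b"\x8A\x40\x02": "read",       # mov al, byte ptr [eax+2]
    b"\xC6\x40\x02\x00": "clear",  # mov byte ptr [eax+2], 0      (the runtime patch above)
}

_RE = re.compile(
    b"(?:" + b"|".join(map(re.escape, PEB_WALKS)) + b")"
    + b"(" + b"|".join(map(re.escape, FLAG_ACCESS)) + b")"
)


def find_beingdebugged_access(code: bytes) -> list:
    """Return (offset, kind) for every PEB walk followed by a BeingDebugged access."""
    return [(m.start(), FLAG_ACCESS[m.group(1)]) for m in _RE.finditer(code)]


# Constructed sample: a function prologue, an IsDebuggerPresent-style body,
# some NOP padding, then the PEB-clearing patch from the post.
SAMPLE = (
    b"\x55\x8B\xEC"                                 # push ebp; mov ebp, esp
    + PEB_WALKS[0] + b"\x0F\xB6\x40\x02" + b"\xC3"  # walk; movzx; ret
    + b"\x90" * 4                                   # nop x4
    + PEB_WALKS[0] + b"\xC6\x40\x02\x00"            # walk; mov byte [eax+2], 0
)

if __name__ == "__main__":
    for offset, kind in find_beingdebugged_access(SAMPLE):
        print(f"offset 0x{offset:04x}: BeingDebugged {kind}")
```

Run it over a dumped code section rather than the whole file; relocations or a different register choice (e.g. ECX instead of EAX) will need additional encodings.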
