 
      
Quite often IDA users ask for a plugin or feature to hide the debugger
from the application. In fact there are many anti-debugging tricks and
each of them requires an appropriate reaction from the debugger. Let’s
start with something simple: we will make the IsDebuggerPresent
function call always return zero.
 
When the debugger is active, we will go to the disassembly of the
IsDebuggerPresent function. We will use the ‘go to the specified
address’ command for that. Unfortunately, the current version of IDA
does not display imported names in the name list, so we will need to
type the function name into the input field manually:
 
 Please note how we form the address: the
 dll name followed by an underscore followed by the function name. We
 put a breakpoint at the end of the function so we will have a chance
 to intercept the execution and modify the result:
 
Since we don’t want to suspend the program and modify the result
manually each time IsDebuggerPresent is called, we will automate it.
We will use breakpoint conditions. The breakpoint condition field
can be used to determine whether a breakpoint should be triggered or
not. The condition is an IDC expression. If the expression evaluates
to zero, the breakpoint will not fire. Since IDA evaluates the
expression in order to determine its value, we can use it for the side
effects, like modifying register values, memory, or anything else you
can think of. We modify the breakpoint attributes in the following way
(right click, Edit breakpoint):
 
We specified the condition as “EAX=0”. It is not a comparison, it is an
assignment. When IDA evaluates it, EAX will become zero as a side
effect, exactly what we want it to be. We also have to clear the
‘break’ attribute since we don’t want to suspend the application.
With a breakpoint defined like this, our debugger is immune to
the IsDebuggerPresent call. It may sound too simple and you may ask
“what about not-so-childish anti-debugging tricks?” Hold on, we will
develop this topic more.
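
The same breakpoint can be installed from a script instead of the Edit breakpoint dialog. The IDC function below is an added example, not code from the original post; it assumes a 32-bit target, that the export lives in kernel32 (so the name is kernel32_IsDebuggerPresent), that the debugger is active so the name resolves, and it uses the current IDC function names. The function name hide_IsDebuggerPresent is made up for this example.

```idc
#include <idc.idc>

// Added example: place a non-stopping breakpoint with the condition
// "EAX=0" on the final instruction of IsDebuggerPresent.
static hide_IsDebuggerPresent()
{
  auto start, end, ea, flags;

  // Address form described above: dll name, underscore, function name.
  // "kernel32" is an assumption of this example.
  start = get_name_ea_simple("kernel32_IsDebuggerPresent");
  if ( start == BADADDR )
  {
    msg("kernel32_IsDebuggerPresent not found (is the debugger active?)\n");
    return 0;
  }

  // find_func_end() gives the address just past the function;
  // prev_head() steps back to its last instruction.
  end = find_func_end(start);
  if ( end == BADADDR )
  {
    msg("Cannot determine the end of the function at %a\n", start);
    return 0;
  }
  ea = prev_head(end, start);

  // Refuse to guess: the breakpoint must sit on the return instruction,
  // after the function has already put its result into EAX.
  if ( ea == BADADDR || strstr(print_insn_mnem(ea), "ret") != 0 )
  {
    msg("Last instruction is not a return; set the breakpoint by hand\n");
    return 0;
  }

  // Create the breakpoint unless one is already defined at this address.
  if ( get_bpt_attr(ea, BPTATTR_EA) == -1 && !add_bpt(ea) )
  {
    msg("Cannot add a breakpoint at %a\n", ea);
    return 0;
  }

  // The condition is an assignment, evaluated for its side effect.
  set_bpt_cond(ea, "EAX=0");

  // Clear the 'break' attribute so the application is not suspended.
  flags = get_bpt_attr(ea, BPTATTR_FLAGS);
  set_bpt_attr(ea, BPTATTR_FLAGS, flags & ~BPT_BRK);

  msg("IsDebuggerPresent result is now forced to zero at %a\n", ea);
  return 1;
}
```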