# CheckRemoteDebuggerPresent

## About CheckRemoteDebuggerPresent
The CheckRemoteDebuggerPresent() function of kernel32 is used to determine whether the specified process is being debugged. "Remote" here means a different process on the same machine, not a process on another host.

```c
BOOL WINAPI CheckRemoteDebuggerPresent(
    _In_    HANDLE hProcess,
    _Inout_ PBOOL  pbDebuggerPresent
);
```
If a debugger is present (the function is usually called with the handle of the current process, i.e. to detect whether the caller itself is being debugged), the function sets the value pointed to by pbDebuggerPresent to 0xffffffff.

## Detection code
A 32-bit environment can be detected with the following 32-bit code:

```asm
push eax                        ; reserve a DWORD on the stack for the BOOL result
push esp                        ; pbDebuggerPresent: address of that slot
push -1                         ; hProcess: GetCurrentProcess() pseudo-handle (-1)
call CheckRemoteDebuggerPresent ; stdcall: the callee removes both arguments
pop eax                         ; fetch the BOOL written by the function
test eax, eax
jne being_debugged              ; nonzero => a debugger is attached
```
Or the following 64-bit code to detect 64-bit environments:

```asm
enter 20h, 0                    ; push rbp, rbp = rsp, then reserve the 32-byte shadow space
mov rdx, rbp                    ; pbDebuggerPresent: the saved-rbp slot doubles as the BOOL (a full 64-bit pointer is required)
or rcx, -1                      ; hProcess: GetCurrentProcess() pseudo-handle (-1)
call CheckRemoteDebuggerPresent
leave                           ; rbp is restored from the slot, whose low DWORD now holds the BOOL
test ebp, ebp                   ; assumes the low DWORD of the saved rbp was zero, otherwise the test is unreliable
jne being_debugged              ; nonzero => a debugger is attached
```
## How to bypass

For example, consider the following code:

```cpp
#include <windows.h>
#include <iostream>
#include <cstdlib>

int main(int argc, char *argv[])
{
    BOOL isDebuggerPresent = FALSE;
    // The return value reports whether the query succeeded; the answer itself lands in isDebuggerPresent.
    if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &isDebuggerPresent))
    {
        if (isDebuggerPresent)
        {
            std::cout << "Stop debugging program!" << std::endl;
            exit(-1);
        }
    }
    return 0;
}
```
We can bypass this by directly modifying the value of isDebuggerPresent in the debugger, or by patching the jump condition. Note that the value being tested is isDebuggerPresent, not the return value of CheckRemoteDebuggerPresent: the return value only indicates whether the call itself executed correctly.

If instead you want to patch the CheckRemoteDebuggerPresent API itself, you first need to know that CheckRemoteDebuggerPresent is implemented internally by calling NtQueryInformationProcess, so it is the data returned by NtQueryInformationProcess that has to be modified. This is covered in the [NtQueryInformationProcess](./ntqueryinformationprocess/index.html) section.
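An added example (not code from the original page) that uses the same API from the monitoring side rather than from inside the protected program: it asks whether an arbitrary process on the machine is being debugged and, as noted above, treats a FALSE return value as "could not query" rather than "not debugged". The DbgCheck type and the Test-ProcessDebugged function are names assumed for this example; it must run on Windows with enough rights to open the target processes.

```powershell
# Added example, not from the original page. DbgCheck and Test-ProcessDebugged are made-up names.
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class DbgCheck {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    // BOOL CheckRemoteDebuggerPresent(HANDLE hProcess, PBOOL pbDebuggerPresent)
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool pbDebuggerPresent);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $signature

function Test-ProcessDebugged {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400   # access right required by CheckRemoteDebuggerPresent
    $h = [DbgCheck]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ ProcessId = $ProcessId; Debugged = $null; Error = "OpenProcess failed, Win32 error $err" }
    }
    try {
        $present = $false
        # The return value only says whether the query itself succeeded; the answer is in $present.
        $ok = [DbgCheck]::CheckRemoteDebuggerPresent($h, [ref]$present)
        if (-not $ok) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            return [pscustomobject]@{ ProcessId = $ProcessId; Debugged = $null; Error = "CheckRemoteDebuggerPresent failed, Win32 error $err" }
        }
        return [pscustomobject]@{ ProcessId = $ProcessId; Debugged = $present; Error = $null }
    }
    finally {
        [void][DbgCheck]::CloseHandle($h)
    }
}

# List every process that currently has a debugger attached; processes that could not be
# queried keep Debugged = $null and carry the reason in Error instead of being reported as clean.
$results = Get-Process | ForEach-Object { Test-ProcessDebugged -ProcessId $_.Id }
$results | Where-Object { $_.Debugged -eq $true } | Format-Table ProcessId, Debugged, Error
```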
All content on this page is provided under the terms of the CC BY-NC-SA 4.0 license; additional terms may also apply.