May 22, 2011

Bypass IsDebuggerPresent API

In this post I will explain how to bypass the IsDebuggerPresent API, a common anti-debugging check used by much malware. IsDebuggerPresent does nothing more than return the BeingDebugged byte of the Process Environment Block (PEB), so a non-zero return value tells the program that a user-mode debugger is attached.

parcela0405.pdf.exe is the sample I have used for this example.

I loaded the file in OllyDbg and stepped through it until I found something interesting. The file looks like a compiled AutoIt script, because it searches for AutoIt-related registry keys. You can see that below,

After stepping through several calls I reached the call to the IsDebuggerPresent API at address 0040D6F1,

First, let's see what happens if we let the IsDebuggerPresent call execute normally,

Because OllyDbg is attached, the API returns 1 (EAX = 00000001), so the conditional jump to address 00431A9D is taken and a message box is displayed. The process terminates once you click OK.

To avoid this, press F7 in OllyDbg to step into the call at address 0040D6F1 (IsDebuggerPresent) and you will see something like what is shown below: the body of the API is only a few instructions that load the TEB from FS:[18], follow it to the PEB at offset 30, and move the BeingDebugged byte at PEB+2 into EAX,

Continue pressing F7 until you reach the RETN instruction. Now double-click the EAX register in the Registers pane and change its value from 00000001 to 00000000,

Press F7 twice. That's it, you have bypassed the IsDebuggerPresent check and the jump to 00431A9D is no longer taken,

Now you can continue debugging the file without interruption. Keep in mind that this edits a single return value: if the sample calls IsDebuggerPresent again you have to repeat it, whereas zeroing the BeingDebugged byte in the PEB once makes every later call return 0. Thanks :=)
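The logic behind the steps above, as an added example that is not part of the original post: a small C model of what IsDebuggerPresent does (return the BeingDebugged byte at offset 2 of the PEB) and of the two ways to defeat it, the one-shot EAX edit performed above and a persistent zeroing of the PEB flag. The struct peb_head is a constructed stand-in for the first bytes of the real PEB so that the program also runs off Windows; when compiled on Windows it reads the real PEB of the process through NtCurrentTeb(). The function names, the three-check loop and the "debugger attached" value in the model are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for the start of the Process Environment Block (PEB).
 * Field order and offsets match the documented layout in winternl.h;
 * IsDebuggerPresent() returns the byte at offset 2.  On 32-bit Windows the
 * API reaches it as FS:[18h] -> TEB, TEB+30h -> PEB, PEB+2 -> BeingDebugged.
 */
struct peb_head {
    uint8_t inherited_address_space;        /* PEB+0 */
    uint8_t read_image_file_exec_options;   /* PEB+1 */
    uint8_t being_debugged;                 /* PEB+2: what IsDebuggerPresent reads */
    uint8_t bit_field;                      /* PEB+3 */
};

/* Same logic as kernel32!IsDebuggerPresent: MOVZX EAX, BYTE PTR [PEB+2]; RETN */
int is_debugger_present(const struct peb_head *peb)
{
    return peb->being_debugged;
}

/* Persistent bypass: zero PEB.BeingDebugged so every later call returns 0. */
void clear_being_debugged(struct peb_head *peb)
{
    peb->being_debugged = 0;
}

enum bypass { BYPASS_NONE = 0, BYPASS_EAX_ONCE = 1, BYPASS_PEB = 2 };

/*
 * Model of the sample's anti-debug logic: call IsDebuggerPresent `checks`
 * times and take the "debugger found" branch (message box + exit in the
 * sample) whenever EAX != 0.  Returns how many of the checks fired.
 *
 * BYPASS_EAX_ONCE reproduces the post's method: EAX is forced to 0 at the
 * RETN of the first call only, exactly as editing the register in OllyDbg
 * does.  BYPASS_PEB zeroes the flag in the PEB before the first check.
 */
int run_antidebug_checks(struct peb_head *peb, int checks, enum bypass mode)
{
    int fired = 0;
    if (mode == BYPASS_PEB)
        clear_being_debugged(peb);
    for (int i = 0; i < checks; i++) {
        int eax = is_debugger_present(peb);
        if (mode == BYPASS_EAX_ONCE && i == 0)
            eax = 0;                      /* the one-time register edit */
        if (eax != 0)
            fired++;                      /* the jump to 00431A9D would be taken */
    }
    return fired;
}

/* Constructed PEB with BeingDebugged = 1 ("OllyDbg attached"), three checks. */
int demo_checks(enum bypass mode)
{
    struct peb_head model = { 0, 0, 1, 0 };
    return run_antidebug_checks(&model, 3, mode);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* On Windows, point at the real PEB of this process instead of the model. */
static struct peb_head *live_peb(void)
{
    return (struct peb_head *)NtCurrentTeb()->ProcessEnvironmentBlock;
}
#endif

int main(void)
{
    struct peb_head model = { 0, 0, 1, 0 };   /* constructed: debugger attached */
    struct peb_head *peb = &model;
#ifdef _WIN32
    peb = live_peb();                          /* real flag: 1 under a debugger, else 0 */
#endif
    printf("IsDebuggerPresent() = %d\n", is_debugger_present(peb));
    printf("no bypass:        %d of 3 checks fire\n", demo_checks(BYPASS_NONE));
    printf("EAX=0 once:       %d of 3 checks fire\n", demo_checks(BYPASS_EAX_ONCE));
    printf("PEB flag cleared: %d of 3 checks fire\n", demo_checks(BYPASS_PEB));
    return 0;
}
```

Run on Windows under a debugger, the first line prints 1. The three counts make the caveat concrete: editing EAX defeats only the call where it was done (2 of 3 checks still fire), while clearing PEB.BeingDebugged defeats every call, including samples that read the PEB byte directly instead of calling the API.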


6 comments:

  1. It was good. And can you show how this file can be patched?
    Are there any other techniques other than the EAX bit conversion?

  2. Excellent one Shiva. Also we are expecting VM theft malware.

  3. @Gokul Thank you. Yeah, sure, I will definitely post an article about patching files. I hope it will answer your second question as well.

  4. @Karuna Thanks... Will do it for you if I come across any sample with VMProtect.

  5. Hi, how about VMware or VirtualBox detection, does this malware call the same IsDebuggerPresent API for that too?

  6. Please post the MD5 of the file; otherwise, how are people going to find it?
