
IsDebuggerPresentEx

This project was created to check whether a debugger is attached to the running process. This is done by reading the BeingDebugged flag from the PEB; the "tricky part" is that the read is performed after jumping from 32-bit to 64-bit mode using Heaven's Gate.

The idea behind the project is nothing new, and in the source code you will find references to the external projects it is based on. It is very simple: if it detects a debugger, the process exits with code 1. If no debugger is detected, it exits with code 0.

Test case

In the following image you can see an example of execution of the program and its resulting exit code set to 0.

If you run the program under a debugger (in this case x64dbg) and set a breakpoint on ExitProcess, you can see that the first argument (the exit code) is set to 1, which means that the debugger was detected:

Ok, nothing new so far: achieving this result does not require switching to x64 mode. Now, let's try to set the BeingDebugged flag in the PEB to 0. This can be easily achieved in x64dbg with the following command:

byte:[peb()+2]=0

The result of the execution is visible in the following image:

Now, in theory, the exit code should be 0, but if you run the code until the breakpoint you will see that the exit code is still 1 (surprise!). The command above only patches the 32-bit PEB, while the program reads the flag from the 64-bit PEB, which was left untouched.

Build the code

The project is written in Assembly with Visual Studio 2017, and it compiles for both x64 and x86. To create the final program I first compiled it for x64, then dumped the resulting binary code and copied it, as raw data, into the x86 code.

A pre-compiled binary can be found here

Conclusion

This toy project may cause some problems if you don't know the theory behind it. Anyway, even if you don't want to mess around with patching and stuff like that, x64dbg offers a very handy option to bypass the check (it is your duty to find it :P).

Updates

As pointed out in this comment, it is not strictly necessary to execute code in x64 to access the PEB64: you can access it directly from x86 code.

Just to make it clearer that this technique is nothing new, here is a link to the Al-Khaser project, which performs this exact check to verify whether a debugger is attached.
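The following C program is an added example, not the project's own code (which is assembly) and not taken from Al-Khaser. It shows the "surprise" from the test case above together with the shortcut described in the update: the check reads the BeingDebugged byte from both the 32-bit and the 64-bit PEB directly from x86 code, so clearing only one copy of the flag (as `byte:[peb()+2]=0` does) still yields exit code 1. The decision logic is separated from the Windows-specific lookup so it can be run anywhere on constructed PEB images. Assumptions: the PEB32 pointer is read from fs:[0x30] with the MSVC intrinsic `__readfsdword`, and the PEB64 is taken to sit 0x1000 bytes after the PEB32 inside a WoW64 process (the delta used by Al-Khaser; it is not a documented interface). The function names `peb_debugger_exit_code`, `peb_flags_inconsistent`, `locate_peb32` and `locate_peb64` are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* BeingDebugged is the byte at offset 2 of both PEB32 and PEB64 (winternl.h PEB layout). */
#define PEB_BEING_DEBUGGED 2
/* Assumption: inside a WoW64 process the 64-bit PEB lives 0x1000 bytes after the 32-bit one
   (the delta Al-Khaser uses); this is not guaranteed by any documented interface. */
#define WOW64_PEB64_DELTA 0x1000

/* Decision logic kept free of Windows calls so it can be exercised on constructed PEB images.
   Returns the exit code the README describes: 1 if either PEB says "debugged", else 0. */
int peb_debugger_exit_code(const uint8_t *peb32, const uint8_t *peb64)
{
    int flag32 = (peb32 != NULL) && peb32[PEB_BEING_DEBUGGED] != 0;
    int flag64 = (peb64 != NULL) && peb64[PEB_BEING_DEBUGGED] != 0;
    return (flag32 || flag64) ? 1 : 0;
}

/* Returns 1 when the two PEBs disagree, i.e. one copy of the flag was patched and the other
   was not; a debugger session that only clears PEB32 produces exactly this state. */
int peb_flags_inconsistent(const uint8_t *peb32, const uint8_t *peb64)
{
    if (peb32 == NULL || peb64 == NULL)
        return 0;
    return (peb32[PEB_BEING_DEBUGGED] != 0) != (peb64[PEB_BEING_DEBUGGED] != 0);
}

#if defined(_MSC_VER) && defined(_M_IX86)
#include <windows.h>
#include <intrin.h>

/* The PEB32 pointer sits at fs:[0x30] in the 32-bit TEB. */
static const uint8_t *locate_peb32(void)
{
    return (const uint8_t *)(uintptr_t)__readfsdword(0x30);
}

/* PEB64 is only present when the process runs under WoW64; otherwise return NULL so the
   check silently falls back to PEB32 alone. */
static const uint8_t *locate_peb64(const uint8_t *peb32)
{
    BOOL wow64 = FALSE;
    if (!IsWow64Process(GetCurrentProcess(), &wow64) || !wow64)
        return NULL;
    return peb32 + WOW64_PEB64_DELTA; /* assumed delta, see above */
}
#endif

int main(void)
{
#if defined(_MSC_VER) && defined(_M_IX86)
    const uint8_t *peb32 = locate_peb32();
    const uint8_t *peb64 = locate_peb64(peb32);
    if (peb_flags_inconsistent(peb32, peb64))
        printf("PEB32 and PEB64 disagree: only one copy of BeingDebugged was patched\n");
    return peb_debugger_exit_code(peb32, peb64); /* 1 = debugger detected, as in the README */
#else
    /* Constructed PEB images (not real process memory) reproducing the README's experiment:
       PEB32 has been cleared by the debugger, PEB64 still carries the flag. */
    uint8_t peb32[0x10] = {0};
    uint8_t peb64[0x10] = {0};
    peb64[PEB_BEING_DEBUGGED] = 1;
    printf("exit code would be %d, inconsistent=%d\n",
           peb_debugger_exit_code(peb32, peb64), peb_flags_inconsistent(peb32, peb64));
    return 0;
#endif
}
```

Built with MSVC as a 32-bit executable and run under WoW64, the program behaves like the README's binary: patching `byte:[peb()+2]` alone leaves PEB64 untouched and the exit code stays 1, and the `peb_flags_inconsistent` message tells an analyst why. Built with any other compiler it exercises the same logic on the constructed images.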

References

[1] PEB - https://docs.microsoft.com/en-us/windows/desktop/api/winternl/ns-winternl-_peb

[2] WoW64_call.cpp - https://gist.github.com/Cr4sh/76b66b612a5d1dc2c614

[3] Heaven's Gate: 64-bit code in 32-bit file - https://download.adamas.ai/dlbase/Stuff/VX%20Heavens%20Library/vrg16.html