Hex Rays Blog —  State of the art code analysis

Simple trick to hide IDA debugger

Quite often IDA users ask for a plugin or feature to hide the debugger from the application. In fact there are many anti-debugging tricks, and each of them requires an appropriate reaction from the debugger. Let’s start with something simple: we will make the IsDebuggerPresent function call always return zero.

When the debugger is active, we will go to the disassembly of the IsDebuggerPresent function. We will use the ‘go to the specified address’ command for that. Unfortunately, the current version of IDA does not display imported names in the name list, so we will need to type the function name into the input field manually. Please note how we form the address: the dll name, followed by an underscore, followed by the function name.

We put a breakpoint at the end of the function so we will have a chance to intercept the execution and modify the result.

Since we don’t want to suspend the program and modify the result manually each time IsDebuggerPresent is called, we will automate it. We will use breakpoint conditions. The breakpoint condition field can be used to determine whether a breakpoint should be triggered or not. The condition is an IDC expression; if the expression evaluates to zero, the breakpoint will not fire. Since IDA evaluates the expression in order to determine its value, we can use it for its side effects, like modifying register values, memory, or anything else you can think of.

We modify the breakpoint attributes the following way (right click, Edit breakpoint). We specified the condition as “EAX=0”. It is not a comparison, it is an assignment: when IDA evaluates it, EAX will become zero as a side effect, exactly what we want it to be. We also have to clear the ‘break’ attribute since we don’t want to suspend the application. With a breakpoint defined like this, our debugger is immune against the IsDebuggerPresent call.
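The same breakpoint can be set up from a script instead of through the dialog. The IDC script below is an added example, not code from the original post; it assumes a 32-bit Windows target already running under the IDA debugger, the IDC function names of recent IDA releases (get_name_ea_simple, find_func_end, prev_head, add_bpt, set_bpt_cond, set_bpt_attr, get_bpt_attr), and the helper name hide_from_isdebuggerpresent, which is hypothetical.

```idc
#include <idc.idc>

// Added example, not from the original post. Assumes a 32-bit target
// (it writes EAX) and the IDC names of recent IDA releases; older
// releases spell them LocByName, FindFuncEnd, PrevHead, AddBpt,
// SetBptCnd, SetBptAttr, GetBptAttr.
static hide_from_isdebuggerpresent()
{
  auto func_ea, end_ea, ret_ea, flags;

  // Same naming scheme as in the post: dll name, underscore, function name.
  func_ea = get_name_ea_simple("kernel32_IsDebuggerPresent");
  if (func_ea == BADADDR)
  {
    msg("kernel32_IsDebuggerPresent not found: start the debugger first\n");
    return 0;
  }

  // The last instruction of the function is the RET where the result is final.
  end_ea = find_func_end(func_ea);
  if (end_ea == BADADDR)
  {
    msg("could not locate the end of IsDebuggerPresent\n");
    return 0;
  }
  ret_ea = prev_head(end_ea, func_ea);

  // Equivalent to placing the breakpoint by hand on the RET.
  if (!add_bpt(ret_ea, 0, BPT_DEFAULT))
  {
    msg("add_bpt failed at %x\n", ret_ea);
    return 0;
  }

  // Assignment, not comparison: evaluating it zeroes EAX, and since the
  // expression's value is 0 the breakpoint would not fire anyway.
  set_bpt_cond(ret_ea, "EAX=0");

  // Clear the 'break' flag so the process is never suspended here, but
  // keep the breakpoint enabled so IDA still evaluates the condition.
  flags = get_bpt_attr(ret_ea, BPTATTR_FLAGS);
  flags = (flags & ~BPT_BRK) | BPT_ENABLED;
  set_bpt_attr(ret_ea, BPTATTR_FLAGS, flags);

  msg("IsDebuggerPresent now returns 0 (breakpoint at %x)\n", ret_ea);
  return 1;
}

static main()
{
  hide_from_isdebuggerpresent();
}
```

Run it with File, Script file while the process is suspended; the resulting breakpoint is visible in the breakpoint list with the condition and flags the post describes.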
It may sound too simple and you may ask “what about not-so-childish anti-debugging tricks?” Hold on, we will develop this topic more.