Checkremotedebuggerpresent
About CheckRemoteDebuggerPresent¶
The CheckRemoteDebuggerPresent() function of kernel32 is used to detect if the specified process is being debugged. Remote refers to a different process in the same machine.
BOOL WINAPI CheckRemoteDebuggerPresent( _In_ HANDLE hProcess, _Inout_ PBOOL pbDebuggerPresent );
If the debugger exists (usually to detect if it is being debugged), the function will set the value pointed to by pbDebuggerPresent to 0xffffffff.
Detection code¶
The 32-bit environment can be detected with the following 32-bit code
`asm
push eax
push esp
push -1 ;GetCurrentProcess()
call CheckRemoteDebuggerPresent
pop eax
test eax, eax
jne being_debugged
Or 64-bit code to detect 64-bit environments `` `asm enter 20h, 0 mov edx, ebp or rcx, -1 ;GetCurrentProcess() call CheckRemoteDebuggerPresent leave test ebp, ebp jne being_debugged
How to bypass¶
For example, there is the following code
int main(int argc, char *argv[]) { BOOL isDebuggerPresent = FALSE; if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &isDebuggerPresent )) { if (isDebuggerPresent ) { std::cout << "Stop debugging program!" << std::endl; exit(-1); } } return 0; }
We can directly modify the value of isDebuggerPresent or modify the jump condition to bypass (note that izhi is not CheckRemoteDebuggerPresent, its return value is used to indicate whether the function is executed correctly).
But if you want to modify the api function of CheckRemoteDebuggerPresent. First of all, you need to know that CheckRemoteDebuggerPresent internally does the function by calling NtQueryInformationProcess. And we need to modify the return value of NtQueryInformationProcess. We will be [NtQueryInformationProcess] (./ntqueryinformationprocess/index.html) for introduction.