如何通过OllyDbg绕过IsDebuggerPresent? [英] How do I bypass IsDebuggerPresent with OllyDbg?

问题描述

我不太了解如何避开IsDebuggerPresent.我想我应该找到用于调试的寄存器，然后将其设置为0来欺骗IsDebuggerPresent，但是我不知道该怎么做.我曾尝试在Google周围搜索，甚至尝试了一些解决方案，但对我而言确实没有用.有人可以告诉我这应该如何工作以及如何绕过它吗?

I don't really understand how to get around IsDebuggerPresent. I think I am supposed to find the registers used for debugging and then set it to 0 to trick IsDebuggerPresent, but I don't know how to do that. I tried searching around Google, and even tried a few solutions but it didn't really work for me. Could someone please explain to me how this should work and how I can bypass this?

推荐答案

有很多方法可以做到这一点.如您所说，可以修补程序的线程块.这是一个教程，介绍如何通过简单地修补此函数使其始终返回0来解决IsDebuggerPresent问题.

There are many ways to do it. As you said, it's possible to patch the program's thread block. Here is a tutorial, how to get around IsDebuggerPresent, by simply patching this function so it always returns 0.

1)找到IsDebuggerPresent

1) locate IsDebuggerPresent

在我的情况下，它是7664EFF7，仅包含三个指令和一个RET.它读取线程块(地址为FS:18)，然后找到显示我正在调试"的字节并返回它.返回值存储在EAX中(与大多数WINAPI函数一样).如果我修改该函数，以便最后它的EAX = 0，则我将成功绕过IsDebuggerPresent.

In my situation, it is at 7664EFF7, and consist of only three instructions + one RET. It reads the thread block (address is at FS:18), and then locates the byte that says "i am being debugged" and returns it. The returns value is stored in EAX (as for most WINAPI functions). If I modify the function so that at the end it will have EAX = 0, I will have successfully bypassed IsDebuggerPresent.

2)修补

现在最简单的方法是简单地使函数先执行MOV EAX, 0指令，然后执行RETN:

Now the easiest way to do it is to simply make the function simply do a MOV EAX, 0 instruction and then a RETN:

请注意，我还用NOP填充了该函数的其余部分，以避免更改其大小.可能没有必要，您也可以先执行MOV EAX, 0然后执行RETN.

Note that I also filled the rest of the function with NOPs to avoid changing the size of it. It probably is not necessary, you could also just do MOV EAX, 0 and then just RETN.

您还应该知道，修改仅对程序的一次运行有效.重新启动它时，它将使用原始功能加载kernel32.dll(位于IsDebuggerPresent所在的位置)的新副本，并且您将不得不再次应用该修补程序.如果要使补丁永久保留，则需要修改启动二进制文件并修改/删除对该功能的 call .但是在执行此操作之前，您还需要确保二进制文件不会检查自身是否有修改.

Also you should know, that the modification is only valid for one run of the program. When you restart it, it will load a new copy of kernel32.dll (where IsDebuggerPresent is located) with the original function, and you will have to apply the patch again. If you want to make the patch permanent, you need to modify the launching binary and modify/remove the call to this function. But before you do that you also need to make sure that the binary doesn't check itself for modifications.

这篇关于如何通过OllyDbg绕过IsDebuggerPresent?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！