This post is part of the series of Practical Malware Analysis Exercises.
The program checks for flags linked to the Process Environment Block (PEB) that indicate debugging: BeingDebugged, ForceFlags (XP), and NtGlobalFlags.
The anti-debugging code starts in function 403530, at 403540. Local variables are initialized, and then the flags BeingDebugged (PEB+02h), ForceFlag (ProcessHeap+10h, XP offset), and NtGlobalFlag (PEB+68h) are checked.
When an anti-debugging technique succeeds, the program tries to delete itself from disk and terminate.
To get around the anti-debugging flag checks, change the flags in memory during runtime.
If PEB is located at 7FFDA000, then set the following memory addresses:
7FFDA002: BeingDebugged =00
7FFDA068: NtGlobalFlags =00
00140010: ForceFlags =00 00 00 00
Patching is also an option.
Find the memory address of PEB, view the address in the dump window, and fill the offset bytes with zeros.
Once the anti-debugging measures were found, a breakpoint was set on the first one to determine the address. After the instruction MOV EAX, DWORD PTR FS:[30], the EAX register was set to 7FFDA000, the address of the PEB. The offset PEB+02h (7FFDA002) contained the BeingDebugged flag byte. Displaying this address in the dump showed what was expected: the BeingDebugged flag set. This was zeroed out with a binary edit.
The same was done for NtGlobalFlag at PEB+68h (7FFDA068) and ForceFlags at ProcessHeap+10h (00140010).
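The three checks and the matching zero-byte patch, worked as an added example that is not part of the original post: it reads ProcessHeap from the PEB instead of assuming it, so the same routine yields the addresses above for any PEB base. The Memory class, function names and the debugger-indicating bit masks are this example's own assumptions (the post only says the flags are "set"); the 32-bit PEB/XP heap offsets are the ones the post uses.

```python
import struct
# 32-bit layouts the post relies on: PEB fields and the XP-era _HEAP.ForceFlags offset.
PEB_BEING_DEBUGGED = 0x02  # BYTE  at PEB+02h
PEB_PROCESS_HEAP = 0x18    # DWORD at PEB+18h: pointer to the default heap (_HEAP)
PEB_NT_GLOBAL_FLAG = 0x68  # DWORD at PEB+68h
HEAP_FORCE_FLAGS = 0x10    # DWORD at _HEAP+10h on Windows XP (0x44 from Vista onward)
# Assumption: the documented heap-debugging bits a debugger-created process carries stand in for the sample's compare.
NTGLOBALFLAG_DEBUG_BITS = 0x70      # FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS
FORCEFLAGS_DEBUG_BITS = 0x40000060  # HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED

class Memory:  # sparse 32-bit address space {base: bytearray}, standing in for the debugger's dump window
    def __init__(self, regions):
        self.regions = {base: bytearray(data) for base, data in regions.items()}
    def _locate(self, addr, size):
        for base, buf in self.regions.items():
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped address {addr:08X}")
    def read(self, addr, size):  # little-endian integer of `size` bytes at addr
        buf, off = self._locate(addr, size)
        return int.from_bytes(buf[off:off + size], "little")
    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

def debugger_indicators(mem, peb):
    heap = mem.read(peb + PEB_PROCESS_HEAP, 4)  # ProcessHeap pointer comes from the PEB, not a guess
    fields = [  # (name, address, size, debugger-indicating mask)
        ("BeingDebugged", peb + PEB_BEING_DEBUGGED, 1, 0xFF),
        ("NtGlobalFlag", peb + PEB_NT_GLOBAL_FLAG, 4, NTGLOBALFLAG_DEBUG_BITS),
        ("ForceFlags", heap + HEAP_FORCE_FLAGS, 4, FORCEFLAGS_DEBUG_BITS),
    ]
    return [(name, addr, size, (mem.read(addr, size) & mask) != 0) for name, addr, size, mask in fields]

def hide_debugger(mem, peb):
    patched = []
    for name, addr, size, flagged in debugger_indicators(mem, peb):
        if flagged:
            mem.write(addr, b"\x00" * size)  # the binary edit made by hand in the dump window
            patched.append((name, addr))
    return patched

def build_sample_image():
    """Constructed image matching the post's numbers: PEB at 7FFDA000, default heap at 00140000."""
    peb, heap = bytearray(0x70), bytearray(0x20)
    peb[PEB_BEING_DEBUGGED] = 1
    peb[PEB_PROCESS_HEAP:PEB_PROCESS_HEAP + 4] = struct.pack("<I", 0x00140000)
    peb[PEB_NT_GLOBAL_FLAG:PEB_NT_GLOBAL_FLAG + 4] = struct.pack("<I", NTGLOBALFLAG_DEBUG_BITS)
    heap[HEAP_FORCE_FLAGS:HEAP_FORCE_FLAGS + 4] = struct.pack("<I", FORCEFLAGS_DEBUG_BITS)
    return Memory({0x7FFDA000: peb, 0x00140000: heap})
```

Running hide_debugger(build_sample_image(), 0x7FFDA000) reports the same three addresses listed above (7FFDA002, 7FFDA068, 00140010); a second call finds nothing left to patch.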
The arguments -in abcd were passed to install the program, as discovered in 9.1, and the program installed successfully.
There are several OllyDbg plugins to hide a debugger (Hyde, HideOD). For Immunity Debugger, the included "hidedebug" plugin will automatically patch the flag bytes.