Years ago I needed to debug an application that just had the binary code with no symbols or source code. To make things even more difficult, I found out the application had some kind of anti-debugger protection.

After analyzing the dead listing of the application using DumpBin I discovered the trick. The application performed some IsDebuggerPresent() calls and, besides, it used inline assembly as a fail-over protection. J

I managed to make the debugger work by changing the application on the memory after attaching the debugger to it.

Then sometime later I decided to create this very simple “just for fun” script that disables IsDebuggerPresent().

 

Just attach the debugger to the application using IsDebuggerPresent(), and then run the script using the “g” command to continue the execution.

 

If you want to know what happens when not using the script just attach the debugger to the application using IsDebuggerPresent() and use the "g" command. The IsDebuggerPresent() will detect the debugger and the application may take actions (it's not the case in this sample) reacting to the debugger presence.

 

Screenshots:

 

 

 

 

 

 

 

 

 

 

 

Source code for DISABLE_ISDEBUGGER.TXT:

 

$$

$$ =============================================================================

$$ Disable the IsDebuggerPresent API, returning always false.

$$ This approach doesn't use breakpoints.

$$

$$ Compatibility: Win32.

$$

$$ Usage: $$>< to run the program.

$$

$$ Requirements: Public symbols.

$$

$$ Roberto Alexis Farah

$$ Blog: http://blogs.msdn.com/debuggingtoolbox/

$$

$$ All my scripts are provided "AS IS" with no warranties, and confer no rights.

$$ =============================================================================

$$

r @$t0 = kernel32!IsDebuggerPresent; eb @$t0+0x9 31 c0 90 90

$$

$$ ========================================

 

 

 

Read me.