I am currently trying to attach a debugger to a program with a callback for IsDebuggerPresent. Normally, I would patch the program to pass over this check, but patching the program is not an option. How would I go about getting a debugger attached so dynamic analysis is possible?
1 Answer
As I understand your question, if your binary doesn't have a packer / protector, and you can't use any way to hook the original source, try using a kernel hook like TitanHide, and observe the behavior. Now, if you don't have anything so complicated, check the sides of your debugger, look for the flags, find the "zero flag", and change your return. This is something simple, but if you specify better I can give you another answer. Good luck.

Happy
IsDebuggerPresent indicates that this is on Windows, but even that may be a fallacy on my part. So what debugger, what OS? If this is IsDebuggerPresent on Windows, it's implemented by checking for some value in the PEB, IIRC. So presumably you could attempt to set a hardware breakpoint there and be notified whenever some code accesses this particular piece of data. – 0xC0000022L Jun 27 '20 at 21:57