I found a guide how to bypass it in ollydbg:
But how to do that for an x64 application?
I have found following:
How must i manipulate this to don't get it detect the debugger?
Asked
Active
Viewed 1.2k times
4
-
Use the command `dbh` – mrexodia Apr 13 '17 at 15:03
1 Answers
2
You can do it the same way as described in the guide (i.e. by patching the code of IsDebuggerPresent).
Or you can set a breakpoint at the "movzx eax, byte ptr ds:[rax+2]" instruction, and when the program stops at the breakpoint, go to RAX+2 in the Dump pane and then change the byte from 1 to 0.
Alexander.K.Polyakov
- 51
- 2
-
But when I just do following: replace this function with mov rax, 0 mov eax, 0 -> still detecting the debugger somewhere ... – Martin Fischer Aug 22 '16 at 17:17
-
!! I found usage of CheckRemoteDebuggerPresent in the code. must i care about it,too? – Martin Fischer Aug 22 '16 at 17:55
-
Yes, probably. There are many ways to check if the program is being debugged. Read e.g. this: http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/ – Alexander.K.Polyakov Aug 22 '16 at 19:25
-
-
Generally speaking, yes. You can also try to use hiding plugins for x64dbg (TitanHide, ScyllaHide). – Alexander.K.Polyakov Aug 23 '16 at 13:01