Complexity: Low

Description

One of the most widely used anti-debugging techniques is the IsDebuggerPresent() check. Malware developers use this simple API call so often because it is relatively easy to use.

The function kernel32!IsDebuggerPresent() determines whether the current process is being debugged by a user-mode debugger such as x64dbg. Generally, the function only checks the BeingDebugged flag of the Process Environment Block (PEB); if that flag is true, the malware exits without executing any of its malicious functions.

Example of Assembly Code

[Images 1 and 2: assembly listing showing the IsDebuggerPresent() check]

Reversing Technique (Tips & Tricks)

To reverse engineer this example, we write a dummy application, use it to understand the anti-debugging technique itself, and give malware analysts tips on how to defeat it.

Examining the compiled dummy application in IDA Pro shows the basic usage of the IsDebuggerPresent() API. The assembly reads as: if this application is being debugged, go to the ExitProcess function; otherwise, do some evil things.

[Screenshot 6: IDA Pro view of the IsDebuggerPresent() check in the dummy application]

So the question is how to evade that anti-debug check and continue execution. After setting a breakpoint on the IsDebuggerPresent() API, we can step through and examine the RAX register in the debugger: it clearly holds a boolean value, which is 1 (True).

[Screenshot 7: debugger register view with RAX = 1 after the IsDebuggerPresent() call]

Remember, kernel32!IsDebuggerPresent() looks up the BeingDebugged flag inside the PEB structure. That flag holds only true or false, a boolean, so if we set RAX to 0 we can easily evade this anti-debugging check.

[Screenshot 9: RAX set to 0 in the debugger]

After setting RAX to 0, we can continue executing the code.

[Video bandicam.2022-08-03.19-48-06-272.mp4: recording of the bypass in the debugger]
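As an added illustration (not code from this repository), the following C program models what the walkthrough describes: the API reduces to reading the BeingDebugged byte at PEB offset 0x02, and the dummy application branches on that value. It also shows the difference an analyst should keep in mind: zeroing RAX defeats only that one call, while clearing the PEB byte silences every later call. The PebPrefix struct and the scenario helper are this example's own names; the live gs:[0x60] read compiles only on Windows x64.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(_WIN32) && defined(_M_X64)
#include <intrin.h>
#endif

/* First bytes of the PEB: BeingDebugged is the byte at offset 0x02. */
typedef struct {
    uint8_t InheritedAddressSpace;    /* 0x00 */
    uint8_t ReadImageFileExecOptions; /* 0x01 */
    uint8_t BeingDebugged;            /* 0x02 */
    uint8_t BitField;                 /* 0x03 */
} PebPrefix;

/* What kernel32!IsDebuggerPresent boils down to: return the flag byte as a BOOL. */
int is_debugger_present_from_peb(const PebPrefix *peb) { return peb->BeingDebugged ? 1 : 0; }

/* The dummy application's branch: 1 = take the ExitProcess path, 0 = keep running. */
int anti_debug_branch(int api_result) { return api_result ? 1 : 0; }

/* Bypass used in the walkthrough: overwrite RAX after the call. Affects this one call only. */
int bypass_by_patching_rax(int rax) { (void)rax; return 0; }

/* Alternative: clear PEB.BeingDebugged itself, so every later call also returns 0. */
void bypass_by_clearing_peb_flag(PebPrefix *peb) { peb->BeingDebugged = 0; }

/* Run the check against a constructed PEB. bypass: 0 = none, 1 = patch RAX, 2 = clear flag. */
int scenario(uint8_t flag, int bypass) {
    PebPrefix peb = {0, 0, flag, 0};
    if (bypass == 2) bypass_by_clearing_peb_flag(&peb);
    int rax = is_debugger_present_from_peb(&peb);
    if (bypass == 1) rax = bypass_by_patching_rax(rax);
    return anti_debug_branch(rax);
}

#if defined(_WIN32) && defined(_M_X64)
/* On a live Windows x64 process the PEB pointer sits at gs:[0x60]; read the real flag. */
int read_live_flag(void) { return is_debugger_present_from_peb((const PebPrefix *)__readgsqword(0x60)); }
#endif

int main(void) {
    printf("debugged, no bypass:   branch=%d\n", scenario(1, 0)); /* 1: ExitProcess path */
    printf("debugged, RAX patched: branch=%d\n", scenario(1, 1)); /* 0: this call only */
    printf("debugged, PEB cleared: branch=%d\n", scenario(1, 2)); /* 0: all later calls too */
#if defined(_WIN32) && defined(_M_X64)
    printf("live PEB.BeingDebugged: %d\n", read_live_flag());
#endif
    return 0;
}
```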