#4, 02-28-2005, 20:00
dyn!o
Join Date: Nov 2003
Posts: 214
IsDebuggerPresent is the weakest anti-debug check.

If you want to defeat it then I would propose the following:

- modification of kernel32.dll (overwriting during the runtime)
- hooking the API itself (if the protection is more sophisticated and computes a checksum of it, then usually it checks only the first few instructions; you should still be able to set the hook at one of the last instructions inside this API)
- modification of IsDebuggerPresent return value in the code space of protected software (e.g. set a hardware breakpoint near the call offset)

Regards.

Last edited by dyn!o; 02-28-2005 at 20:02.
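An added illustration of the checksum caveat in the post above (this is not dyn!o's code): a protector that hashes only the first few bytes of the API body does not notice a change at the last instruction, while hashing the whole body does. The API bytes are a constructed stand-in for the x86 IsDebuggerPresent body, not read from a real kernel32.dll, and the checksum algorithm (FNV-1a) is an arbitrary choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the x86 kernel32!IsDebuggerPresent body:
 * mov eax,fs:[18h]; mov eax,[eax+30h]; movzx eax,byte [eax+2]; ret.
 * Assumed/approximate bytes, not read from a real DLL. */
static const uint8_t API_BODY[] = {
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00,   /* mov eax, fs:[18h]        */
    0x8B, 0x40, 0x30,                     /* mov eax, [eax+30h]       */
    0x0F, 0xB6, 0x40, 0x02,               /* movzx eax, byte [eax+2]  */
    0xC3                                  /* ret                      */
};
#define API_LEN      (sizeof(API_BODY))
#define PROLOGUE_LEN 6   /* "first few instructions": here just the first one */

/* 32-bit FNV-1a over a byte range; any checksum would do for this demonstration. */
uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Integrity check as a protector would do it: hash the first checked_len bytes
 * of the live API and compare against the reference hash of the same range.
 * Returns 1 if a modification is detected, 0 if the range looks untouched. */
int tamper_detected(const uint8_t *reference, const uint8_t *live, size_t checked_len) {
    return fnv1a(reference, checked_len) != fnv1a(live, checked_len);
}

/* Copy the body, flip one byte at patch_index (simulating a modification of
 * that instruction), then run the integrity check over checked_len bytes. */
int demo_modification(size_t patch_index, size_t checked_len) {
    uint8_t live[API_LEN];
    memcpy(live, API_BODY, API_LEN);
    live[patch_index] ^= 0xFF;
    return tamper_detected(API_BODY, live, checked_len);
}

int main(void) {
    printf("last byte changed, prologue-only check: %d\n", demo_modification(API_LEN - 1, PROLOGUE_LEN));
    printf("last byte changed, full-body check:     %d\n", demo_modification(API_LEN - 1, API_LEN));
    printf("first byte changed, prologue-only check: %d\n", demo_modification(0, PROLOGUE_LEN));
    return 0;
}
```

A real protector would have to store one reference hash per kernel32 build, since the API bytes differ between Windows versions.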