Tuts 4 You

!hidedebug PyCommand 1.0.0


About This File

HideDebug script: hides Immunity Debugger from the most common anti-debug tricks while still allowing normal use (e.g. FindWindow keeps working for everything except ImmDbg windows).

Patches:

  • IsDebuggerPresent (with polymorphic patch code, since a plain xor eax, eax is too easy to detect)
  • ZwQueryInformationProcess
  • CheckRemoteDebuggerPresent
  • PEB.IsDebugged
  • PEB.ProcessHeap.Flag
  • PEB.NtGlobalFlag
  • PEB.Ldr 0xFEEEFEEE filling
  • GetTickCount (with polymorphic patch code, since a plain mov eax, xxxxxxxx is too easy to detect)
  • ZwQuerySystemInformation (used by CreateToolhelp32Snapshot / Process32First / Process32Next and others)
  • FindWindowA
  • FindWindowW
  • FindWindowExA
  • FindWindowExW
  • EnumWindows

Types:

  • Anti-Debug types: IsDebuggerPresent, ZwQueryInformationProcess, CheckRemoteDebuggerPresent, PEB (applies all PEB patches), GetTickCount, All_Debug (applies ALL debugger-detection patches)
  • Anti-Process-finding types: ZwQuerySystemInformation (all other process APIs use this), All_Process (applies the debugger-process finding API patch)
  • Anti-Window-finding types: FindWindowA, FindWindowW, FindWindowExA, FindWindowExW, EnumWindows, All_Window (applies ALL debugger-window finding API patches)

A few packer types are also included, but most packers' protection is defeated by the PEB patches alone. This is by no means a complete list; it's not even a good beginning.

Packer Types:

  • Escargot RLPack (guard page detection still has to be bypassed separately)
  • NsPack
  • ExeStealth
  • Upx-Lock

The list is at the bottom of the source code; add to it as you find the patches that bypass the protections. Sorry for any weird code, I've only been using Python for 2 weeks.

Description:

  • Most of the functions are patched to return "debugger not found".
  • The PEB patches clear the various PEB flags that anti-debug code inspects.
  • The ZwQueryInformationProcess patch returns "not debugged" when the DebugPort information class is queried.
  • The GetTickCount patch returns the same number every time.
  • The ZwQuerySystemInformation patch replaces every ImmunityDebugger.exe in the returned process list with SVCHost.EXE.
  • The window-finding API patches call the real API and, if the window's class name is "ID", return "not found".
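The ZwQuerySystemInformation patch above rewrites the returned process list in place. The following is an added illustration of that rewrite, not the script's own code: it walks a constructed x86 SYSTEM_PROCESS_INFORMATION chain and renames the debugger entry; the field offsets, the 0xB8 header size and the base address are assumptions for this example.

```python
import struct

BASE = 0x00400000   # assumed address at which the constructed buffer "lives"
HDR = 0xB8          # sizeof(SYSTEM_PROCESS_INFORMATION) on x86 (assumed)
IMAGE_NAME_LENGTH = 0x38   # UNICODE_STRING ImageName.Length, in bytes (x86 offset)
IMAGE_NAME_BUFFER = 0x3C   # UNICODE_STRING ImageName.Buffer, absolute pointer
DEBUGGER_NAME = "ImmunityDebugger.exe"
REPLACEMENT = "SVCHost.EXE"   # shorter than the original, so it fits in place

def build_entry(entry_addr, name, last=False):
    """Constructed x86 record; the UTF-16 name sits right after the header."""
    raw = name.encode("utf-16-le")
    hdr = bytearray(HDR)
    struct.pack_into("<I", hdr, 0, 0 if last else HDR + len(raw) + 2)  # NextEntryOffset
    buf_ptr = entry_addr + HDR if raw else 0   # idle process carries a NULL buffer
    struct.pack_into("<HHI", hdr, IMAGE_NAME_LENGTH, len(raw), len(raw) + 2, buf_ptr)
    return bytes(hdr) + raw + b"\x00\x00"

def hide_debugger(buf, base=BASE):
    """Walk the NextEntryOffset chain; rewrite ImageName (and its Length)
    wherever it names the debugger, so callers only ever see SVCHost.EXE."""
    buf = bytearray(buf)
    names, off = [], 0
    while True:
        length, = struct.unpack_from("<H", buf, off + IMAGE_NAME_LENGTH)
        ptr, = struct.unpack_from("<I", buf, off + IMAGE_NAME_BUFFER)
        name = ""
        if ptr and length:   # skip the idle process (NULL / empty name)
            start = ptr - base
            name = buf[start:start + length].decode("utf-16-le")
            if name.lower() == DEBUGGER_NAME.lower():
                new = REPLACEMENT.encode("utf-16-le")
                buf[start:start + len(new) + 2] = new + b"\x00\x00"
                struct.pack_into("<H", buf, off + IMAGE_NAME_LENGTH, len(new))
                name = REPLACEMENT
        names.append(name)
        nxt, = struct.unpack_from("<I", buf, off)
        if nxt == 0:
            return bytes(buf), names
        off += nxt

def sample_snapshot():
    """Three constructed records: idle process, svchost, the debugger."""
    e0 = build_entry(BASE, "")
    e1 = build_entry(BASE + len(e0), "svchost.exe")
    e2 = build_entry(BASE + len(e0) + len(e1), "ImmunityDebugger.exe", last=True)
    return e0 + e1 + e2
```

Because the replacement is shorter, only the Length field and the string bytes change; the buffer size and NextEntryOffset chain stay intact, which is what keeps Process32Next callers walking the list normally.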

Maybe ToDo:

  • Patch CreateThread?
