SamSuka
GuidedHacking


How To Bypass Debug Flag Detection

💻 How To Bypass Debug Flag Detection 

🔍 Continuing our Anti-Debug Series

⚙️ PEB->NtGlobalFlag

🏗️ PEB->BeingDebugged

📡 GetProcessHeap->Flags

😎 Overwrite the flags to bypass

Debug flags are fields in Windows internals structures, mainly the Process Environment Block (PEB) and the header of the process heap, whose values change when a process is started under a debugger. That makes them useful to developers for diagnostics and to anti-debug code, which reads them to detect a debugger and then refuses to run, crashes on purpose, or alters its behaviour.

Several ways of reading these flags are demonstrated, starting with the BeingDebugged byte in the PEB. The checks typically use the Visual C++ compiler intrinsics __readfsdword() and __readgsqword(), which read a 32-bit or 64-bit value at a given offset from a segment register.

Which register depends on the architecture: on x86 the FS segment points at the Thread Environment Block (TEB) and FS:[0x30] holds the PEB address, while on x64 the GS segment points at the TEB and GS:[0x60] holds the PEB address. Either way the result is the PEB pointer, from which the flags below are read.

  1. BeingDebugged: the byte at PEB+0x02 is set to 1 while a debugger is attached. To bypass this detection, overwrite the BeingDebugged flag with 0.
  2. NtGlobalFlag: when a process is created by a debugger, FLG_HEAP_ENABLE_TAIL_CHECK (0x10), FLG_HEAP_ENABLE_FREE_CHECK (0x20) and FLG_HEAP_VALIDATE_PARAMETERS (0x40) are set in PEB->NtGlobalFlag (PEB+0x68 on x86, PEB+0xBC on x64), so checks test for 0x70. To prevent this detection, set the flag back to 0.
  3. HeapFlags: the same debugger settings propagate to the Flags and ForceFlags fields of the process heap header (PEB->ProcessHeap, also returned by GetProcessHeap). Under a debugger, Flags gains HEAP_TAIL_CHECKING_ENABLED, HEAP_FREE_CHECKING_ENABLED and HEAP_VALIDATE_PARAMETERS_ENABLED, and ForceFlags carries the same bits. To bypass this detection, restore the normal values: Flags = HEAP_GROWABLE (0x2) and ForceFlags = 0.

These are the best-known anti-debug tricks based on debug flags. Lesser-known variants such as the LFH anti-debug check work the same way, reading the flags of the low fragmentation heap. Any check that only reads one of these flags can be defeated by writing the expected value back before the check runs, and because the heap flags are copied from NtGlobalFlag at process creation, they only betray a process that was started under the debugger, not one the debugger attached to later. Patching flags in the target's memory does nothing against checks that ask the kernel about the process instead of reading the PEB or heap.
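The following is an added example, my code rather than the video's or GuidedHacking's, that implements the three checks from items 1 to 3 above and the bypass that resets each flag. It reads the fields by raw offset (x86 and x64 PEB offsets, Vista and later heap header offsets) so it does not depend on undocumented struct definitions. The "debugged snapshot" is a constructed byte image of what the PEB and heap header of a debugger-created process look like; on Windows the program additionally runs the same code against its own live PEB and process heap.

```c
/* Debug-flag detection and bypass. Added example, not GuidedHacking code.
 * Offsets: documented PEB layout (x86/x64) and Vista+ _HEAP header. */
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NtCurrentTeb()->ProcessEnvironmentBlock */
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(_WIN64) || defined(__x86_64__)
#define PEB_NTGLOBALFLAG 0xBC
#define PEB_PROCESSHEAP  0x30
#define HEAP_FLAGS       0x70
#define HEAP_FORCEFLAGS  0x74
#else
#define PEB_NTGLOBALFLAG 0x68
#define PEB_PROCESSHEAP  0x18
#define HEAP_FLAGS       0x40
#define HEAP_FORCEFLAGS  0x44
#endif
#define PEB_BEINGDEBUGGED 0x02

/* Bits a debugger-created process carries (guarded: windows.h defines the HEAP_* ones). */
#ifndef FLG_HEAP_ENABLE_TAIL_CHECK
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#endif
#define NTGLOBALFLAG_DEBUG_MASK \
    ((uint32_t)(FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS))
#ifndef HEAP_GROWABLE
#define HEAP_GROWABLE                    0x00000002
#define HEAP_TAIL_CHECKING_ENABLED       0x00000020
#define HEAP_FREE_CHECKING_ENABLED       0x00000040
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000
#endif
#define HEAP_DEBUG_MASK \
    ((uint32_t)(HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED))

enum { DBG_BEINGDEBUGGED = 1, DBG_NTGLOBALFLAG = 2, DBG_HEAPFLAGS = 4 };

static uint32_t rd32(const uint8_t *base, size_t off) { uint32_t v; memcpy(&v, base + off, 4); return v; }
static void wr32(uint8_t *base, size_t off, uint32_t v) { memcpy(base + off, &v, 4); }

/* The three detections; returns a bitmask of the checks that fire. */
unsigned detect_debug_flags(const uint8_t *peb, const uint8_t *heap) {
    unsigned hits = 0;
    if (peb[PEB_BEINGDEBUGGED] != 0)                          hits |= DBG_BEINGDEBUGGED;
    if (rd32(peb, PEB_NTGLOBALFLAG) & NTGLOBALFLAG_DEBUG_MASK) hits |= DBG_NTGLOBALFLAG;
    if ((rd32(heap, HEAP_FLAGS) & ~(uint32_t)HEAP_GROWABLE) != 0 ||
        rd32(heap, HEAP_FORCEFLAGS) != 0)                     hits |= DBG_HEAPFLAGS;
    return hits;
}

/* The bypass: write the non-debugged value back into every flag. */
void patch_debug_flags(uint8_t *peb, uint8_t *heap) {
    peb[PEB_BEINGDEBUGGED] = 0;
    wr32(peb, PEB_NTGLOBALFLAG, rd32(peb, PEB_NTGLOBALFLAG) & ~NTGLOBALFLAG_DEBUG_MASK);
    wr32(heap, HEAP_FLAGS, HEAP_GROWABLE);
    wr32(heap, HEAP_FORCEFLAGS, 0);
}

/* Constructed sample: PEB and heap header of a process started under a debugger. */
struct snapshot { uint8_t peb[0x100]; uint8_t heap[0x100]; };
void make_debugged_snapshot(struct snapshot *s) {
    memset(s, 0, sizeof *s);
    s->peb[PEB_BEINGDEBUGGED] = 1;
    wr32(s->peb, PEB_NTGLOBALFLAG, NTGLOBALFLAG_DEBUG_MASK);          /* 0x70 */
    wr32(s->heap, HEAP_FLAGS, HEAP_GROWABLE | HEAP_DEBUG_MASK);      /* 0x40000062 */
    wr32(s->heap, HEAP_FORCEFLAGS, HEAP_DEBUG_MASK);                 /* 0x40000060 */
}
unsigned debugged_snapshot_hits(void) {
    struct snapshot s; make_debugged_snapshot(&s);
    return detect_debug_flags(s.peb, s.heap);
}
unsigned patched_snapshot_hits(void) {
    struct snapshot s; make_debugged_snapshot(&s);
    patch_debug_flags(s.peb, s.heap);
    return detect_debug_flags(s.peb, s.heap);
}

int main(void) {
    printf("constructed debugged snapshot: hits=0x%x\n", debugged_snapshot_hits());
    printf("same snapshot after patch:     hits=0x%x\n", patched_snapshot_hits());
#ifdef _WIN32
    uint8_t *peb = (uint8_t *)NtCurrentTeb()->ProcessEnvironmentBlock;
    uint8_t *heap; memcpy(&heap, peb + PEB_PROCESSHEAP, sizeof heap);   /* PEB->ProcessHeap */
    printf("this process:                  hits=0x%x\n", detect_debug_flags(peb, heap));
    patch_debug_flags(peb, heap);   /* in-process; a debugger would make the same writes externally */
    printf("this process after patch:      hits=0x%x\n", detect_debug_flags(peb, heap));
#endif
    return 0;
}
```

Run it once normally and once under a debugger to see the live hits go from 0 to 7 and back to 0 after the patch. Patching in-process is only a demonstration; in practice the debugger (or a plugin running inside it) writes the same bytes into the debuggee with WriteProcessMemory before the target's checks execute.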
