Usermode Debugger Check Prevention

It is easy enough to use OllyDbg or any other debugger to step around explicit debugger checks, but anti-debugging techniques that rely on the time stamp counter (QueryPerformanceCounter, GetTickCount, and the like) can be bypassed by setting bit 2 of control register 4 (CR4.TSD, Time Stamp Disable). With that bit set the RDTSC instruction becomes privileged, so the time stamp counter can no longer be read by applications running in user mode. Any checks performed from ring 0, however, are not restricted.

Just a quick sample of setting or unsetting the TSD bit of CR4.
