DioProcess

Clear Debug Flags

Ring 0

Remove debugging indicators from a process to bypass anti-debugging checks.

Anti-Anti-Debugging

This feature clears common debug detection indicators that software uses to detect if it's being analyzed. Useful for malware analysis and reverse engineering.

Overview

Many applications (especially malware and protected software) check for debuggers and refuse to run, or behave differently, when one is detected. The clear_debug_flags function overwrites these indicators directly in kernel memory (EPROCESS) and in the target's PEB, so usermode anti-debug checks that read them see no debugger.

Flags Cleared

Structure   Field           Bypass
EPROCESS    DebugPort       NtQueryInformationProcess(ProcessDebugPort)
PEB         BeingDebugged   IsDebuggerPresent()
PEB         NtGlobalFlag    Heap debug flags (FLG_HEAP_*)

Implementation

Algorithm
#include <ntddk.h>

// EPROCESS layout changes between builds, so the DebugPort and Peb offsets are
// resolved at runtime by version-lookup helpers (not shown here).
ULONG   GetWindowsVersion(VOID);
ULONG64 GetDebugPortOffset(ULONG Version);   // offset of EPROCESS.DebugPort
ULONG64 GetPebOffset(ULONG Version);         // offset of EPROCESS.Peb

// PEB field offsets are stable across builds; PEB is opaque in the WDK, so the
// fields are addressed by offset rather than through a struct definition.
#ifdef _WIN64
#define PEB_BEING_DEBUGGED  0x002   // UCHAR
#define PEB_NT_GLOBAL_FLAG  0x0BC   // ULONG
#else
#define PEB_BEING_DEBUGGED  0x002
#define PEB_NT_GLOBAL_FLAG  0x068
#endif

NTSTATUS ClearDebugFlags(ULONG ProcessId) {
    PEPROCESS Process;
    PUCHAR Peb;

    // 1. Get EPROCESS pointer from PID (takes a reference, released in step 7)
    NTSTATUS Status = PsLookupProcessByProcessId(ULongToHandle(ProcessId), &Process);
    if (!NT_SUCCESS(Status)) return Status;

    ULONG Version = GetWindowsVersion();

    // 2. Clear EPROCESS.DebugPort. This is what NtQueryInformationProcess
    //    (ProcessDebugPort, ProcessDebugObjectHandle) reports, but it is also the
    //    port the kernel delivers debug events through, so an attached debugger
    //    stops receiving events for this process once it is NULL.
    *(PVOID*)((PUCHAR)Process + GetDebugPortOffset(Version)) = NULL;

    // 3. Get the (64-bit) PEB address; NULL for System and minimal processes
    Peb = *(PUCHAR*)((PUCHAR)Process + GetPebOffset(Version));
    if (Peb == NULL) {
        ObDereferenceObject(Process);
        return STATUS_NOT_FOUND;
    }

    // 4. Attach to the target's address space so its user-mode PEB is mapped
    KAPC_STATE ApcState;
    KeStackAttachProcess(Process, &ApcState);

    __try {
        // 5. Clear PEB.BeingDebugged (the byte IsDebuggerPresent() returns)
        Peb[PEB_BEING_DEBUGGED] = 0;

        // 6. Clear PEB.NtGlobalFlag (FLG_HEAP_* bits set when started under a
        //    debugger). Heaps already created with those bits keep their own
        //    HEAP.Flags/ForceFlags; this write does not reach them.
        *(PULONG)(Peb + PEB_NT_GLOBAL_FLAG) = 0;
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // PEB page not accessible (bad pointer or unreadable user mapping)
        Status = GetExceptionCode();
    }

    // 7. Detach and drop the reference taken in step 1
    KeUnstackDetachProcess(&ApcState);
    ObDereferenceObject(Process);

    return Status;
}

Anti-Debug Checks Bypassed

  • IsDebuggerPresent() (reads PEB.BeingDebugged)
  • CheckRemoteDebuggerPresent() (wraps NtQueryInformationProcess(ProcessDebugPort))
  • NtQueryInformationProcess(ProcessDebugPort)
  • NtQueryInformationProcess(ProcessDebugObjectHandle) (also derived from EPROCESS.DebugPort)
  • PEB.NtGlobalFlag heap-flag checks (NtGlobalFlag & 0x70: FLG_HEAP_ENABLE_TAIL_CHECK, FLG_HEAP_ENABLE_FREE_CHECK, FLG_HEAP_VALIDATE_PARAMETERS)

API

Usage
use callback::clear_debug_flags;

// Clear debug flags from process PID 1234
let pid: u32 = 1234;
clear_debug_flags(pid)?;

// Now the process won't detect debugger presence via:
// - IsDebuggerPresent()
// - CheckRemoteDebuggerPresent()
// - NtQueryInformationProcess(ProcessDebugPort)
// - PEB.NtGlobalFlag heap checks

IOCTL

IOCTL               Code         Input
CLEAR_DEBUG_FLAGS   0x00222020   TargetProcessRequest (PID)

0x00222020 decodes as CTL_CODE(FILE_DEVICE_UNKNOWN, 0x808, METHOD_BUFFERED, FILE_ANY_ACCESS).

UI Access

Right-click process → Miscellaneous → 🔍 Clear Debug Flags

Button is disabled/grayed when driver is not loaded.

Limitations

  • Does not bypass timing-based checks (RDTSC, QueryPerformanceCounter)
  • Does not hide hardware breakpoints (DR0-DR7)
  • Does not bypass exception-based checks (INT 3, EXCEPTION_BREAKPOINT)
  • Does not affect NtQueryInformationProcess(ProcessDebugFlags): that query reports the EPROCESS NoDebugInherit flag, not DebugPort
  • Does not clear HEAP.Flags / HEAP.ForceFlags on heaps created while NtGlobalFlag still carried its FLG_HEAP_* bits (e.g. the process heap of a process started under a debugger), so checks that read the heap header still fire
  • Clearing EPROCESS.DebugPort also removes the port the kernel delivers debug events through, so an attached debugger stops receiving breakpoints and exceptions from the target after the clear
  • For WOW64 targets the algorithm above writes the 64-bit PEB only; the 32-bit PEB that 32-bit code reads has its own BeingDebugged and NtGlobalFlag fields
  • Application may re-check flags; may need to clear repeatedly
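The following C program is an added example, not DioProcess code. It applies the same two PEB writes the driver performs (steps 5 and 6 of the algorithm above) to a PEB image and then re-runs the PEB-based checks a user-mode anti-debug routine would make, which shows concretely which indicators the writes remove (BeingDebugged, NtGlobalFlag) and which survive (the heap's Flags/ForceFlags, as listed under Limitations). The x64 PEB and HEAP offsets are the public Vista+ layouts; the PEB and heap buffers are constructed in the program to look like a process started under a debugger and are not real process memory; the function names peb_debug_indicators, clear_peb_debug_flags and build_debugged_process_image are the example's own. Unlike the driver it clears only the three FLG_HEAP_* bits of NtGlobalFlag rather than zeroing the word, so unrelated global flags are preserved.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x64 PEB / HEAP field offsets (public Vista+ layouts). */
#define PEB64_BEING_DEBUGGED   0x002u   /* UCHAR */
#define PEB64_PROCESS_HEAP     0x030u   /* PVOID, points at a HEAP */
#define PEB64_NT_GLOBAL_FLAG   0x0BCu   /* ULONG */
#define HEAP64_FLAGS           0x070u   /* ULONG */
#define HEAP64_FORCE_FLAGS     0x074u   /* ULONG */

/* NtGlobalFlag bits ntdll sets when a process starts under a debugger (0x70). */
#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK    0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS  0x40u
#define FLG_HEAP_DEBUG_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* HEAP.Flags / HEAP.ForceFlags bits a heap inherits from those global flags. */
#define HEAP_GROWABLE                    0x00000002u
#define HEAP_TAIL_CHECKING_ENABLED       0x00000020u
#define HEAP_FREE_CHECKING_ENABLED       0x00000040u
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000u
#define HEAP_DEBUG_MASK (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED)

/* Indicator bits returned by peb_debug_indicators(). */
enum {
    IND_BEING_DEBUGGED = 1u << 0,  /* what IsDebuggerPresent() returns */
    IND_NT_GLOBAL_FLAG = 1u << 1,  /* PEB.NtGlobalFlag & 0x70 */
    IND_HEAP_FLAGS     = 1u << 2,  /* ProcessHeap->Flags has HEAP_*_CHECKING bits */
    IND_HEAP_FORCE     = 1u << 3   /* ProcessHeap->ForceFlags != 0 */
};

static uint32_t rd32(const uint8_t *b, size_t off) { uint32_t v; memcpy(&v, b + off, 4); return v; }
static uint64_t rd64(const uint8_t *b, size_t off) { uint64_t v; memcpy(&v, b + off, 8); return v; }
static void     wr32(uint8_t *b, size_t off, uint32_t v) { memcpy(b + off, &v, 4); }

/* The PEB-based checks a user-mode anti-debug routine typically runs. */
unsigned peb_debug_indicators(const uint8_t *peb)
{
    unsigned ind = 0;
    if (peb[PEB64_BEING_DEBUGGED])                             ind |= IND_BEING_DEBUGGED;
    if (rd32(peb, PEB64_NT_GLOBAL_FLAG) & FLG_HEAP_DEBUG_MASK) ind |= IND_NT_GLOBAL_FLAG;

    const uint8_t *heap = (const uint8_t *)(uintptr_t)rd64(peb, PEB64_PROCESS_HEAP);
    if (heap != NULL) {
        if (rd32(heap, HEAP64_FLAGS) & HEAP_DEBUG_MASK) ind |= IND_HEAP_FLAGS;
        if (rd32(heap, HEAP64_FORCE_FLAGS) != 0)        ind |= IND_HEAP_FORCE;
    }
    return ind;
}

/* The two PEB writes from steps 5 and 6 of the driver algorithm, applied to a
   PEB image. Only the FLG_HEAP_* bits are cleared, not the whole NtGlobalFlag
   word. Returns the indicators that were set before the writes. */
unsigned clear_peb_debug_flags(uint8_t *peb)
{
    unsigned before = peb_debug_indicators(peb);
    peb[PEB64_BEING_DEBUGGED] = 0;
    wr32(peb, PEB64_NT_GLOBAL_FLAG, rd32(peb, PEB64_NT_GLOBAL_FLAG) & ~FLG_HEAP_DEBUG_MASK);
    return before;
}

/* Constructed sample (not real process memory): a PEB and its process heap as
   they look for a process that was started under a debugger. */
static uint8_t g_fake_peb[0x1000];
static uint8_t g_fake_heap[0x100];

uint8_t *build_debugged_process_image(void)
{
    memset(g_fake_peb, 0, sizeof g_fake_peb);
    memset(g_fake_heap, 0, sizeof g_fake_heap);
    g_fake_peb[PEB64_BEING_DEBUGGED] = 1;
    wr32(g_fake_peb, PEB64_NT_GLOBAL_FLAG, FLG_HEAP_DEBUG_MASK);
    uint64_t heap_va = (uint64_t)(uintptr_t)g_fake_heap;
    memcpy(g_fake_peb + PEB64_PROCESS_HEAP, &heap_va, sizeof heap_va);
    wr32(g_fake_heap, HEAP64_FLAGS, HEAP_GROWABLE | HEAP_DEBUG_MASK);
    wr32(g_fake_heap, HEAP64_FORCE_FLAGS, HEAP_DEBUG_MASK);
    return g_fake_peb;
}

#if defined(_WIN64) && defined(_MSC_VER)
#include <intrin.h>
/* On a live x64 Windows process the same functions can be pointed at the real
   PEB (gs:[0x60]); writing it from user mode only works on your own process. */
uint8_t *current_process_peb(void) { return (uint8_t *)__readgsqword(0x60); }
#endif

int main(void)
{
    uint8_t *peb = build_debugged_process_image();
    unsigned before = clear_peb_debug_flags(peb);   /* 0xf: all four indicators */
    unsigned after  = peb_debug_indicators(peb);    /* 0xc: heap indicators remain */
    printf("indicators before clear: 0x%x, after: 0x%x\n", before, after);
    printf("heap Flags/ForceFlags still report a debugger: %s\n",
           (after & (IND_HEAP_FLAGS | IND_HEAP_FORCE)) ? "yes" : "no");
    return 0;
}
```

Run it as-is for the constructed image; on x64 Windows, point peb_debug_indicators at current_process_peb() to see what a live process reports before and after the driver has acted on it.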

Use Cases

  • Malware analysis with debugger attached
  • Reverse engineering protected software
  • Game hacking / anti-cheat research
  • Security research and testing