IDAStealth

While the HideDebugger script discussed in the previous section is useful for demonstrating some basic programmatic interaction with the debugger and the basics of library function hooking, the sheer number of known anti-debugging techniques and the complexity of many of them call for more robust anti-anti-debugging than a simple script can provide. Fortunately, the IDAStealth plug-in is designed to meet our need for a powerful debugger-hiding capability. Written by Jan Newger, IDAStealth was the winner of Hex-Rays's 2009 plug-in writing contest. The plug-in is written in C++ and is available in both source and binary form.

Name:          IDAStealth
Author:        Jan Newger
Distribution:  C++ source and binary
Price:         Free
Description:   Windows debugger-hiding plug-in
Information:   http://www.newgre.net/idastealth/

The binary components of IDAStealth consist of a plug-in and a helper library, both of which must be installed into <IDADIR>/plugins; the plug-in will not load correctly if the helper library is missing. Upon initial activation, IDAStealth presents the configuration dialog shown in Figure 25-6.

Figure 25-6. IDAStealth configuration dialog

Several tabs full of options allow you to decide which anti-anti-debugging techniques you wish to employ. Once activated, IDAStealth implements evasion techniques for virtually every publicly documented debugger-detection technique, including those discussed in the Falliere article and those addressed by the HideDebugger.idc script developed earlier. Because each countermeasure is enabled individually, it is worth confirming that the ones you have selected actually defeat the checks in the binary you are analyzing rather than assuming the defaults cover everything.
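A practical way to confirm that the plug-in is hiding the debugger is to build a small probe that performs several of the common checks itself and run it both outside the debugger and under IDA with IDAStealth enabled. The program below is an added example written for this section; it is not part of IDAStealth or of the book's HideDebugger.idc script. On Windows it exercises IsDebuggerPresent(), the PEB BeingDebugged byte, and the heap-related bits of PEB NtGlobalFlag (the 0x68/0xBC offsets and the 0x70 mask are the well-known 32-/64-bit values, hard-coded here as an assumption about the target Windows build). The Linux branch, which reads TracerPid from /proc/self/status, is included only so the probe builds on a non-Windows host; it is outside IDAStealth's scope. The sample status text used in the comments is constructed.

```c
/* anti-debug probe: run once natively and once under IDA with IDAStealth
 * enabled. If the plug-in is working, both runs print "no debugger". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* Read PEB->BeingDebugged directly (as packers do) instead of calling the
 * API, so that a hooked IsDebuggerPresent() alone is not enough to pass. */
static int peb_being_debugged(void) {
    PPEB peb = ((PTEB)NtCurrentTeb())->ProcessEnvironmentBlock;
    return peb->BeingDebugged != 0;
}

/* NtGlobalFlag is not exposed in the public PEB layout; the byte offsets
 * below are the documented-by-convention values (assumption: unmodified
 * Windows PEB layout). A debugger-created process gets the three heap
 * debugging flags FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
 * FLG_HEAP_VALIDATE_PARAMETERS set, which together are 0x70. */
static int peb_ntglobalflag_set(void) {
    PPEB peb = ((PTEB)NtCurrentTeb())->ProcessEnvironmentBlock;
#ifdef _WIN64
    DWORD flags = *(DWORD *)((BYTE *)peb + 0xBC);
#else
    DWORD flags = *(DWORD *)((BYTE *)peb + 0x68);
#endif
    return (flags & 0x70) == 0x70;
}
#endif /* _WIN32 */

/* Parse the TracerPid field from /proc/self/status text, e.g. the
 * constructed sample "Name:\tprobe\nTracerPid:\t4242\n".
 * Returns the tracer's PID, 0 when not traced, -1 when the field is absent. */
long tracer_pid_from_status(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;
    p += strlen("TracerPid:");
    return strtol(p, NULL, 10);   /* strtol skips the tab before the number */
}

#ifndef _WIN32
static int linux_traced(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
}
#endif

/* Bit mask of the checks that fired; 0 means no debugger was detected.
 * bit 0: IsDebuggerPresent, bit 1: PEB.BeingDebugged,
 * bit 2: PEB.NtGlobalFlag heap flags, bit 3: Linux TracerPid. */
unsigned debugger_checks(void) {
    unsigned hits = 0;
#ifdef _WIN32
    if (IsDebuggerPresent())
        hits |= 1u;
    if (peb_being_debugged())
        hits |= 2u;
    if (peb_ntglobalflag_set())
        hits |= 4u;
#else
    if (linux_traced())
        hits |= 8u;
#endif
    return hits;
}

int main(void) {
    unsigned hits = debugger_checks();
    printf("%s (checks fired: 0x%x)\n",
           hits ? "debugger detected" : "no debugger", hits);
    return 0;
}
```

When a run under IDA still reports a non-zero mask, the bit value tells you which IDAStealth option to revisit: bit 0 points at the IsDebuggerPresent hook, bit 1 at the PEB BeingDebugged patch, and bit 2 at the NtGlobalFlag patch. Checking the PEB fields directly rather than only through the API is deliberate, since many protectors do exactly that and a plug-in that only hooks the API call would pass the first check while failing the others.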
