/AntiDebugging

A collection of c++ programs that demonstrate common ways to detect the presence of an attached debugger.

Primary LanguageC++MIT LicenseMIT

Project Status: Active – The project has reached a stable, usable state and is being actively developed. license

Each directory represents a different that can be used to reinforce anti-debugging/anti-cracking. Each technique, can of course, be bypassed.

IsDebuggerPresent

The most trivial way to check if a debugger is present is by calling IsDebuggerPresent. Internally, IsDebuggerPresent checks a flag in the Process Environment Block (PEB). The address of the PEB can be found in the Thread Information Block, which can be found in the FS register. Most software do not soley rely on this method as it can easily be bypassed by jumping over the cmp instruction.

MSDN Documentation

BOOL WINAPI IsDebuggerPresent(void);

CheckRemoteDebuggerPresent

When access to the program is limited, it cna be checked remotely with CheckRemoteDebuggerPresent. The function acts as a wrapper to NtQueryInformationProcess, which provides infomration about a specified process. One piece of infomration that can be extracted are the available debug ports. When the number is non-zero, a debugger is attached to the process. This again is easily bypassed and software rarely relies on it to stop reverse engineers.

MSDN Documentation

BOOL WINAPI CheckRemoteDebuggerPresent(
_In_    HANDLE hProcess,
_Inout_ PBOOL  pbDebuggerPresent
);

ReadTeb

Reads the BeingDebugged field in the Process Environment Block(PEB). One way to determine the address of the PEB is by reading offset 0x30 from the Thread Information Block(TIB), which is obtained from the FS segment register. This is how IsDebuggerPresent works internally. Instead of calling IsDebuggerPresent, some software will manually perform this check. It can be bypassed the same way a call to IsDebuggerPresent is.

OutputDebugString

The Windows API allows for printing debug statements out to a debugger, and will set an error if a debugger is not found. This is used by attempting to send a message to an attached debugger and checking for errors to determine if one is attached. MSDN Documentation

void WINAPI OutputDebugString( In_opt LPCTSTR lpOutputString );

FindWindow

Instead of using debug specific APIs, if the window name of the debugger is known it can be searched for via FindWindow. Software/malware can search for window titles such as OllyDbg, x64dbg, Soft Ice, etc. MSDN Documentation

HWND WINAPI FindWindow(
_In_opt_ LPCTSTR lpClassName,
_In_opt_ LPCTSTR lpWindowName
);