schrodyn / AntiDebugging

A collection of c++ programs that demonstrate common ways to detect the presence of an attached debugger.


AntiDebugging

This is a collection of short snippets that are, or can be, used to detect whether a debugger is attached to a process.

CheckRemoteDebuggerPresent

Any process including your own can be checked for attached debuggers by using CheckRemoteDebuggerPresent.

MSDN Documentation

BOOL WINAPI CheckRemoteDebuggerPresent(
_In_    HANDLE hProcess,
_Inout_ PBOOL  pbDebuggerPresent
);

FindWindow

The FindWindow check works by searching the top-level windows for the class name or window title of a specified debugger/reversing tool.

MSDN Documentation

HWND WINAPI FindWindow(
_In_opt_ LPCTSTR lpClassName,
_In_opt_ LPCTSTR lpWindowName
);

You can, for example, search for the title of a debugger and determine its presence based on the return value.

IsDebuggerPresent

MSDN Documentation

BOOL WINAPI IsDebuggerPresent(void);

ReadTeb

Reads the BeingDebugged field in the Process Environment Block (PEB). One way to determine the address of the PEB is by reading offset 0x30 from the Thread Information Block (TIB), which is obtained from the fs segment register.

OutputDebugString

MSDN Documentation

void WINAPI OutputDebugString(
_In_opt_ LPCTSTR lpOutputString
);
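As an added example (this is not code from the schrodyn/AntiDebugging repository), the following C program gathers the checks described in the sections above into one place. The TEB-to-PEB walk from the ReadTeb section is written as a standalone function that takes a TEB address and the offset at which the TEB stores its PEB pointer: 0x30 on 32-bit Windows (the fs:[0x30] read described above) and 0x60 on 64-bit Windows (read through gs instead of fs); BeingDebugged is the byte at offset 2 of the PEB on both. Because that walk is plain pointer arithmetic, the program also runs it against a constructed TEB/PEB pair so the offset logic can be exercised on any platform; the live Win32 calls (IsDebuggerPresent, CheckRemoteDebuggerPresent, FindWindow, NtCurrentTeb) are compiled only on Windows. The function names being_debugged_from_teb, mock_walk_demo and run_debugger_checks and the window class string are this example's own; the class string is a placeholder, not the name of any real tool.

```c
/* Added example, not part of the schrodyn/AntiDebugging repo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif

/* Offset of the PEB pointer inside the TEB: 0x30 on 32-bit Windows
   (fs:[0x30]), 0x60 on 64-bit Windows (gs:[0x60]). Selected by pointer
   size so the mock walk below uses the matching layout on any platform. */
#if UINTPTR_MAX == 0xFFFFFFFFu
#define TEB_PEB_OFFSET 0x30u
#else
#define TEB_PEB_OFFSET 0x60u
#endif

/* BeingDebugged is the byte at offset 2 of the PEB on both architectures. */
#define PEB_BEING_DEBUGGED_OFFSET 0x02u

/* Follow the PEB pointer stored at peb_offset inside the TEB and return
   the BeingDebugged byte (0 or 1). This is the hand-rolled equivalent of
   the fs:[0x30] / gs:[0x60] read from the ReadTeb section. */
uint8_t being_debugged_from_teb(const void *teb, size_t peb_offset)
{
    const unsigned char *peb;
    memcpy(&peb, (const unsigned char *)teb + peb_offset, sizeof peb);
    return peb[PEB_BEING_DEBUGGED_OFFSET];
}

/* Constructed TEB and PEB images (hypothetical, for offline use): the PEB
   gets the requested BeingDebugged value and the TEB gets a pointer to it
   at the architecture's offset, then the walk is run over them. */
int mock_walk_demo(uint8_t flag)
{
    unsigned char peb[0x80] = {0};
    unsigned char teb[0x100] = {0};
    const unsigned char *peb_ptr = peb;

    peb[PEB_BEING_DEBUGGED_OFFSET] = flag;
    memcpy(teb + TEB_PEB_OFFSET, &peb_ptr, sizeof peb_ptr);
    return being_debugged_from_teb(teb, TEB_PEB_OFFSET);
}

#ifdef _WIN32
/* One bit per check from the page, so a caller can see which ones fired. */
enum {
    CHK_IS_DEBUGGER_PRESENT     = 1,
    CHK_REMOTE_DEBUGGER_PRESENT = 2,
    CHK_PEB_BEING_DEBUGGED      = 4,
    CHK_DEBUGGER_WINDOW         = 8
};

/* Run the checks against the current process; returns a bitmask of hits. */
unsigned run_debugger_checks(void)
{
    unsigned hits = 0;
    BOOL remote = FALSE;

    if (IsDebuggerPresent())
        hits |= CHK_IS_DEBUGGER_PRESENT;

    /* CheckRemoteDebuggerPresent works on any process handle; here it is
       pointed at our own process. */
    if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote) && remote)
        hits |= CHK_REMOTE_DEBUGGER_PRESENT;

    /* NtCurrentTeb() is the documented way to obtain the TEB address. */
    if (being_debugged_from_teb(NtCurrentTeb(), TEB_PEB_OFFSET))
        hits |= CHK_PEB_BEING_DEBUGGED;

    /* Placeholder class name; the repo's check looks for a specific tool's
       window class or title. */
    if (FindWindowA("EXAMPLE_DEBUGGER_WINDOW_CLASS", NULL) != NULL)
        hits |= CHK_DEBUGGER_WINDOW;

    return hits;
}
#endif

int main(void)
{
    printf("mock walk, flag set:   %d\n", mock_walk_demo(1));
    printf("mock walk, flag clear: %d\n", mock_walk_demo(0));
#ifdef _WIN32
    printf("live checks bitmask:   0x%x\n", run_debugger_checks());
#endif
    return 0;
}
```

On Windows the bitmask shows which checks agree; note that IsDebuggerPresent and the PEB walk read the same BeingDebugged byte, so a difference between the two bits would indicate that one of them was tampered with rather than a genuine disagreement between techniques.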

Languages

C++ 71.2%, C 28.8%