A collection of c++ programs that demonstrate common ways to detect the presence of an attached debugger.

ThomasThelen/Anti-Debugging

Project Status: Active – The project has reached a stable, usable state and is being actively developed.

This repository hosts code that shows some of the trivial ways to detect the presence of a debugger from within Windows applications. More thorough resources can be found in other GitHub repositories and in Peter Ferrie's "The 'Ultimate' Anti-Debugging Reference". The examples are organized by functionality.

Building

To build the project, run the following from build/:

cmake ../
cmake --build .

The ReadTEB example makes use of inline __asm, which the compiler does not support on x64, so it is excluded from the generated build files.

Checking Within Processes

These are some checks that can be run from within the source of an application.

IsDebuggerPresent - Basic Win32 API call to check for the presence of a debugger

OutputDebugString - Use the Win32 API to try to communicate with a potentially attached debugger

FindWindow - Use the Win32 API to search for debugger windows

ReadTEB - A brief look at the internals of IsDebuggerPresent

DebugBreak - A Win32 call that will throw when a debugger isn't attached.
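The IsDebuggerPresent and ReadTEB checks above both boil down to reading the BeingDebugged byte in the Process Environment Block. The following is an added example, not code from this repository: it reads that byte through compiler intrinsics rather than inline __asm (so it builds on x64, which the __asm version does not), and, going beyond the Windows-only scope of this page, falls back to parsing the TracerPid field of /proc/self/status when compiled on Linux. The PEB offsets (gs:0x60 / fs:0x30, BeingDebugged at offset 2) are the documented ones for x64 and x86 Windows; parseTracerPid and debuggerAttached are names chosen here.

```cpp
// Added example: a cross-platform "is a debugger attached?" check that
// mirrors the repository's IsDebuggerPresent / ReadTEB ideas.
#include <cstdint>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>

#if defined(_WIN32)
#include <windows.h>
#include <intrin.h>
#endif

// Parse the "TracerPid:" line of a /proc/<pid>/status document (Linux).
// Returns 0 when no tracer is attached or the field is absent.
long parseTracerPid(const std::string& statusText) {
    const std::string key = "TracerPid:";
    std::istringstream in(statusText);
    std::string line;
    while (std::getline(in, line)) {
        if (line.compare(0, key.size(), key) == 0) {
            try {
                return std::stol(line.substr(key.size()));  // skips the tab
            } catch (const std::exception&) {
                return 0;  // malformed field: treat as "no tracer"
            }
        }
    }
    return 0;
}

#if defined(_WIN32)
// What IsDebuggerPresent does internally: PEB->BeingDebugged is the BYTE
// at offset 2 of the PEB. Intrinsics replace the __asm used by ReadTEB.
bool readPebBeingDebugged() {
#if defined(_M_X64) || defined(__x86_64__)
    auto peb = reinterpret_cast<const std::uint8_t*>(__readgsqword(0x60));
#else
    auto peb = reinterpret_cast<const std::uint8_t*>(__readfsdword(0x30));
#endif
    return peb[2] != 0;
}
#endif

// True when the running process is being debugged / traced.
bool debuggerAttached() {
#if defined(_WIN32)
    return IsDebuggerPresent() != 0 || readPebBeingDebugged();
#else
    std::ifstream status("/proc/self/status");
    std::stringstream buf;
    buf << status.rdbuf();
    return parseTracerPid(buf.str()) != 0;
#endif
}
```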

Checking Other Processes

Checking external processes for the presence of an attached debugger.

CheckRemoteDebuggerPresent - IsDebuggerPresent for external processes

References and Other Repositories

Anti Reverse Engineering Protection Techniques to Use Before Releasing Software