
CheckRemoteDebuggerPresent API

Hi,

I am currently working on anti-debugging techniques, which will also be my college project for this year. I know that most basic anti-debugging techniques are API based, but I am still writing this post because I did not find any working code, and whatever non-working code I did find was only implemented for the local process. By the way, I am really impressed by the work compiled by Tyler Shields in 2009; he has put together some of the best resources out there.

This post is about one of those standard APIs, the CheckRemoteDebuggerPresent function. There is enough material on MSDN and other websites about what the function does and how to call it, but for some reason those examples did not work for me, so here is what finally worked, including a remote-process example.

Despite its name, the function does not look for a "remote" debugger in the network sense. It asks the kernel whether any debugger is attached to the process identified by the handle you pass in, which is the same ProcessDebugPort information that NtQueryInformationProcess exposes; a non-zero debug port means a debugger is attached. The handle needs PROCESS_QUERY_INFORMATION access, and the function returns FALSE (with a code from GetLastError) when the query itself fails, so the return value has to be checked separately from the output flag. Otherwise a failed query on a NULL or under-privileged handle is silently reported as "not being debugged".

Implementation for the local process

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0601
#endif
#include <windows.h>
#include <stdio.h>
#include <conio.h>

int main(void)
{
    BOOL isPresent = FALSE;

    /* Ask the kernel whether a debugger is attached to this process.
     * The function returns FALSE (and sets the last error) if the query
     * itself failed, so check that before trusting the output flag. */
    if (!CheckRemoteDebuggerPresent(GetCurrentProcess(), &isPresent)) {
        printf("CheckRemoteDebuggerPresent failed: %lu\n", GetLastError());
        getch();
        return 1;
    }

    if (isPresent) {
        printf("Being debugged\n");
    } else {
        printf("Not being debugged\n");
    }
    getch();
    return 0;
}

Implementation for a remote process (with PID 2800)

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0601
#endif
#include <windows.h>
#include <stdio.h>
#include <conio.h>

int main(void)
{
    BOOL isPresent = FALSE;
    HANDLE hProcess = NULL;
    DWORD pid = 2800;   /* target process; change this to the PID you want to query */

    /* CheckRemoteDebuggerPresent only needs PROCESS_QUERY_INFORMATION.
     * Asking for PROCESS_ALL_ACCESS makes OpenProcess fail on processes
     * (elevated, protected, another user's) that would still allow the query. */
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (hProcess == NULL) {
        /* NULL means an invalid PID or access denied; do not continue with
         * a NULL handle, the query would fail and look like "not debugged". */
        printf("OpenProcess(%lu) failed: error %lu\n", pid, GetLastError());
        getch();
        return 1;
    }
    printf("Done getting a handle\n");

    if (!CheckRemoteDebuggerPresent(hProcess, &isPresent)) {
        printf("CheckRemoteDebuggerPresent failed: %lu\n", GetLastError());
        CloseHandle(hProcess);
        getch();
        return 1;
    }

    if (isPresent) {
        printf("Being debugged\n");
    } else {
        printf("Not being debugged\n");
    }

    CloseHandle(hProcess);
    getch();
    return 0;
}
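As an added example that is not part of the original post, the following program shows what the two snippets above are actually asking the kernel. On Windows, CheckRemoteDebuggerPresent is a thin wrapper around NtQueryInformationProcess with the ProcessDebugPort information class (value 7): a non-zero debug port means a debugger is attached. Calling ntdll directly is what packers do to avoid the documented API, and it is also the call a debugger plug-in has to hook to hide itself, so the program queries both and prints them side by side. The Linux branch goes beyond the post: the equivalent question there is answered by the TracerPid field of /proc/<pid>/status, and the parser for that field is the part that runs anywhere. The PROCESS_DEBUG_PORT macro name and the function names are my own; the information-class value and the NtQueryInformationProcess signature are the documented ones.

```c
/* Added example, not from the original post: what CheckRemoteDebuggerPresent
 * asks the kernel (ProcessDebugPort), plus the Linux analogue (TracerPid). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0601
#endif
#include <windows.h>

/* ProcessDebugPort is information class 7 of NtQueryInformationProcess
 * (the macro name is mine; the value is the documented one). */
#define PROCESS_DEBUG_PORT 7

typedef LONG (NTAPI *NtQueryInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Returns 1 if the process has a debug port (debugger attached), 0 if not,
 * -1 if the query could not be made. Resolved at runtime from ntdll so no
 * import of an undocumented function appears in the import table. */
int debug_port_attached(HANDLE process)
{
    NtQueryInformationProcess_t fn = (NtQueryInformationProcess_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    if (fn == NULL) return -1;
    ULONG_PTR port = 0;   /* pointer-sized: 8 bytes on x64, 4 on x86 */
    LONG status = fn(process, PROCESS_DEBUG_PORT, &port, sizeof(port), NULL);
    if (status != 0) return -1;   /* STATUS_SUCCESS is 0 */
    return port != 0;
}
#endif

/* Parse the TracerPid line of a /proc/<pid>/status buffer.
 * Returns the tracer's pid (0 = not traced), or -1 if the field is absent. */
long parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL) return -1;
    /* The match must start a line, not sit inside some other field's value. */
    if (p != status_text && p[-1] != '\n') return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Linux analogue of the remote-process check: pid <= 0 means "this process". */
long tracer_pid_of(long pid)
{
    char path[64];
    char buf[4096];
    if (pid <= 0) snprintf(path, sizeof(path), "/proc/self/status");
    else          snprintf(path, sizeof(path), "/proc/%ld/status", pid);
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Usage: debugcheck [pid]   (no argument = check the current process) */
int main(int argc, char **argv)
{
    long pid = argc > 1 ? strtol(argv[1], NULL, 10) : 0;
#ifdef _WIN32
    HANDLE h = pid > 0 ? OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)pid)
                       : GetCurrentProcess();
    if (h == NULL) {
        printf("OpenProcess failed: error %lu\n", GetLastError());
        return 1;
    }
    BOOL api_result = FALSE;
    if (!CheckRemoteDebuggerPresent(h, &api_result))
        printf("CheckRemoteDebuggerPresent failed: %lu\n", GetLastError());
    /* Both answers come from the same kernel state, so they should agree
     * unless something is hooking one of the two paths. */
    printf("CheckRemoteDebuggerPresent: %d, ProcessDebugPort non-zero: %d\n",
           (int)api_result, debug_port_attached(h));
    if (pid > 0) CloseHandle(h);
#else
    long tracer = tracer_pid_of(pid);
    if (tracer < 0) printf("could not read /proc status for pid %ld\n", pid);
    else printf("TracerPid: %ld (%s)\n", tracer, tracer ? "traced" : "not traced");
#endif
    return 0;
}
```

If the two Windows answers disagree, one of the paths has been hooked (typically by an anti-anti-debug plug-in that patches the documented API but not the ntdll export, or the reverse), which is itself a useful signal. On Linux a non-zero TracerPid is the pid of whatever has ptrace-attached, usually gdb or strace.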


by Adwiteeya Agrawal
