IsDebuggerPresent
About IsDebuggerPresent¶
When the debugger exists, the IsDebuggerPresent() function of kernel32 returns a non-zero value.
BOOL WINAPI IsDebuggerPresent(void);
Detection code¶
Its detection method is very simple, such as using the following code (32 or 64 bits are the same code) to detect in a 32-bit/64-bit environment:
`asm
call IsDebuggerPresent
test al, al jne being_debugged
In fact, this function simply returns the value of the `BeingDebugged` flag. The method of checking the `BeingDebugged` flag can also be implemented by examining the 32-bit environment with the following 32-bit code:
`` `asm
mov eax, fs:[30h] ;Process Environment Block
cmp b [eax+2], 0 ;check BeingDebugged
jne being_debugged
Or use 64-bit code to detect 64-bit environments
`asm
push 60h
pop rsi gs:lodsq ;Process Environment Block
cmp b [rax+2], 0 ;check BeingDebugged
jne being_debugged
Or use a 32-bit code to detect a 64-bit environment
`` `asm
mov eax, fs:[30h] ;Process Environment Block
;64-bit Process Environment Block
;follows 32-bit Process Environment Block
cmp b [eax+1002h], 0 ;check BeingDebugged
jne being_debugged
How to bypass¶
To overcome these tests, just set the BeingDebugged flag to 0 (or change the return value).
本页面的全部内容在 CC BY-NC-SA 4.0 协议之条款下提供,附加条款亦可能应用。