12.14. Detecting Windows Debuggers
Problem
You need to prevent someone from debugging a Windows binary.
Solution
The Win32 API provides the IsDebuggerPresent( ) function for checking whether the current process is being debugged. It returns nonzero if a debugger is present.
Discussion
The simplest method of detecting the presence of a debugger on Windows is to use the IsDebuggerPresent( ) Win32 API function. It is exported by the system DLL kernel32.dll and is available on Windows 98, Windows ME, and Windows NT 4.0 and later. Note that it is not available on Windows 95 or Windows NT 3.51 or earlier.
This method only detects process debuggers that rely on the Win32 Debug API, and it can easily be circumvented by using a ring0 (kernel-mode) debugger such as SoftICE. This, and other methods of varying quality, have appeared in many tutorials on software protection, virus writing, and software cracking.
See Also
“Anti-Debugging in Win32” by Lord Julus: http://vx.netlux.org/texts/html/lj_vx03.html
“Win32 Anti-Debugging Tricks” by Billy Belcebu: http://library.succurit.com/virus/ANTIDEBG.TXT