Easiest Way for an App to Determine Whether It Is Running in a Debugger?

Started by raleeper, April 21, 2012, 12:13:49 PM


raleeper

I use WinDbg 6, but hopefully there is some method that works for all.

I would like to be able to disable certain potentially destructive functions, such as diskfile writes and deletes, while debugging code that might use those functions.

Thanks,  Robert

dedndave

you could do it with conditional assembly   :P

RalDebug = 1 ;set to 0 if debugging
;
;
;
.if RalDebug
        INVOKE  WriteFile......
.else
        mov     eax,TRUE
.endif

a more deluxified version - you could set the dwNumberOfBytesWritten value to whatever was in the 3rd parameter
maybe write a NotWrite function to do it for you

qWord

FPU in a trice: SmplMath
It's that simple!

raleeper

Thanks to dedndave & qWord.  Looks as if both conditional assembly & IsDebuggerPresent() would work.

Conditional assembly is obvious once you think of it and I should have.  It will meet my need easily.  dedndave, you answered the question I should have asked.

qWord, you answered the question I thought I was asking - for a runtime way to determine - and while I haven't gone into details, it looks as if that might be useful too.

Thank you, Robert
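As an added example (not code from dedndave, qWord or anyone else in this thread), here is the runtime variant of dedndave's "NotWrite" idea: a WriteFile wrapper that calls IsDebuggerPresent and, while a debugger is attached, reports success without touching the disk. It assumes the MASM32 SDK include paths; the name SafeWriteFile, the file path and the data string are constructed for illustration.

```masm
; Added example: a WriteFile wrapper that becomes a no-op while a debugger
; is attached. Assumes the MASM32 SDK include paths; the file name, data
; string and the name SafeWriteFile are constructed for illustration.
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
szFile    db "C:\temp\raleeper_test.txt", 0          ; constructed sample path
szData    db "written only when no debugger is attached", 13, 10
DATA_LEN  equ $ - szData

.data?
dwWritten dd ?

.code
; Same parameters as WriteFile. When IsDebuggerPresent (PEB->BeingDebugged)
; reports a debugger, return TRUE and the requested byte count without
; touching the disk; otherwise forward the call to the real WriteFile.
SafeWriteFile PROC USES esi hFile:DWORD, lpBuffer:DWORD, nBytes:DWORD, lpWritten:DWORD, lpOverlapped:DWORD
    invoke IsDebuggerPresent
    test   eax, eax
    jz     real_write
    mov    esi, lpWritten
    .if esi != NULL
        mov eax, nBytes
        mov [esi], eax              ; pretend every byte was written
    .endif
    mov    eax, TRUE
    ret
real_write:
    invoke WriteFile, hFile, lpBuffer, nBytes, lpWritten, lpOverlapped
    ret
SafeWriteFile ENDP

start:
    ; OPEN_ALWAYS creates an empty file if missing but never truncates data
    invoke CreateFile, addr szFile, GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
    .if eax == INVALID_HANDLE_VALUE
        invoke ExitProcess, 1
    .endif
    mov    esi, eax
    invoke SafeWriteFile, esi, addr szData, DATA_LEN, addr dwWritten, NULL
    invoke CloseHandle, esi
    invoke ExitProcess, 0
end start
```

Run it once normally and once under WinDbg: the file gains a line only in the first run, while dwWritten holds DATA_LEN in both.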

ragdog

here is a simple macro for IsDebuggerPresent


DEBUG_VERSION equ 1

Debug MACRO
    .if DEBUG_VERSION
        pushad                      ; save all 32-bit registers (pusha only saves the 16-bit ones)
        invoke   IsDebuggerPresent
        test     eax,eax
        popad                       ; popad does not touch the flags set by test
        jz       @F                 ; no debugger attached: skip the breakpoint
        int 3                       ; 0CCh: break into the attached debugger
    @@:
    .endif
ENDM

Debug  ; <=== here the run will stop and debugging of this procedure starts
invoke wsprintf,addr @Result,addr szFrm,eax
invoke MessageBox,0,addr @Result,0,MB_OK

qWord

Quote from: shlomok on April 21, 2012, 09:02:09 PM
There is an official paper by Microsoft research 
That is not true! Furthermore, its content has nothing to do with raleeper's question.

shlomok

Quote from: qWord on April 21, 2012, 09:17:26 PM
Quote from: shlomok on April 21, 2012, 09:02:09 PM
There is an official paper by Microsoft research 
That is not true! Furthermore, its content has nothing to do with raleeper's question.

Ok, I agree that might have been misleading , a better description would be a paper by a researcher at Microsoft.

Why does it have nothing to do with his question??? Quote from the paper:

d. Special APIs
i. IsDebuggerPresent
The kernel32 IsDebuggerPresent() function was introduced in Windows 95. It returns TRUE if a debugger is present. Internally, it simply returns the value of the
PEB->BeingDebugged flag.
Example code looks like this:

call IsDebuggerPresent
test al, al
jne being_debugged
Some packers avoid using the kernel32 IsDebuggerPresent() function ...


Are you worried that he will read the rest of the paper? Nothing is going to happen; on the contrary, he will be more knowledgeable and a better programmer.

S.

qWord

Quote: ANTI-UNPACKER TRICKS
that is not what he asked for ... but you're right, the function is described.

shlomok

Quote from: qWord on April 21, 2012, 09:44:58 PM
Quote: ANTI-UNPACKER TRICKS
that is not what he asked for ... but you're right, the function is described.

Now you are misleading.
Peter is the head of the Malware Research and Response at Microsoft and the paper describes COUNTERMEASURES against "anti unpacker tricks".


qWord

Quote from: shlomok on April 21, 2012, 09:52:25 PM
Now you are misleading.
Peter is the head of the Malware Research and Response at Microsoft and the paper describes COUNTERMEASURES against "anti unpacker tricks".
fantastic, but that is not what raleeper asked for!

shlomok

Quote from: qWord on April 21, 2012, 10:00:34 PM
fantastic, but that is not what raleeper asked for!

qWord,
I have THAT much respect for you, so, I agree again, this is not exactly what he asked for. 


qWord

Quote from: shlomok on April 21, 2012, 10:06:30 PM
I have THAT much respect for you, so, I agree again, this is not exactly what he asked for.
sorry for being so harsh.
The problem with your (and zemtex's) posts is that they make a legitimate question dubious (IMO).

raleeper

Quote from: zemtex on April 21, 2012, 08:37:43 PM
If you are the one who is going to debug your own program, it is enough to use IsDebuggerPresent, but if you need to determine whether another player has neutralized IsDebuggerPresent, you can debug your own application programmatically; when you debug it, check if IsDebuggerPresent returns 0. If it does, then it has been neutralized and is being debugged against your wish. It is very easy to neutralize it with VirtualAllocEx and CreateRemoteThread (or DLL injection, for that matter).

Useful related information.  I am debugging my own program, and after dedndave reminded me of conditional assembly, I realize that I need to prevent faulty code from corrupting files whether or not I am running it in a debugger, and conditional assembly makes that easy.

IF AppName NE "lfwStable"... (have to look up exact syntax).

But I have filed your reply for future reference.

Thanks, Robert

jj2007

It's @FileName:

ifidni @FileName, <lfwStable>
% echo @FileName is the stable one
.err
endif

BogdanOntanu

shlomok and zemtex,

Please do not move the discussions into the grey area of unpacking and anti debugging tricks...
Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro