Binary Analysis
RE: Debugger Detection Functions May 24 2007 10:09PM
Aleksander P. Czarnowski (aleksander czarnowski avet com pl)
This is a great example of a very short and simple question which raises a long
and complex answer.
First of all you need to divide debugger detection into 2 areas: user
mode and kernel (ring0) ones. Secondly some tricks will not work on
certain lines of systems - for example detection procedures will look
different for Win9x and the NT line of systems.

I'll assume we are talking about NT and newer systems.

Softice can be detected by checking for certain device files. You can
also check Debug Registers or list of device drivers loaded.

You can also try to look for tracing signs like:
- insertion of int 3 (CCh opcode) within your code
- use of int 3 (try to call it and see what will happen)
- use of int 1
- measure execution time for certain areas of code

The last method can be implemented using the rdtsc instruction. To properly
measure execution time you first need to use the cpuid instruction between 2

As for IsDebuggerPresent you don't need to call this API - instead you
can use its code from your ring 3 code section:

;FASM format (32-bit code; what IsDebuggerPresent does internally)
mov eax, [fs:18h]          ; TEB self pointer
mov eax, [eax+30h]         ; TEB+30h -> PEB
movzx eax, byte [eax+2]    ; PEB+2 = BeingDebugged (non-zero if a debugger is attached)

The bad news: all those methods fail when you are using an emulator like the
x86-emu IDA plugin, unless you base your detection on calling different
API functions and assuming certain return values or memory

Alex Czarnowski

> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com
> [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Gleyson Melo
> Sent: Thursday, May 24, 2007 10:36 PM
> To: binaryanalysis (at) securityfocus (dot) com
> Subject: Debugger Detection Functions
> Hi Everyone!
> Does any one of you know the documented/undocumented
> ways to find out if there's a debugger running your Windows program?
> I know about the IsDebuggerPresent API function, but I don't
> know about others.
> _______________________
> Thanks a lot,
> Gleyson Melo

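The user-mode checks listed in Alex's reply (the PEB BeingDebugged byte, an int 3 probe, rdtsc fenced with cpuid, and looking for int 3 bytes planted in your own code), written out in C as an added example. This is not code from the original post or from the list. Assumptions, also marked in the comments: the PEB pointer is read from fs:[0x30] on 32-bit and gs:[0x60] on 64-bit Windows with BeingDebugged at offset 2 (the FASM snippet above takes the fs:[0x18] TEB route to the same byte); the Windows-only branches rely on the MSVC intrinsics __readfsdword, __readgsqword and __debugbreak plus SEH; the cycle threshold 0x10000 is an arbitrary demo value; and the machine-code bytes scanned are a constructed five-byte buffer, not a real function. On non-Windows or non-x86 builds the PEB and int 3 probes simply return 0; the timing fence and the code-region hash are portable.

```c
/* Added example (not from the original post): user-mode anti-debugging checks.
 * Offsets, intrinsics and the sample bytes below are assumptions of this demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(_WIN32) && defined(_MSC_VER)
#  include <windows.h>
#  include <intrin.h>      /* __readfsdword/__readgsqword, __debugbreak, __rdtsc, __cpuid */
#elif defined(__x86_64__) || defined(__i386__)
#  include <x86intrin.h>   /* __rdtsc */
#  include <cpuid.h>       /* __cpuid(level, a, b, c, d) macro */
#endif

/* 1. Read PEB->BeingDebugged directly instead of importing IsDebuggerPresent,
 *    so there is no API call to hook or set a breakpoint on.
 *    Assumed layout: fs:[0x30] (x86) / gs:[0x60] (x64) -> PEB, byte at PEB+2. */
int peb_being_debugged(void)
{
#if defined(_WIN32) && defined(_MSC_VER)
#  if defined(_WIN64)
    const uint8_t *peb = (const uint8_t *)__readgsqword(0x60);
#  else
    const uint8_t *peb = (const uint8_t *)__readfsdword(0x30);
#  endif
    return peb[2] != 0;
#else
    return 0;   /* no PEB on this platform */
#endif
}

/* 2. "Call int 3 and see what happens": without a debugger the breakpoint
 *    exception reaches our __except handler; an attached debugger normally
 *    consumes it first, so the handler never runs. MSVC SEH only. */
int int3_probe_debugger_present(void)
{
#if defined(_WIN32) && defined(_MSC_VER)
    int handler_ran = 0;
    __try { __debugbreak(); }
    __except (EXCEPTION_EXECUTE_HANDLER) { handler_ran = 1; }
    return !handler_ran;
#else
    return 0;
#endif
}

/* 3. rdtsc with cpuid as a serializing fence, so the read is not reordered
 *    around the code being timed. Returns 0 where there is no TSC. */
uint64_t serialized_tsc(void)
{
#if defined(_WIN32) && defined(_MSC_VER)
    int regs[4];
    __cpuid(regs, 0);
    return __rdtsc();
#elif defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);
    return __rdtsc();
#else
    return 0;
#endif
}

/* Decision kept separate from the timer so it is testable: single-stepping
 * or a breakpoint inside the timed window inflates the cycle delta. */
int timing_looks_traced(uint64_t start, uint64_t end, uint64_t threshold)
{
    return (end - start) > threshold;
}

/* 4. Looking for 0xCC in your own code. A raw byte count is noisy: compilers
 *    pad between functions with int 3 and 0xCC also appears inside immediates
 *    (B0 CC = mov al,0xCC). Hashing the region once at start-up and comparing
 *    later only fires on bytes that were actually changed. */
size_t count_int3_bytes(const uint8_t *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (code[i] == 0xCC);
    return n;
}

uint32_t region_hash(const uint8_t *code, size_t len)   /* FNV-1a, 32-bit */
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 16777619u;
    }
    return h;
}

/* Constructed sample "code": mov al,0xCC ; xor eax,eax ; ret */
static const uint8_t demo_code[] = { 0xB0, 0xCC, 0x31, 0xC0, 0xC3 };

/* Simulates a debugger planting int 3 over the first instruction after the
 * baseline hash was taken; returns 1 when the hash comparison catches it. */
int demo_breakpoint_detection(void)
{
    uint8_t live[sizeof demo_code];
    memcpy(live, demo_code, sizeof live);
    uint32_t baseline = region_hash(live, sizeof live); /* taken at start-up */
    live[0] = 0xCC;                                      /* debugger writes int 3 */
    return region_hash(live, sizeof live) != baseline;
}

int main(void)
{
    uint64_t t0 = serialized_tsc();
    volatile int sink = 0;
    for (int i = 0; i < 1000; i++) sink += i;            /* region being timed */
    uint64_t t1 = serialized_tsc();
    printf("BeingDebugged=%d int3probe=%d timing=%d naive0xCC=%zu hash=%d\n",
           peb_being_debugged(), int3_probe_debugger_present(),
           timing_looks_traced(t0, t1, 0x10000),
           count_int3_bytes(demo_code, sizeof demo_code),
           demo_breakpoint_detection());
    return 0;
}
```

Note that count_int3_bytes already reports one hit on the clean sample because of the 0xCC immediate, which is why the hash comparison is the check worth keeping. As the reply says, none of this helps against an emulator that can fake the PEB byte, the exception flow and the cycle counter.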

Copyright 2010, SecurityFocus