Code Examples

***NOTE***: This page does not list every class and method available. The full project is available from the download page.

Initialize a new object and use the available methods

  • DirectDebuggerDetection

i) bool DebuggerPresent()

ii) int RemoteDebuggerPresent()

Include the DirectDebuggerDetection.h and add the DirectDebuggerDetectionFunc.cpp to your project.

Initialize a new instance of the class:


DirectDebuggerDetection * directdbg = new DirectDebuggerDetection();

Use the methods:


if(directdbg->DebuggerPresent())
{
    cout << endl << "Attached Debugger Detected!!!" << endl;
}
else
{
    cout << endl << "No Attached Debugger Detected..." << endl;
}


/* call the check once and reuse the result */
int remotedbg = directdbg->RemoteDebuggerPresent();

if(remotedbg == 1)
{
    cout << endl << "Attached Debugger Detected!!!" << endl;
}
else if(remotedbg == 0)
{
    cout << endl << "No Attached Debugger Detected..." << endl;
}
/* other return values are error codes; see the documentation */


  • IndirectDebuggerDetection

i) bool DebugString()

ii) int OpenServicesProcess()

Include the IndirectDebuggerDetection.h and add the IndirectDebuggerDetectionFunc.cpp to your project.

Initialize a new instance of the class:


IndirectDebuggerDetection * indirectdbg = new IndirectDebuggerDetection();


Use the methods:


if(indirectdbg->DebugString())
{
    cout << endl << "User-mode debugger through message to debugger has been Detected!!!" << endl;
}
else
{
    cout << endl << "User-mode debugger through message to debugger has Not been Detected..." << endl;
}


/* call the check once and reuse the result */
int svcproc = indirectdbg->OpenServicesProcess();

if(svcproc == 1)
{
    cout << endl << "Debugger Detected through OpenProcess to a system process!!!" << endl;
}
else if(svcproc == 0)
{
    cout << endl << "Debugger Not Detected through OpenProcess to a system process..." << endl;
}
/* other return values are error codes; see the documentation */


  • WindowDebuggerDetection

i) bool SpecificWindowNameDetection(string windowname)

ii) bool SpecificWindowClassDetection(string classname)

iii) void SetListSize()

iv) int GetListSize()

v) bool ListWindowClassDetection(string * arraymemlocation, int listsize)

Include the WindowDebuggerDetection.h and add the WindowDebuggerDetectionFunc.cpp to your project.

Initialize a new instance of the class:


WindowDebuggerDetection * windowdebug = new WindowDebuggerDetection();

Use the methods:


//Detect Olly Debugger example through window class name

if(windowdebug->SpecificWindowClassDetection("OLLYDBG"))
{
    cout << endl << "Specific Window of Debugger/Reversing Tool Detected through class name!!!" << endl;
}
else
{
    cout << endl << "Specific Window of Debugger/Reversing Tool Not Detected through class name..." << endl;
}


//Detect Olly Debugger example through window title

if(windowdebug->SpecificWindowNameDetection("OLLYDBG"))
{
    cout << endl << "Specific Window of Debugger/Reversing Tool Detected through title name!!!" << endl;
}
else
{
    cout << endl << "Specific Window of Debugger/Reversing Tool Not Detected through title name..." << endl;
}


/*Detect a debugger or a reversing tool from a predefined list
  of window class names.
  Read the documentation above.*/

if(windowdebug->ListWindowClassDetection(windowdebug->SetReverseToolsList(), windowdebug->GetListSize()))
{
    cout << endl << "A Window of Debugger/Reversing Tool has been Detected through its class name from the predefined list!!!" << endl;
}
else
{
    cout << endl << "A Window of Debugger/Reversing Tool has NOT been Detected through its class name from the predefined list..." << endl;
}


  • ProcessDebuggerDetection

i) string * SetProcessList()

ii) void SetListSize()

iii) int GetListSize()

iv) int ProcessListDetection(string * arraymemlocation, int listsize)

Include the ProcessDebuggerDetection.h and add the ProcessDebuggerDetectionFunc.cpp to your project.

Initialize a new instance of the class:


ProcessDebuggerDetection * procdbg = new ProcessDebuggerDetection();

Use the methods:


/* run the check once and reuse the result */
int procfound = procdbg->ProcessListDetection(procdbg->SetProcessList(), procdbg->GetListSize());

if(procfound == 1)
{
    cout << endl << "Debugger/Reversing Tool running process Detected from our process name list!!!" << endl;
}
else if(procfound == 0)
{
    cout << endl << "Debugger/Reversing Tool running process Not Detected from our process name list..." << endl;
}
/* other return values are error codes; see the documentation */


  • ModuleDebuggerDetection

i) string * SetModulesList()

ii) void SetListSize()

iii) int GetListSize()

iv) int ModuleDetection(string * arraymemlocation, int listsize)

Include the ModuleDebuggerDetection.h and add the ModuleDebuggerDetectionFunc.cpp to your project.

Initialize a new instance of the class:


ModuleDebuggerDetection * moddbg = new ModuleDebuggerDetection();

Use the methods:


/* run the check once and reuse the result */
int modfound = moddbg->ModuleDetection(moddbg->SetModulesList(), moddbg->GetListSize());

if(modfound == 1)
{
    cout << endl << "Debugger/Reversing tool detected through loaded modules!!!" << endl;
}
else if(modfound == 0)
{
    cout << endl << "No Debugger/Reversing tool detected through loaded modules...." << endl;
}
/* other return values are error codes; see the documentation */


  • ParentProcessDetection

i) int CheckParentProcess()

Include the ParentProcessDetection.h and add the ParentProcessDetectionFunc.cpp to your project.

Initialize a new instance of the class:


ParentProcessDetection * ppdetect = new ParentProcessDetection();

Use the methods:


/* run the check once and reuse the result */
int parentchk = ppdetect->CheckParentProcess();

if(parentchk == 1)
{
    cout << endl << "Debugger/Reversing Tool Detected through parent process id check!!!" << endl;
}
else if(parentchk == 0)
{
    cout << endl << "No Debugger/Reversing Tool Detected through parent process id check..." << endl;
}
/* other return values are error codes; see the documentation */


  • CodeTraceTimeDetection

i) DWORD StartExecutionTime()

ii) DWORD EndExecutionTime()

iii) DWORD GetTimeLimit()

iv) DWORD GetTotalTime()

v) void SetStartTime()

vi) void SetEndTime()

vii) void SetTimeLimit()

viii) void SetTotalTime()

ix) bool IsCodeBeingTaced()

Include the CodeTraceTimeDetection.h and add the CodeTraceTimeDetectionFunc.cpp to your project.

Initialize a new instance of the class:


CodeTraceTimeDetection * tracetime = new CodeTraceTimeDetection();

Use the methods:


tracetime->SetStartTime(); /* get the time before the execution of the code block */

/* the code block whose execution time you want to check goes here */

tracetime->SetEndTime(); /* get the time after the code block has been executed */

//perform the check

if(tracetime->IsCodeBeingTaced())
{
    cout << endl << "Debugger Detected through execution time check!!!" << endl;
}
else
{
    cout << endl << "Debugger Not Detected through execution time check..." << endl;
}


  • HardwareBreakPointDetection

i) int HwdBreakPoint()

Include the HardwareBreakPointDetection.h and add the HardwareBreakPointDetectionFunc.cpp to your project.

Initialize a new instance of the class:


HardwareBreakPointDetection * hwdbp = new HardwareBreakPointDetection();

Use the methods:


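/* run the check once and reuse the result */
int hwbp = hwdbp->HwdBreakPoint();

if(hwbp == 1)
{
    cout << endl << "Hardware Breakpoint has been Detected!!!" << endl;
}
else if(hwbp == 0)
{
    cout << endl << "Hardware Breakpoint has Not been Detected..." << endl;
}
/* other return values are error codes; see the documentation */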


  • ApiBreakPointDetection

i) int ApiBreakPoint(char * DLL, char * API)

Include the ApiBreakPointDetection.h and add the ApiBreakPointDetectionFunc.cpp to your project.

Initialize a new instance of the class:


ApiBreakPointDetection * apibp = new ApiBreakPointDetection();

Use the methods:


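/* Example: Check for software breakpoint at the entrypoint of OutputDebugStringA */

/* ApiBreakPoint takes char *, so use writable arrays rather than string literals */
char dll[] = "kernel32";
char api[] = "OutputDebugStringA";

/* run the check once and reuse the result */
int apibpresult = apibp->ApiBreakPoint(dll, api);

if(apibpresult == 1)
{
    cout << endl << "Breakpoint Detected on protected API!!!" << endl;
}
else if(apibpresult == 0)
{
    cout << endl << "Breakpoint Not Detected on protected API..." << endl;
}
/* other return values are error codes; see the documentation */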


  • SehDbgDetection

i) bool CloseHandleExcepDetection(HANDLE invalid)

ii) bool SingleStepExcepDetection()

Include the SehDebuggerDetection.h and add the SehDebuggerDetectionFunc.cpp to your project.

Initialize a new instance of the class:


SehDbgDetection * sehdbgdetect = new SehDbgDetection();

Use the methods:


//pass an invalid handle
if(sehdbgdetect->CloseHandleExcepDetection((HANDLE)0x90909090))
{
    cout << endl << "Debugger detected through CloseHandle() exception!!!" << endl;
}
else
{
    cout << endl << "Debugger Not detected through CloseHandle() exception..." << endl;
}


if(sehdbgdetect->SingleStepExcepDetection())
{
    cout << endl << "Debugger detected through Single Step exception!!!" << endl;
}
else
{
    cout << endl << "Debugger NOT detected through Single Step exception..." << endl;
}


  • AntiAttach

i) int AntiAttachSet()

ii) void AntiAttachSelfDebug()

Include the AntiAttach.h and add the AntiAttachFunc.cpp to your project.

Initialize a new instance of the class:


AntiAttach * antiattach = new AntiAttach();

Use the methods:


if(antiattach->AntiAttachSet() == 1)
{
    cout << endl << "Parent Anti-Attach has been set successfully!!!" << endl;
}
else
{
    cout << endl << "There was an error while setting the Anti-Attach..." << endl;
}


antiattach->AntiAttachSelfDebug(); /* see the documentation for more info */

cout << endl << "SelfDebug Anti-Attach has been applied!!!" << endl;


***Final Note:*** Most of the methods will return an error code in case something goes wrong in the implementation.

Check the documentation about the return values of each function and the corresponding possible error codes they may return.

Don’t forget that the purpose of the detection methods is just to detect and not to provide countermeasures.

It is always up to you to decide what should happen if a debugger is detected by any of the detection methods provided here.

Always remember that imagination is the best anti-reversing method!
