Debugger Detection using OutputDebugString + SEH

Here is a neat way to detect the presence of a ring3 (user-mode) debugger using OutputDebugString and SEH.

Apart from the already known way of using the OutputDebugString Windows API for this purpose, by checking the value left in the EAX register (already included in the A.R.F inside the IndirectDebuggerDetection class), today I am going to show you another way to use this API for the same purpose.

The concept is quite simple. If we call OutputDebugString to pass a string to the debugger and a debugger is attached, then when we return to user code the value in EAX will be a valid address inside the process address space.

However, if no debugger is attached, the value in EAX will be either 0 on Windows 7 (probably the same on Vista) or 1 on Windows XP (tested on WinXP SP3), which are of course not valid addresses.

So if we try to read the contents of that invalid memory address, an exception will be raised (EXCEPTION_ACCESS_VIOLATION, 0xC0000005) and we will know that a debugger is not attached.
On the other hand, if no exception occurs, we know that a debugger is attached.

So, here is an example:

#include <iostream>
#include <cstdlib>      // system()
#include <Windows.h>

using namespace std;

int main()
{
    // OutputDebugStringA is declared void; the value it leaves in EAX is an
    // implementation side effect, not a documented return value.
    OutputDebugStringA("aaaaa");

    __try
    {
        // MSVC x86 inline asm: dereference whatever OutputDebugStringA left in EAX.
        // If not debugged, EAX is 0 or 1 and the read raises EXCEPTION_ACCESS_VIOLATION.
        __asm mov ebx, dword ptr [eax]

        cout << "debugger found" << endl;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // Control lands here only if the read above faulted, i.e. EAX was not a valid address.
        cout << "no debugger" << endl;
    }

    system("pause");

    return 0;
}

There is no… imagination, that is, no power, so what would you think of also using the exception code value to do something with it, since the exception should occur when the process is not debugged… ;o)

Enjoy,

kyREcon
