IsDebuggerPresent API

I was interested in learning about the anti-reversing techniques in the world of reverse engineering. There are so many techniques out there and I thought of trying few techniques and understanding them from the lowest level. I thought of sharing the things I’ve been experimenting these days.
IsDebuggerPresent is a Windows API that can be used to detect a debugger. Here’s an example code:

 * IsDebuggerPresent Example
 * Author: Osanda Malith Jayathissa (@OsandaMalith)
 * Website:	

#include <windows.h>

int main() {	
	MessageBox(0, IsDebuggerPresent() ? "Debugger found" : "Debugger not found","Status",0x30);

If we open in a debugger “Debugger Found” text will get triggered in the MessageBox API. How this API works? Open the API in the debugger and you get the following piece of code.


FS is a special kind of segment register which contains pointers to Windows kernel data structures related to the current Process/Thread. FS:[18] is the pointer to the TIB structure. Thread Information Block is also known as the Thread Environment Block. It describes the state of the thread.
Let’s explore the TEB structure using a WinDBG.

As you can see 0x30 is a pointer to the PEB structure which is the Process Information Block. It contains process information as the name describes. So MOV EAX,DWORD PTR DS:[EAX+30] will move the address of the PEB.

This is how the PEB Structure looks like.

MOVZX EAX,BYTE PTR DS:[EAX+2] will move the BeingDebugged bit with zero extend to EAX.
If we check the BeingDebugged bit in this context you can it’s set to 1, meaning the program is being currently debugged.

I hope you understand the logic behind the IsDebuggerPresent API. Here’s an example using FASM that I have coded to check for a debugger. Instead of this API you could code using inline assembly in C/C++ applications to check for the BeingDebugged bit.

Here’s an example using C in which I first the address of the PEB using the ZwQueryInformationProcess kernel API and then check for the BeingDebugged bit. The API describes using ProcessBasicInformation as the ProcessInformationClass we can retrieve a pointer to a PEB structure.

NTSTATUS WINAPI ZwQueryInformationProcess(
  _In_      HANDLE           ProcessHandle,
  _In_      PROCESSINFOCLASS ProcessInformationClass,
  _Out_     PVOID            ProcessInformation,
  _In_      ULONG            ProcessInformationLength,
  _Out_opt_ PULONG           ReturnLength

If you check the documentation you can see that PebBaseAddress is a member of the ProcessBasicInformation structure and it points to the PEB. So we use a pointer to ProcessBasicInformation as the ProcessInformationClass parameter.

    PVOID Reserved1;
    PPEB PebBaseAddress;
    PVOID Reserved2[2];
    ULONG_PTR UniqueProcessId;
    PVOID Reserved3;
Here’s an example I’ve written using C/C++ to get the BeingDebugged Bit.

You can check out this link to see the Evolution of the PEB over the years in Windows systems. This was created by ReWolf 🙂

There are lots of great articles and resources out there to learn more. Hope to share more of anti-debugging tricks which I have understood and have experimented on my own with examples.


2 thoughts on “IsDebuggerPresent API

  1. Pingback: Debugger Detection Using NtGlobalFlag | Blog of Osanda

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s