IsDebuggerPresent API

Warning: Undefined array key 1 in /var/www/wptbox/wp-content/plugins/coblocks/src/blocks/gist/index.php on line 27

Warning: Undefined array key 1 in /var/www/wptbox/wp-content/plugins/coblocks/src/blocks/gist/index.php on line 27

I was interested in learning about the anti-reversing techniques in the world of reverse engineering. There are so many techniques out there and I thought of trying few techniques and understanding them from the lowest level. I thought of sharing the things I’ve been experimenting these days.
IsDebuggerPresent is a Windows API that can be used to detect a debugger. Here’s an example code:

[code language=”C”]
* IsDebuggerPresent Example
* Author: Osanda Malith Jayathissa (@OsandaMalith)
* Website:

#include <windows.h>

int main() {
MessageBox(0, IsDebuggerPresent() ? "Debugger found" : "Debugger not found","Status",0x30);

If we open in a debugger “Debugger Found” text will get triggered in the MessageBox API. How this API works? Open the API in the debugger and you get the following piece of code.

View post on

[code language=”C”]

FS is a special kind of segment register which contains pointers to Windows kernel data structures related to the current Process/Thread. FS:[18] is the pointer to the TIB structure. Thread Information Block is also known as the Thread Environment Block. It describes the state of the thread.
Let’s explore the TEB structure using a WinDBG.

View post on

As you can see 0x30 is a pointer to the PEB structure which is the Process Information Block. It contains process information as the name describes. So MOV EAX,DWORD PTR DS:[EAX+30] will move the address of the PEB.

View post on

This is how the PEB Structure looks like.

View post on

MOVZX EAX,BYTE PTR DS:[EAX+2] will move the BeingDebugged bit with zero extend to EAX.
If we check the BeingDebugged bit in this context you can it’s set to 1, meaning the program is being currently debugged.

View post on

I hope you understand the logic behind the IsDebuggerPresent API. Here’s an example using FASM that I have coded to check for a debugger. Instead of this API you could code using inline assembly in C/C++ applications to check for the BeingDebugged bit.

Here’s an example using C in which I first the address of the PEB using the ZwQueryInformationProcess kernel API and then check for the BeingDebugged bit. The API describes using ProcessBasicInformation as the ProcessInformationClass we can retrieve a pointer to a PEB structure.

[code language=”C”]
NTSTATUS WINAPI ZwQueryInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_Out_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength

If you check the documentation you can see that PebBaseAddress is a member of the ProcessBasicInformation structure and it points to the PEB. So we use a pointer to ProcessBasicInformation as the ProcessInformationClass parameter.

[code language=”C”]
PVOID Reserved1;
PPEB PebBaseAddress;
PVOID Reserved2[2];
ULONG_PTR UniqueProcessId;
PVOID Reserved3;
Here’s an example I’ve written using C/C++ to get the BeingDebugged Bit.

View post on

You can check out this link to see the Evolution of the PEB over the years in Windows systems. This was created by ReWolf 🙂

There are lots of great articles and resources out there to learn more. Hope to share more of anti-debugging tricks which I have understood and have experimented on my own with examples.

4 thoughts on “IsDebuggerPresent API

Leave a Reply