By checking the parent process of a given process we can determine if the process is being debugged or not by expecting “explorer.exe” to be the usual parent process started by the user.
For this technique the following Windows APIs are used.
We also use a pointer to PROCESSENTRY32 structure which will store the information of each process taken from the snapshot.
typedef struct tagPROCESSENTRY32 {
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID;
ULONG_PTR th32DefaultHeapID;
DWORD th32ModuleID;
DWORD cntThreads;
DWORD th32ParentProcessID;
LONG pcPriClassBase;
DWORD dwFlags;
TCHAR szExeFile[MAX_PATH];
} PROCESSENTRY32, *PPROCESSENTRY32;
First we get the PID of the explorer.exe process by taking a snapshot of all process and enumerating through the list. Next we again take a snapshot and locate the current Process ID (PID) of our process by enumerating through the list and then we evaluate if the Parent Process ID (PPID) of our current process is equal to “explorer.exe”.
In case if someone rename something else as “explorer.exe” we can write more checks to determine if the parent process is equal “explorer.exe”.
Here’s an example I wrote in C.
https://github.com/OsandaMalith/Anti-Debug/blob/master/PPID/ppid.c
This is an example which I wrote in MASM.
https://github.com/OsandaMalith/Anti-Debug/blob/master/PPID/ppid.asm
Example when we normally run the program.
When the PPID is not equal to explorer.exe.
One thought on “Parent Process Detection”