Noisette-Obfuscator

feature request - Anti Debugger

Open • sndcode opened this issue 7 years ago • 2 comments

I'd personally love to see something against debugging the obfuscated assembly :)

sndcode, Dec 01 '16 12:12

Take a look at IsDebuggerPresent() online and work with that.

WilliamMailhot, Jan 15 '17 00:01

I've been studying anti-debugging methods for a little while, and if the assembly is built to target the .NET 2.0 framework, Kernel32+IsDebuggerPresent() will always return 0, because it does not debug native calls.

However, if the assembly is >=.NET4.0, native calls will work, and IsDebuggerPresent() will be accurate.

This means that the following code below will detect most debuggers, with an exception for dnSpy because it makes Debugger.IsAttached return 0 or false:

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

public class AntiDebug { // wrapper class added so the snippet compiles
    [DllImport("Kernel32.dll")]
    public static extern IntPtr IsDebuggerPresent(); //IntPtr because the address will change if the assembly is compiled to amd64. This works in both x86 and x64 (as long as .NET >= 4.0)

    public bool IsProgramDebugged() {
        return (Debugger.IsAttached || IsDebuggerPresent() != IntPtr.Zero);
    }
}

Rottweiler, Feb 28 '17 22:02
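The two checks discussed in this thread, written as an added example (not code from the issue or from Noisette): it declares IsDebuggerPresent with the return type the Win32 documentation gives, BOOL, and reports the managed and native signals separately. The class and method names are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Hypothetical helper; the names are not from the issue thread.
internal static class DebuggerSignals
{
    // Win32 prototype: BOOL IsDebuggerPresent(void).
    // BOOL is a 32-bit value on both x86 and x64, marshalled to a managed bool.
    [DllImport("kernel32.dll", ExactSpelling = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool IsDebuggerPresent();

    // True when a managed debugger is attached through the CLR debugging API.
    public static bool ManagedDebuggerAttached()
    {
        return Debugger.IsAttached;
    }

    // True when the process's user-mode debugger flag is set.
    // Returns false where kernel32 is unavailable (non-Windows runtimes).
    public static bool NativeDebuggerPresent()
    {
        if (Environment.OSVersion.Platform != PlatformID.Win32NT)
            return false;
        try
        {
            return IsDebuggerPresent();
        }
        catch (DllNotFoundException) { return false; }
        catch (EntryPointNotFoundException) { return false; }
    }

    public static void Main()
    {
        bool managed = ManagedDebuggerAttached();
        bool native = NativeDebuggerPresent();
        // Report each signal on its own so it is clear which check fired.
        Console.WriteLine("managed={0} native={1} any={2}",
                          managed, native, managed || native);
    }
}
```

Reporting the two results separately shows which kind of debugger a given check actually reacts to.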