determine if debugger is enabled/disabled

traumatic · Post by **traumatic** » Tue Jan 31, 2006 3:10 pm

Somone on IRC asked if there's a way to determine whether the
debugger is being used or not. Since there's no "#compilerif-flag"
for this purpose, I came up with this:

Code: Select all

;
; returns #TRUE if debugger is enabled
; #FALSE otherwise
;
Procedure DebuggerEnabled()
  !if defined _PB_DEBUGGER_Control
  !mov eax, 1
  !else
  !mov eax, 0
  !end if
  ProcedureReturn
EndProcedure

Don't know, maybe it's useful to others as well (that's why I'm posting it here

).

Post by **Dare2** » Tue Jan 31, 2006 3:12 pm

Yes it is useful. As is, and for expanding knowledge/horizons.

Thanks.

dige · Post by **dige** » Tue Jan 31, 2006 3:12 pm

Great!!! That's exactly what Im looking for... Thank you :D

traumatic · Post by **traumatic** » Tue Jan 31, 2006 3:14 pm

dige, didn't we meet on IRC lately?

Post by **Fred** » Tue Jan 31, 2006 3:14 pm

gnozal · Post by **gnozal** » Tue Jan 31, 2006 3:19 pm

Another (generic) one :

Code: Select all

;
; Inline ASM enabled
;
Procedure TestDebugger()
  !RDTSC 
  XOR Ecx,Ecx 
  ADD Ecx,Eax 
  !RDTSC 
  SUB Eax,Ecx 
  CMP Eax,$96 
  JB l_testdebuggerfast
  ProcedureReturn 1 ; debugger present
  testdebuggerfast:
  ProcedureReturn 0 ; no debugger
EndProcedure
;
MessageRequester("", Str(TestDebugger()))

Seems to work for me.

netmaestro · Post by **netmaestro** » Wed Feb 01, 2006 10:20 am

Here on PB 3.94, AMD 64 proc, traumatic code reports correctly, gnozal code says 0 in all cases.

Max. · Post by **Max.** » Wed Feb 01, 2006 12:10 pm

netmaestro wrote:Here on PB 3.94, AMD 64 proc, traumatic code reports correctly, gnozal code says 0 in all cases.

AFAIK, gnozal's code times execution speed (which is slower with enabled debuggers). You probably need to adjust the CMP Eax,$96 for a correct result, but probably it does not work with the PB debugger at all.

thefool · Post by **thefool** » Wed Feb 01, 2006 12:43 pm

Well i did this:

Code: Select all

Procedure isdebugger()
label:
a=1
If PeekB(?label)=104
ProcedureReturn 1
EndIf
EndProcedure

MessageRequester(Str(isdebugger()),"")

It simply looks at the byte in memory @the label. If the debugger is there it adds some instructions between your own, and then the result isnt the same. This of course only works with the pb debugger, as f.ex ollydbg does not add such stuff.

To detect other debuggers you can use the api command IsDebuggerPresent_().. :

Code: Select all

If IsDebuggerPresent_()
MessageRequester("","Debugger is active!")
Else
MessageRequester("","No debugger")
EndIf

SFSxOI · Post by **SFSxOI** » Wed Feb 01, 2006 6:40 pm

What if you want to keep other debuggers from attaching?

thefool · Post by **thefool** » Wed Feb 01, 2006 6:56 pm

SFSxOI wrote:What if you want to keep other debuggers from attaching?

Please read what i post

To detect other debuggers you can use the api command IsDebuggerPresent_().. :

Code:
If IsDebuggerPresent_()
MessageRequester("","Debugger is active!")
Else
MessageRequester("","No debugger")
EndIf

notice that its not hard to overrule that check so better hide it. And the api command isnt that hard to find, however its one method to get rid of totally newbie crackers.

SFSxOI · Post by **SFSxOI** » Wed Feb 01, 2006 7:06 pm

OK i see it now...duh!