Open sndcode opened 8 years ago
Take a look at IsDebuggerPresent() online and work with that.
I've been studying anti-debugging methods for a little while, and if the assembly is built to target the .NET 2.0 framework, Kernel32+IsDebuggerPresent() will always return 0, because it does not debug native calls.
However, if the assembly is >=.NET4.0, native calls will work, and IsDebuggerPresent() will be accurate.
This means that the following code below will detect most debuggers, with an exception for dnSpy because it makes Debugger.IsAttached return 0 or false
[DllImport("Kernel32.dll")]
public static extern IntPtr IsDebuggerPresent(); //IntPtr because the address will change if the assembly is compiled to amd64. This works in both x86 and x64 (as long as .NET >= 4.0)
public bool IsProgramDebugged() {
return (Debugger.IsAttached || IsDebuggerPresent() != IntPtr.Zero);
}
Id personally love to see something against debugging the obfuscated assembly :)