XenocodeRCE / Noisette-Obfuscator

An Obfuscator for .NET assembly
GNU General Public License v3.0

feature request - Anti Debugger #11

Open sndcode opened 7 years ago

sndcode commented 7 years ago

I'd personally love to see something against debugging the obfuscated assembly :)

WilliamMailhot commented 7 years ago

Take a look at IsDebuggerPresent() online and work with that.

Rottweiler commented 7 years ago

I've been studying anti-debugging methods for a little while, and if the assembly is built to target the .NET 2.0 framework, Kernel32+IsDebuggerPresent() will always return 0, because it does not debug native calls.

However, if the assembly is >=.NET4.0, native calls will work, and IsDebuggerPresent() will be accurate.

This means that the following code below will detect most debuggers, with an exception for dnSpy because it makes Debugger.IsAttached return 0 or false:

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

[DllImport("Kernel32.dll")]
public static extern IntPtr IsDebuggerPresent(); // IntPtr because the address will change if the assembly is compiled to amd64. This works in both x86 and x64 (as long as .NET >= 4.0)

public bool IsProgramDebugged() {
    return (Debugger.IsAttached || IsDebuggerPresent() != IntPtr.Zero);
}
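
For anyone reviewing or triaging an assembly that carries the two checks discussed in this thread, the following is an added example (not part of the thread or of Noisette's code) that flags them from the names left in the metadata `#Strings` heap. It assumes the checks are called directly rather than through reflection or runtime-decoded strings; the function names and the sample byte strings are constructed for illustration.

```python
import re

# Names that stay in clear text in the #Strings heap when the checks are
# called directly: references to framework members and P/Invoke import
# names have to match the real target, so renaming cannot touch them.
MANAGED_CHECK = {"Debugger", "get_IsAttached"}  # Debugger.IsAttached getter
NATIVE_CHECK = {"IsDebuggerPresent"}            # P/Invoke import name
NATIVE_MODULES = {"kernel32", "kernel32.dll"}   # ModuleRef name, any case

IDENT = re.compile(rb"[A-Za-z_][A-Za-z0-9_.]{2,}")


def heap_names(blob):
    """Return the identifier-like, NUL-terminated strings found in blob."""
    names = set()
    for chunk in blob.split(b"\x00"):
        if IDENT.fullmatch(chunk):
            names.add(chunk.decode("ascii"))
    return names


def find_debugger_checks(blob):
    """Report which of the two debugger checks the assembly bytes reference."""
    names = heap_names(blob)
    lowered = {n.lower() for n in names}
    return {
        "managed_IsAttached": MANAGED_CHECK <= names,
        # Require the module reference too, so a user method that merely
        # happens to be called IsDebuggerPresent is not reported.
        "native_IsDebuggerPresent": NATIVE_CHECK <= names
        and bool(NATIVE_MODULES & lowered),
    }


def _heap(*names):
    """Build a constructed #Strings-style heap: NUL, then NUL-terminated names."""
    return b"\x00" + b"".join(n + b"\x00" for n in names)


# Constructed samples, not taken from a real assembly.
SAMPLE_BOTH = _heap(b"<Module>", b"IsProgramDebugged", b"Debugger",
                    b"get_IsAttached", b"IsDebuggerPresent", b"Kernel32.dll")
SAMPLE_MANAGED_ONLY = _heap(b"<Module>", b"Debugger", b"get_IsAttached")
SAMPLE_NAME_ONLY = _heap(b"<Module>", b"IsDebuggerPresent")

if __name__ == "__main__":
    for label, blob in [("both", SAMPLE_BOTH), ("managed", SAMPLE_MANAGED_ONLY)]:
        print(label, find_debugger_checks(blob))
```
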