ayoubfaouzi / al-khaser

Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
GNU General Public License v2.0

The Trap Flag #180

Closed ghost closed 4 years ago

ghost commented 5 years ago

This approach is similar to the previous one, except that here you enable the trap flag in the current process and check whether an exception is raised or not. If an exception is not raised, you can assume that a debugger has “swallowed” the exception for us, and that the program is being traced. The beauty of this approach is that it detects every debugger, user mode or kernel mode, because they all use the trap flag for tracing a program. The following is a sample implementation of this technique. Again, the code is written in C for the Microsoft C/C++ compiler.

```c
#include <windows.h>
#include <stdio.h>

// MSVC, 32-bit build only: the _asm block below is x86 inline assembly,
// which the 64-bit Microsoft compiler does not accept.
int main(void)
{
    BOOL bExceptionHit = FALSE;
    __try
    {
        _asm
        {
            pushfd
            or dword ptr [esp], 0x100 // Set the Trap Flag
            popfd                     // Load value into EFLAGS register
            nop                       // Single-step trap fires after this instruction
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        bExceptionHit = TRUE; // An exception has been raised -
                              // there is no debugger.
    }
    if (bExceptionHit == FALSE)
        printf("A debugger is present!\n");
    return 0;
}
```

Just as with the previous approach, this trick is somewhat limited because the PUSHFD and POPFD instructions really stand out. Additionally, some debuggers will only be detected if the detection code is being stepped through; in such cases the mere presence of the debugger won't be detected as long as the code is not being traced.

This technique is from https://github.com/wanttobeno/AntiDebuggers/blob/master/Tencent2016D.cpp#L541 and the book Reversing: Secrets of Reverse Engineering.

Need to add to al-khaser?
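The same mechanism can be shown on Linux/x86-64 with GCC, where the single-step trap arrives as SIGTRAP instead of a SEH exception and a ptrace-based tracer receives it before the tracee's handler does. The following is an added example, not code from the issue or from al-khaser; the function name `trap_flag_detects_tracer` and the handler `on_sigtrap` are my own. It sets TF in RFLAGS, executes one NOP, and reports whether the process saw its own SIGTRAP. The handler also clears TF in the saved context, because Linux restores the trapped RFLAGS on sigreturn and would otherwise keep single-stepping after the handler returns.

```c
#define _GNU_SOURCE            /* needed for REG_EFL in <sys/ucontext.h> on glibc */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Set by the handler when the process receives its own single-step trap. */
static volatile sig_atomic_t trap_hit = 0;

static void on_sigtrap(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)info;
    trap_hit = 1;
#if defined(__x86_64__)
    /* Clear TF (bit 8) in the saved RFLAGS so sigreturn does not
       re-arm single-stepping and trap us again on the next instruction. */
    ucontext_t *uc = (ucontext_t *)ctx;
    uc->uc_mcontext.gregs[REG_EFL] &= ~0x100L;
#else
    (void)ctx;
#endif
}

/* Returns 1 if the single-step trap was swallowed (a tracer consumed it),
   0 if the process handled its own SIGTRAP (no tracer), -1 if unsupported
   or if installing the handler failed. */
int trap_flag_detects_tracer(void)
{
#if defined(__x86_64__)
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    trap_hit = 0;
    __asm__ __volatile__(
        "pushfq\n\t"
        "orq $0x100, (%%rsp)\n\t"   /* set the Trap Flag in the saved RFLAGS */
        "popfq\n\t"                  /* load RFLAGS; TF is now active */
        "nop\n\t"                    /* #DB fires after this instruction */
        ::: "memory", "cc");

    sigaction(SIGTRAP, &old, NULL);  /* restore the previous disposition */
    return trap_hit ? 0 : 1;
#else
    return -1;
#endif
}

int main(void)
{
    int r = trap_flag_detects_tracer();
    if (r < 0)
        puts("trap-flag check not supported on this platform");
    else if (r == 1)
        puts("A debugger is present!");
    else
        puts("No tracer: the process received its own single-step trap");
    return 0;
}
```

Run normally the process sees its SIGTRAP and reports no tracer; under gdb, whose default disposition for SIGTRAP is to stop without passing the signal on, the handler never runs and the check fires, which is exactly the "swallowed exception" the post describes. A tracer that wants to stay invisible to this check has to forward trap-flag SIGTRAPs to the tracee's own handler rather than consume them.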

ayoubfaouzi commented 4 years ago

Hello @lurumdare

I had a look and made a quick implementation. Thanks for sharing.