GET /api/techniques/53/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "CheckRemoteDebuggerPresent",
    "category": [
        "https://search.unprotect.it/api/categories/3/"
    ],
    "description": "CheckRemoteDebuggerPresent is a kernel32.dll function that sets the DebuggerPresent output parameter to -1 (0xffffffff) if a debugger is present. Internally, it also uses NtQueryInformationProcess with ProcessDebugPort as the ProcessInformationClass parameter.",
    "resources": "https://msdn.microsoft.com/en-us/library/windows/desktop/ms679280(v=vs.85).aspx",
    "tags": "",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/6/",
            "technique": "https://search.unprotect.it/api/techniques/53/",
            "description": "",
            "plain_code": "#include \"windows.h\"\r\n \r\nint main(void)\r\n{\r\n    BOOL HasDebugPort = FALSE;\r\n \r\n    if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &HasDebugPort))\r\n    {\r\n           ExitProcess(0); // Running in ring-3 debugger\r\n    }\r\n    // Running outside ring-3 debugger\r\n    return 0;"
        }
    ],
    "detection_rules": [
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "capa_debugger_api",
            "rule": "rule:\r\n  meta:\r\n    name: check for debugger via API\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002]\r\n      - Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/CheckRemoteDebuggerPresent.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x420000\r\n  features:\r\n    - or:\r\n      - api: kernel32.CheckRemoteDebuggerPresent\r\n      - api: WUDFPlatform.WudfIsAnyDebuggerPresent\r\n      - api: WUDFPlatform.WudfIsKernelDebuggerPresent\r\n      - api: WUDFPlatform.WudfIsUserDebuggerPresent"
        }
    ]
}