Windows API: CheckRemoteDebuggerPresent

CheckRemoteDebuggerPresent() is a kernel32.dll function that sets its DebuggerPresent output parameter to 0xffffffff (-1) when a debugger is attached to the queried process. Internally it calls NtQueryInformationProcess() with ProcessDebugPort as the ProcessInformationClass parameter.

Code Snippets

#include <windows.h>

int main(void)
{
    BOOL HasDebugPort = FALSE;

    // The return value only reports whether the call itself succeeded;
    // the debugger state is written to HasDebugPort, so test both.
    if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &HasDebugPort) && HasDebugPort)
    {
        ExitProcess(0); // Running in ring-3 debugger
    }
    // Running outside ring-3 debugger
    return 0;
}

YARA Rules

rule DebuggerCheck__RemoteAPI {
    meta:
        description = "Rule to RemoteAPI debugger check"
        author = "Thibault Seret"
        date = "2020-09-26"
    strings:
        $s1 = "CheckRemoteDebuggerPresent"
    condition:
        any of them
}
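The YARA rule above fires on the API name anywhere in the file. As an added triage example (not code from the original page), the following Python parses the PE import directory with the standard library only and reports whether the binary actually imports CheckRemoteDebuggerPresent or the NtQueryInformationProcess it wraps; the sample PE it builds is a constructed, non-executable header-plus-import-section shell, and the function names flagged are assumptions tied to this page (an NtQueryInformationProcess import is a heuristic, since that API has many legitimate uses).

```python
import struct

DEBUG_CHECK_APIS = {"CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}

def pe_imports(data):  # -> {dll: [function, ...]} from a PE32/PE32+ import directory
    cstr = lambda o: data[o:data.index(b"\0", o)].decode("ascii")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, optsize = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                      # optional header
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B             # PE32+ magic
    imp_rva = struct.unpack_from("<I", data, opt + (120 if plus else 104))[0]  # data directory 1
    secs = [struct.unpack_from("<IIII", data, opt + optsize + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                                      # RVA -> file offset
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError("RVA %#x outside all sections" % rva)
    fmt, width = ("<Q", 8) if plus else ("<I", 4)
    result, d = {}, off(imp_rva)
    while (desc := struct.unpack_from("<5I", data, d))[3] != 0:        # Name == 0 ends the table
        funcs, t = [], off(desc[0] or desc[4])                         # OriginalFirstThunk or FirstThunk
        while (thunk := struct.unpack_from(fmt, data, t)[0]) != 0:
            if not thunk >> (width * 8 - 1):                           # high bit set = import by ordinal
                funcs.append(cstr(off(thunk) + 2))                     # skip the 2-byte Hint
            t += width
        result[cstr(off(desc[3]))] = funcs
        d += 20
    return result

def debugger_check_imports(data):  # sorted API names this page's technique relies on
    return sorted(f for fs in pe_imports(data).values() for f in fs if f in DEBUG_CHECK_APIS)

def build_sample_pe(imports):  # constructed PE32 shell: headers + one import section, no code
    rva = 0x200                                                        # section VA == raw offset
    base, descs, tail = rva + 20 * (len(imports) + 1), b"", b""
    for dll, funcs in imports.items():
        name_rva, tail = base + len(tail), tail + dll.encode() + b"\0"
        thunks = []
        for f in funcs:
            thunks, tail = thunks + [base + len(tail)], tail + b"\0\0" + f.encode() + b"\0"
        oft, tail = base + len(tail), tail + struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0)
        descs += struct.pack("<5I", oft, 0, 0, name_rva, oft)
    section = descs + b"\0" * 20 + tail
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # DOS header, e_lfanew = 0x40
           + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header
           + struct.pack("<H", 0x10B) + b"\0" * 102 + struct.pack("<II", rva, len(section)) + b"\0" * 112
           + b".idata\0\0" + struct.pack("<IIII", len(section), rva, len(section), rva) + b"\0" * 16)
    return hdr.ljust(rva, b"\0") + section
```

A binary that resolves the API at run time through GetProcAddress has no such import entry, so this static check complements rather than replaces the string rule.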
