Windows API: CheckRemoteDebuggerPresent

CheckRemoteDebuggerPresent() is a kernel32.dll function that reports whether the process identified by the handle passed to it is being debugged. On success it returns a non-zero BOOL and, if a debugger is attached, writes a non-zero value (historically 0xFFFFFFFF, i.e. -1) into the BOOL pointed to by its pbDebuggerPresent parameter; otherwise that value is FALSE. Note that the return value only signals that the query succeeded, not that a debugger was found, so callers have to test the output parameter as well. Despite its name the function is not limited to other processes: passing GetCurrentProcess() checks the calling process. Internally it calls NtQueryInformationProcess() with ProcessDebugPort as the ProcessInformationClass parameter and treats a non-zero debug port as "debugger present", which means hooking or patching either the kernel32 wrapper or the ntdll function underneath it defeats the check.

Code Snippets

#include <windows.h>

int main(void)
{
    BOOL HasDebugPort = FALSE;

    // The return value only reports whether the query succeeded; the answer is
    // written to HasDebugPort, so both must be checked.
    if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &HasDebugPort) && HasDebugPort)
        ExitProcess(0); // Running in ring-3 debugger

    // Running outside ring-3 debugger
    return 0;
}
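Added example, not code from the original page or its snippet: the same check driven from PowerShell through P/Invoke against an arbitrary process ID rather than the current process, which is the case the "Remote" in the name exists for, and cross-checked against the ProcessDebugPort query (information class 7) the wrapper relies on. The DbgCheck type, the Test-RemoteDebugger function and the choice of PROCESS_QUERY_INFORMATION access are this example's own; it assumes a Windows host where the caller is allowed to open the target process.

```powershell
# Added example (not from the original page). Assumes Windows; DbgCheck and
# Test-RemoteDebugger are names chosen for this example.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class DbgCheck {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    // BOOL CheckRemoteDebuggerPresent(HANDLE hProcess, PBOOL pbDebuggerPresent)
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, out bool pbDebuggerPresent);

    // NTSTATUS NtQueryInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG)
    // ProcessDebugPort (7) returns a DWORD_PTR, hence IntPtr and IntPtr.Size below.
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int processInformationClass,
        out IntPtr processInformation, int processInformationLength, out int returnLength);
}
'@
if (-not ('DbgCheck' -as [type])) { Add-Type -TypeDefinition $sig }

function Test-RemoteDebugger {
    param([Parameter(Mandatory)][int]$ProcessId)

    $PROCESS_QUERY_INFORMATION = 0x0400   # assumed sufficient for both queries
    $ProcessDebugPort          = 7        # PROCESSINFOCLASS value used internally by the wrapper

    $h = [DbgCheck]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # The BOOL return value only says whether the call succeeded; the
        # answer comes back in the out parameter.
        $present = $false
        if (-not [DbgCheck]::CheckRemoteDebuggerPresent($h, [ref]$present)) {
            throw "CheckRemoteDebuggerPresent failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }

        # Cross-check: ask ntdll directly for the debug port the wrapper looks at.
        $port = [IntPtr]::Zero
        $len  = 0
        $status = [DbgCheck]::NtQueryInformationProcess($h, $ProcessDebugPort, [ref]$port, [IntPtr]::Size, [ref]$len)

        [pscustomobject]@{
            ProcessId       = $ProcessId
            DebuggerPresent = $present                        # from CheckRemoteDebuggerPresent
            DebugPort       = ('0x{0:X}' -f $port.ToInt64())  # non-zero when a debugger is attached
            NtStatus        = ('0x{0:X8}' -f $status)         # 0x00000000 on success
        }
    }
    finally {
        [void][DbgCheck]::CloseHandle($h)
    }
}

# Check the PowerShell host itself; pass another PID to inspect a remote process.
Test-RemoteDebugger -ProcessId $PID
```

Attach a user-mode debugger to the target and run it again: DebuggerPresent flips to True and DebugPort becomes non-zero, while NtStatus stays 0x00000000 in both cases, which is why the return value of CheckRemoteDebuggerPresent alone says nothing about the debugger.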

YARA Rules

rule DebuggerCheck__RemoteAPI {
    meta:
        description = "Rule to RemoteAPI debugger check"
        author = "Thibault Seret"
        date = "2020-09-26"
    strings:
        $s1 = "CheckRemoteDebuggerPresent"
    condition:
        any of them
}

Additional Resources

