Debugger Detection with PEB Inspection - White Knight Labs
// White Knight Labs - Offensive Development
// Debugger Check - PEB
#include <windows.h>
#include <intrin.h>
#include <iostream>
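/// @brief Raise a software breakpoint exception at the call site.
///
/// Uses the __debugbreak() compiler intrinsic rather than an
/// `__asm { int 3 }` block: MSVC does not accept inline assembly when
/// targeting x64, so the original form cannot be built for the architecture
/// the rest of this file is written for.
///
/// @note The breakpoint exception is expected to be taken by an attached
///       debugger. If nothing handles it, the process is terminated.
void TriggerBreakpoint() {
    __debugbreak();
}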
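/// @brief Report whether the PEB's BeingDebugged flag is set for this process.
///
/// The Process Environment Block (PEB) is located through the thread's
/// segment register: gs:[0x60] on x64 and fs:[0x30] on x86. BeingDebugged is
/// the byte at offset 2 of the PEB on both architectures. The segment read is
/// done with compiler intrinsics because MSVC does not accept `__asm` blocks
/// when targeting x64. Any other architecture falls back to
/// IsDebuggerPresent(), which reports the same flag.
///
/// @return true if the flag is non-zero, false otherwise.
///
/// @note The flag lives in memory the process itself can write, so the result
///       is an advisory signal and not a tamper-proof control. For analysts,
///       a direct read of this byte is a recognisable anti-debugging
///       indicator even when IsDebuggerPresent() is not imported.
bool IsBeingDebuggedPEB() {
#if defined(_M_X64)
    const auto* peb =
        reinterpret_cast<const unsigned char*>(__readgsqword(0x60));
    return peb[0x2] != 0;
#elif defined(_M_IX86)
    const auto* peb =
        reinterpret_cast<const unsigned char*>(__readfsdword(0x30));
    return peb[0x2] != 0;
#else
    return IsDebuggerPresent() != FALSE;
#endif
}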
/// @brief Demo entry point: print the result of the PEB debugger check and,
///        when a debugger is reported, raise a breakpoint.
/// @return Always 0.
int main() {
    const bool debuggerAttached = IsBeingDebuggedPEB();

    if (!debuggerAttached) {
        std::cout << "No debugger detected." << std::endl;
        return 0;
    }

    // std::endl flushes the message before the breakpoint is raised.
    std::cout << "Debugger detected, triggering breakpoint." << std::endl;
    TriggerBreakpoint();
    return 0;
}