Is The Debugger Attached?

Download demo project - 12 Kb

Introduction

Is The Debugger Attached? As a very big part of my work is being a bugslayer, I tend to have a need for more debugging or debug support code in my projects. This article's code of substance is just one small function with effectively about 13 lines of code. Seems rather insignificant, but it has been very useful to me as a person who does a lot of debugging, and of course, that I even came to writing this function was interesting in itself.

Details

The function is called IsDebuggerAttached(). As the name implies, it returns a BOOL indication if a debugger is attached to the process. This was developed on and for Windows NT 4.0, and also works on Windows 2000. I do not know if it will work on Win9x as internal Windows structures differ. I will now go into some example reason(s) I had the need for this, and how it might help others who might have such needs as well.

One of the first things I consider one of the pillars of good programming practices is the validation and verification of parameters coming into a function. More importantly, the validation of pointers. I've had a steady supply of 'business' due to the encounters of the lack of such practices in my last few years of software engineering. There are situations where parameters coming into a function should always be valid. In such a situation, the standard things to do is to check the parameters for validity via ASSERT's. This is perfect for parameters that should never fail the assertion. The great thing about the assertions is that it gives you the option to break into the debugger. In the case of release builds, this is not available as the ASSERT's evaluate to nothing.

There were situations that I decided that I wanted to take different actions depending on whether a debugger was attached to my process or not. If there was no debugger attached, I had my code either popup a message box on a seriously bad condition, or to output a debug string, and quietly continue on it's way if it's possible. However, I also wanted it to be able to break at the spot of the erroneous condition if a debugger was attached. And obviously, I didn't want to build one version of the code that popped up a message box and/or output a debug string, and another version that did a DebugBreak(). Also, if you called a DebugBreak() and a debugger is not attached to you process, the system would popup a nasty dialog indicating a debug break exception.

All that being said, this was clearly what I wanted :

if (Big_Bad_Error)
{
    if (Debugger_Is_Attached)
    {
        Break_Into_Debugger;
    }
    else
    {
        Say_Something;
    }
}

Here is the code for the function IsDebuggerAttached() :

BOOL IsDebuggerAttached()
{
    DWORD dw;


    __asm
    {
        push eax    // Preserve the registers
        push ecx
        mov eax, fs:[0x18]  // Get the TIB's linear address
        mov eax, dword ptr [eax + 0x30]
        mov ecx, dword ptr [eax]    // Get the whole DWORD
        mov dw, ecx // Save it
        pop ecx // Restore the registers
        pop eax
    }


    // The 3rd byte is the byte we really need to check for the
    // presence of a debugger.
    // Check the 3rd byte
    return (BOOL)(dw & 0x00010000 ? TRUE : FALSE);

}

This is a dig into the Thread Information Block (TIB) of the process to check if a debugger is attached. And for those who don't already know, the FS register points to the current thread's TIB. Needless to say, coming to this involved a fair amount of disassemblies of Windows while in the debugger. Following, is code from the sample application for this article. It's an MFC dialog app where the test is done in the OnOK() handler :

void CDebuggerDlg::OnOK() 
{
    LPBYTE lpBuffer = (LPBYTE)0x80000000;


    // Give it a bogus buffer that will crash it for sure
    ReadMemory(lpBuffer, 1024);

}

BOOL CDebuggerDlg::ReadMemory(LPVOID lpBuffer, 
                              DWORD dwSize)
{
    // Validate the buffer
    if (IsBadWritePtr(lpBuffer, dwSize))
    {
        // This is bad! Must say something!
        if (IsDebuggerAttached())
        {
            // So we'll break into the debugger
            __asm   int 3

            // If you don't mind the function call overhead, 
            // you can call DebugBreak();
            // instead...
        }
        else
        {
            MessageBox(
                "CDebuggerDlg::ReadMemory() : "
                "Bad output buffer : lpBuffer!");
        }

        return FALSE;
    }


    // Well, we're not really gonna write anything to the buffer,
    // it's just a demo ;)
    return TRUE;

}

Well folks, I hope that this technique may be of use to some of you out there.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

Tim Chew

United States

Member

Article Top

Poor

Excellent

Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

You must Sign In to use this message board. (secure sign-in)

Search this forum
	Profile popups Noise Layout Per page

Why do you want to save the general registers?

zhzhtst

16:43 1 Oct '07

Why do you want to save the general registers? Such as this: push eax // Preserve the registers push ecx ... pop ecx // Restore the registers pop eax There is no need.
Sign In·View Thread·Permalink

Re: Why do you want to save the general registers?

Ganoes Paran

12:25 8 Jun '09

mov eax, dword ptr [eax + 0x30]
mov ecx, dword ptr [eax] // Get the whole DWORD

That modifies the original code of the registers

mov command in asm basicly means a "copy" of sorts
*example*
mov eax, 5 (means that the you move the value of eax to 5, so now eax = 5)
*relating to anti-debug example*
mov eax, dword ptr [eax + 0x30] (Moves the value of eax to be the value of the pointer of [eax + 0x30] )
mov ecx, dword ptr [eax] (Moves the value of ecx to be the value pointed by eax)

then you pop the registers again to restor the original values. as if "nothing" happened.

I really like this code as most people use standard winapi "IsDebuggerPresent" and in debuggers it's REALLY easy to see that call to the api (trust me, i kow =) ). using this masks it, very nice =)

Windows API has a function for this

nobot0

7:52 8 Jan '07

I'm not sure whether the Windows API had call for this at the time this article was written, but it does contain one now: IsDebuggerPresent(). It works in Win98 and up.
Sign In·View Thread·Permalink	4.20/5 (2 votes)

Re: Windows API has a function for this

Artemis

15:59 8 Jan '07

Yes it did. This was just digging under the hood. -------- "Sometimes men stumble upon the truth, but most pick themselves up and hurry of as if nothing happened" ~ Winston Churchill
Sign In·View Thread·Permalink

Re: Windows API has a function for this

Ganoes Paran

12:26 8 Jun '09

yes, but if someone decides to debug your app, they can see the call very easily =). This method masks it so you don't really know when you get detected, unless you are a really good "cracker"
Sign In·View Thread·Permalink

Great !

Max2351

4:27 19 Oct '06

I writing code using DirectShow and Cyberlink MPEG2 DVD decoder, and the filter was showing a warning MessageBox in Debug mode, and after it crash. So I'm writing this code from your exemple `__asm { mov eax, fs:[0x18] // Get the TIB's linear address mov eax, dword ptr [eax + 0x30] mov ecx, dword ptr [eax] // Get the whole DWORD and ecx, 0x11101111 mov dword ptr [eax], ecx }` Thanks !
Sign In·View Thread·Permalink

Re: Great !

Artemis

16:41 19 Oct '06

That's definitely a very good use for it Good job! -------- "Sometimes men stumble upon the truth, but most pick themselves up and hurry of as if nothing happened" ~ Winston Churchill
Sign In·View Thread·Permalink

Does it work for XP and 2K3?

morntide

21:14 21 May '06

Does someone know whether the meaning of the PEB's offset 0x03 is changed in Windows Xp and 2K3?
Sign In·View Thread·Permalink

How to send parameters to a attached Function

Anonymous

0:54 21 Oct '05

hai, I have a small doubt in java script. I want to send parameters to a function which is attached to an element as the parameter values change dynamically. regards, kalyan
Sign In·View Thread·Permalink

How can I check whether Drwatson is present

Vikas Gandhi

19:00 4 May '04

Hi ALL How can I check whether DrWatson is present or not and how can I attach to it. What I mean to say is this I do not want to get a normal windows box ("myexe.exe has enounteread a problem and ....(Send Error Report\|Don't Send)) and some how dont send should be pressed by default so that an automatic error dmp is created. Thus we straightway give the control to DrWatson ourselves. --Vikas
Sign In·View Thread·Permalink

Re: How can I check whether Drwatson is present

zhzhtst

16:35 1 Oct '07

You only need to check "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger" value. If it is "drwtsn32 -p %ld -e %ld -g", you get it, or else you need type "drwtsn32 -i" to install it manually.
Sign In·View Thread·Permalink

IsDebuggerPresent() not in windows 95

Anonymous

3:22 30 Oct '01

The SDK function IsDebuggerPresent() is not in Windows 95, only Windows98/ME/NT/2000 and XP. Does the function IsDebuggerAttached() work in windows95?
Sign In·View Thread·Permalink

Re: IsDebuggerPresent() not in windows 95

Artemis

0:44 15 Nov '01

I doubt it will work in Windows 95 as I have described that the TIB is different between the OS's. However, I think Win95 and Win98 should be the same. I could go check in Win98 (I don't have Win95) and see what the difference is so it can be ported for Win9x. -------- "Sometimes men stumble upon the truth, but most pick themselves up and hurry of as if nothing happened" ~ Winston Churchill
Sign In·View Thread·Permalink	4.40/5 (2 votes)

Debugging

DarrenSchroeder

3:14 24 Oct '01

What other neat debug tricks/utilities do you have up your sleeve? Perhaps they're not all already written in msdn. hehe
Sign In·View Thread·Permalink

Re: Debugging

Artemis

21:10 24 Oct '01

Heheh

Well, I have tricks, and I hope they're not documented in MSDN! Anyway, there are some really cool debugging toolkits on this section, so I guess they're in a much more publishable state than what I have on my own.

OK, I will think of some tricks that haven't already been mentioned, if I do in fact have any, and will put them up... Wink | ;)

But a lot of the time it involves what would often be considered hacking the system, I guess Wink | ;)

--------
"Sometimes men stumble upon the truth, but most pick themselves up and hurry of as if nothing happened" ~ Winston Churchill

Re: Debugging

Darren Schroeder

15:09 25 Oct '01

Hack away, man. I'm ready for it. Show me the money!
Sign In·View Thread·Permalink

Re: Debugging

Artemis

16:11 25 Oct '01

Okey-dokey Wink | ;)

I'll see what I can come up with that makes enough sense. In any case, happen to have anything while debugging you thought might be cool but haven't done or figured out? One thing I did recently was write my own memory allocators by overriding new and delete... Then I could do a gazillion dumps on the allocation info... I also have a memory allocation monitor for processes, but I can't make an article out of that, though...

--------
"Sometimes men stumble upon the truth, but most pick themselves up and hurry of as if nothing happened" ~ Winston Churchill

Re: Debugging

Toby Opferman

12:19 24 Mar '04

I think I remember in the old days you used to be able to use self modifying code to check for debuggers. This is more a DOS trick than a Windows trick though.

One of the tricks I remeber was to modify the next instruction in memory. If you were in a debugger or being stepped through the cache would be flushed before you accessed that instruction and the "new" instruction would be executed instead of the old. Of course, this was also a good way to detect if your old 386 had any CPU cache to begin with (Systems without cache would always execute the new instruction anyway). There were other tricks though. A jmp would obviously force the clearing of the cache to execute the instruction. I think one of the other tricks was to change certain memory and attempt to read it again.

In windows, this would assume that when this occurs the cache isn't flushed. It also assumes that no context switch occured between the execution time. Also, being that Windows has native support for debugging, it's not like the cache trick would matter most likely.

I'm not sure about this though, I can't remember the details. I know I've done the next byte modification and found cache/non cache systems. I know there was SOME trick that you could use self modifying code to detect debuggers, this may or may not be it. I just don't remember anymore...

Re: Debugging

Toby Opferman

13:04 24 Mar '04

Also considering instruction pairing where two instructions can be paired to execute at the same time... Unless of course the CPU validates it's not referencing the memory of the next instruction before pairing.
Sign In·View Thread·Permalink

IsDebuggerPresent()

Obermayr Johann

21:31 23 Oct '01

There is a window function available. BOOL IsDebuggerPresent(VOID);
Sign In·View Thread·Permalink

Re: IsDebuggerPresent()

Tim @ Artemis

22:04 23 Oct '01

I just checked MSDN, and lo' and behold, it does exist!!! Well, guess I never looked in the Win32 API for something like that, but found it while debugging. Thanks for letting me know! Wink | ;)

I also checked out the code for IsDebuggerPresent(), and obviously, it checks for the exact same byte! Oh well, it's not a total loss, I guess.

Thanks again!

--------
"Sometimes men stumble upon the truth, but most pick themselves up and hurry of as if nothing happened" ~ Winston Churchill

Re: IsDebuggerPresent()

Anonymous

22:06 28 Oct '01

Yes but according to some friends, the Windows functions can be hooked and faked by debuggers & hackers. So can be this one. Then it's better to use our own version. Same remark for registry access.
Sign In·View Thread·Permalink

Re: IsDebuggerPresent()

Artemis

15:45 29 Oct '01

It is a fact that all Win32 functions can be hooked. But there are two ways to hook them : globally, or per-process. To globally hook the Win32 functions, it can only be done in Win9x. But the per-process hook can be done on both Win9x and WinNT.

Sure this techniques can be used for hacking Wink | ;)

Pretty common. But I do it to learn system behaviour as researchers to in general. After all, system-wide hooks in Windows has been the holy-grail of Windows systems programming for god knows how long.

Well, as for registry access, Mark Russinovich has already had the final word on that! Wink | ;)

However, that isn't Win32 API hooking. It was system services.

I admit that I have also in some cases, changed the TIB to fool the system into thinking that there wasn't a debugger attached to make it behave differently.

Thanks for your remarks Smile | :)

--------
"Sometimes men stumble upon the truth, but most pick themselves up and hurry of as if nothing happened" ~ Winston Churchill

5 Points from Me!

Oz Solomonovich

2:34 29 Oct '01

OK, so there's an equivalent Win32 API call. So what?! IMHO that doesn't deminish the great value of this article which was consise & to the point, and most importantly, shed a bit of light on an area I knew nothing about. Keep up the good work! --- Grab WndTabs from http://www.wndtabs.com to make your VC++ experience that much more comfortable...
Sign In·View Thread·Permalink

Re: 5 Points from Me!

Artemis

15:51 29 Oct '01

Oz,

Thanks a million! Smile | :)

Even after I found out about the Win32 API function, I was hoping that I'd have at least mentioned something that wasn't mentioned something before, namely, the TIB. I'm glad you liked the article, and I hope to put some more about the system that would be useful... If I know anything else useful, that is Wink | ;)

Thanks again Smile | :)

--------
"Sometimes men stumble upon the truth, but most pick themselves up and hurry of as if nothing happened" ~ Winston Churchill