Anti-Debugger Trick Quicky

Howdy all!

Long time no updates. Sorry about that, the life of the AV reverse engineer is a busy one, but busy is good right?

Anywho, I come bearing gifts. An anti-debugger trick I learned (while coding a skiddy AV tool).

The way it works is simple – under normal circumstances the working set (the pages of a process currently resident in physical memory, i.e. the amount of memory it needs at a given time) is never very big; when the process is being debugged, however, that working set size is huge. By checking the working set size, I was able to see if I was in a debugger. Neato.

Oh right, the code:

#include <windows.h>
#include <Psapi.h>
#pragma comment(lib, "psapi.lib")   /* GetProcessMemoryInfo is exported from psapi.lib */
int main(void)
{
    PROCESS_MEMORY_COUNTERS pmc;
    GetProcessMemoryInfo(GetCurrentProcess(), &pmc, sizeof(pmc));
    /* The threshold below is an assumption; the post's own value did not survive. */
    if (pmc.WorkingSetSize < 3500000)
        MessageBox(GetDesktopWindow(), "No Debugger Here", "KEK", MB_OK);
    else {
        MessageBox(GetDesktopWindow(), "GTFO with that debugger", "ICEBP FOR YOU", MB_OK);
        __asm { _emit 0xF1 }   /* ICEBP (0xF1): undocumented single-step trap, x86 inline asm */
    }
    return 0;
}

Next week (or hell, maybe even tomorrow), I’m gonna pop out a new, longer, better blog post on one of my more favorite topics – shellcode.

Until then, happy hacking!


5 thoughts on “Anti-Debugger Trick Quicky”
  1. Thanks for sharing. Nice one!

    Is it intended to be used with VS2013 only? When I changed the target platform to VS2010 I got the following error when compiling:

    Error 1 error LNK2001: unresolved external symbol _GetProcessMemoryInfo@12


    1. I compiled using Pelles C compiler. The error you received means you’re missing a library reference – try adding PSAPI.lib to your linker options.

