Windows C++ / Call to Interrupt Procedure

Author Alex Schwarz
Platform Windows
Language C++
Technique Call to Interrupt Procedure

Description:

This code implements an anti-debugging technique that checks whether a debugger is attached to the process. The TestDebugger() function raises a software breakpoint interrupt (INT 3) through MSVC inline assembly, which the compiler only supports when building for 32-bit x86.

When no debugger is present, the INT 3 raises a breakpoint exception that is delivered to the program's own structured exception handler, so the __except block runs and TestDebugger() returns false. When a debugger is attached, it receives the exception first and normally consumes it as one of its own breakpoints; control never reaches the __except block, execution falls through to the end of the function, and it returns true. The check therefore relies on the debugger swallowing the breakpoint: a debugger configured to pass INT 3 exceptions back to the application makes the __except block run and defeats the check.

The main() function calls TestDebugger() and prints "Found debugger!" when it returns true; nothing is printed otherwise. The check can serve as a runtime self-protection measure that detects an attached debugger and so raises the effort needed to reverse engineer or tamper with the program.

Code

#include <stdio.h>
#include <windows.h>

// MSVC 32-bit x86 only: __asm and _emit are not available in the x64 compiler.
bool TestDebugger()
{
    __try
    {
        __asm  // x86 implementation
        {
            _emit 0xCD
            _emit 0x03 // INT 03 (two-byte encoding of INT 3)
            _emit 0xC3 // RET
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // No debugger: the breakpoint exception reached our own handler.
        return false;
    }

    // A debugger consumed the breakpoint exception, so the handler never ran.
    return true;
}

int main()
{
    if (TestDebugger())
    {
        printf("Found debugger!\n");
    }
    return 0;
}
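From the analyst's side, the distinctive artifact of this stub is the two-byte INT 3 encoding (0xCD 0x03): compilers emit the single-byte 0xCC form for breakpoints and padding, so the two-byte form is rare in compiler-generated code. The following portable C++ is an added example, not code from the page or its author; it scans a constructed byte buffer (labelled as such in the code) for 0xCD 0x03 and reports whether each hit is immediately followed by the 0xC3 RET that the page's stub uses. The function names and the sample bytes are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Offsets of every two-byte INT 3 (0xCD 0x03) in `code`. The single-byte
// 0xCC form is deliberately not matched: compilers emit it for __debugbreak()
// and as inter-function padding, so it is far too common to be a useful signal.
std::vector<std::size_t> findTwoByteInt3(const std::vector<std::uint8_t>& code)
{
    std::vector<std::size_t> hits;
    for (std::size_t i = 0; i + 1 < code.size(); ++i) {
        if (code[i] == 0xCD && code[i + 1] == 0x03) {
            hits.push_back(i);
        }
    }
    return hits;
}

// True when the bytes at `offset` are exactly the stub from the page:
// CD 03 (INT 3, two-byte form) immediately followed by C3 (RET).
bool isInt3RetStub(const std::vector<std::uint8_t>& code, std::size_t offset)
{
    return offset + 2 < code.size()
        && code[offset] == 0xCD && code[offset + 1] == 0x03
        && code[offset + 2] == 0xC3;
}

// Constructed sample "code section" (not taken from any real binary):
// a few ordinary instruction bytes, two 0xCC padding bytes, one CD 03 C3 stub,
// and one CD 03 that is not followed by RET.
const std::vector<std::uint8_t> kSample = {
    0x55, 0x8B, 0xEC,       // push ebp; mov ebp, esp
    0xCC, 0xCC,             // padding (ignored by the scanner)
    0xCD, 0x03, 0xC3,       // INT 3 (two-byte form); RET  <- the page's stub
    0x33, 0xC0,             // xor eax, eax
    0xCD, 0x03, 0x90,       // INT 3 (two-byte form); NOP
    0xC3                    // ret
};

int main()
{
    for (std::size_t off : findTwoByteInt3(kSample)) {
        std::printf("two-byte INT 3 at offset %zu%s\n", off,
                    isInt3RetStub(kSample, off) ? " (INT 3 + RET stub)" : "");
    }
    return 0;
}
```

On the sample above the scanner reports hits at offsets 5 and 10, and only the first is flagged as the INT 3 + RET stub. In practice the same scan would run over the executable sections of a PE file; hits still need manual review, because the byte pair CD 03 can also occur inside immediate operands or data rather than as an instruction.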

Created

March 10, 2023

Last Revised

April 22, 2024