This method is used to detect if a running process has a debugger attached to it. It involves using CheckRemoteDebuggerPresent, imported from kernel32.dll via PInvoke.

It’s a neat way to add a little bit of protection to your program, but don’t expect too much since .NET is far from being safe.

• tested on Visual Studio's Debugger & OllyDbg

## How to…

First, include the following lines in your program:

1
2
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent);


Now, this method is pretty simple to use since it takes only 2 arguments:

1. IntPtr hProcess = the target process’ handle
2. ref bool isDebuggerPresent = pointer that indicates the result

Since it’s pretty straightforward, I guess there’s no need for additional details - in any case you can find the complete source code below:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

public class DetectDebugger
{
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent);

public static void Main()
{
bool isDebuggerPresent = false;
CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref isDebuggerPresent);

Console.WriteLine("Debugger Attached: " + isDebuggerPresent);
}
}


## Debugger.IsAttached ?

In order to avoid any confusion about Debugger.IsAttached and CheckRemoteDebuggerPresent - sorry I didn’t mention this earlier in the article:

• IsDebuggerPresent = works for any running process and detects native debuggers too.
• Debugger.IsAttached = works only for the current process and detects only managed debuggers. As an example, OllyDbg won’t be detected by this.