Anti-Debugging in Rust

Welcome to the AntiDebugging directory of Rust-for-Malware-Development. These PoCs let a process notice when it is being watched by a debugger and bail out (or misbehave) when it is. Useful in stealth payloads that want to dodge live analysis.

Sections & Links

  • CheckRemoteDebuggerPresent: Calls CheckRemoteDebuggerPresent — the documented Win32 way to ask Windows whether a debugger is attached to a given process.

  • ProcessDebugPort: Queries NtQueryInformationProcess(ProcessDebugPort). If a debugger is attached the port is non-zero.

  • UnhandledExceptionFilter: Raises an exception on purpose and watches whether the registered unhandled-exception filter runs. When a debugger is attached it swallows the exception and the filter never fires, so a filter that does not run reveals the debugger.

  • debug_teb: Reads the BeingDebugged flag directly out of the PEB through the TEB. No API call, so it is harder for an EDR to hook.

How to Use

```sh
git clone https://github.com/Whitecat18/Rust-for-Malware-Development.git
cd Rust-for-Malware-Development/AntiDebugging
```

Each sub-folder is its own Cargo project. Build with `cargo build --release`.

Resources