Detect if dotTrace is attached to my app
Hello,
I've implemented several anti-debug techniques (debugger detection) in my .NET (WPF) application to protect it from reverse engineering.
- Simple checks like System.Diagnostics.Debugger.IsAttached.
- More advanced, like kernel32.dll: IsDebuggerPresent or CheckRemoteDebuggerPresent
- And even more like ntdll.dll: NtQuerySystemInformation or NtQueryInformationProcess
dotTrace though seems to elude all of this as I still can profile my app and see a lot of details of the source and how it works!
Can you explain - at least as much as you are willing to disclose - how dotTrace is doing this? Even more important: How can I detect in my app if dotTrace (or a similar application) is profiling me?
Thanks in advance
Hi,
dotTrace uses the Microsoft Profiling API to collect necessary data about a profiled process: https://learn.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/ Unfortunately, we don't know if there is a way to detect or prevent using this API in code, since this functionality is provided by the dotnet runtime itself.
Thanks a lot Anna, I will see if I can find something about that.