Detect if dotTrace is attached to my app

Hello,

I've implemented several anti-debug techniques (debugger detection) in my .NET (WPF) application to protect it from reverse engineering.

  • Simple checks like System.Diagnostics.Debugger.IsAttached.
  • More advanced, like kernel32.dll: IsDebuggerPresent or CheckRemoteDebuggerPresent
  • And even more like ntdll.dll: NtQuerySystemInformation or NtQueryInformationProcess

dotTrace, though, seems to elude all of this, as I can still profile my app and see a lot of details of the source and how it works!

Can you explain - at least as much as you are willing to disclose - how dotTrace is doing this? Even more important: How can I detect in my app if dotTrace (or similar applications) are profiling me?

Thanks in advance

0
2 comments

Hi,

dotTrace uses the Microsoft Profiling API to collect necessary data about a profiled process: https://learn.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/ Unfortunately, we don't know if there is a way to detect or prevent using this API in code, since this functionality is provided by the dotnet runtime itself.

0
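An added example, not part of the reply above and not JetBrains code: the Profiling API the answer links to is enabled at process start through documented environment variables (`COR_*` for .NET Framework, `CORECLR_*` for .NET Core and later), so an application can at least check whether it was launched with them set. The class and method names are hypothetical, and whether a given dotTrace mode sets these variables is an assumption the thread does not confirm. A profiler attached after startup does not use them, so a clean result is not proof that nothing is profiling.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;

// Added illustration; ProfilerCheck and its members are hypothetical names.
static class ProfilerCheck
{
    // Collect every COR_* / CORECLR_* variable that mentions profiling.
    public static Dictionary<string, string> ProfilerEnvironment()
    {
        var hits = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (DictionaryEntry e in Environment.GetEnvironmentVariables())
        {
            var name = (string)e.Key;
            bool clr = name.StartsWith("COR_", StringComparison.OrdinalIgnoreCase)
                    || name.StartsWith("CORECLR_", StringComparison.OrdinalIgnoreCase);
            if (clr && name.IndexOf("PROFIL", StringComparison.OrdinalIgnoreCase) >= 0)
                hits[name] = (string)e.Value ?? "";
        }
        return hits;
    }

    // Treat any value other than empty or "0" as a request to load a profiler.
    public static bool StartupProfilingRequested(IDictionary<string, string> env) =>
        env.Any(kv => kv.Key.EndsWith("_ENABLE_PROFILING", StringComparison.OrdinalIgnoreCase)
                   && kv.Value.Trim() != "" && kv.Value.Trim() != "0");

    // Profiler DLLs named by *_PROFILER_PATH* that are mapped into this process.
    public static List<string> LoadedProfilerModules(IDictionary<string, string> env)
    {
        var wanted = new HashSet<string>(
            env.Where(kv => kv.Key.IndexOf("_PROFILER_PATH", StringComparison.OrdinalIgnoreCase) >= 0)
               .Select(kv => Path.GetFileName(kv.Value))
               .Where(f => !string.IsNullOrEmpty(f)),
            StringComparer.OrdinalIgnoreCase);
        return Process.GetCurrentProcess().Modules.Cast<ProcessModule>()
                      .Where(m => wanted.Contains(m.ModuleName))
                      .Select(m => m.FileName).ToList();
    }

    static void Main()
    {
        var env = ProfilerEnvironment();
        Console.WriteLine("startup profiling requested: " + StartupProfilingRequested(env));
        foreach (var kv in env) Console.WriteLine("  " + kv.Key + "=" + kv.Value);
        foreach (var m in LoadedProfilerModules(env)) Console.WriteLine("  loaded: " + m);
    }
}
```

The check runs inside the process being examined, so anyone who controls that process can patch it out; treat a positive result as a signal to log, not as a protection boundary.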

Thanks a lot Anna, I will see if I can find something about that.

0
