
IsDebuggerPresent

A Windows API call that reads the BeingDebugged flag in the PEB to detect a user-mode debugger attached to the current process.

IsDebuggerPresent is the simplest anti-debugging check on Windows. It reads a single byte — the BeingDebugged flag — from the Process Environment Block (PEB) of the calling process and returns non-zero when a user-mode debugger is attached.

How it works

The function is a one-line read of PEB.BeingDebugged (offset 0x02). The kernel sets this flag when a process is created under a debugger, or when a debugger later attaches.

c
#include <windows.h>

int main(void)
{
    if (IsDebuggerPresent()) {
        /* Debugger detected: bail out or mislead the analyst. */
        ExitProcess(0);
    }
    /* Normal execution continues here. */
    return 0;
}

Because the flag lives in the process's own user-mode memory, malware often reads it directly instead of calling the API, so the import table gives nothing away:

asm
; 32-bit, MASM syntax. fs:[30h] is TEB.ProcessEnvironmentBlock.
mov   eax, fs:[30h]          ; EAX = PEB
movzx eax, byte ptr [eax+2]  ; PEB.BeingDebugged
test  eax, eax
jne   debugger_detected      ; non-zero: a debugger is attached

Detection & bypass

When reverse engineering a sample that uses this check:

  • Patch the PEB flag: set BeingDebugged to 0 before the check runs, for example with eb @$peb+2 0 in WinDbg, or by editing the byte at PEB+2 in your debugger's memory dump. This only fools checks that read the flag itself; the debug port reported by NtQueryInformationProcess(ProcessDebugPort), and the NtGlobalFlag and heap flags the loader set at start-up because the process was created under a debugger, are untouched.
  • Hook the API: intercept kernel32!IsDebuggerPresent and force a 0 return value. A hook only catches callers that go through the import; the inline fs:/gs: read shown above never enters the function.
  • ScyllaHide (user-mode hooks) and TitanHide (kernel driver) automate hiding the PEB flag and many related artifacts, which is the practical route when a sample combines several checks.

For static detection, flag any read of fs:[30h] (x86) or gs:[60h] (x64) that is followed by a byte-sized access at offset +2, as well as direct imports of IsDebuggerPresent. A PEB fetch on its own is not suspicious, since legitimate code walks PEB.Ldr the same way; the +2 access is what identifies BeingDebugged.
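A scanner for those patterns, added here as an example (it is not code from the original page): it searches raw code bytes for a PEB-pointer fetch and a following byte access at offset 2, and does a crude import-string check. The opcode encodings it matches, the 16-byte look-ahead window and the sample stubs are assumptions made for this example; the stubs are hand-assembled, not taken from any real binary.

```python
"""Static scan of raw x86/x64 code bytes for reads of PEB.BeingDebugged.

Added example, not part of the original page. The instruction encodings are
written out from the opcode map (assumption: the common forms listed below);
the stubs at the bottom are constructed, not taken from any real binary.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


def _modrm_disp8(reg: Optional[int] = None) -> bytes:
    """Regex character class of ModRM bytes with mod=01 (8-bit displacement).
    r/m=100b is excluded because that form takes a SIB byte before the disp8.
    If reg is given, restrict the reg field (used for cmp's /7 opcode extension)."""
    vals = [b for b in range(0x40, 0x80)
            if (b & 7) != 4 and (reg is None or ((b >> 3) & 7) == reg)]
    return b"[" + re.escape(bytes(vals)) + b"]"


# x86 PEB fetch: mov eax, fs:[30h]  (64 A1 30 00 00 00)
#                mov r32, fs:[30h]  (64 8B /r with mod=00 r/m=101 -> disp32)
X86_PEB_FETCH = re.compile(
    rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00", re.DOTALL)

# x64 PEB fetch: mov rax, gs:[60h]  (65 48 A1 + 8-byte offset)
#                mov r64, gs:[60h]  (65 48|4C 8B /r with SIB 25 -> disp32 only)
X64_PEB_FETCH = re.compile(
    rb"\x65(?:\x48\xa1\x60\x00{7}"
    rb"|[\x48\x4c]\x8b[\x04\x0c\x14\x1c\x24\x2c\x34\x3c]\x25\x60\x00\x00\x00)", re.DOTALL)

# Byte access at [reg+2], i.e. PEB.BeingDebugged, once a register holds the PEB:
#   0F B6 /r 02   movzx r32, byte ptr [reg+2]
#   8A /r 02      mov r8, byte ptr [reg+2]
#   80 /7 02 ib   cmp byte ptr [reg+2], imm8
# An optional REX prefix (40..4F) covers the 64-bit register forms.
FLAG_READ = re.compile(
    rb"[\x40-\x4f]?(?:"
    rb"\x0f\xb6" + _modrm_disp8() + rb"\x02|"
    rb"\x8a" + _modrm_disp8() + rb"\x02|"
    rb"\x80" + _modrm_disp8(7) + rb"\x02.)", re.DOTALL)


@dataclass
class Finding:
    offset: int       # offset of the PEB-pointer fetch in the scanned buffer
    arch: str         # "x86" or "x64"
    reads_flag: bool  # a [reg+2] byte access follows within the window


def scan(code: bytes, window: int = 16) -> List[Finding]:
    """Report every PEB fetch in `code`; reads_flag marks the ones followed by a
    BeingDebugged access. `window` (bytes after the fetch) is a heuristic cut-off:
    wider catches more spread-out sequences, narrower gives fewer false positives."""
    found = []
    for arch, pat in (("x86", X86_PEB_FETCH), ("x64", X64_PEB_FETCH)):
        for m in pat.finditer(code):
            tail = code[m.end():m.end() + window]
            found.append(Finding(m.start(), arch, FLAG_READ.search(tail) is not None))
    return sorted(found, key=lambda f: f.offset)


def imports_isdebuggerpresent(image: bytes) -> bool:
    """Crude import check: look for the import-by-name string. A real tool walks
    the PE import directory instead; a bare string can also be data or a decoy."""
    return b"IsDebuggerPresent\x00" in image


# Constructed stubs (hand-assembled for this example, not taken from any sample).
X86_STUB = bytes.fromhex(
    "64a130000000"  # mov   eax, fs:[30h]
    "0fb64002"      # movzx eax, byte ptr [eax+2]
    "85c0"          # test  eax, eax
    "7505")         # jne   +5
X64_STUB = bytes.fromhex(
    "65488b042560000000"  # mov   rax, gs:[60h]
    "0fb64002"            # movzx eax, byte ptr [rax+2]
    "85c0"                # test  eax, eax
    "7505")               # jne   +5
X64_CMP_STUB = bytes.fromhex(
    "6548a16000000000000000"  # mov rax, gs:[60h]   (moffs64 form)
    "80780200"                # cmp byte ptr [rax+2], 0
    "7405")                   # je  +5
BENIGN_STUB = bytes.fromhex(
    "64a130000000"  # mov eax, fs:[30h]
    "8b400c"        # mov eax, [eax+0Ch]   (PEB.Ldr: a legitimate loader walk)
    "c3")           # ret

if __name__ == "__main__":
    for name, blob in (("x86", X86_STUB), ("x64", X64_STUB),
                       ("x64-cmp", X64_CMP_STUB), ("benign", BENIGN_STUB)):
        print(name, scan(blob))
```

Feed scan() the bytes of the executable sections (for example the .text section extracted with a PE parser) rather than the whole file. It is a ModRM-level heuristic, not a disassembler: a two-step walk through the TEB (fs:[18h], then [reg+30h]), a PEB pointer obtained from NtQueryInformationProcess, or any obfuscation that splits the fetch and the read across more than the window will slip past it, and a matching byte sequence inside data gets reported as code.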
