
Anti-WinDbg Trick [Quick Post]


If we debug an executable under WinDbg (Classic and Preview), the debugger sets several distinctive environment variables in the newly created debuggee process.

A sample process without a debugger attached:

[screenshot 1: environment of the sample, no debugger]

The same sample debugged by WinDbg Classic:

[screenshot 2: environment of the sample under WinDbg Classic]

The same sample debugged by WinDbg Preview:

[screenshot 3: environment of the sample under WinDbg Preview]

We can use this difference to detect whether a sample is running under WinDbg:

[screenshot: detection code]
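As an added example (not the post's own code), the same comparison can be written as a diff of environment blocks: record the variable names seen in a clean run, then flag anything extra in a later block. The variable names in the sample blocks are constructed placeholders, since the real names only appear in the screenshots above.

```c
/* Added example, not from the original post: walk a Windows-style environment
 * block ("NAME=VALUE\0NAME=VALUE\0\0", as returned by GetEnvironmentStringsA)
 * and report variable names absent from a baseline taken from a clean, undebugged
 * run. The names below are constructed placeholders; the names WinDbg actually
 * injects are the ones visible in the post's screenshots. */
#include <stdio.h>
#include <string.h>
#define MAX_NAME 128

/* Counts names in `block` that are not in `expected` and copies the first such
 * name into `found` (may be NULL). Entries starting with '=' are the hidden
 * "=C:=C:\dir" per-drive working-directory records Windows keeps; skip them. */
int count_unexpected_vars(const char *block, const char *const *expected,
                          size_t n_expected, char *found, size_t found_len) {
    int count = 0;
    if (found && found_len) found[0] = '\0';
    for (const char *p = block; *p; p += strlen(p) + 1) {
        const char *eq = strchr(p, '=');
        if (!eq || eq == p) continue;
        size_t len = (size_t)(eq - p);
        if (len >= MAX_NAME) len = MAX_NAME - 1;
        char name[MAX_NAME];
        memcpy(name, p, len);
        name[len] = '\0';
        int known = 0;
        for (size_t i = 0; i < n_expected && !known; i++)
            known = strcmp(name, expected[i]) == 0;
        if (known) continue;
        if (count++ == 0 && found && found_len)
            snprintf(found, found_len, "%s", name);
    }
    return count;
}
/* Constructed blocks: a clean baseline and the same block with one extra
 * variable, standing in for the difference between the post's screenshots. */
static const char *const baseline_names[] = { "PATH", "SYSTEMROOT", "TEMP" };
static const char clean_block[] =
    "=C:=C:\\Users\0PATH=C:\\Windows\0SYSTEMROOT=C:\\Windows\0TEMP=C:\\Temp\0";
static const char debugged_block[] =
    "=C:=C:\\Users\0PATH=C:\\Windows\0SYSTEMROOT=C:\\Windows\0TEMP=C:\\Temp\0"
    "EXAMPLE_DEBUGGER_VAR=1\0"; /* placeholder, not a real WinDbg name */

int main(void) {
    /* On Windows, pass GetEnvironmentStringsA() here instead of the samples. */
    char found[MAX_NAME];
    int clean = count_unexpected_vars(clean_block, baseline_names, 3, NULL, 0);
    int dbg = count_unexpected_vars(debugged_block, baseline_names, 3, found, sizeof found);
    printf("clean: %d unexpected, debugged: %d unexpected (first: %s)\n",
           clean, dbg, dbg ? found : "-");
    return 0;
}
```

The baseline should be captured from the same sample run outside any debugger, exactly as screenshot 1 was taken, otherwise ordinary per-machine variables will be reported as well.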

whoami: @_qaz_qaz