Anti-WinDbg Trick [Quick Post]
If we debug an executable under WinDbg (Classic and Preview), the debugger adds several distinguishable environment variables to the newly created debuggee process that are absent when the same executable is started normally.
A sample process without a debugger attached:
The same sample debugged by WinDbg Classic:
The same sample debugged by WinDbg Preview:
We can use this difference in the environment block to detect whether a sample is running under WinDbg:
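As an added example (not the post's own code), the check written out in C: `diff_env_names` derives the debugger-only variable set from a clean run versus a debugged run, as the screenshots do visually, and `windbg_env_present` applies that set to an environment block. The variable names below are constructed placeholders, since the post shows the real ones only in screenshots; on Windows the live block comes from `GetEnvironmentStringsA`.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#endif
static size_t name_len(const char *entry) {   /* length of NAME in "NAME=value" (or a bare name) */
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}
/* Case-insensitive name comparison (Windows variable names are case-insensitive). */
static int same_name(const char *a, size_t alen, const char *b, size_t blen) {
    if (alen != blen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i])) return 0;
    return 1;
}
/* Does a Windows env block (NUL-separated entries, empty string at end) hold this name? */
int block_has_name(const char *block, const char *name, size_t len) {
    for (const char *p = block; *p; p += strlen(p) + 1)
        if (same_name(p, name_len(p), name, len)) return 1;
    return 0;
}
/* Entries in `debugged` that `clean` lacks (what the screenshots show); fills `out`, returns count. */
int diff_env_names(const char *clean, const char *debugged, const char **out, int max) {
    int n = 0;
    for (const char *p = debugged; *p && n < max; p += strlen(p) + 1)
        if (!block_has_name(clean, p, name_len(p))) out[n++] = p;
    return n;
}
/* The check itself: is any known debugger-only name set in `block`? */
int windbg_env_present(const char *block, const char **names, int count) {
    for (int i = 0; i < count; i++)
        if (block_has_name(block, names[i], name_len(names[i]))) return 1;
    return 0;
}
/* Constructed sample blocks with PLACEHOLDER names (the real ones are only in the screenshots). */
static const char CLEAN[] = "PATH=C:\\Windows\0SYSTEMROOT=C:\\Windows\0USERNAME=analyst\0";
static const char DEBUGGED[] = "PATH=C:\\Windows\0DBG_PLACEHOLDER_DIR=C:\\dbg\0SYSTEMROOT=C:\\Windows\0"
                               "USERNAME=analyst\0DBG_PLACEHOLDER_MODE=1\0";
int main(void) {
    const char *only[16];
    int n = diff_env_names(CLEAN, DEBUGGED, only, 16);   /* learns the set: 2 entries here */
    for (int i = 0; i < n; i++) printf("debugger-only: %.*s\n", (int)name_len(only[i]), only[i]);
#ifdef _WIN32   /* live check against this process's own environment block */
    LPCH live = GetEnvironmentStringsA();
    printf("this process: %s\n", windbg_env_present(live, only, n) ? "WinDbg env" : "clean");
    FreeEnvironmentStringsA(live);
#endif
}
```

For analysis work the same diff tells you which variables to strip from the environment before launching a sample, which removes this signal without touching the debugger.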