ADBG is a low-level Windows anti-debugging and anti-analysis library built using NT internals, direct syscalls, and execution-level tricks.
It is designed to detect, disrupt, and prevent:
- User-mode debuggers
- Kernel-assisted debugging
- Dynamic analysis tools
- Instrumentation frameworks
- Runtime attach attempts
- PEB checks (BeingDebugged, NtGlobalFlag)
- Debug object & debug port detection
- Remote debugger detection
- Kernel debugger detection (NtSystemDebugControl)
- Process heap flags / force flags
- Parent process heuristics
- Hardware breakpoints (DR0–DR7)
- Page exception breakpoints
- Guard page execution checks
- Stack read anomalies
- Continuous debug register validation
- Hash-based syscall resolution
- Dynamic export parsing from ntdll
- Cross-compiler syscall stubs (MSVC / GCC)
- SysWhispers-style implementation, with the stubs exposed under a Dbg prefix:

```c
DbgNtCreateThreadEx(...);
DbgNtQuerySystemInformation(...);
```

- Native thread creation (NtCreateThreadEx)
- Hidden threads (ThreadHideFromDebugger)
- Thread enumeration & manipulation
- Debug register sanitization across threads
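The hash-based resolution listed above can be illustrated with a small portable example. This is added here and is not ADBG's code: the export list is constructed, the djb2 hash is an assumption standing in for whatever function the library actually uses, and the names hash_name, resolve_by_hash, name_for_hash and check_no_collisions are hypothetical. The reverse lookup at the end is the step a detection engineer performs when mapping hashes found in a binary back to API names, so the same routine serves both the resolver and the analyst checking it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for an export name table. The real table is read
   from ntdll's export directory at run time; the order here is arbitrary. */
static const char *const kExports[] = {
    "NtCreateThreadEx",
    "NtQuerySystemInformation",
    "NtSetInformationThread",
    "NtClose",
};
#define EXPORT_COUNT (sizeof(kExports) / sizeof(kExports[0]))

/* Assumed hash function (djb2 over the name bytes). ADBG's own hash is
   not given on the page, so this is a placeholder with the same role:
   the caller carries a 32-bit constant instead of the name string. */
uint32_t hash_name(const char *name) {
    uint32_t h = 5381u;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p)
        h = h * 33u + *p;
    return h;
}

/* Walk the export table and return the index whose name hashes to
   `want`, or -1 if nothing matches. This is the forward direction the
   syscall resolver uses. */
int resolve_by_hash(uint32_t want) {
    for (size_t i = 0; i < EXPORT_COUNT; ++i)
        if (hash_name(kExports[i]) == want)
            return (int)i;
    return -1;
}

/* Reverse direction an analyst uses: given a hash constant recovered
   from a binary and a candidate name list, return the matching name or
   NULL when no candidate produces that hash. */
const char *name_for_hash(uint32_t h) {
    int i = resolve_by_hash(h);
    return i < 0 ? NULL : kExports[i];
}

/* Sanity check for the resolver: a collision inside the table would make
   a lookup ambiguous, so verify every pair hashes differently. */
int check_no_collisions(void) {
    for (size_t i = 0; i < EXPORT_COUNT; ++i)
        for (size_t j = i + 1; j < EXPORT_COUNT; ++j)
            if (hash_name(kExports[i]) == hash_name(kExports[j]))
                return 0;
    return 1;
}
```

Because the resolver compares hashes rather than strings, the export name never appears in the protected binary; the cost is that a table built with the same hash over a list of known export names reverses the constant immediately, which is exactly what name_for_hash does.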
Anti-attach protection (TLS callback), one of the strongest parts of this library:
- Executes before main()
- Detects debugger attach via thread injection
- Scans thread start addresses
- Terminates if a debugger attach thread is detected
- Hooks:
  - DbgUiRemoteBreakin → redirected to __fastfail
  - DbgBreakPoint → patched to ret
- Enumerates all threads
- Clears DR registers across the process
- Vectored exception handler (handler.c)
- Detects:
  - Single-step exceptions
  - Hardware breakpoint usage
  - Hooked KiUserExceptionDispatcher

```c
LONG CALLBACK VectoredDebuggerCheck(...);
```

- MEM_WRITE_WATCH detection
- Module CRC verification (hasher.c)
- Hook detection via memory inspection
- Stack integrity validation
- Debugger window detection (x64dbg, WinDbg, etc.)
- Job object detection (sandboxing)
- Suspicious parent process detection
- Duplicate handle anomalies
- RDTSC timing checks
- Execution delay detection
- Anti-instrumentation heuristics
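To show what module CRC verification catches, here is an added example in portable C; it is not the code in hasher.c. The code bytes are a constructed stand-in for a module's text section, CRC-32 with the reflected polynomial 0xEDB88320 is a standard choice assumed here, and crc32_buf, seal_module, verify_module and demo_detects_patch are hypothetical names. A baseline is recorded once, and any later in-place modification of the bytes, whether an inline hook or a software breakpoint written into them, changes the CRC and fails the check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Standard CRC-32 (reflected, polynomial 0xEDB88320, init and final
   XOR 0xFFFFFFFF). Bitwise form, no table, so it is easy to audit. */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; ++i) {
        c ^= p[i];
        for (int k = 0; k < 8; ++k)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Constructed stand-in for a loaded module: a small code buffer plus the
   CRC recorded when the module was sealed. */
typedef struct {
    uint8_t  code[16];
    uint32_t baseline;
} module_image;

/* Record the reference CRC. Must run before any untrusted code has had a
   chance to modify the buffer, otherwise the baseline is already wrong. */
void seal_module(module_image *m) {
    m->baseline = crc32_buf(m->code, sizeof m->code);
}

/* Re-hash and compare. Returns 1 when the bytes still match the
   baseline, 0 when anything in the buffer has changed. */
int verify_module(const module_image *m) {
    return crc32_buf(m->code, sizeof m->code) == m->baseline;
}

/* Walk through the life cycle: seal, verify clean, simulate a one-byte
   in-place patch, verify again. Returns 1 only if the check passed while
   untouched and failed after the patch. */
int demo_detects_patch(void) {
    module_image m = {
        /* constructed byte pattern, not real machine code */
        { 0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x83,
          0xec, 0x20, 0x48, 0x8b, 0xd9, 0x33, 0xff, 0xc3 },
        0
    };
    seal_module(&m);
    int before = verify_module(&m);

    m.code[0] ^= 0xFF;           /* simulate an inline patch of one byte */
    int after = verify_module(&m);

    return before == 1 && after == 0;
}
```

Two practical points follow from the code: the baseline has to be taken before anything untrusted runs, and the verification has to be repeated over time rather than done once, since a patch applied after a single successful check goes unnoticed.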
```text
/core
    syscall.*, syscall-core.asm, syscalls.h
    syscall_converter.py
/anti_debug
    dbgpresent.*, dbgobj.*, procdbgport.*, rdbgpresent.*
    ntglobalflag.*
/breakpoints
    hwbreakp.*, hwbreakp2.*
    membreakp.*, pgexcbp.*
    raiseexc.*
/process
    prochpflag.*, prochpforceflag.*
    duphnd.*, prothnd.*, clshandle.*
    opnproc.*, job.*, prntproc.*
/execution
    thrmng.*, handler.*
    atcptr.*        ← TLS + anti-attach core
/system
    kerneldbg.*, sysdbgctl.*
    window.*, timing.*, ntldt.*
/memory
    vrtalloc.*, readstck.*
    hasher.*, loadlib.*
/firmware
    dbgp.c          ← ACPI DBGP detection
```
Basic usage:

```c
#include "adbg.h"

int main() {
    StartDebugProtection();  // continuous monitoring
    StartAttachProtection(); // anti-attach hardening
    return 0;
}
```

Individual checks:

```c
if (CheckOpenProcess()) return -1;
if (ProtectedHandle()) return -1;
if (NtSystemDebugControl()) return -1;
```

Hidden thread example:

```c
HANDLE hThread = DbgCreateThread(
    GetCurrentProcess(),
    0,
    MyThread,
    NULL,
    0,
    NULL,
    NULL
);
```

Design notes:
- Direct syscalls avoid user-mode API hooks entirely.
- No single bypass: an attacker must defeat many layers.
- TLS callbacks trigger before main logic.
- __fastfail() terminates the process immediately.
Limitations:
- Windows-only (NT-based)
- Some techniques may trigger:
  - AV / EDR alerts
  - Sandbox detections
- Syscall numbers must match the OS version
This project is intended for:
- Software protection
- Anti-reverse engineering research
- Security education
Do not use for malicious purposes.
- Hypervisor detection
- ETW bypass
- AMSI bypass
- Kernel-mode extension
- Anti-VM heuristics
Compile with _DEBUG to get diagnostic output of the form:

```text
[!] Debugger detected in: <function>
```

License: MIT / Custom