Merge pull request #2 from mastercodeon314/master

PR for the third dnSpy debugging hook, System.Diagnostics.Debugger

Author: XenocodeRCE

README.md

@@ -1,7 +1,10 @@
+A fork of the original repo that adds the third dnSpy debugging hook, System.Diagnostics.Debugger
+
 # dnSpyDetector
 A quick way to check for the presence of dnSpy hooks in memory
 
-![](https://i.imgur.com/UE7fleD.png)
+
+![image](https://user-images.githubusercontent.com/78676320/193439132-b5ddeb8c-6e88-40b7-8c16-26f540843b70.png)
 
 # Reverse Engineering Discord server
 Wanna join a cool reverse engineering server ? https://discord.gg/qcfddcE

dnSpyDetector/dnSpyDetector/Program.cs

@@ -1,17 +1,19 @@
 using System;
+using System.Diagnostics;
+
 namespace dnSpyDetector
 {
     class Program
     {
-
         [System.Runtime.InteropServices.DllImport("kernel32.dll")]
         public static extern IntPtr LoadLibrary(string dllToLoad);
 
         [System.Runtime.InteropServices.DllImport("kernel32.dll")]
         public static extern IntPtr GetProcAddress(IntPtr hModule, string procedureName);
 
-        static void Main(string[] args) {
-
+        static void Main(string[] args)
+        {
+            int hookCount = 0;
             Console.WriteLine("Checking the presence of dnSpy hooks ...");
 
             IntPtr kernel32 = LoadLibrary("kernel32.dll");
@@ -21,25 +23,41 @@ static void Main(string[] args) {
             System.Runtime.InteropServices.Marshal.Copy(GetProcessId, data, 0, 1);
 
             //32-bit relative jump = opcode 0xE9
-            if (data[0] == 0xE9) {
+            if (data[0] == 0xE9)
+            {
                 Console.WriteLine($"IsDebuggerPresent hook detected ...");
-                Console.ReadKey();
-                return;
+                hookCount++;
             }
 
             GetProcessId = GetProcAddress(kernel32, "CheckRemoteDebuggerPresent");
-            data = new byte[1];
             System.Runtime.InteropServices.Marshal.Copy(GetProcessId, data, 0, 1);
 
             //32-bit relative jump = opcode 0xE9
-            if (data[0] == 0xE9) {
+            if (data[0] == 0xE9)
+            {
                 Console.WriteLine($"CheckRemoteDebuggerPresent hook detected ...");
-                Console.ReadKey();
-                return;
+                hookCount++;
             }
 
+            var debuggerType = typeof(Debugger);
+            System.Reflection.MethodInfo[] methods = debuggerType.GetMethods();
+            var getMethod = debuggerType.GetMethod("get_IsAttached");
+
+            IntPtr targetAddre = getMethod.MethodHandle.GetFunctionPointer();
+            System.Runtime.InteropServices.Marshal.Copy(targetAddre, data, 0, 1);
 
-            Console.ReadKey();
+            if (data[0] == 0x33)
+            {
+                Console.WriteLine($"System.Diagnostics.Debugger hook detected ...");
+                hookCount++;
+            }
+
+            if (hookCount == 0)
+            {
+                Console.WriteLine("No dnSpy hooks found!");
+            }
+            
+            Console.ReadLine();
         }
     }
 }