Tutorial Anti Debugging Tricks – CloseHandle Debugger Detection

Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat


Dank Tier VIP
Jul 15, 2018
Anti Debugging Tricks – CloseHandle

This is probably one of my favourite antidebugging techniques because its relatively benign. It can be difficult to detect as many programs can have hundreds of legitimate calls to CloseHandle however as we'll see its not that difficult to bypass if you know what you're doing.

So how does it work?

Those of you familiar with the WINAPI know that most function calls end up calling their “big brother” versions inside ntdll (NtClose in the case of CloseHandle). What you may not know is the CloseHandle call operates differently depending on whether a debugger is attached.

Take the following code:
This call will fail (of course) but the interesting thing is it will run normally and not crash to the error reporting screen (as you think). Try running it and see what happens it should run without any issue. However if we run this code inside Visual Studio with the debugger attached we get this interesting piece of information:


That’s interesting. Let’s see if we can leverage this into a program to detect this exception and terminate on detection of it. Take the following example code:

#include <stdio.h>
#include <Windows.h>

BOOL bDetected;

LONG WINAPI ExpCheckForDebugger(EXCEPTION_POINTERS *ExceptionInfo)
if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_INVALID_HANDLE)
bDetected = true;

int main(void)
bDetected = false;

LPVOID pHandle = AddVectoredExceptionHandler(1ul, ExpCheckForDebugger);


if (bDetected) {
printf("Stop debugging me!\n");
return -1;


printf("Normal execution\n");
return 0;
Try continuing after the exception is thrown, the application will detect that exception was thrown and exit. Executing the application without a debugger will result in normal execution pretty neat right?


How to beat it

There’s a few options here. You could hook CloseHandle or AddVectoredExeceptionHandler. You could register your own First exception handler check the msdn page for more information. You could also simply nop out the call to CloseHandle.

My own preference would be to hook CloseHandle and perform some tests on the supplied handle to see if it indeed a valid handle or just a junk pointer to trigger the exception. You could use a call like DuplicateHandle to check this.

See the example below:

// This is our hook installed into the target application
BOOL WINAPI MyCloseHandle(HANDLE hHandle)
HANDLE hCurrProcess = GetCurrentProcess(), hOutput = NULL;
if (!DuplicateHandle(hCurrProcess, hHandle, hCurrProcess, &hOutput, NULL, FALSE, DUPLICATE_SAME_ACCESS)) {
// Call failed do not call CloseHandle() to avoid triggering the exception
return FALSE;

// Call the original unhooked function
// Close duplicate handle
// Close the actual handle
return RealCloseHandle(hHandle);


Cesspool Admin
Jan 21, 2014
This premium tutorial has been released to the heathens! Remember you can get early access to our content by donating

Would be cool to make a little anti-debug lib using all these techniques and then make videos of us bypassing them
  • Love
  • Like
Reactions: KF1337 and _Necros_
Attention! Before you post:

Read the How to Ask Questions Guide
99% of questions are answered in the Beginner's Guide, do it before asking a question.

No Hack Requests. Post in the correct section.  Search the forum first. Read the rules.

How to make a good post:

  • Fill out the form correctly
  • Tell us the game name & coding language
  • Post everything we need to know to help you
  • Ask specific questions, be descriptive
  • Post errors, line numbers & screenshots
  • Post code snippets using code tags
  • If it's a large project, zip it up and attach it

If you do not comply, your post may be deleted.  We want to help, please make a good post and we will do our best to help you.

Community Mods League of Legends Accounts