.NET: How to isolate an anti-debugging class library?

Question

I built a .NET class library and used an obfuscator to obfuscate it with anti-debugging.

I built a testing project using my obfuscated class library. I would have hoped that anti-debugging forbids debugger to step into my class library. But it simply threw exception "Debugger detected" when my class library was invoked when I started the project in debugging mode (by pressing "F5" in Visual Studio).

What this means is that if a project uses my library then the developer simply cannot debug at all. They may have millions of lines of code that has nothing to do with my library. Not being able to debug at all in their project will only mean one thing: they will not use my library.

Is there anyway a developer can do to "isolate" my library, so that they can debug elsewhere?

Answer 1

Specially thanks to @Artem Razin for:

isolate sensitive code to a separate process that runs with the enabled anti-debugging feature.

Its great and helpful. Also virtualization he specified is good approach. I will post you a good approach if you need exactly working with anti-debug envirnoment. Bceause you mention the exception: Debugger Detected

Am assume you use Eziriz .NET Reactor. When I speak with support. They said you can't provide two anti-debug version for specific HardwareID. Because HardwareID involved in the licensing system and it must not bypassed!

I can tell you a workaround for that by using .NET Reactor CLI and MSBuild targets.

What scenario it should be? (I will show what we need to do before write CLI...)

1. If you a have a developer team, or friend who need to use your obfuscated library. That's great. But he can't debug because its anti-debugged.
2. Then we must separate an assembly into two assemblies. One for developer its obfuscated but without anti-debug feature enabled. and other assembly into release folder for consumer or your audience.
3. So when you build your assembly. or need to create nuget package for it. you need to do a double obfuscation. Firstly you will obfuscate the anti-debug version for consumer into Consumer/AntiDebug folder. Secondly you will obfuscate the original DLL again but for developer without anti-debug feature!

So please use Directory.Build.targets for that. Here's code for obfuscation:

<Target Name="ObfuscateDLL" Condition="'$(Configuration)' == 'Release' AND $(OutputType) == 'Library'"
        AfterTargets="AfterBuild">

    <PropertyGroup>
          <ObfuscatedFolder>$(MSBuildThisFileDirectory)\Anti Debug</ObfuscatedFolder>
          <ObfuscatorPath>C:\Program Files (x86)\Eziriz\.NET Reactor\dotNET_Reactor.Console.exe</ObfuscatorPath>
          <ObfuscatorParameters>-antitamp 1 -anti_debug 1 -hide_calls 1 -hide_calls_internals 1 -control_flow_obfuscation 1 -flow_level 9 -resourceencryption 1 -antistrong 1 -virtualization 1 -necrobit 1 -mapping_file 1 -mapping_file_overwrite 1 -mapping_filename "&lt;ProtectedAssemblyLocation&gt;\&lt;AssemblyName&gt;.nrmap" </ObfuscatorParameters>
    </PropertyGroup>

    <!-- Obfuscate with anti-debug to Obfuscated folder or \Release path when GenerateNuget enabled -->
    <Exec Command="&quot;$(ObfuscatorPath)&quot; -file &quot;$(TargetPath)&quot; -targetfile &quot;$(ObfuscatedFolder)\$(TargetFileName)&quot; $(ObfuscatorParameters)"/>

    <!-- Obfuscate without anti-debug to /Release path for Nuget package for Developers -->
    <Exec Command="&quot;$(ObfuscatorPath)&quot; -file &quot;$(TargetPath)&quot; -targetfile &quot;$(TargetPath)&quot; $(ObfuscatorParameters.Replace('-anti_debug 1','').Replace('-mapping_file 1', ''))"/>
</Target>

Please use above code! if you need it as simple as possible. But you need to manually create nuget package for you developer. via MSBuild or by the way you need.

But If you use .NET Framework and want to generate obfuscated debuggable nuget package (for developers). And also provide anti-debug version to your consumer. You can use following MSBuild targets.

1. It contains ability to create Nuget package with all dependencies automatically.
2. It obfuscate the consumer library to Anti Debug folder. then It will obfuscate nuget version and packacking it. then copy back Anti Debug version to Release folder.
3. You can manually turn on/off GenerateNuget property. If you will not generate nuget so anti-debug version only produced.
4. Change the code depending on your needs...

https://pastebin.com/wmvcWMUp

(See link XML content are large can't posted to StackOverflow)

Answer 2

Anti-debugging is a well-known feature since the times of exe packers. Unfortunately, it is a process-wide thing. Usually, .NET obfuscators check debugger-specific environment variables.

There is no way to prevent a debugger from stepping into your assembly.

I would say that anti-debugging is for those who want to protect their end-user products, not libraries.

You can virtualize your code (modern obfuscators like ArmDot provide this feature), so debugging it would have almost no sense.

Another idea is to isolate sensitive code to a separate process that runs with the enabled anti-debugging feature. On the client-side, you just provide a proxy that redirects all calls to the process.