Windows Anti-Debug Reference - M!X0R - 01-11-2018
Posted By: ArbCracker 02-10-2007, 03:21 PM
Quote: Windows Anti-Debug Reference
This paper classifies and presents several anti-debugging techniques used on Windows NT-based operating systems.

Anti-debugging techniques are ways for a program to detect if it runs under control of a debugger. They are used by commercial executable protectors, packers and malicious software, to prevent or slow down the process of reverse-engineering.

We'll suppose the program is analyzed under a ring3 debugger, such as OllyDbg on Windows platforms. The paper is aimed towards reverse-engineers and malware analysts.

Note that we will talk purely about generic anti-debugging and anti-tracing techniques. Specific debugger detection, such as window or processes enumeration, registry scanning, etc. will not be addressed here.
Anti-debugging and anti-tracing techniques

Exploiting memory discrepancies
    1 kernel32!IsDebuggerPresent
    2 PEB!IsDebugged
    3 PEB!NtGlobalFlags
    4 Heap flags
    5 Vista anti-debug (no name)

Exploiting system discrepancies
    1 NtQueryInformationProcess
    2 kernel32!CheckRemoteDebugger
    3 UnhandledExceptionFilter
    4 NtSetInformationThread
    5 kernel32!CloseHandle and NtClo
    6 Self-debugging
    7 Kernel-mode timers
    8 User-mode timers
    9 kernel32!OutputDebugStringA
    10 Ctrl-C

CPU anti-debug
    1 Rogue Int3
    2 "Ice" Breakpoint
    3 Interrupt 2Dh
    4 Timestamp counters
    5 Popf and the trap flag
    6 Stack Segment register
    7 Debug registers manipulation
    8 Context modification

Uncategorized anti-debug
    1 TLS-callback
    2 CC scanning
    3 EntryPoint RVA set to 0