The Arab Team for Reverse Engineering
Windows Anti-Debug Reference - Printable version

+- The Arab Team for Reverse Engineering (https://www.at4re.net/f)
+-- Section: ENGLISH FORUM (https://www.at4re.net/f/forum-6.html)
+--- Section: General Discussion (https://www.at4re.net/f/forum-13.html)
+--- Thread: Windows Anti-Debug Reference (/thread-291.html)



Windows Anti-Debug Reference - M!X0R - 01-11-2018

Posted By: ArbCracker 02-10-2007, 03:21 PM

Quote: Windows Anti-Debug Reference
This paper classifies and presents several anti-debugging techniques used on Windows NT-based operating systems.
Anti-debugging techniques are ways for a program to detect if it runs under control of a debugger. They are used by commercial executable protectors, packers and malicious software, to prevent or slow down the process of reverse-engineering.
We'll suppose the program is analyzed under a ring3 debugger, such as OllyDbg on Windows platforms. The paper is aimed towards reverse-engineers and malware analysts.
Note that we will talk purely about generic anti-debugging and anti-tracing techniques. Specific debugger detection, such as window or process enumeration, registry scanning, etc., will not be addressed here.
Anti-debugging and anti-tracing techniques
Exploiting memory discrepancies
1 kernel32!IsDebuggerPresent
2 PEB!IsDebugged
3 PEB!NtGlobalFlags
4 Heap flags
5 Vista anti-debug (no name)
Exploiting system discrepancies
1 NtQueryInformationProcess
2 kernel32!CheckRemoteDebugger
3 UnhandledExceptionFilter
4 NtSetInformationThread
5 kernel32!CloseHandle and NtClo
6 Self-debugging
7 Kernel-mode timers
8 User-mode timers
9 kernel32!OutputDebugStringA
10 Ctrl-C
CPU anti-debug
1 Rogue Int3
2 "Ice" Breakpoint
3 Interrupt 2Dh
4 Timestamp counters
5 Popf and the trap flag
6 Stack Segment register
7 Debug registers manipulation
8 Context modification
Uncategorized anti-debug
1 TLS-callback
2 CC scanning
3 EntryPoint RVA set to 0