Windows Anti-Debug Reference
#1
Posted By: ArbCracker 02-10-2007, 03:21 PM

Quote: Windows Anti-Debug Reference

This paper classifies and presents several anti-debugging techniques used on Windows NT-based operating systems.

Anti-debugging techniques are ways for a program to detect if it runs under control of a debugger. They are used by commercial executable protectors, packers and malicious software, to prevent or slow down the process of reverse-engineering.

We'll suppose the program is analyzed under a ring3 debugger, such as OllyDbg on Windows platforms. The paper is aimed towards reverse-engineers and malware analysts.

Note that we will talk purely about generic anti-debugging and anti-tracing techniques. Specific debugger detection, such as window or processes enumeration, registry scanning, etc. will not be addressed here.
Anti-debugging and anti-tracing techniques

Exploiting memory discrepancies
  1. kernel32!IsDebuggerPresent
  2. PEB!IsDebugged
  3. PEB!NtGlobalFlags
  4. Heap flags
  5. Vista anti-debug (no name)

Exploiting system discrepancies
  1. NtQueryInformationProcess
  2. kernel32!CheckRemoteDebuggerPresent
  3. UnhandledExceptionFilter
  4. NtSetInformationThread
  5. kernel32!CloseHandle and NtClose
  6. Self-debugging
  7. Kernel-mode timers
  8. User-mode timers
  9. kernel32!OutputDebugStringA
  10. Ctrl-C

CPU anti-debug
  1. Rogue Int3
  2. "Ice" Breakpoint
  3. Interrupt 2Dh
  4. Timestamp counters
  5. Popf and the trap flag
  6. Stack Segment register
  7. Debug registers manipulation
  8. Context modification

Uncategorized anti-debug
  1. TLS-callback
  2. CC scanning
  3. EntryPoint RVA set to 0


Attached files
  .rar   Windows Anti-Debug Reference.rar (size: 127.86 KB / downloads: 39)
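The table of contents above only names the checks. As an added example (my own code, not from the paper or from this post), the following C program implements the two "Exploiting memory discrepancies" checks that read the PEB directly, PEB!IsDebugged (the PEB.BeingDebugged byte) and PEB!NtGlobalFlags, against a raw PEB image. The field offsets (BeingDebugged at +0x02, NtGlobalFlag at +0x68 for the 32-bit PEB and +0xBC for the 64-bit PEB) and the FLG_HEAP_* bit values are the public PEB layout; the sample PEB images are constructed inline for illustration, and the live_indicators() variant, which reads the current process's own PEB through NtCurrentTeb(), is compiled only on Windows. The names peb_read_flags, peb_debugger_indicators and sample_indicators are mine.

```c
/* Added example: PEB.BeingDebugged and PEB.NtGlobalFlag checks over a raw
 * PEB image, plus a Windows-only live variant on the current process. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NtGlobalFlag heap bits the loader turns on when the process is *created*
 * under a debugger; together they are 0x70. */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                             FLG_HEAP_ENABLE_FREE_CHECK | \
                             FLG_HEAP_VALIDATE_PARAMETERS)

/* PEB field offsets (public layout). */
#define PEB_BEING_DEBUGGED_OFF  0x02u
#define PEB32_NTGLOBALFLAG_OFF  0x68u
#define PEB64_NTGLOBALFLAG_OFF  0xBCu
#define PEB_IMAGE_MIN_LEN       0x100u   /* covers both fields in both layouts */

typedef struct {
    uint8_t  being_debugged;  /* PEB.BeingDebugged */
    uint32_t nt_global_flag;  /* PEB.NtGlobalFlag */
} peb_flags;

enum { AD_BEING_DEBUGGED = 1, AD_NTGLOBALFLAG = 2 };

/* Pull both fields out of a little-endian PEB image; is64 selects the
 * 64-bit layout. Returns 0 on success, -1 if the image is too short. */
int peb_read_flags(const uint8_t *peb, size_t len, int is64, peb_flags *out)
{
    size_t off = is64 ? PEB64_NTGLOBALFLAG_OFF : PEB32_NTGLOBALFLAG_OFF;
    if (peb == NULL || out == NULL || len < off + 4)
        return -1;
    out->being_debugged = peb[PEB_BEING_DEBUGGED_OFF];
    out->nt_global_flag = (uint32_t)peb[off]
                        | (uint32_t)peb[off + 1] << 8
                        | (uint32_t)peb[off + 2] << 16
                        | (uint32_t)peb[off + 3] << 24;
    return 0;
}

/* Bitmask of the checks that fire. Caveat: the NtGlobalFlag test only
 * catches a process started under the debugger; attaching later sets
 * BeingDebugged but leaves the heap bits as they were at creation. */
int peb_debugger_indicators(const peb_flags *f)
{
    int r = 0;
    if (f->being_debugged)
        r |= AD_BEING_DEBUGGED;
    if ((f->nt_global_flag & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS)
        r |= AD_NTGLOBALFLAG;
    return r;
}

/* Constructed sample image: zeroed, with the two fields set the way the
 * loader leaves them for a clean process (0, 0) or one created under a
 * debugger (1, 0x70). */
static void make_sample_peb(uint8_t *buf, size_t len, int is64, int debugged)
{
    size_t off = is64 ? PEB64_NTGLOBALFLAG_OFF : PEB32_NTGLOBALFLAG_OFF;
    memset(buf, 0, len);
    buf[PEB_BEING_DEBUGGED_OFF] = debugged ? 1 : 0;
    buf[off] = debugged ? (uint8_t)DEBUGGER_HEAP_FLAGS : 0;
}

/* Run both checks on a constructed image; returns the indicator mask. */
int sample_indicators(int is64, int debugged)
{
    uint8_t img[PEB_IMAGE_MIN_LEN];
    peb_flags f;
    make_sample_peb(img, sizeof img, is64, debugged);
    if (peb_read_flags(img, sizeof img, is64, &f) != 0)
        return -1;
    return peb_debugger_indicators(&f);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* Live variant: same checks on this process's own PEB, the structure the
 * paper's in-process techniques reach through fs:[30h] / gs:[60h]. */
int live_indicators(void)
{
    const uint8_t *peb = (const uint8_t *)NtCurrentTeb()->ProcessEnvironmentBlock;
    peb_flags f;
    peb_read_flags(peb, PEB_IMAGE_MIN_LEN, sizeof(void *) == 8, &f);
    return peb_debugger_indicators(&f);
}
#endif

int main(void)
{
    printf("clean 32-bit image  : indicators = %d\n", sample_indicators(0, 0));
    printf("debugged 64-bit img : indicators = %d\n", sample_indicators(1, 1));
#ifdef _WIN32
    printf("this process        : indicators = %d\n", live_indicators());
#endif
    return 0;
}
```

Running the binary under OllyDbg (or any user-mode debugger that creates the process) should make live_indicators() return 3; attaching to an already-running instance returns 1, which is why packers that rely on the NtGlobalFlag check can be sidestepped by attaching late, and why debugger plugins that zero BeingDebugged defeat only the first check.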