Anti-Debug Tricks
Special flags in system tables, which reside in process memory and which the operating system sets, can be used to indicate that the process is being debugged. The state of these flags can be checked either by calling specific API functions or by examining the system tables in memory.

The following set of techniques covers checks that use kernel object handles to detect the presence of a debugger.

The following methods deliberately raise exceptions to check whether the resulting behavior differs from that of a process running without a debugger.

When a process is traced in a debugger, there is a huge delay between instructions and their execution.

A process can examine its own memory either to detect the presence of a debugger or to interfere with the debugger.

Anti-Debug: Assembly instructions
The following techniques are intended to detect a debugger based on how debuggers behave when the CPU executes certain instructions.

Anti-Debug: Direct debugger interaction
The following techniques let the running process manage a user interface or interact with its parent process to discover inconsistencies that are characteristic of a debugged process.

Anti-Debug: Misc