GET /api/techniques/62/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"id": 62,
"key": "heap-flag",
"unprotect_id": "U0112,B0001.021",
"name": "Heap Flag",
"description": "`ProcessHeap` is located at `0x18` in the PEB structure. This first heap contains a header with fields used to tell the kernel whether the heap was created within a debugger. The heap contains two fields which are affected by the presence of a debugger. These fields are `Flags` and `ForceFlags`.\r\n\r\nThe values of `Flags and ForceFlags` are normally set to `HEAP_GROWABLE` and `0`, respectively.\r\n\r\nOn 64-bit Windows XP, and Windows Vista and higher, if a debugger is present, the Flags field is set to a combination of these flags:\r\n\r\n- `HEAP_GROWABLE (2)`\r\n- `HEAP_TAIL_CHECKING_ENABLED (0x20)`\r\n- `HEAP_FREE_CHECKING_ENABLED (0x40)`\r\n- `HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)`\r\n\r\nWhen a debugger is present, the ForceFlags field is set to a combination of these flags:\r\n\r\n- `HEAP_TAIL_CHECKING_ENABLED (0x20)`\r\n- `HEAP_FREE_CHECKING_ENABLED (0x40)`\r\n- `HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)`",
"resources": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software\nhttps://anti-debug.checkpoint.com/techniques/debug-flags.html#manual-checks-heap-flags",
"creation_date": "2019-03-18T13:34:32Z",
"tags": "heapflag",
"modification_date": "2023-10-04T10:42:51.159000Z",
"category": [
3
],
"rules": [],
"attachments": [],
"featured_api": [
258
],
"contributors": []
}
