GET /api/techniques/63/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 63,
    "key": "ntglobalflag",
    "unprotect_id": "U0111,B0001.036",
    "name": "NtGlobalFlag",
    "description": "The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB, at offset `0x68` on 32-bit Windows. If the value at this location is `0x70`, we know that the process is running under a debugger.\r\n\r\nThe `NtGlobalFlag` field of the Process Environment Block (offset `0x68` on 32-bit and `0xBC` on 64-bit Windows) is 0 by default. Attaching a debugger doesn’t change the value of `NtGlobalFlag`. However, if the process was created by a debugger, the following flags will be set:\r\n\r\n- `FLG_HEAP_ENABLE_TAIL_CHECK` (0x10)\r\n- `FLG_HEAP_ENABLE_FREE_CHECK` (0x20)\r\n- `FLG_HEAP_VALIDATE_PARAMETERS` (0x40)\r\n\r\nThe presence of a debugger can be detected by checking a combination of those flags; all three set together give the value `0x70`.",
    "resources": "https://www.aldeid.com/wiki/PEB-Process-Environment-Block/NtGlobalFlag\nhttps://anti-debug.checkpoint.com/techniques/debug-flags.html#manual-checks-ntglobalflag",
    "creation_date": "2019-03-18T13:35:07Z",
    "tags": "ntglobalflag",
    "modification_date": "2023-10-04T10:44:18.871000Z",
    "category": [
        3
    ],
    "rules": [
        4,
        25
    ],
    "attachments": [],
    "featured_api": [
        24,
        355,
        419,
        425
    ],
    "contributors": []
}