Guard Pages Anti-Debugging

Memory breakpoints are a technique used by malware to detect if a debugger is present. This technique involves setting up a "guard page" in memory, which is a page of memory that is protected by the operating system and cannot be accessed by normal code. If a debugger is present, the malware can use this guard page to detect its …

NtSetDebugFilterState Anti-Debugging

The NtSetDebugFilterState and DbgSetDebugFilterState functions are used by malware to detect the presence of a kernel mode debugger. These functions allow the malware to set up a debug filter, which is a mechanism that can be used to detect and respond to the presence of a debugger.

When a kernel mode debugger is present, the debug filter will be triggered, …

Debugger Evasion Defense Evasion [Mitre]

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.

Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they …

Alienyze Packers

Alienyze is a software packer designed to compress executable files, allowing them to reduce the file size of their software as much as possible.

Anti-Debugger techniques that detect and fool present debuggers
Anti-VM techniques that detect sandbox & virtualized environments
Protection from disassemblers and software analysis tools
Hardware ID locking for making applications machine dependant
Integrity checks that detect code …

OutputDebugString Anti-Debugging

This Windows API is often used by developers for debugging purpose. It will display a text to the attached debugger. This API is also used by Malware to open a communication channel between one or multiple processes.

It is possible to use OutputDebugString in addition of GetLastError / SetLastError to detect debugger presence.

NtQueryObject Anti-Debugging

This function retrieves object information. By calling this function with the class ObjectTypeInformation will retrieve the specific object type (debug) to detect the debugger.

NtGlobalFlag Anti-Debugging

The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB at offset 0x68. If the value at this location is 0x70, we know that we are running in a debugger.

The NtGlobalFlag field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on 64-bit …

AddVectoredExceptionHandler Anti-Debugging

The AddVectoredExceptionHandler technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling AddVectoredExceptionHandler(1, ourHandler) to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.

After this call has taken place, stepping through the code will trigger an EXCEPTION_SINGLE_STEP exception, …

Bad String Format Anti-Debugging

Bad string format is a technique used by malware to evade detection and analysis by OllyDbg, a popular debugger used by security researchers and analysts. This technique involves using malformed strings that exploit a known bug in OllyDbg, causing the debugger to crash or behave unexpectedly.

For example, the malware may use a string with multiple %s inputs, which OllyDbg …

Image File Execution Options Injection Process Manipulating

Image File Execution Options Injection, also known as IFEO Injection, is a technique used by malware to evade detection and persist on a compromised system.

The technique involves modifying the Image File Execution Options (IFEO) registry key, which is used by the Windows operating system to set debugging options for executable files. When an executable file is launched, the operating …

Search Evasion Techniques

Search Result