LocalSize(0)

Anti-Debugging

The function LocalSize retrieves the current size of the specified local memory object, in bytes. By setting the hMem parameters with 0 will trigger an exception in a debugger that can be used as an anti-debugging mechanism.

Themida

Packers

Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption...

Anti-debugger techniques that detect/fool any kind of debugger
Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers
Different encryption algorithms and keys in each protected application
Anti-API scanners techniques that avoids reconstruction …

AxProtector

Packers

AxProtector encrypts the complete software you aim to protect, and shields it with a security shell, AxEngine. Best-of-breed anti-debugging and anti-disassembly methods are then injected into your software.

kernel flag inspection via sysctl

Anti-Debugging

The sysctl anti-debugging technique can be abused by malware to detect and evade debugging tools on macOS or BSD-like systems. By querying the kernel for process information, malware checks flags (e.g., 0x800) to see if a debugger is attached. If detected, the malware can terminate, alter behavior, or enter a dormant state to avoid analysis.

This technique blends …

INT 0x2D

Anti-Debugging

When the instruction INT2D is executed, the exception EXCEPTION_BREAKPOINT is raised. Windows uses the EIP register as an exception address and then increments the EIP register value. Windows also examines the value of the EAX register while INT2D is executed.

Search For Content

Search Result

LocalSize(0)

Anti-Debugging

Themida

Packers

AxProtector

Packers

kernel flag inspection via sysctl

Anti-Debugging

INT 0x2D

Anti-Debugging