Search Result

131 item(s) found so far for this keyword.

NtSetInformationThread

Anti-Debugging

NtSetInformationThread can be used to hide threads from debuggers using the ThreadHideFromDebugger ThreadInfoClass (0x11 / 17). This is intended to be used by an external process, but any thread can use it on itself.

After the thread is hidden from the debugger, it will continue running but the debugger won’t receive events related to this thread. …


OutputDebugString

Anti-Debugging

This Windows API is often used by developers for debugging purposes. It displays text in the attached debugger. Malware also uses this API to open a communication channel between one or more processes.

OutputDebugString can be combined with GetLastError / SetLastError to detect the presence of a debugger.


EventPairHandles

Anti-Debugging

An EventPair Object is an event constructed by two _KEVENT structures which are conventionally named High and Low.

There is a relation between generic Event Objects and Debuggers because they must create a custom event called DebugEvent able to handle exceptions. Due to the presence of events owned by the Debugger, every information relative to the events of a …


CloseHandle, NtClose

Anti-Debugging

When a process is debugged, calling NtClose or CloseHandle with an invalid handle will generate a STATUS_INVALID_HANDLE exception.

The exception can be caught by an exception handler. If control is passed to the exception handler, it indicates that a debugger is present.


Heap Flag

Anti-Debugging

ProcessHeap is located at 0x18 in the PEB structure. This first heap contains a header with fields used to tell the kernel whether the heap was created within a debugger. The heap contains two fields which are affected by the presence of a debugger. These fields are Flags and ForceFlags.

The values of Flags and ForceFlags are normally …


NtGlobalFlag

Anti-Debugging

The information that the system uses to determine how to create heap structures is stored at an undocumented location in the PEB at offset 0x68. If the value at this location is 0x70, we know that we are running in a debugger.

The NtGlobalFlag field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on …


RDTSC

Anti-Debugging

The Read-Time-Stamp-Counter (RDTSC) instruction can be used by malware to determine how quickly the processor executes the program's instructions. It returns the number of ticks since the last system reboot as a 64-bit value placed into EDX:EAX.

It will execute RDTSC twice and then calculate the difference between low order values and check it with …


GetTickCount

Anti-Debugging

This is a typical timing function used to measure the time needed to execute a function or instruction set. If the difference is more than a fixed threshold, the process exits.

GetTickCount reads from the KUSER_SHARED_DATA page. This page is mapped read-only into the user mode range of the virtual address and read-write in the kernel range. The system clock tick updates …


TLS Callback

Anti-Debugging

TLS (Thread Local Storage) callbacks are a mechanism in Windows that allows a program to define a function that will be called when a thread is created. These callbacks can be used to perform various tasks, such as initializing thread-specific data or modifying the behavior of the thread.

As an anti-debugging technique, a program can use a TLS callback …


Bad String Format

Anti-Debugging

Bad string format is a technique used by malware to evade detection and analysis by OllyDbg, a popular debugger used by security researchers and analysts. This technique involves using malformed strings that exploit a known bug in OllyDbg, causing the debugger to crash or behave unexpectedly.

For example, the malware may use a string with multiple %s inputs, which …

The #UnprotectProject is brought to you by 🇫🇷 fr0gger_ and 🇫🇷 DarkCoderSc