Search Result

22 item(s) found so far for this keyword.

IsDebugged Flag

Anti-Debugging

While a process is running, its PEB can be located through fs:[30h]. For anti-debugging, malware reads the BeingDebugged flag at that location, which indicates whether the process is currently being debugged.


Performing Code Checksum

Anti-Debugging

Adversaries may use code checksumming to detect if their code has been modified or tampered with. This technique involves calculating a checksum or hash of the code, storing it, and then periodically checking the current checksum against the stored one. If the checksums do not match, it indicates that the code has been modified and the adversary's code can take …


Interrupts

Anti-Debugging

Adversaries may use exception-based anti-debugging techniques to detect whether their code is being executed in a debugger. These techniques rely on the fact that most debuggers will trap exceptions and not immediately pass them to the process being debugged for handling.

By triggering an exception and checking whether it is handled properly, the adversary's code can determine whether it …


Guard Pages

Anti-Debugging

Memory breakpoints are a technique used by malware to detect whether a debugger is present. The technique involves setting up a "guard page" in memory: a page protected by the operating system that cannot be accessed by normal code. If a debugger is present, the malware can use this guard page to detect its …


Debug Registers, Hardware Breakpoints

Anti-Debugging

Hardware breakpoints allow a debugger to pause execution at specific memory addresses without modifying the program code. They are stored in special CPU registers (DR0 through DR3 on Intel CPUs).

For anti-debugging, malware can inspect the values of these debug registers. If any of the registers contain a non-empty value, it indicates that a hardware breakpoint has been set …


LocalSize(0)

Anti-Debugging

The function LocalSize retrieves the current size, in bytes, of the specified local memory object. Setting the hMem parameter to 0 triggers an exception under a debugger, which can be used as an anti-debugging mechanism.


Themida

Packers

Themida is a well-known commercial packer that embeds several features, including anti-debugging, virtual machine emulation and encryption:

  • Anti-debugger techniques that detect/fool any kind of debugger

  • Anti-memory-dumper techniques against any Ring3 and Ring0 dumpers

  • Different encryption algorithms and keys in each protected application

  • Anti-API-scanner techniques that prevent reconstruction …


AxProtector

Packers

AxProtector encrypts the complete software you aim to protect, and shields it with a security shell, AxEngine. Best-of-breed anti-debugging and anti-disassembly methods are then injected into your software.


Change Module Base Address at Runtime

Process Manipulating

It is possible to change the DllBase of a module at runtime. This can trick debugging and analysis tools such as IDA or Cheat Engine into thinking a module's base is actually at another address.

This is achieved by accessing the 'Ldr' member of the process PEB. In particular, it has a member InOrderMemoryLinks which can be iterated through to get …


kernel flag inspection via sysctl

Anti-Debugging

The sysctl anti-debugging technique can be abused by malware to detect and evade debugging tools on macOS or BSD-like systems. By querying the kernel for process information, the malware checks the process flags (e.g., 0x800) to see whether a debugger is attached. If one is detected, the malware can terminate, alter its behavior, or enter a dormant state to avoid analysis.

This technique blends …


The #UnprotectProject is brought to you by 🇫🇷 fr0gger_ and 🇫🇷 DarkCoderSc
