Call to Interrupt Procedure

Created the Friday 10 March 2023. Updated 6 months, 3 weeks ago.

This anti-debugging technique involves using the INT n instruction to generate a call to the interrupt or exception handler specified with the destination operand.

To implement this technique, the int 0x03 instruction is executed, followed by a ret (0xCD03, 0xC3) nested in a __try, __except block. If a debugger is present, the except block will not be executed, and the function will return TRUE, indicating that a debugger is running.

This technique can be used to prevent analysts from analyzing and manipulating the malware's code during runtime.

Technique Identifier

U0124

Technique Tags

Anti-debugging X86 instruction RET

Code Snippets

Description

This code is implementing an anti-debugging technique that checks if a debugger is present in the environment. The TestDebugger() function generates a software interrupt (INT 3) using inline assembly code in x86 architecture.

If a debugger is present, it would intercept this interrupt, and the __except block will not execute, resulting in the TestDebugger() function returning false. On the other hand, if no debugger is present, the __except block will be executed, and the function will return true.

The main() function calls the TestDebugger() function and prints a message indicating whether a debugger was found or not. This code could be used as a security measure to protect against reverse engineering or malicious attacks by detecting if a debugger is present during runtime.

#include <stdio.h>
#include <windows.h>

bool TestDebugger() 
{
    __try
    {
        __asm  //x86 implementation
        {
            _emit 0xCD 
            _emit 0x03 //INT 03
            _emit 0xC3 //RET
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return false;
    }

    return true;
}

int main()
{
    if(TestDebugger())
    {
        printf("Found debugger!\n");
    }
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

INT n/INTO/INT 3--Call to Interrupt Procedure