Debug Registers, Hardware Breakpoints
Created the Friday 13 November 2020. Updated 1 year, 2 months ago.
Registers DR0 through DR3 contain the linear address associated with one of the four hardware breakpoint conditions. For anti-debugging, malware will check the contents of the first four debug registers to see if the hardware breakpoint has been set.
Code Snippets
Detection Rules
Additional Resources
External Links
The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.
- GetCurrentThread function (processthreadsapi.h) - Win32 apps | Microsoft Docs
- GetThreadContext function (processthreadsapi.h) - Win32 apps | Microsoft Docs
- Viewing and Editing Registers in WinDbg - Windows drivers | Microsoft Docs