Windows Anti-Debug Reference

Several anti-debugging techniques used on Windows

Author: Nicolas Falliere




(*** download for full text ***)

This paper classifies and presents several anti-debugging techniques used on 
Windows NT-based operating systems. Anti-debugging techniques are ways for a 
program to detect whether it is running under the control of a debugger. They 
are used by commercial executable protectors, packers and malicious software 
to prevent or slow down reverse engineering. We assume the program is 
analysed under a ring-3 (user-mode) debugger, such as OllyDbg on Windows. 

The paper is aimed at reverse engineers and malware analysts. 

Note that we discuss only generic anti-debugging and anti-tracing 
techniques. Detection of specific debuggers, such as window or process 
enumeration, registry scanning, etc., is not addressed here.

[1] Intro
[2] Anti-debugging and anti-tracing techniques 

- Exploiting memory discrepancies
[2.1] kernel32!IsDebuggerPresent
[2.2] PEB!IsDebugged
[2.3] PEB!NtGlobalFlags
[2.4] Heap flags
[2.5] Vista anti-debug

- Exploiting system discrepancies
[2.6] NtQueryInformationProcess
[2.7] kernel32!CheckRemoteDebuggerPresent
[2.8] UnhandledExceptionFilter
[2.9] NtSetInformationThread
[2.10] kernel32!CloseHandle and NtClose
[2.11] Self-debugging
[2.12] Kernel-mode timers
[2.13] User-mode timers
[2.14] kernel32!OutputDebugStringA
[2.15] Ctrl-C

- CPU anti-debug
[2.16] Rogue Int3
[2.17] "Ice" Breakpoint
[2.18] Interrupt 2Dh
[2.19] Timestamp counters
[2.20] Popf and the trap flag
[2.21] Stack Segment register
[2.22] Debug registers manipulation
[2.23] Context modification

- Uncategorized anti-debug
[2.24] TLS-callback
[2.25] CC scanning
[2.26] EntryPoint RVA set to 0

[3] Conclusion
[4] Links
[5] Data reference
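The three "memory discrepancy" checks listed under [2.2], [2.3] and [2.4] all boil down to reading a few fields that the Windows loader initialises differently when a debugger creates the process: PEB.BeingDebugged, PEB.NtGlobalFlag (the three heap-debug bits, 0x70 together) and the Flags/ForceFlags of the default process heap. The following C program is an added example, not code from Falliere's paper: it writes each check as a pure predicate over a snapshot of those fields, so the logic can be exercised on any platform with constructed values, and adds a Windows-only reader that fills the snapshot from the live PEB. The names (peb_snapshot, detect_debugger, the HIT_* bits) are mine; the PEB and _HEAP offsets are assumptions taken from the common x64 layout and from the x86 layout of Vista and later, and they differ between Windows versions.

```c
/* Added example, not part of the original paper: PEB-based debugger checks
 * ([2.2] BeingDebugged, [2.3] NtGlobalFlag, [2.4] heap flags) as pure
 * predicates, plus a Windows-only reader for the live PEB. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NtGlobalFlag heap-debug bits the loader sets when a debugger creates the process. */
#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK    0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS  0x40u
#define NTGLOBALFLAG_DEBUGGER_BITS \
    (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* HEAP_GROWABLE is the only Flags bit a normally started process has on its
 * default heap; the validation bits and a non-zero ForceFlags appear when a
 * debugger created the process. */
#define HEAP_GROWABLE 0x00000002u

/* Bits in the value returned by detect_debugger(), one per check (names are mine). */
#define HIT_BEING_DEBUGGED 1u
#define HIT_NTGLOBALFLAG   2u
#define HIT_HEAP_FLAGS     4u

struct peb_snapshot {
    uint8_t  being_debugged;   /* PEB.BeingDebugged           */
    uint32_t nt_global_flag;   /* PEB.NtGlobalFlag            */
    uint32_t heap_flags;       /* PEB.ProcessHeap->Flags      */
    uint32_t heap_force_flags; /* PEB.ProcessHeap->ForceFlags */
};

/* [2.1]/[2.2]: kernel32!IsDebuggerPresent does nothing more than return this byte. */
int check_being_debugged(const struct peb_snapshot *s)
{
    return s->being_debugged != 0;
}

/* [2.3]: all three heap-debug bits (0x70 together) set in NtGlobalFlag. */
int check_nt_global_flag(const struct peb_snapshot *s)
{
    return (s->nt_global_flag & NTGLOBALFLAG_DEBUGGER_BITS) == NTGLOBALFLAG_DEBUGGER_BITS;
}

/* [2.4]: any Flags bit beyond HEAP_GROWABLE, or any ForceFlags bit at all, is abnormal. */
int check_heap_flags(const struct peb_snapshot *s)
{
    return (s->heap_flags & ~HEAP_GROWABLE) != 0 || s->heap_force_flags != 0;
}

/* Run every check and return a bitmask of the ones that fired (0 = looks clean). */
unsigned detect_debugger(const struct peb_snapshot *s)
{
    unsigned hits = 0;
    if (check_being_debugged(s)) hits |= HIT_BEING_DEBUGGED;
    if (check_nt_global_flag(s)) hits |= HIT_NTGLOBALFLAG;
    if (check_heap_flags(s))     hits |= HIT_HEAP_FLAGS;
    return hits;
}

#ifdef _WIN32
#if defined(_MSC_VER)
#include <intrin.h>
#endif
/* Fill the snapshot from the live PEB. Offsets are assumptions: the x64 layout,
 * and the x86 layout of Vista and later (on earlier x86 Windows the heap
 * Flags/ForceFlags sit at 0x0C/0x10, as the paper's section 2.4 describes). */
static void snapshot_live_peb(struct peb_snapshot *s)
{
    const uint8_t *peb;
#ifdef _WIN64
    const size_t off_heap = 0x30, off_ngf = 0xBC, off_hflags = 0x70, off_hforce = 0x74;
#if defined(_MSC_VER)
    peb = (const uint8_t *)__readgsqword(0x60);
#else
    __asm__ volatile ("movq %%gs:0x60, %0" : "=r"(peb));
#endif
#else
    const size_t off_heap = 0x18, off_ngf = 0x68, off_hflags = 0x40, off_hforce = 0x44;
#if defined(_MSC_VER)
    peb = (const uint8_t *)__readfsdword(0x30);
#else
    __asm__ volatile ("movl %%fs:0x30, %0" : "=r"(peb));
#endif
#endif
    const uint8_t *heap = *(const uint8_t *const *)(peb + off_heap);
    s->being_debugged   = peb[2];
    s->nt_global_flag   = *(const uint32_t *)(peb + off_ngf);
    s->heap_flags       = *(const uint32_t *)(heap + off_hflags);
    s->heap_force_flags = *(const uint32_t *)(heap + off_hforce);
}
#endif

int main(void)
{
    struct peb_snapshot s;
#ifdef _WIN32
    snapshot_live_peb(&s);
#else
    /* Constructed sample, not a real capture: the values a process created
     * by a ring-3 debugger typically shows. */
    s.being_debugged   = 1;
    s.nt_global_flag   = 0x70;
    s.heap_flags       = 0x40000062;
    s.heap_force_flags = 0x40000060;
#endif
    unsigned hits = detect_debugger(&s);
    printf("BeingDebugged=%u NtGlobalFlag=0x%08x Flags=0x%08x ForceFlags=0x%08x -> hits=0x%x\n",
           (unsigned)s.being_debugged, (unsigned)s.nt_global_flag,
           (unsigned)s.heap_flags, (unsigned)s.heap_force_flags, hits);
    return hits ? 1 : 0;
}
```

Built with MinGW (gcc anti_dbg.c -o anti_dbg.exe) and run once from a plain console and once under OllyDbg, the x86 build exits 0 in the first case and non-zero in the second, printing which of the three fields gave the debugger away. The practical caveat is the one the paper's classification implies: all three checks read memory inside the debuggee, so an analyst (or a debugger plugin) can clear BeingDebugged, mask NtGlobalFlag and rewrite the heap header after the process is created, which is why protectors combine them with the system- and CPU-level checks in the later sections rather than relying on any one of them.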

source: http://www.securityfocus.com/infocus/1893/
