Usr6 Posted March 8, 2014 (edited)

Contents:
1. NtGlobalFlag
2. Heap flags
3. The Heap
4. Thread Local Storage
5. Anti-Step-Over
6. Hardware
   A. Hardware breakpoints
   B. Instruction Counting
   C. Interrupt 3
   D. Interrupt 0x2d
   E. Interrupt 0x41
   F. MOV SS
7. APIs
   A. Heap functions
   B. Handles
      i. OpenProcess
      ii. CloseHandle
      iii. CreateFile
      iv. LoadLibrary
      v. ReadFile
   C. Execution Timing
   D. Process-level
      i. CheckRemoteDebuggerPresent
      ii. Parent Process
      iii. CreateToolhelp32Snapshot
      iv. DbgBreakPoint
      v. DbgPrint
      vi. DbgSetDebugFilterState
      vii. IsDebuggerPresent
      viii. NtQueryInformationProcess
      ix. OutputDebugString
      x. RtlQueryProcessHeapInformation
      xi. NtQueryVirtualMemory
      xii. RtlQueryProcessDebugInformation
      xiii. SwitchToThread
      xiv. Toolhelp32ReadProcessMemory
      xv. UnhandledExceptionFilter
      xvi. VirtualProtect
   E. System-level
      i. FindWindow
      ii. NtQueryObject
      iii. NtQuerySystemInformation
      iv. Selectors
   F. User-interface
      i. BlockInput
      ii. FLD
      iii. NtSetInformationThread
      iv. SuspendThread
      v. SwitchDesktop
   G. Uncontrolled execution
      i. CreateProcess
      ii. CreateThread
      iii. DebugActiveProcess
      iv. Enum...
      v. GenerateConsoleCtrlEvent
      vi. NtSetInformationProcess
      vii. NtSetLdtEntries
      viii. QueueUserAPC
      ix. RaiseException
      x. RtlProcessFlsData
      xi. WriteProcessMemory
      xii. Intentional exceptions
   H. Conclusion

Download: http://pferrie.host22.com/papers/antidebug.pdf
Author: Peter Ferrie (Principal Software Development Engineer, Microsoft Corporation; virus researcher, reverse-engineer and software preservationist)

Edited March 8, 2014 by Usr6
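As an added example (not code from the paper or from the poster), the three PEB-resident checks that open the paper's contents, sections 1 (NtGlobalFlag), 2 (heap flags) and 7.D.vii (IsDebuggerPresent), written as pure functions over a PEB and _HEAP byte image so they can be exercised on a constructed snapshot on any platform; the `_WIN32` path reads the real PEB of the running process. The field offsets (BeingDebugged at PEB+0x02, NtGlobalFlag at PEB+0x68/+0xBC, ProcessHeap at PEB+0x18/+0x30, heap Flags/ForceFlags at +0x40/+0x44 and +0x70/+0x74 for the Vista-and-later heap) and the debugged-process values 0x70, 0x50000062 and 0x40000060 are the ones the paper documents; the XP-era heap offsets differ and are not included. The snapshot contents are constructed, not captured, and the function names are this example's own.

```c
/* Added example: PEB-based anti-debug checks (NtGlobalFlag, heap flags,
 * BeingDebugged) as pure functions over a PEB / _HEAP byte image, plus a
 * live path for Windows. Not code from the paper; names are this example's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK    0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS  0x40u
#define DEBUG_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)
#define HEAP_GROWABLE 0x2u

struct peb_layout  { size_t being_debugged, nt_global_flag, process_heap; };
struct heap_layout { size_t flags, force_flags; };

/* Offsets as documented in the paper (Vista+ heap layout). */
static const struct peb_layout  PEB32 = { 0x02, 0x68, 0x18 };
static const struct peb_layout  PEB64 = { 0x02, 0xBC, 0x30 };
static const struct heap_layout HEAP32_VISTA = { 0x40, 0x44 };
static const struct heap_layout HEAP64_VISTA = { 0x70, 0x74 };

static uint32_t rd32(const uint8_t *base, size_t off) { uint32_t v; memcpy(&v, base + off, sizeof v); return v; }
static void     wr32(uint8_t *base, size_t off, uint32_t v) { memcpy(base + off, &v, sizeof v); }

/* 7.D.vii: IsDebuggerPresent() is nothing more than PEB->BeingDebugged,
 * which a debugger plugin can clear; the weakest of the three signals. */
int check_being_debugged(const uint8_t *peb, const struct peb_layout *l)
{
    return peb[l->being_debugged] != 0;
}

/* 1: when a debugger creates the process, the loader sets the three
 * heap-debug bits (0x70) in PEB->NtGlobalFlag. */
int check_nt_global_flag(const uint8_t *peb, const struct peb_layout *l)
{
    return (rd32(peb, l->nt_global_flag) & DEBUG_HEAP_FLAGS) == DEBUG_HEAP_FLAGS;
}

/* 2: the same condition turns on extra bits in the process heap's Flags and
 * ForceFlags. Undebugged: Flags == HEAP_GROWABLE, ForceFlags == 0. Takes the
 * _HEAP image, not the PEB. */
int check_heap_flags(const uint8_t *heap, const struct heap_layout *l)
{
    return (rd32(heap, l->flags) & ~HEAP_GROWABLE) != 0 || rd32(heap, l->force_flags) != 0;
}

/* Combined verdict bitmask: bit 0 BeingDebugged, bit 1 NtGlobalFlag, bit 2 heap flags. */
int debugger_hints(const uint8_t *peb, const struct peb_layout *pl,
                   const uint8_t *heap, const struct heap_layout *hl)
{
    return check_being_debugged(peb, pl)
         | (check_nt_global_flag(peb, pl) << 1)
         | (check_heap_flags(heap, hl) << 2);
}

/* Constructed 64-bit PEB and _HEAP images (not captured from a real process),
 * filled with the values the paper gives for a debugged vs. a normal start. */
void build_peb64_snapshot(uint8_t peb[0x100], uint8_t heap[0x80], int under_debugger)
{
    memset(peb, 0, 0x100);
    memset(heap, 0, 0x80);
    peb[PEB64.being_debugged] = under_debugger ? 1 : 0;
    wr32(peb,  PEB64.nt_global_flag,     under_debugger ? DEBUG_HEAP_FLAGS : 0);
    wr32(heap, HEAP64_VISTA.flags,       under_debugger ? 0x50000062u : HEAP_GROWABLE);
    wr32(heap, HEAP64_VISTA.force_flags, under_debugger ? 0x40000060u : 0);
}

/* Verdict for a constructed 64-bit snapshot: 7 when debugged, 0 when clean. */
int snapshot_verdict(int under_debugger)
{
    uint8_t peb[0x100], heap[0x80];
    build_peb64_snapshot(peb, heap, under_debugger);
    return debugger_hints(peb, &PEB64, heap, &HEAP64_VISTA);
}

#ifdef _WIN32
#include <windows.h>
/* Live check: TEB->ProcessEnvironmentBlock sits at TEB+0x30 (x86) / +0x60 (x64). */
int debugger_hints_live(void)
{
    const uint8_t *teb = (const uint8_t *)NtCurrentTeb();
    const uint8_t *peb, *heap;
    const struct peb_layout  *pl = sizeof(void *) == 8 ? &PEB64 : &PEB32;
    const struct heap_layout *hl = sizeof(void *) == 8 ? &HEAP64_VISTA : &HEAP32_VISTA;
    memcpy(&peb, teb + (sizeof(void *) == 8 ? 0x60 : 0x30), sizeof peb);
    memcpy(&heap, peb + pl->process_heap, sizeof heap);
    return debugger_hints(peb, pl, heap, hl);
}
#endif

int main(void)
{
    printf("constructed debugged snapshot: hints=0x%x\n", snapshot_verdict(1));
    printf("constructed clean snapshot:    hints=0x%x\n", snapshot_verdict(0));
#ifdef _WIN32
    printf("this process:                  hints=0x%x\n", debugger_hints_live());
#endif
    return 0;
}
```

The three results are kept separate rather than OR-ed into one boolean because they fail differently: BeingDebugged is routinely patched by debugger plugins, while NtGlobalFlag can be set without any debugger through the GlobalFlag registry value (Image File Execution Options) and is therefore a false-positive source; the heap Flags/ForceFlags pair is the signal of the three that a reverser has to work hardest to normalise.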
giv Posted April 3, 2014

Very good material. The author presents very well the situations in which a reverser can be fooled.