Usr6 Posted March 8, 2014 (edited)

Contents:

1. NtGlobalFlag
2. Heap flags
3. The Heap
4. Thread Local Storage
5. Anti-Step-Over
6. Hardware
   A. Hardware breakpoints
   B. Instruction Counting
   C. Interrupt 3
   D. Interrupt 0x2d
   E. Interrupt 0x41
   F. MOV SS
7. APIs
   A. Heap functions
   B. Handles
      i. OpenProcess
      ii. CloseHandle
      iii. CreateFile
      iv. LoadLibrary
      v. ReadFile
   C. Execution Timing
   D. Process-level
      i. CheckRemoteDebuggerPresent
      ii. Parent Process
      iii. CreateToolhelp32Snapshot
      iv. DbgBreakPoint
      v. DbgPrint
      vi. DbgSetDebugFilterState
      vii. IsDebuggerPresent
      viii. NtQueryInformationProcess
      ix. OutputDebugString
      x. RtlQueryProcessHeapInformation
      xi. NtQueryVirtualMemory
      xii. RtlQueryProcessDebugInformation
      xiii. SwitchToThread
      xiv. Toolhelp32ReadProcessMemory
      xv. UnhandledExceptionFilter
      xvi. VirtualProtect
   E. System-level
      i. FindWindow
      ii. NtQueryObject
      iii. NtQuerySystemInformation
      iv. Selectors
   F. User-interface
      i. BlockInput
      ii. FLD
      iii. NtSetInformationThread
      iv. SuspendThread
      v. SwitchDesktop
   G. Uncontrolled execution
      i. CreateProcess
      ii. CreateThread
      iii. DebugActiveProcess
      iv. Enum...
      v. GenerateConsoleCtrlEvent
      vi. NtSetInformationProcess
      vii. NtSetLdtEntries
      viii. QueueUserAPC
      ix. RaiseException
      x. RtlProcessFlsData
      xi. WriteProcessMemory
      xii. Intentional exceptions
   H. Conclusion

Download: http://pferrie.host22.com/papers/antidebug.pdf

Author: Peter Ferrie (Principal Software Development Engineer, Microsoft Corporation; virus researcher, reverse-engineer and software preservationist)

Edited March 8, 2014 by Usr6
giv Posted April 3, 2014

Very good material. The guy presents very well the situations in which a reverser can be fooled.