Usr6

The "Ultimate" Anti-Debugging Reference


Posted (edited)

Contents:

1. NtGlobalFlag
2. Heap flags
3. The Heap
4. Thread Local Storage
5. Anti-Step-Over
6. Hardware
   A. Hardware breakpoints
   B. Instruction Counting
   C. Interrupt 3
   D. Interrupt 0x2d
   E. Interrupt 0x41
   F. MOV SS
7. APIs
   A. Heap functions
   B. Handles
      i. OpenProcess
      ii. CloseHandle
      iii. CreateFile
      iv. LoadLibrary
      v. ReadFile
   C. Execution Timing
   D. Process-level
      i. CheckRemoteDebuggerPresent
      ii. Parent Process
      iii. CreateToolhelp32Snapshot
      iv. DbgBreakPoint
      v. DbgPrint
      vi. DbgSetDebugFilterState
      vii. IsDebuggerPresent
      viii. NtQueryInformationProcess
      ix. OutputDebugString
      x. RtlQueryProcessHeapInformation
      xi. NtQueryVirtualMemory
      xii. RtlQueryProcessDebugInformation
      xiii. SwitchToThread
      xiv. Toolhelp32ReadProcessMemory
      xv. UnhandledExceptionFilter
      xvi. VirtualProtect
   E. System-level
      i. FindWindow
      ii. NtQueryObject
      iii. NtQuerySystemInformation
      iv. Selectors
   F. User-interface
      i. BlockInput
      ii. FLD
      iii. NtSetInformationThread
      iv. SuspendThread
      v. SwitchDesktop
   G. Uncontrolled execution
      i. CreateProcess
      ii. CreateThread
      iii. DebugActiveProcess
      iv. Enum...
      v. GenerateConsoleCtrlEvent
      vi. NtSetInformationProcess
      vii. NtSetLdtEntries
      viii. QueueUserAPC
      ix. RaiseException
      x. RtlProcessFlsData
      xi. WriteProcessMemory
      xii. Intentional exceptions
   H. Conclusion

Download: http://pferrie.host22.com/papers/antidebug.pdf

Author: Peter Ferrie (Principal Software Development Engineer, Microsoft Corporation; virus researcher, reverse-engineer and software preservationist)

Edited by Usr6