Windows Anti-Debug Reference
Nicolas Falliere

This paper classifies and presents several anti-debugging techniques used on Windows NT-based operating systems. Anti-debugging techniques are ways for a program to detect whether it runs under the control of a debugger. They are used by commercial executable protectors, packers and malicious software to prevent or slow down the process of reverse-engineering. We'll suppose the program is analyzed under a ring 3 debugger, such as OllyDbg on Windows platforms. The paper is aimed at reverse-engineers and malware analysts. Note that we will talk purely about generic anti-debugging and anti-tracing techniques. Specific debugger detection, such as window or process enumeration, registry scanning, etc., will not be addressed here.

Windows Anti-Debug Reference 2007-09-14
DBD
Most of this has been available for a long time.

How about using references? A lot of tricks were introduced by protection systems years ago, and/or have been published in papers, websites etc.

And regarding your RDTSC checks, you should use cpuid before the rdtsc (or other serializing instruc...

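As an added example (not code from the paper or from any commenter), here is a serialized RDTSC timing check of the kind DBD's comment refers to, written so an analyst can recognise the pattern and see why cpuid matters: without a serializing instruction, out-of-order execution can move the rdtsc relative to the code being timed and the measurement becomes noisy. It assumes an x86/x86-64 build with GCC or Clang.

```c
/* Added example: serialized RDTSC timing window (not from the paper). */
#include <stdint.h>
#include <stdio.h>
#include <x86intrin.h>   /* __rdtsc, __rdtscp */
#include <cpuid.h>       /* __cpuid macro (GCC/Clang) */

/* CPUID is serializing: it drains the pipeline so the RDTSC that follows
 * cannot be reordered ahead of earlier instructions. */
static inline uint64_t serialized_rdtsc(void)
{
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);
    return __rdtsc();
}

/* Cycles spent in a short "protected" region. If the region is single-
 * stepped or a breakpoint inside it is hit, the delta becomes enormous;
 * that is the signal a protector keys on. */
uint64_t timed_region(volatile uint32_t *sink)
{
    uint64_t start = serialized_rdtsc();
    for (uint32_t i = 0; i < 64; i++)   /* the region being timed */
        *sink += i;
    unsigned a, b, c, d;
    uint64_t end = __rdtscp(&a);   /* RDTSCP waits for prior instructions */
    __cpuid(0, a, b, c, d);        /* keep later code out of the window */
    return end - start;
}

/* Returns 1 when the region took more than threshold cycles.
 * The threshold is a constructed value; real protectors tune it. */
int timing_anomaly(uint64_t threshold)
{
    volatile uint32_t sink = 0;
    return timed_region(&sink) > threshold;
}

int main(void)
{
    volatile uint32_t sink = 0;
    printf("region took %llu cycles\n",
           (unsigned long long)timed_region(&sink));
    printf("anomaly (threshold 1000000): %d\n", timing_anomaly(1000000));
    return 0;
}
```

When stepping through `timed_region` in a debugger, the printed delta jumps by several orders of magnitude, which is exactly what the check is built to notice.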
Windows Anti-Debug Reference 2007-09-15
angeljyt
One simple way to circumvent this anti-tracing is to breakpoint on popf and run the program (to avoid using the TF flag).

Where is the popf? Is it pushf?

I have translated it in to Chinese at

http://bbs.pediy.com/attachment.php?attachmentid=8676&d=1189853735

Thanks for your sharing.

BTW, bbs.pe...

Windows Anti-Debug Reference 2007-09-18
Ero Carrera
Great compilation of tricks!

I was taking a look at "(6) Stack Segment register" and the last paragraph should refer to "pushf" instead of "popf" for it to make sense.

Also, if anyone is interested in some more anti-debug and anti-reversing tricks. OpenRCE.org has a nice compilation under "Refer...

Windows Anti-Debug Reference 2007-09-29
Nicolas
DBD: the goal was to have an AD reference (read the intro).

angeljyt, Ero: thx

Ero: you're right, it should be pushf instead of popf

...

Windows Anti-Debug Reference 2007-10-02
Anonymous
I remember playing with a DOS virus about 10 years ago that had a weird anti-debugging technique:

015C BA7201 MOV DX,0172
015F B80635 MOV AX,3506
0162 CD21 INT 21
0164 B425 MOV AH,25
0166 CD21 INT 21
0168 8DD3 LEA DX,BX...

Windows Anti-Debug Reference 2008-04-19
Anonymous (1 replies)
I stopped reading the article after a certain point, after noticing this:

If your program has a debugger-detected function that every anti-debug function calls, shouldn't it be easy for the hacker to remove all your circumvention code by searching for calls to this code?...

Re: Windows Anti-Debug Reference 2008-11-22
Anonymous
Most of the anti-debug functions were written with the __inline keyword so that they won't end up being discrete callable functions, but instead the compiler will inject the statements directly into the code stream every time they are called....

Copyright 2009, SecurityFocus