This paper classifies and presents several anti-debugging techniques used on Windows NT-based operating systems. Anti-debugging techniques are ways for a program to detect if it runs under control of a debugger. They are used by commercial executable protectors, packers and malicious software, to prevent or slow-down the process of reverse-engineering. We'll suppose the program is analyzed under a ring3 debugger, such as OllyDbg on Windows platforms. The paper is aimed towards reverse-engineers and malware analysts. Note that we will talk purely about generic anti-debugging and anti-tracing techniques. Specific debugger detection, such as window or processes enumeration, registry scanning, etc. will not be addressed here.
Expand all |
Post comment
I was taking look at "(6) Stack Segment register" and the last paragraph should refer to "pushf" instead of "popf" for it to make sense.
Also, if anyone is interested in some more anti-debug and anti-reversing tricks. OpenRCE.org has a nice compilation under "Reference Library"->"Anti Reversing"
[ reply ]
Link to this comment: http://www.securityfocus.com/comments/infocus/1893/962#962