Difference between revisions of "Anti-debugging"

From Unprotect Project
(Technics)
(Technics)
Line 70: Line 70:
 
|
 
|
 
|-
 
|-
|Debugger exploit
+
|BadStringFormat
 
|
 
|
 
|-
 
|-
|colspan="2"|
+
!rowspan="3"|Disturb Debugger
 +
|TLS Callback
 
|
 
|
 
|-
 
|-
|colspan="2"|
+
|Unhandled Exception Filter
 
|
 
|
 +
|-
 +
|Performing code checksum
 +
|
 +
|-
 +
|Interrupts
 +
|
 +
|-
 +
|INT Scanning
 +
wL
 
|-
 
|-
 
|}
 
|}
  
 
==References==
 
==References==
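Review bot: every row added in this hunk (BadStringFormat, TLS Callback, Unhandled Exception Filter, Performing code checksum, Interrupts, INT Scanning) leaves its remaining cells empty, so the table gains technique names without a description of what each check relies on or how an analyst would recognise it; a one-line description per row would make the entries usable. The stray `wL` line inserted after `|INT Scanning` is not valid wikitable markup and should be dropped before the table is closed with `|}`.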

Revision as of 16:02, 4 November 2016

Technique Description

Malware also uses anti-debugging techniques to prevent analysts from debugging and dynamically analysing the malicious code.

Techniques

Below is a list of all the anti-debugging techniques in the Unprotect Project:

Anti Debugging Techniques

Category             Technique
Windows API          IsDebuggerPresent
                     CheckRemoteDebuggerPresent
                     NtQueryInformationProcess / ZwQueryInformationProcess
                     NtSetInformationThread / ZwSetInformationThread
                     NtQueryObject
                     OutputDebugString
                     NtSetInformationThread
                     EventPairHandles
                     CsrGetProcessID
                     CloseHandle / NtClose
Checking Manually    IsDebugged Flag
                     Heap Flag
                     NtGlobalFlag
Timing Check         RDTSC
                     GetTickCount
                     NtQueryPerformanceCounter
Debugger Detection   FindWindow
                     FindProcess
                     BadStringFormat
Disturb Debugger     TLS Callback
                     Unhandled Exception Filter
                     Performing code checksum
                     Interrupts
                     INT Scanning


References