Basic anti-debug tricks
Posted by Preacher on June 6, 2013

0 - Introduction
1 - Techniques related to the PEB
1.1 - asm way (inline asm)
1.2 - C Win32 way
2 - Timing based detection
3 - OllyDbg specific
3.1 - OllyDbg v1
3.2 - OllyDbg v2
4 - Custom ways
4.1 - OutputDebugString(): Again (Xp SP 3 only)
4.2 - Parent Process Id (PPID) check
4.3 - Terminate the debugger
5 - Resources

0 - Introduction

In this paper, we'll go over some basic anti-debug tricks. [...] techniques nor other advanced protections. By the way, all of this is Windows specific.

Most (if not all) anti-debug techniques rely on the fact that the system and the concerned app behave differently when the app is being debugged than when it isn't. We'll simply use these differences to check for the presence of a debugger.

1 - Techniques related to the PEB

The Process Environment Block (PEB) is a user mode data structure inside the process virtual address space. The PEB is used internally by the system. It contains info about the process such as the base address, [...]. We could say it's the user mode equivalent of the kernel mode data structure EPROCESS.

The PEB struct contains a byte field named BeingDebugged. It is set to 1 when the process is being debugged, otherwise it's set to 0. We'll start querying the PEB using assembly.

data:image/s3,"s3://crabby-images/710fb/710fb16b42eed188d667ff18a9f2af2343c8eb06" alt="Ollydbg debugger detected"
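The BeingDebugged check, written out both ways the table of contents announces (1.1 inline asm, 1.2 C Win32), as an added example that is not the post's own code. It relies on the well-known layout facts only: the TEB holds the PEB pointer at fs:[0x30] on x86 and gs:[0x60] on x64, and BeingDebugged sits at offset 0x02 of the PEB on both. The file name, the function names, and the two sample PEB prefixes are my own constructions for the example; the live checks build only on Windows (MSVC or MinGW), while the decoder is portable so it can be exercised anywhere against the constructed images.

```c
/*
 * peb_check.c -- added example for section 1 of the post (not the author's code).
 * Reads PEB->BeingDebugged three ways on Windows: inline asm (section 1.1),
 * C through the TEB/PEB structs from winternl.h (section 1.2), and the
 * documented API IsDebuggerPresent(). Builds with MSVC (cl) or MinGW (gcc).
 * The decode helper is portable so it can be exercised on any OS against a
 * constructed PEB image; the live checks only compile on Windows.
 */
#include <stdio.h>

/* Offset of the BeingDebugged byte inside the PEB: 0x02 on both x86 and x64. */
#define PEB_BEING_DEBUGGED_OFFSET 0x02

/* Decode the flag from the first bytes of a PEB image (live or constructed). */
int being_debugged_from_peb(const unsigned char *peb)
{
    return peb[PEB_BEING_DEBUGGED_OFFSET] != 0;
}

/* Constructed sample PEB prefixes (InheritedAddressSpace, ReadImageFileExecOptions,
 * BeingDebugged, BitField): one clean, one as a debugger would leave it. */
const unsigned char SAMPLE_PEB_CLEAN[4]    = { 0x00, 0x00, 0x00, 0x00 };
const unsigned char SAMPLE_PEB_DEBUGGED[4] = { 0x00, 0x00, 0x01, 0x00 };

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* 1.1 asm way: the TEB holds the PEB pointer at fs:[0x30] (x86) or gs:[0x60] (x64). */
static int peb_check_asm(void)
{
    unsigned char flag = 0;
#if defined(_MSC_VER) && defined(_M_IX86)
    __asm {
        mov eax, fs:[0x30]      ; eax = PEB
        mov al, [eax + 2]       ; al  = PEB->BeingDebugged
        mov flag, al
    }
#elif defined(__GNUC__) && defined(__i386__)
    __asm__ __volatile__("movl %%fs:0x30, %%eax\n\t"
                         "movb 2(%%eax), %0"
                         : "=q"(flag) : : "eax");
#elif defined(__GNUC__) && defined(__x86_64__)
    __asm__ __volatile__("movq %%gs:0x60, %%rax\n\t"
                         "movb 2(%%rax), %0"
                         : "=q"(flag) : : "rax");
#elif defined(_MSC_VER) && defined(_M_X64)
    /* x64 MSVC has no inline asm; the intrinsic reads gs:[0x60] for us. */
    flag = *(const unsigned char *)(__readgsqword(0x60) + PEB_BEING_DEBUGGED_OFFSET);
#endif
    return flag != 0;
}

/* 1.2 C Win32 way: the same byte through the (partially) documented structs. */
static int peb_check_c(void)
{
    const PEB *peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    return being_debugged_from_peb((const unsigned char *)peb);
}

/* IsDebuggerPresent() is kernel32's own wrapper around this very byte. */
static int peb_check_api(void)
{
    return IsDebuggerPresent() != 0;
}
#endif

int main(void)
{
#ifdef _WIN32
    int hit = peb_check_asm() | peb_check_c() | peb_check_api();
    printf("asm=%d c=%d api=%d -> %s\n", peb_check_asm(), peb_check_c(),
           peb_check_api(), hit ? "debugger detected" : "no debugger");
    if (hit)
        MessageBoxA(NULL, "Debugger detected", "PEB check", MB_OK | MB_ICONWARNING);
#else
    /* Not on Windows: exercise the decoder on the constructed images only. */
    printf("clean=%d debugged=%d\n",
           being_debugged_from_peb(SAMPLE_PEB_CLEAN),
           being_debugged_from_peb(SAMPLE_PEB_DEBUGGED));
#endif
    return 0;
}
```

Run the Windows build once from a shell and once under a debugger to see the three checks agree. They agree because they all read the same byte: IsDebuggerPresent() returns PEB->BeingDebugged, so any debugger or plugin that zeroes that byte after attaching defeats all three at once, which is why a check based on a single PEB field should never be the only one you rely on.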