Search For Content
Search Result
257 item(s) found so far for this keyword.
GetLocalTime, GetSystemTime, timeGetTime, NtQueryPerformanceCounter
When a debugger is present, and used to single-step through the code, there is a significant delay between the executions of the individual instructions, when compared to native execution.
Read moreDetecting Window with FindWindow API
The FindWindowA / FindWindowW function can be used to search for windows by name or class.
It is also possible to use EnumWindows API in conjunction with GetWindowTextLength and GetWindowText to locate a piece of string that could reveal the presence of a known debugger.
Some Known Debuggers
- ImmunityDebugger
- OllyDbg
- IDA
- x64dbg / …
Detecting Running Process: EnumProcess API
Anti-monitoring is a technique used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using the EnumProcess function to search for specific processes, such as ollydbg.exe or wireshark.exe, which are commonly used by security professionals to monitor and analyze running processes on a system.
By detecting these processes …
Read moreTLS Callback
TLS (Thread Local Storage) callbacks are a mechanism in Windows that allows a program to define a function that will be called when a thread is created. These callbacks can be used to perform various tasks, such as initializing thread-specific data or modifying the behavior of the thread.
As an anti-debugging technique, a program can use a TLS callback …
Read moreBad String Format
Bad string format is a technique used by malware to evade detection and analysis by OllyDbg, a popular debugger used by security researchers and analysts. This technique involves using malformed strings that exploit a known bug in OllyDbg, causing the debugger to crash or behave unexpectedly.
For example, the malware may use a string with multiple %s inputs, which …
Read moreUnhandled Exception Filter
An application-defined function that passes unhandled exceptions to the debugger, if the process is being debugged. Otherwise, it optionally displays an application error message box and causes the exception handler to be executed.
If an exception occurs and no exception handler is registered, the UnhandledExceptionFilter function will be called. It is possible to register a custom unhandled exception filter …
Performing Code Checksum
Adversaries may use code checksumming to detect if their code has been modified or tampered with. This technique involves calculating a checksum or hash of the code, storing it, and then periodically checking the current checksum against the stored one. If the checksums do not match, it indicates that the code has been modified and the adversary's code can take …
Read moreInterrupts
Adversaries may use exception-based anti-debugging techniques to detect whether their code is being executed in a debugger. These techniques rely on the fact that most debuggers will trap exceptions and not immediately pass them to the process being debugged for handling.
By triggering an exception and checking whether it is handled properly, the adversary's code can determine whether it …
Read moreINT3 Instruction Scanning
Instruction INT3 is an interruption which is used as Software breakpoints. These breakpoints are set by modifying the code at the target address, replacing it with a byte value 0xCC (INT3 / Breakpoint Interrupt).
The exception EXCEPTION_BREAKPOINT (0x80000003) is generated, and an exception handler will be raised. Malware identify software breakpoints by scanning for the byte 0xCC in the …
API Obfuscation
API obfuscation is a technique used by malware to make it more difficult for security analysts to understand and analyze the code. This is typically done by using a technique called API hashing, which replaces the names of API functions with a hashed value. When an analyst runs the malware through a disassembler tool, the hashed values are printed instead …
Read more