[Repost] Windows Anti-Debug Reference
Posted on: 2007-9-13 10:10 4265

Windows Anti-Debug Reference
Nicolas Falliere 2007-09-12

This paper classifies and presents several anti-debugging techniques used on
Windows NT-based operating systems. Anti-debugging techniques are ways for a
program to detect whether it runs under the control of a debugger. They are used by
commercial executable protectors, packers and malicious software to prevent
or slow down the process of reverse-engineering. We'll suppose the program is
analyzed under a ring3 debugger, such as OllyDbg on Windows platforms.
The paper is aimed at reverse-engineers and malware analysts. Note that
we will talk purely about generic anti-debugging and anti-tracing techniques.
Specific debugger detection, such as window or process enumeration,
registry scanning, etc., will not be addressed here.




FYI, more on http://www.securityfocus.com/infocus/1893

Latest replies (13)
#2
Again to LaoNa
2007-9-13 10:16
#3
(3) EntryPoint RVA set to 0

Some packed files have their entry point RVA set to 0, which means they will start executing 'MZ...', which corresponds to 'dec ebx / pop edx ...'.

This is not an anti-debug trick in itself, but it can be annoying if you want to break on the entry point by using a software breakpoint.

If you create a suspended process, then set an INT3 at RVA 0, you will erase part of the magic MZ value ('M'). The magic was checked when the process was created, but it will get checked again by ntdll when the process is resumed (in the hope of reaching the entry point). In that case, an INVALID_IMAGE_FORMAT exception will be raised.

If you create your own tracing or debugging tool, you will want to use hardware breakpoints to avoid this problem.

This one is fun.
2007-9-13 10:23
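Added example, not code from the paper or from this post: a small C model of the situation the excerpt above describes. It builds a constructed, header-only PE image (not a real binary), parses AddressOfEntryPoint the way a tracer would, and shows that a software breakpoint at entry RVA 0 overwrites the 'M' of the MZ magic (0x4D, which on 32-bit x86 decodes as dec ebp, followed by 0x5A, pop edx), so a later 'MZ' check fails, while the same INT3 on a normal entry RVA leaves the magic intact. The image layout, the PE header at offset 0x40, the 256-byte image size and all helper names are the example's own assumptions; the Windows loader itself is not modelled, only its magic check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed PE layout offsets (assumed well known; see the PE/COFF specification). */
#define E_LFANEW_OFF   0x3C   /* e_lfanew in the DOS header: offset of "PE\0\0" */
#define FILE_HDR_SIZE  20     /* IMAGE_FILE_HEADER */
#define ENTRY_OFF      16     /* AddressOfEntryPoint inside IMAGE_OPTIONAL_HEADER */
#define IMG_SIZE       256    /* size of the constructed, header-only image (assumption) */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The check that trips: does the image still start with 'MZ' (0x4D 0x5A)? */
int mz_magic_ok(const uint8_t *img, size_t len) {
    return len >= 2 && img[0] == 'M' && img[1] == 'Z';
}

/* Parse AddressOfEntryPoint from the optional header; -1 on a malformed header. */
long entry_point_rva(const uint8_t *img, size_t len) {
    if (!mz_magic_ok(img, len) || len < E_LFANEW_OFF + 4) return -1;
    uint32_t pe = rd32(img + E_LFANEW_OFF);
    uint32_t entry_at = pe + 4 + FILE_HDR_SIZE + ENTRY_OFF;
    if (pe > len || entry_at + 4 > len) return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    return (long)rd32(img + entry_at);
}

/* Build a constructed header-only image whose AddressOfEntryPoint is `entry`.
   Only the fields the parser above reads are filled in; everything else is zero. */
void build_image(uint8_t *img, uint32_t entry) {
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + E_LFANEW_OFF, 0x40);                    /* PE header placed at 0x40 */
    memcpy(img + 0x40, "PE\0\0", 4);
    wr32(img + 0x40 + 4 + FILE_HDR_SIZE + ENTRY_OFF, entry);
}

/* A software breakpoint is one 0xCC byte written over the first opcode byte at
   the entry RVA. Returns the displaced byte, or -1 if the RVA is out of range. */
int place_int3_at_entry(uint8_t *img, size_t len) {
    long rva = entry_point_rva(img, len);
    if (rva < 0 || (size_t)rva >= len) return -1;
    int saved = img[rva];
    img[rva] = 0xCC;
    return saved;
}

/* Would an INT3 at this RVA land on the 'MZ' magic? A hardware (debug-register)
   breakpoint never writes to the image, so it is the safe choice in that case. */
int int3_clobbers_mz(uint32_t rva) { return rva < 2; }

/* Scenario helpers: build an image with the given entry RVA and set INT3 there. */
long constructed_entry_rva(uint32_t entry) {
    uint8_t img[IMG_SIZE];
    build_image(img, entry);
    return entry_point_rva(img, IMG_SIZE);
}
int byte_displaced_by_entry_int3(uint32_t entry) {
    uint8_t img[IMG_SIZE];
    build_image(img, entry);
    return place_int3_at_entry(img, IMG_SIZE);
}
/* 1 = magic still intact after the breakpoint, 0 = magic broken, -1 = bad RVA. */
int magic_intact_after_int3(uint32_t entry) {
    uint8_t img[IMG_SIZE];
    build_image(img, entry);
    if (place_int3_at_entry(img, IMG_SIZE) < 0) return -1;
    return mz_magic_ok(img, IMG_SIZE);
}

int main(void) {
    int saved = byte_displaced_by_entry_int3(0);
    printf("entry RVA 0: INT3 displaced 0x%02X ('%c'), MZ magic now %s\n",
           saved, saved, magic_intact_after_int3(0) ? "intact" : "broken");
    printf("entry RVA 0x80: MZ magic %s after INT3\n",
           magic_intact_after_int3(0x80) ? "intact" : "broken");
    printf("hardware breakpoint needed at RVA 0? %s\n", int3_clobbers_mz(0) ? "yes" : "no");
    return 0;
}
```

For a real tool the same decision applies: if AddressOfEntryPoint is below 2, do not patch in 0xCC; set DR0 with an execute condition in the thread's context (SetThreadContext on the suspended main thread) and resume, so the image bytes are never modified.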
#4
very good, very strong
2007-9-13 10:46
#5
Hi. Yes.
2007-9-13 20:49
#6
Good, it's true.
2007-9-13 20:53
#7
I think:"http://bbs.pediy.com/showthread.php?t=51022"
2007-9-14 00:06
#8
Think what?
2007-9-15 04:58
#9
I am translating it to Chinese
2007-9-15 14:56
#10
It took me a whole afternoon, but it is finally done. I only finished the translation and did not check it carefully, so please forgive anything that is off.
Those whose English is good need not read it. My own level is poor too; I did not even graduate from junior college.
Attached file:
2007-9-15 18:55
#11
How come nobody posts an opinion? Looks like everyone is like me and prefers silence. Usually when I use other people's stuff I don't post anything either.
2007-9-15 22:50
#12
The English version is enough,
but I saved it anyway.
Thank Jesus, thank Buddha, thank angeljyt
2007-9-16 12:28
#13
Well done, but... not professional.
2007-10-28 22:01
#14
I had seen this paper in the forum's magazine <hacker defender>; was the paper already translated by you?
2007-11-14 00:01