Arab Reverse Engineering Team

Full version: Windows Anti-Debug Reference
Posted By: ArbCracker 02-10-2007, 03:21 PM

Quote: Windows Anti-Debug Reference
This paper classifies and presents several anti-debugging techniques used on Windows NT-based operating systems.

Anti-debugging techniques are ways for a program to detect if it runs under control of a debugger. They are used by commercial executable protectors, packers and malicious software, to prevent or slow down the process of reverse-engineering.

We'll suppose the program is analyzed under a ring3 debugger, such as OllyDbg on Windows platforms. The paper is aimed towards reverse-engineers and malware analysts.

Note that we will talk purely about generic anti-debugging and anti-tracing techniques. Specific debugger detection, such as window or process enumeration, registry scanning, etc. will not be addressed here.
Anti-debugging and anti-tracing techniques
Exploiting memory discrepancies
1 kernel32!IsDebuggerPresent
2 PEB!IsDebugged
3 PEB!NtGlobalFlags
4 Heap flags
5 Vista anti-debug (no name)
Exploiting system discrepancies
1 NtQueryInformationProcess
2 kernel32!CheckRemoteDebugger
3 UnhandledExceptionFilter
4 NtSetInformationThread
5 kernel32!CloseHandle and NtClo
6 Self-debugging
7 Kernel-mode timers
8 User-mode timers
9 kernel32!OutputDebugStringA
10 Ctrl-C
CPU anti-debug
1 Rogue Int3
2 "Ice" Breakpoint
3 Interrupt 2Dh
4 Timestamp counters
5 Popf and the trap flag
6 Stack Segment register
7 Debug registers manipulation
8 Context modification
Uncategorized anti-debug
1 TLS-callback
2 CC scanning
3 EntryPoint RVA set to 0