Collection of anti debug tricks [Archive] - RCE Messageboard's Regroupment

View Full Version : Collection of anti debug tricks

Harding

November 12th, 2007, 14:07

Searched on the forum and didn't find it.

Alot of nice (and to me, new) ways of anti debugging tricks.

http://www.securityfocus.com/infocus/1893

JMI

November 12th, 2007, 14:17

Hi Harding:

There is no problem with you posting the collection you found.

Just wanted to point out that if you had searched with:

anti-debugging tricks (in this case, either with, or without the ""

you would have found around 28 Threads which discuss this topic.

If you search with:

anti debugging tricks (no hyphen)

you should have found 8 Threads with references.

Regards,

Kayaker

November 12th, 2007, 15:30

Hi

That link was already posted a couple of months ago in this forum, scan down the page for "collection of anti-debug tricks", but the contribution is always appreciated.

Just for future reference, you don't need to obscure links with that hxxp:// stuff here.

Kayaker

Squallsurf

November 17th, 2007, 13:42

I've just a pdf version of this reference, I've mail it to the author, Nicolas Falliere, who's agree of this pagination.

Regards.

Maximus

November 18th, 2007, 08:58

eheh one is very neat.
pop ss won't break next instruction because it is executed in a strictly 'unblockable sequence' with interrupt disabled.
If i remind it well, it was needed to avoid the unwanted hardware interrupt on old 16 bit to 'fall off' the stack segment pop, breaking the machine code flow... forever.
THere are other critical instructions that share this behavior or have implicit memory locks (i.e. xchange, because it was initially used for lock sequences).