Identifying Debugger Behavior
Recall that debuggers can be used to set breakpoints or to single-step through a process in order to aid the malware analyst in reverse-engineering. However, when these operations are performed in a debugger, they modify the code in the process. Several anti-debugging techniques are used by malware to detect this sort of debugger behavior: INT scanning, checksum checks, and timing checks.
INT Scanning
INT 3
is the software interrupt used by debuggers to
temporarily replace an instruction in a running program and to call the debug exception
handler—a basic mechanism to set a breakpoint. The opcode for INT
3
is 0xCC
. Whenever you use a debugger to set a
breakpoint, it modifies the code by inserting a 0xCC
.
In addition ...
Get Practical Malware Analysis now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.