Identifying Debugger Behavior
Recall that debuggers can be used to set breakpoints or to single-step through a process in order to aid the malware analyst in reverse-engineering. However, when these operations are performed in a debugger, they modify the code in the process. Several anti-debugging techniques are used by malware to detect this sort of debugger behavior: INT scanning, checksum checks, and timing checks.
INT 3 is the software interrupt used by debuggers to temporarily replace an instruction in a running program and to call the debug exception handler—a basic mechanism to set a breakpoint. The opcode for INT 3 is 0xCC. Whenever you use a debugger to set a breakpoint, it modifies the code by inserting a 0xCC.
In addition ...
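To make the mechanism concrete, the following added example (not from the book or any real debugger) simulates a debugger planting a software breakpoint in a constructed byte buffer and shows why both an INT scan and a checksum over the code notice the change. The function bytes, the breakpoint offset, and CRC32 as the checksum are all assumptions chosen for illustration.

```python
import zlib

INT3 = 0xCC  # opcode of INT 3, the one-byte software-breakpoint instruction

# Constructed sample of a tiny x86 function body (not taken from the page):
#   push ebp; mov ebp, esp; xor eax, eax; pop ebp; ret
CODE = bytes([0x55, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3])


def set_breakpoint(code: bytearray, offset: int) -> int:
    """What a debugger does for a software breakpoint: save the original
    byte at `offset` and overwrite it with 0xCC. Returns the saved byte."""
    original = code[offset]
    code[offset] = INT3
    return original


def clear_breakpoint(code: bytearray, offset: int, original: int) -> None:
    """Remove the breakpoint by restoring the saved byte."""
    code[offset] = original


def int3_scan(code: bytes) -> list:
    """The 'INT scan' check: offsets holding an 0xCC byte. Note that 0xCC can
    also occur legitimately (e.g. inside an immediate), so a scan over raw
    bytes can produce false positives; a disassembler-aware scan avoids that."""
    return [i for i, b in enumerate(code) if b == INT3]


def code_checksum(code: bytes) -> int:
    """The checksum check: any byte change in the code region alters it."""
    return zlib.crc32(bytes(code))


def demo(offset: int = 3) -> dict:
    """Plant a breakpoint at `offset`, run both checks, then remove it.
    Works on a copy so the CODE constant itself stays clean."""
    code = bytearray(CODE)
    clean = code_checksum(code)
    saved = set_breakpoint(code, offset)
    hits = int3_scan(code)          # the 0xCC is now visible in memory
    modified = code_checksum(code)  # and the checksum no longer matches
    clear_breakpoint(code, offset, saved)
    restored = code_checksum(code)
    return {"saved": saved, "hits": hits, "clean": clean,
            "modified": modified, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

Both checks only see what is in memory, which is why a breakpoint set through the CPU's hardware debug registers, leaving the code bytes untouched, is the usual analyst answer to this class of check.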