https://github.com/checkpointsw/anti-debug-db

Anti-Debug encyclopedia contains methods used by malware to verify if they are executed under debugging. It includes the description of various anti-debug tricks, their implementation, and recommendations of how to mitigate the each trick.
https://github.com/checkpointsw/anti-debug-db

anti-debug malware research

Last synced: 1 day ago
JSON representation

Anti-Debug encyclopedia contains methods used by malware to verify if they are executed under debugging. It includes the description of various anti-debug tricks, their implementation, and recommendations of how to mitigate the each trick.

• Host: GitHub
• URL: https://github.com/checkpointsw/anti-debug-db
• Owner: CheckPointSW
• License: mit
• Created: 2020-06-04T13:09:39.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2023-11-08T10:07:01.000Z (about 1 year ago)
• Last Synced: 2023-11-08T11:26:48.311Z (about 1 year ago)
• Topics: anti-debug, malware, research
• Language: HTML
• Homepage:
• Size: 134 KB
• Stars: 40
• Watchers: 6
• Forks: 19
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.md

Awesome Lists containing this project

README

        
# Anti-Debug Tricks

### Site

Compiled encyclopedia resides here: https://anti-debug.checkpoint.com.

### Description

Debugging is the essential part of malware analysis. Every time we need to drill down into malware behavior, restore encryption methods or examine communication protocols – generally, whenever we need to examine memory at a certain moment of time – we use debuggers.

Debuggers interfere with the debugged process in a way that usually produces side-effects. These side-effects are often used by malicious programs to verify if they are executed under debugging. In turn knowledge of anti-debug techniques helps us detect when the malware tries to prevent us from debugging it and mitigate the interference.

This encyclopedia contains the description of anti-debug tricks which work on the latest Windows releases with the most popular debuggers (such as OllyDbg, WinDbg, x64dbg). Deprecated techniques (e.g. for SoftICE, etc.) are not included (despite all the love to SoftICE).

Anti-Debug tricks are grouped by the way in which they trigger side-effects (“meh, yet another classification”, you might think). Each group includes the description of corresponding tricks, their implementation in C/C++ or x86/x86-64 Assembly language, and recommendations of how to mitigate the trick for developers who want to create their own anti-anti-debug solution. In general, for bypassing anti-debug techniques we recommend using the [ScyllaHide][scylla_link] plugin which supports OllyDbg, x64dbg and IDA Pro.

All the techniques which are described in this encyclopedia are implemented in our [ShowStopper][showstopper_link] open-source project. The encyclopedia can help you to better understand how these techniques work or to assess debuggers and anti-anti-debug plugins.



    Yaraslau Harakhavik (@slevin_by),


    Reverse Engineer at Check Point Research






## References

* [P. Ferrie. The “Ultimate”Anti-Debugging Reference][ferrie]

* [N. Falliere. Windows Anti-Debug Reference][falliere]

* [J. Jackson. An Anti-Reverse Engineering Guide][jackson]

* [Anti Debugging Protection Techniques with Examples][apriorit]

* [simpliFiRE.AntiRE][simplifire]

[ferrie]: 

[falliere]: 

[jackson]: 

[apriorit]: 

[simplifire]: 

[scylla_link]: 

[showstopper_link]: