Anti-debugging tricks
Anti-debugging tricks are meant to ensure that the code does not run under the influence of a debugger. Say we have a program with anti-debugging code in it. When run normally, the program behaves exactly as it would without the anti-debugging code. The story becomes different, however, when the program is being debugged. While debugging, we encounter code that goes straight to exiting the program or jumps into code that doesn't make sense. This process is illustrated in the following diagram:
Developing anti-debugging code requires understanding the traits of the program and the system, both when running normally and when being debugged. For example, the Process Environment Block (PEB) contains a flag that is set when a program is being run under a debugger. Another popular trick is to use a Structured Exception Handler (SEH) to continue execution from code that deliberately forces an exception, since the exception is handled differently while debugging. To better understand how these work, let's discuss these tricks in a little...
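From an analyst's side, the two tricks above leave recognisable byte patterns in 32-bit x86 code, and a static scanner can flag them before any dynamic analysis is attempted. The following Python script is an added example, not code from the chapter or its author; it assumes the input is raw 32-bit x86 code bytes and uses the textbook encodings of the PEB flag read (the `BeingDebugged` byte at offset 2 of the PEB, reached through `fs:[0x30]`, which is also what `kernel32!IsDebuggerPresent` returns) and of an SEH frame installation through `fs:[0]`. The sample bytes, the handler address and the offsets are constructed for the example.

```python
"""Static scan for the PEB flag check and SEH-based anti-debugging idioms.

Added example; assumptions not taken from the page:
  - input is raw 32-bit x86 machine code (no PE parsing is done here)
  - matching is byte-signature based, not real disassembly
"""
import re

# PEB.BeingDebugged read:
#   64 A1 30 00 00 00            mov eax, fs:[0x30]      (or 64 8B 0D/15/1D 30 00 00 00
#                                                        for mov ecx/edx/ebx, fs:[0x30])
#   0F B6 4x 02                  movzx r32, byte ptr [r32+2]
# A few unrelated bytes are tolerated between the two instructions.
PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B[\x0D\x15\x1D])\x30\x00\x00\x00"  # mov r32, fs:[0x30]
    rb".{0,8}?"                                          # tolerate a short gap
    rb"\x0F\xB6[\x40-\x7F]\x02",                         # movzx r32, byte ptr [r32+2]
    re.DOTALL,
)

# SEH frame installation:
#   68 xx xx xx xx               push offset handler
#   64 FF 35 00 00 00 00         push dword ptr fs:[0]
#   64 89 25 00 00 00 00         mov fs:[0], esp
SEH_INSTALL = re.compile(
    rb"\x68....\x64\xFF\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00",
    re.DOTALL,
)

# Import name that wraps the same PEB flag read.
API_NAMES = (b"IsDebuggerPresent",)

# How far after the SEH frame install to look for a deliberate int 3 (0xCC).
TRAP_WINDOW = 16


def scan(code: bytes) -> list[tuple[str, int]]:
    """Return (finding, offset) pairs for every anti-debugging idiom found."""
    hits: list[tuple[str, int]] = []

    for m in PEB_READ.finditer(code):
        hits.append(("peb_beingdebugged_read", m.start()))

    for m in SEH_INSTALL.finditer(code):
        # An int 3 right after the frame is installed is the classic trap:
        # without a debugger the handler runs, with one the debugger eats it.
        tail = code[m.end(): m.end() + TRAP_WINDOW]
        kind = "seh_int3_trap" if b"\xCC" in tail else "seh_frame_install"
        hits.append((kind, m.start()))

    for name in API_NAMES:
        for m in re.finditer(re.escape(name), code):
            hits.append(("import_" + name.decode(), m.start()))

    return sorted(hits, key=lambda h: h[1])


# Constructed sample: a tiny function that reads the PEB flag, installs an
# SEH frame, fires int 3, and references IsDebuggerPresent by name.
SAMPLE = (
    b"\x55\x8B\xEC"                      # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"          # mov eax, fs:[0x30]          (offset 3)
    b"\x0F\xB6\x40\x02"                  # movzx eax, byte ptr [eax+2]
    b"\x85\xC0"                          # test eax, eax
    b"\x75\x10"                          # jnz  short +0x10  (debugger-only path)
    b"\x68\x00\x10\x40\x00"              # push offset handler (made-up address, offset 17)
    b"\x64\xFF\x35\x00\x00\x00\x00"      # push dword ptr fs:[0]
    b"\x64\x89\x25\x00\x00\x00\x00"      # mov fs:[0], esp
    b"\xCC"                              # int 3
    b"\x90\x90"                          # nop; nop
    b"IsDebuggerPresent\x00"             # import name string          (offset 39)
)

if __name__ == "__main__":
    for finding, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {finding}")
```

Because this is signature matching rather than disassembly, a compiler that reorders or splits the two PEB instructions, or code that reaches the PEB through `NtCurrentTeb()` plus a normal memory read, will not match; treat a hit as a reason to look closer, not as a verdict.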