IsDebuggerPresent()
* ntdll->NtQueryInformationProcess with a ProcessInformationClass argument of 7 (7 == ProcessDebugPort)
* Timing checks. Some functions or instructions can be used to infer the presence of a debugger:
* rdtsc instruction
* GetTickCount()
* QueryPerformanceCounter()
* Virtual Machine Detection
* [[http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf | Thwarting VM Detection under VMWare ]]
* [[ http://msdn.microsoft.com/en-us/library/windows/desktop/ms686708%28v=vs.85%29.aspx | TEB ]] or [[ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706%28v=vs.85%29.aspx | PEB ]] access
*
  xor eax, eax
  mov eax, fs:[eax+0x0]      -> _TEB
  xor eax, eax
  mov eax, fs:[eax+0x30]     -> _TEB.Peb
  mov eax, fs:[0x30]
  mov eax, [eax+2]           -> PEB.BeingDebugged flag
  test eax, eax
  jnz debugger_detected
* SEH manipulation
* The following IDC script flags the basic patterns mentioned above (VM-detection instructions, rdtsc, and fs:-relative memory operands). It is a heuristic pre-screen, not a verdict: fs:-relative access is also used by ordinary SEH and TLS code, so every hit still needs manual triage. Note that IDA colour values are encoded as 0xBBGGRR, which is why the hex constants below match the colour names in the comments.
*
#include <idc.idc>

static main()
{
    auto start, end, addr, mnem, count, opnd, opnd1, opnd2;

    start = SegStart( ScreenEA() );
    end   = SegEnd( ScreenEA() );
    addr  = start;
    count = 0;

    while( addr < end )
    {
        mnem = GetMnem( addr );

        // Common VM detect instructions
        if( mnem == "sidt" || mnem == "sgdt" || mnem == "sldt" || mnem == "smsw" || mnem == "str" )
        {
            Message( "%08x: Found %s\n", addr, mnem );
            SetColor( addr, CIC_ITEM, 0x0088ff ); // orange
        }

        // Read Time Stamp Counter
        if( mnem == "rdtsc" )
        {
            Message( "%08x: Found %s\n", addr, mnem );
            SetColor( addr, CIC_ITEM, 0xff8800 ); // blue
        }

        // Exception Handling or other PEB/TEB access
        opnd  = "";
        opnd1 = GetOpnd( addr, 0 );
        opnd2 = GetOpnd( addr, 1 );
        if( strstr( opnd1, "fs:" ) > -1 )
        {
            opnd = opnd1;
        }
        else
        {
            if( strstr( opnd2, "fs:" ) > -1 )
                opnd = opnd2;
        }
        if( opnd != "" )
        {
            Message( "%08x: Found %s\n", addr, opnd );
            SetColor( addr, CIC_ITEM, 0xff8888 ); // purple
        }

        addr  = NextHead( addr, BADADDR );
        count = count + 1;
    }

    Message( "Processed %d instructions from %08x to %08x\n", count, start, end );
}
* More details and other techniques [[ 
http://www.symantec.com/connect/articles/windows-anti-debug-reference | here ]]
=== .NET tools ===
* .NET decompiler: [[ http://ilspy.net/ | ILSpy ]]
* .NET code analyzer: [[ http://www.red-gate.com/products/dotnet-development/reflector | .NET Reflector ]] and its plugin for assembly editing, [[ http://reflexil.net/ | ReflexIL ]]
=== LLVM ===
* LLVM bitcode can be converted to ELF with llvmc
=== Packer defeating tools ===
* [[ http://www.ntcore.com/exsuite.php | CFF Explorer ]] supports packer identification
== ARM ==
TODO
== Android / Mobile related Tools ==
* [[ http://pof.eslack.org/2011/02/18/from-apk-to-readable-java-source-code-in-3-easy-steps/ | Steps for APK binary decompilation ]]
== General Tools ==
* [[http://www.hexblog.com/?p=27 | FindCrypt: IDA plugin that detects standard crypto/hash algorithms ]]
* Excellent [[ https://github.com/gdbinit/Gdbinit | gdbinit ]] script for facilitating debugging in gdb
* RE framework - https://github.com/radare/radare2