About This File
A printable cheat sheet of anti-debugging techniques (32-bit Windows on x86; all offsets below are fs-relative or CONTEXT/structure offsets of that platform):
Generics
BeingDebugged: PEB.BeingDebugged: db [fs:[30] + 2] == 1
IsDbgPresent: the same BeingDebugged check, via IsDebuggerPresent
NtGlobalFlag: PEB.NtGlobalFlag: dd [fs:[30] + 68] has 70 set (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)
HeapFlags: Heap.Flags: dd [[fs:[30] + 18] + C] == 2 (HEAP_GROWABLE only) when not debugged; extra debug flags are set under a debugger (XP heap layout)
ForceFlags: Heap.ForceFlags: dd [[fs:[30] + 18] + 10] is not null under a debugger (XP heap layout)
msvcrt!trigo: msvcrt!CIasin(invalid) => al = NtGlobalFlag ? a8 : 98
deletefiber: DeleteFiber(invalid) => LastError = ForceFlags ? 80000003 : 57
gs: GS is reset to 0 on a thread switch, which stepping forces
pop ss: debuggers can't step right after pop SS => the step trap is delayed and TF (100) shows up in the EFlags captured by a following pushf
smsw: operand = just after FPU ? 80010031 : 8001003b
int 2c/2e: slides over the next instruction and sets EDX to the next EIP, but behaves incorrectly if stepped
int 2d: triggers a BREAKPOINT exception if not under a debugger; a debugger swallows it and execution continues one byte later
InvalidHandle: CloseHandle(invalid) => INVALID_HANDLE exception (C0000008) if a debugger is present
ChkRemoteDbg: CheckRemoteDebuggerPresent(GetCurrentProcess(), &result) => [result] = present ? 1 : 0
NtQueryInfo: NtQueryInformationProcess(-1, ProcessDebugPort = 7, &var, ...) => [var] = present ? -1 : 0
HideThread: NtSetInformationThread(-2, ThreadHideFromDebugger = 11, -1, 0) => the thread no longer reports debug events; the debugger sees it as not responding
csr: OpenProcess(..., 0, CsrGetProcessId()) => succeeds only if SeDebugPrivilege is held, which a process started by a debugger inherits
Timing: comparison of two RDTSC reads, inlined GetTickCount, GS resets, ...
Timing API: comparison of two calls to APIs like GetTickCount, GetSystemTime, QueryPerformanceCounter, ...
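The timing entries above only say "compare two reads". The part that bites in practice is noise: a single RDTSC pair is inflated by any interrupt, so a naive threshold produces false positives. The following is an added example, not part of the cheat sheet, showing the usual fix: take the minimum over several runs, calibrate once, then compare against a multiple of the calibrated cost. It uses RDTSC on x86 as the sheet does and falls back to a monotonic clock elsewhere; the function names, the 512-iteration region and the factor of 50 are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#  include <x86intrin.h>      /* __rdtsc() */
#endif

/* Tick source: RDTSC on x86 as on the sheet; a monotonic nanosecond clock
   elsewhere so the decision logic can still be run. */
static uint64_t read_ticks(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

static volatile uint64_t sink;   /* volatile so the compiler cannot fold the loop away */

/* The guarded region: a short LCG loop standing in for the code an analyst
   would single-step through (hypothetical workload). */
static void region(void)
{
    uint64_t x = sink ^ 0x9E3779B97F4A7C15ull;
    for (int i = 0; i < 512; i++)
        x = x * 6364136223846793005ull + 1442695040888963407ull;
    sink = x;
}

/* Minimum delta over several runs. Interrupts and context switches can only
   inflate a measurement, never shrink it, so the minimum is the stable
   estimate; one RDTSC pair on its own is far too noisy to threshold. */
uint64_t min_region_ticks(int runs)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < runs; i++) {
        uint64_t t0 = read_ticks();
        region();
        uint64_t t1 = read_ticks();
        if (t1 - t0 < best)
            best = t1 - t0;
    }
    return best;
}

/* Pure decision, kept separate so it can be tested: a region costing more
   than factor times its calibrated cost was almost certainly stepped,
   breakpointed or traced. The factor is a hypothetical tuning value; a
   shipped check compares against a constant calibrated per build rather
   than calibrating at run time, when a debugger may already be attached. */
int timing_suspicious(uint64_t observed, uint64_t baseline, uint64_t factor)
{
    if (baseline == 0)
        baseline = 1;                  /* never accept a zero threshold */
    return observed > baseline * factor;
}

/* Calibrate, then re-measure: 1 = looks debugged, 0 = clean. */
int timing_check(void)
{
    uint64_t baseline = min_region_ticks(32);
    uint64_t now = min_region_ticks(8);
    return timing_suspicious(now, baseline, 50);
}

int main(void)
{
    printf("region: %llu ticks, debugger suspected: %d\n",
           (unsigned long long)min_region_ticks(8), timing_check());
    return 0;
}
```

Run it normally, then step over the `region()` call in the second measurement under a debugger: the minimum jumps by orders of magnitude and `timing_check()` flips to 1, while the calibration run before it is unaffected.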
Exceptions tricks (in the exception handler):
jmp: change the resume address via Context.Eip (Context + B8)
step: execute one more instruction and re-trigger the handler by setting TF in Context.EFlags (Context + C0)
hwbp: set or detect hardware breakpoints via Context.Dr0-Dr7 (Context + 04 to + 18)
higher: overwrite the next (higher) handler in the chain and trigger an exception ([esp+18])
return: overwrite the return address on the stack => context reloading is skipped ([esp+24])
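The "jmp" and "step" entries above are patches applied to the saved CONTEXT from inside the handler. The block below is an added example, not from the cheat sheet, that performs the same two patches using POSIX signals on Linux, where the ucontext plays the role of the SEH CONTEXT (Eip at +B8 becomes gregs[REG_RIP], EFlags at +C0 becomes gregs[REG_EFL]): the SIGSEGV handler moves the resume address past a deliberate access violation and sets TF, and a SIGTRAP handler counts the resulting single-step trap. A debugger normally keeps that trap for itself, so a count of zero is the tell. It needs x86 and GCC or Clang (labels-as-values); the function and variable names are hypothetical.

```c
#ifndef _GNU_SOURCE
#  define _GNU_SOURCE             /* REG_* indexes and sigaction on glibc */
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* Saved-register slots in the POSIX context, standing in for the sheet's
   Context.Eip (Context + B8) and Context.EFlags (Context + C0). The numeric
   fallbacks are the glibc gregset_t indexes. */
#if defined(__x86_64__)
#  ifndef REG_RIP
#    define REG_RIP 16
#  endif
#  ifndef REG_EFL
#    define REG_EFL 17
#  endif
#  define CTX_PC(uc)    ((uc)->uc_mcontext.gregs[REG_RIP])
#  define CTX_FLAGS(uc) ((uc)->uc_mcontext.gregs[REG_EFL])
#  define CTX_HAS_TF 1
#elif defined(__i386__)
#  ifndef REG_EIP
#    define REG_EIP 14
#  endif
#  ifndef REG_EFL
#    define REG_EFL 16
#  endif
#  define CTX_PC(uc)    ((uc)->uc_mcontext.gregs[REG_EIP])
#  define CTX_FLAGS(uc) ((uc)->uc_mcontext.gregs[REG_EFL])
#  define CTX_HAS_TF 1
#else
#  define CTX_HAS_TF 0            /* non-x86: the trick is reported as unsupported */
#endif

#define EFLAGS_TF 0x100u          /* trap flag, bit 8 of EFlags */

static void *volatile resume_addr;            /* where the handler redirects to */
static volatile sig_atomic_t single_steps;    /* TF traps delivered to us */
static volatile int *volatile bad_ptr;        /* NULL at run time: the deliberate fault */

/* "jmp" + "step": on the access violation, move the resume address past the
   faulting instruction and set TF so the very next instruction traps. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
#if CTX_HAS_TF
    ucontext_t *uc = (ucontext_t *)ctx;
    CTX_PC(uc) = (greg_t)(uintptr_t)resume_addr;
    CTX_FLAGS(uc) |= EFLAGS_TF;
#else
    (void)ctx;
#endif
}

/* The single-step trap: count it and clear TF in the saved context so
   execution continues normally. A debugger usually takes this trap itself
   and never passes it on, leaving the counter at zero. */
static void on_trap(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
#if CTX_HAS_TF
    ucontext_t *uc = (ucontext_t *)ctx;
    CTX_FLAGS(uc) &= ~(greg_t)EFLAGS_TF;
#else
    (void)ctx;
#endif
    single_steps++;
}

static int install(int signo, void (*fn)(int, siginfo_t *, void *))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fn;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(signo, &sa, NULL);
}

/* 1 = resumed at the patched address and the TF trap reached our handler
   (no debugger in the way), 0 = the step trap was swallowed (debugger
   suspected), -1 = this build cannot run the trick. */
int context_trick_check(void)
{
#if !CTX_HAS_TF
    return -1;
#else
    if (install(SIGSEGV, on_segv) != 0 || install(SIGTRAP, on_trap) != 0)
        return -1;
    single_steps = 0;
    resume_addr = &&after_fault;        /* GCC/Clang labels-as-values */
    *bad_ptr = 1;                        /* access violation: on_segv runs */
after_fault:
    __asm__ volatile("nop");             /* first instruction after the patched resume: the TF trap lands here */
    return single_steps == 1 ? 1 : 0;
#endif
}

int main(void)
{
    int r = context_trick_check();
    printf("%d: %s\n", r, r == 1 ? "resumed and step trap seen, no debugger"
                      : r == 0 ? "step trap swallowed, debugger suspected"
                               : "unsupported on this build");
    return 0;
}
```

Run it plainly and it reports 1; run it under gdb with the default SIGTRAP handling and the single step is stopped in the debugger instead of reaching `on_trap`, which is exactly what the sheet's "step" entry relies on. The Windows version does the same writes at Context + B8 and Context + C0 from the SEH handler.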
Ollydbg (1.1) specific:
esi: esi = -1 on startup under OllyDbg, not in general
FPU: displaying FFFFFFFF FFFFFFFF C0/40 3D as a float => crash
OdbgStr: OutputDebugStringA("%s%s") => crash (format string bug in OllyDbg 1.1)
VmWare specific:
backdoor: in eax, dx with eax = 'VMXh' and dx = 'VX' => exception if not present, else eax and ebx are modified
sidt: [operand + 5] == e8 or ff if present
sldt: result != 0 if present
str: result == 4000h if present
Reminders:
TF is used by a debugger for stepping: set TF and an exception is triggered after the next instruction executes
TEB is at fs:[18]
the PEB is accessible directly (fs:[30]) or via TEB.ProcessEnvironmentBlock ([fs:[18] + 30])
LastError is accessible via TEB.LastErrorValue ([fs:[18] + 34]) => GetLastError is inlinable
GetCurrentProcess = FFFFFFFF (constant value)
GetCurrentThread = -2 (constant value)
CsrGetProcessId = dword[7C980380] (hardcoded ntdll data address, specific to one XP build) => inlinable
GetTickCount = (dword [7FFE0000] * dword [7FFE0004]) >> 24 (KUSER_SHARED_DATA TickCountLow and TickCountMultiplier) => inlinable