Various tips

  • Malware often checks the Flags field of the ProcessHeap structure, testing whether the HEAP_GROWABLE bit (value 2) is set (debugged). ForceFlags is usually compared with 0, so a non-zero value means the process is being debugged.
  • Malware can raise debugger exceptions such as DBG_CONTROL_C, DBG_CONTROL_BREAK or DBG_RIPEVENT with RaiseException, RtlRaiseException or NtRaiseException; an attached debugger intercepts these first, so if the malware's own exception handler fails to take control, a debugger is present.
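
Reproducing the ProcessHeap check from the first tip, as an added example (not code from the page's author): classify_heap_flags() decides whether a Flags/ForceFlags pair looks debugged, and on Windows read_live_heap_flags() pulls the live values from the default heap; on other platforms it runs on constructed sample values. The Windows SDK flag values and the _HEAP field offsets in the comments are assumptions about the target build, not something the page states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows SDK value. Under a debugger the loader additionally sets
 * HEAP_TAIL_CHECKING_ENABLED (0x20), HEAP_FREE_CHECKING_ENABLED (0x40) and
 * HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000) in Flags and ForceFlags. */
#define HEAP_GROWABLE 0x00000002u

struct heap_verdict {
    bool     debugged;         /* true if the pair looks like a debugged process */
    uint32_t unexpected_flags; /* bits set in Flags besides HEAP_GROWABLE */
    uint32_t force_flags;      /* ForceFlags as read; 0 in a clean process */
};

/* A normally started process has Flags == HEAP_GROWABLE and ForceFlags == 0;
 * anything else in either field is what the malware treats as "debugged". */
struct heap_verdict classify_heap_flags(uint32_t flags, uint32_t force_flags)
{
    struct heap_verdict v;
    v.unexpected_flags = flags & ~HEAP_GROWABLE;
    v.force_flags      = force_flags;
    v.debugged         = (v.unexpected_flags != 0) || (force_flags != 0);
    return v;
}

#ifdef _WIN32
#include <windows.h>
/* GetProcessHeap() returns the same pointer as PEB->ProcessHeap. _HEAP.Flags and
 * ForceFlags sit at 0x70/0x74 on x64 and 0x40/0x44 on x86 (Windows 7 and later). */
static struct heap_verdict read_live_heap_flags(void)
{
    const unsigned char *heap = (const unsigned char *)GetProcessHeap();
    size_t off = sizeof(void *) == 8 ? 0x70 : 0x40;
    uint32_t flags, force;
    memcpy(&flags, heap + off, 4);
    memcpy(&force, heap + off + 4, 4);
    return classify_heap_flags(flags, force);
}
#endif

int main(void)
{
#ifdef _WIN32
    struct heap_verdict v = read_live_heap_flags();
#else
    /* Constructed sample: values a debugged 64-bit process typically shows. */
    struct heap_verdict v = classify_heap_flags(0x40000062u, 0x40000060u);
#endif
    printf("debugged=%d unexpected=0x%08x force=0x%08x\n", v.debugged, v.unexpected_flags, v.force_flags);
    return 0;
}
```

Running it natively and then under a debugger shows exactly the two values the malware compares, which is a quick way to confirm whether a debugger-hiding plugin actually resets Flags and ForceFlags.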