Note: The method described in this post only applies to 32-bit targets.
Background
The ability to live debug is key to reverse engineering a binary sample. However, most malware implements measures to detect debuggers and the breakpoints they use.
While analyzing a sample, I ran into this problem. The sample contained various methods to eliminate the use of virtually all types of breakpoints that I could find. I was able to implement breakpoints using data execution prevention, a security feature in modern processors.
More here: http://untainted.svbtle.com/exploiting-windows-dep-for-stealth-breakpoints