├── .github
    └── workflows
    │   └── sourceguard.yml
├── .gitignore
├── CNAME
├── LICENSE.md
├── README.md
├── _config.yml
├── _includes
    ├── footer.html
    ├── head.html
    ├── header.html
    ├── icon-github.html
    ├── icon-github.svg
    ├── icon-twitter.html
    ├── icon-twitter.svg
    └── share.html
├── _layouts
    ├── default.html
    ├── main.html
    ├── page.html
    └── post.html
├── _techniques
    ├── assembly.md
    ├── debug-flags.md
    ├── exceptions.md
    ├── interactive.md
    ├── misc.md
    ├── object-handles.md
    ├── process-memory.md
    └── timing.md
├── about.md
├── assets
    ├── css
    │   └── main.scss
    ├── icons
    │   ├── assembly.svg
    │   ├── debug_flags.svg
    │   ├── exceptions.svg
    │   ├── interactive.svg
    │   ├── memory.svg
    │   ├── misc.svg
    │   ├── object-handles.svg
    │   └── timing.svg
    ├── images
    │   ├── CPR_Logo_transparent.png
    │   ├── cpr_logo.png
    │   ├── cpr_logo_big.png
    │   ├── cpr_logo_small.png
    │   ├── dbgbreakpoint.png
    │   └── favicon.ico
    └── js
    │   └── search-script.js
├── favicon.ico
├── feed.xml
└── index.html


/.github/workflows/sourceguard.yml:
--------------------------------------------------------------------------------
 1 | name: SourceGuard Code Analysis
 2 | on: [push]
 3 | jobs:
 4 |   code-analysis:
 5 |     runs-on: ubuntu-latest
 6 |     container:
 7 |       image: sourceguard/sourceguard-cli
 8 |     steps:
 9 |       - name: Scan
10 |         uses: CheckPointSW/sourceguard-action@main
11 |         with:
12 |           SG_CLIENT_ID: ${{ secrets.SG_CLIENT_ID }}
13 |           SG_SECRET_KEY: ${{ secrets.SG_SECRET_KEY }}
14 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | _site
2 | .sass-cache
3 | .jekyll-metadata
4 | *.bak
5 | *.swo
6 | *.swp
7 | *~*


--------------------------------------------------------------------------------
/CNAME:
--------------------------------------------------------------------------------
1 | anti-debug.checkpoint.com


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2016 Hemang Kumar
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Anti-Debug Tricks
 2 | 
 3 | ### Site
 4 | 
 5 | Compiled encyclopedia resides here: https://anti-debug.checkpoint.com.
 6 | 
 7 | ### Description
 8 | 
 9 | Debugging is the essential part of malware analysis. Every time we need to drill down into malware behavior, restore encryption methods or examine communication protocols – generally, whenever we need to examine memory at a certain moment of time – we use debuggers.
10 | 
11 | Debuggers interfere with the debugged process in a way that usually produces side-effects. These side-effects are often used by malicious programs to verify if they are executed under debugging. In turn knowledge of anti-debug techniques helps us detect when the malware tries to prevent us from debugging it and mitigate the interference.
12 | 
13 | This encyclopedia contains the description of anti-debug tricks which work on the latest Windows releases with the most popular debuggers (such as OllyDbg, WinDbg, x64dbg). Deprecated techniques (e.g. for SoftICE, etc.) are not included (despite all the love to SoftICE).
14 | 
15 | Anti-Debug tricks are grouped by the way in which they trigger side-effects (“meh, yet another classification”, you might think). Each group includes the description of corresponding tricks, their implementation in C/C++ or x86/x86-64 Assembly language, and recommendations of how to mitigate the trick for developers who want to create their own anti-anti-debug solution. In general, for bypassing anti-debug techniques we recommend using the [ScyllaHide][scylla_link] plugin which supports OllyDbg, x64dbg and IDA Pro.
16 | 
17 | All the techniques which are described in this encyclopedia are implemented in our [ShowStopper][showstopper_link] open-source project. The encyclopedia can help you to better understand how these techniques work or to assess debuggers and anti-anti-debug plugins.
18 | 
19 | <p align="right">
20 |     Yaraslau Harakhavik (<a href="https://twitter.com/slevin_by">@slevin_by</a>),<br />
21 |     <i>Reverse Engineer at Check Point Research</i>
22 | </p>
23 | <br />
24 | 
25 | ## References
26 | * [P. Ferrie. The “Ultimate”Anti-Debugging Reference][ferrie]
27 | * [N. Falliere. Windows Anti-Debug Reference][falliere]
28 | * [J. Jackson. An Anti-Reverse Engineering Guide][jackson]
29 | * [Anti Debugging Protection Techniques with Examples][apriorit]
30 | * [simpliFiRE.AntiRE][simplifire]
31 | 
32 | [ferrie]: <http://pferrie.epizy.com/papers/antidebug.pdf>
33 | [falliere]: <https://www.symantec.com/connect/articles/windows-anti-debug-reference>
34 | [jackson]: <https://forum.tuts4you.com/files/file/1218-anti-reverse-engineering-guide/>
35 | [apriorit]: <https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software>
36 | [simplifire]: <https://bitbucket.org/fkie_cd_dare/simplifire.antire/src/master/>
37 | 
38 | [scylla_link]: <https://github.com/x64dbg/ScyllaHide>
39 | [showstopper_link]: <https://github.com/CheckPointSW/showstopper>
40 | 


--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
 1 | # Welcome to Jekyll!
 2 | #
 3 | # This config file is meant for settings that affect your whole blog, values
 4 | # which you are expected to set up once and rarely edit after that. If you find
 5 | # yourself editing these this file very often, consider using Jekyll's data files
 6 | # feature for the data you need to update frequently.
 7 | #
 8 | # For technical reasons, this file is *NOT* reloaded automatically when you use
 9 | # 'jekyll serve'. If you change this file, please restart the server process.
10 | 
11 | # Site settings
12 | # These are used to personalize your new site. If you look in the HTML files,
13 | # you will see them accessed via {{ site.title }}, {{ site.email }}, and so on.
14 | # You can create any custom variable you would like, and they will be accessible
15 | # in the templates via {{ site.myvariable }}.
16 | title: Anti-Debug Tricks
17 | description: > # this means to ignore newlines until "baseurl:"
18 |   Anti-Debug Tricks
19 | baseurl: "" # the subpath of your site, e.g. /blog
20 | url: "https://anti-debug.checkpoint.com" # the base hostname & protocol for your site
21 | 
22 | # Build settings
23 | markdown: kramdown
24 | 
25 | collections:
26 |   techniques:
27 |     output: true
28 | 
29 | defaults:
30 |   -
31 |     scope:
32 |       path: ""
33 |       type: post
34 |     values:
35 |       layout: "post"
36 | 
37 | webrick:
38 |   headers:
39 |     Content-Security-Policy: frame-ancestors 'self'
40 |     X-Frame-Options: SAMEORIGIN


--------------------------------------------------------------------------------
/_includes/footer.html:
--------------------------------------------------------------------------------
 1 | 
 2 | <nav class="navbar navbar-default navbar-fixed-bottom">
 3 |   <div class="container footer-content">
 4 | 
 5 |     Made with <font class="a-pink"><i class ="fa fa-heart"></i></font> to serve the community by Check Point Research    |    <a class="a-pink" href="https://research.checkpoint.com">Research blog</a>    |    <a class="a-pink" href="https://research.checkpoint.com/about-us/">About Us</a>    |    <a class="a-pink" href="https://github.com/CheckPointSW"><i class="fa fa-github fa-lg"></i></a> <a class="a-pink" href="https://twitter.com/_CPResearch_"><i class="fa fa-twitter fa-lg"></i></a>
 6 |     
 7 |     <br>
 8 |     
 9 |     © 1994-2022 Check Point Software Technologies LTD | All rights reserved | Property of CheckPoint.com
10 | 
11 | 
12 |   </div>
13 | </nav>
14 | 


--------------------------------------------------------------------------------
/_includes/head.html:
--------------------------------------------------------------------------------
 1 | <head>
 2 |   <meta charset="utf-8">
 3 |   <meta http-equiv="X-UA-Compatible" content="IE=edge">
 4 |   <meta name="viewport" content="width=device-width, initial-scale=1">
 5 |   <!-- Global site tag (gtag.js) - Google Analytics -->
 6 |   <script async src="https://www.googletagmanager.com/gtag/js?id=UA-194688-3"></script>
 7 |   <script>
 8 |    window.dataLayer = window.dataLayer || [];
 9 |    function gtag(){dataLayer.push(arguments);}
10 |    gtag('js', new Date());
11 |    gtag('config', 'UA-194688-3');
12 |   </script>
13 |   <meta content="{{ site.title }}" property="og:site_name">
14 | {% if page.title %}
15 |   <meta content="{{ page.title }}" property="og:title">
16 | {% else %}
17 |   <meta content="{{ site.title }}" property="og:title">
18 | {% endif %}
19 | {% if page.title %}
20 |   <meta content="article" property="og:type">
21 | {% else %}
22 |   <meta content="website" property="og:type">
23 | {% endif %}
24 | {% if page.description %}
25 |   <meta content="{{ page.description }}" property="og:description">
26 | {% else %}
27 |   <meta content="{{ site.description }}" property="og:description">
28 | {% endif %}
29 | {% if page.url %}
30 |   <meta content="{{ site.url }}{{ page.url }}" property="og:url">
31 | {% endif %}
32 | {% if page.date %}
33 |   <meta content="{{ page.date | date_to_xmlschema }}" property="article:published_time">
34 |   <meta content="{{ site.url }}/about/" property="article:author">
35 | {% endif %}
36 | 
37 |   <meta property="og:image" content="">
38 | 
39 | {% if page.categories %}
40 |   {% for category in page.categories limit:1 %}
41 |   <meta content="{{ category }}" property="article:section">
42 |   {% endfor %}
43 | {% endif %}
44 | {% if page.tags %}
45 |   {% for tag in page.tags %}
46 |   <meta content="{{ tag }}" property="article:tag">
47 |   {% endfor %}
48 | {% endif %}
49 |   <title>{% if page.title %}{{ page.title | escape }}{% else %}{{ site.title | escape }}{% endif %}</title>
50 |   <meta name="description" content="{% if page.excerpt %}{{ page.excerpt | strip_html | strip_newlines | truncate: 160 }}{% else %}{{ site.description }}{% endif %}">
51 | <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.2/jquery.min.js"></script>
52 | <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>
53 |   <link rel="stylesheet" href="{{ site.url }}{{ site.baseurl }}/assets/css/main.css">
54 | <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>
55 | 
56 |   <link href='https://fonts.googleapis.com/css?family=PT+Sans' rel='stylesheet' type='text/css'>
57 |   <link href='https://fonts.googleapis.com/css?family=Fira+Mono' rel='stylesheet' type='text/css'>
58 |   <link href='https://fonts.googleapis.com/css?family=Lato:400,700' rel='stylesheet' type='text/css'>
59 |   <link href='https://fonts.googleapis.com/css?family=Source+Code+Pro:400,200,300,500,600,700,900' rel='stylesheet' type='text/css'>
60 |   <link href='https://fonts.googleapis.com/css?family=Gentium+Basic:400,700' rel='stylesheet' type='text/css'>
61 |   <link href='https://fonts.googleapis.com/css?family=Alegreya:400,400italic,700' rel='stylesheet' type='text/css'>
62 |   <link href='https://fonts.googleapis.com/css?family=Lora:400,400italic,700' rel='stylesheet' type='text/css'>
63 |   <link href='https://fonts.googleapis.com/css?family=Fira+Sans:400,300,500,700' rel='stylesheet' type='text/css'>
64 |   <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.0/jquery.min.js"></script>
65 |   <link href='https://fonts.googleapis.com/css?family=Open+Sans:400,700' rel='stylesheet' type='text/css'>
66 |   <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
67 |   <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.1/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-hQpvDQiCJaD2H465dQfA717v7lu5qHWtDbWNPvaTJ0ID5xnPUlVXnKzq7b8YUkbN" crossorigin="anonymous">
68 |   <link rel="canonical" href="{{ page.url | replace:'index.html','' | prepend: site.baseurl | prepend: site.url }}">
69 |   <link rel="alternate" type="application/rss+xml" title="{{ site.title }}" href="{{ "/feed.xml" | prepend: site.baseurl | prepend: site.url }}">
70 | 
71 |   <script src="https://cdnjs.cloudflare.com/ajax/libs/tinysort/2.3.6/tinysort.js"></script>
72 |   <script src="https://cdnjs.cloudflare.com/ajax/libs/tinysort/2.3.6/tinysort.min.js"></script>
73 |   <script src="https://cdnjs.cloudflare.com/ajax/libs/tinysort/2.3.6/tinysort.charorder.js"></script>
74 |   <script src="https://cdnjs.cloudflare.com/ajax/libs/tinysort/2.3.6/tinysort.charorder.min.js"></script>
75 |   <script type="text/javascript" async src="//platform.twitter.com/widgets.js"></script>
76 | 
77 | 
78 | 
79 | 
80 | </head>
81 | 


--------------------------------------------------------------------------------
/_includes/header.html:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | <section>
 4 | <nav class="navbar navbar-default navbar-fixed-top">
 5 | 
 6 |   <div class="container">
 7 |     
 8 |     <!-- Brand and toggle get grouped for better mobile display -->
 9 |     <div class="navbar-header">
10 |       
11 |       <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1" aria-expanded="false">
12 |         <span class="sr-only">Toggle navigation</span>
13 |         <span class="icon-bar"></span>
14 |         <span class="icon-bar"></span>
15 |         <span class="icon-bar"></span>
16 |       </button>
17 |       <a class="navbar-brand" href="{{site.baseurl}}/">{{site.title}}</a>
18 |       
19 |     </div>
20 |     <div class="collapse navbar-collapse pull-right" id="bs-example-navbar-collapse-1">
21 |       <ul class="nav navbar-nav">
22 |         {% for page in site.pages %}
23 |         {% if page.title %}
24 |         <li><a href="{{page.permalink | prepend: site.baseurl }}">{{page.title}}</a></li>
25 |         {% endif %}
26 |         {% endfor %}
27 |       </ul>
28 | 
29 |       <!--  <ul class="nav navbar-nav navbar-right">
30 |         <li><a href="#">Know More!</a></li>
31 |         
32 |       </ul>-->
33 |       {% comment %}
34 |     <form class="form-inline mr-auto pull-right">
35 |         <div class="md-form my-0">
36 |           <input class="form-control active-pink" type="text" placeholder="Search" aria-label="Search" id="search-input">
37 |           <i class="fa fa-search text-white ml-3" aria-hidden="true"></i>
38 |         </div>
39 |     </form>
40 |       {% endcomment %}
41 |     </div><!-- /.navbar-collapse -->
42 |     
43 |   </div><!-- /.container-fluid -->
44 | 
45 | </nav>
46 | </section>
47 | 


--------------------------------------------------------------------------------
/_includes/icon-github.html:
--------------------------------------------------------------------------------
1 | <a href="https://github.com/{{ include.username }}"><span class="icon icon--github">{% include icon-github.svg %}</span><span class="username">{{ include.username }}</span></a>
2 | 


--------------------------------------------------------------------------------
/_includes/icon-github.svg:
--------------------------------------------------------------------------------
1 | <svg viewBox="0 0 16 16"><path fill="#828282" d="M7.999,0.431c-4.285,0-7.76,3.474-7.76,7.761 c0,3.428,2.223,6.337,5.307,7.363c0.388,0.071,0.53-0.168,0.53-0.374c0-0.184-0.007-0.672-0.01-1.32 c-2.159,0.469-2.614-1.04-2.614-1.04c-0.353-0.896-0.862-1.135-0.862-1.135c-0.705-0.481,0.053-0.472,0.053-0.472 c0.779,0.055,1.189,0.8,1.189,0.8c0.692,1.186,1.816,0.843,2.258,0.645c0.071-0.502,0.271-0.843,0.493-1.037 C4.86,11.425,3.049,10.76,3.049,7.786c0-0.847,0.302-1.54,0.799-2.082C3.768,5.507,3.501,4.718,3.924,3.65 c0,0,0.652-0.209,2.134,0.796C6.677,4.273,7.34,4.187,8,4.184c0.659,0.003,1.323,0.089,1.943,0.261 c1.482-1.004,2.132-0.796,2.132-0.796c0.423,1.068,0.157,1.857,0.077,2.054c0.497,0.542,0.798,1.235,0.798,2.082 c0,2.981-1.814,3.637-3.543,3.829c0.279,0.24,0.527,0.713,0.527,1.437c0,1.037-0.01,1.874-0.01,2.129 c0,0.208,0.14,0.449,0.534,0.373c3.081-1.028,5.302-3.935,5.302-7.362C15.76,3.906,12.285,0.431,7.999,0.431z"/></svg>
2 | 


--------------------------------------------------------------------------------
/_includes/icon-twitter.html:
--------------------------------------------------------------------------------
1 | <a href="https://twitter.com/{{ include.username }}"><span class="icon icon--twitter">{% include icon-twitter.svg %}</span><span class="username">{{ include.username }}</span></a>
2 | 


--------------------------------------------------------------------------------
/_includes/icon-twitter.svg:
--------------------------------------------------------------------------------
1 | <svg viewBox="0 0 16 16"><path fill="#828282" d="M15.969,3.058c-0.586,0.26-1.217,0.436-1.878,0.515c0.675-0.405,1.194-1.045,1.438-1.809c-0.632,0.375-1.332,0.647-2.076,0.793c-0.596-0.636-1.446-1.033-2.387-1.033c-1.806,0-3.27,1.464-3.27,3.27 c0,0.256,0.029,0.506,0.085,0.745C5.163,5.404,2.753,4.102,1.14,2.124C0.859,2.607,0.698,3.168,0.698,3.767 c0,1.134,0.577,2.135,1.455,2.722C1.616,6.472,1.112,6.325,0.671,6.08c0,0.014,0,0.027,0,0.041c0,1.584,1.127,2.906,2.623,3.206 C3.02,9.402,2.731,9.442,2.433,9.442c-0.211,0-0.416-0.021-0.615-0.059c0.416,1.299,1.624,2.245,3.055,2.271 c-1.119,0.877-2.529,1.4-4.061,1.4c-0.264,0-0.524-0.015-0.78-0.046c1.447,0.928,3.166,1.469,5.013,1.469 c6.015,0,9.304-4.983,9.304-9.304c0-0.142-0.003-0.283-0.009-0.423C14.976,4.29,15.531,3.714,15.969,3.058z"/></svg>
2 | 


--------------------------------------------------------------------------------
/_includes/share.html:
--------------------------------------------------------------------------------
 1 | <div class="sharebuttons" style="text-align: center">
 2 |         <hr />
 3 |         <ul>
 4 |           <li>
 5 |             <p class="sharetitle"> Share this: </p>
 6 |           </li>
 7 |           <li class="reddit">
 8 |             <a href="http://www.reddit.com/submit?url={{ page.url | replace:'index.html','' | prepend: site.baseurl | prepend: site.url | uri_escape}}&title={{ page.title | default:"" | uri_escape }} - Evasion Techniques" target="_blank">
 9 |                 <svg xmlns="http://www.w3.org/2000/svg"
10 |                 aria-label="Reddit" role="img"
11 |                 viewBox="0 0 512 512"><rect
12 |                 width="512" height="512"
13 |                 rx="15%"
14 |                 fill="#f40"/><g fill="#fff"><ellipse cx="256" cy="307" rx="166" ry="117"/><circle cx="106" cy="256" r="42"/><circle cx="407" cy="256" r="42"/><circle cx="375" cy="114" r="32"/></g><g stroke-linecap="round" stroke-linejoin="round" fill="none"><path d="m256 196 23-101 73 15" stroke="#fff" stroke-width="16"/><path d="m191 359c33 25 97 26 130 0" stroke="#f40" stroke-width="13"/></g><g fill="#f40"><circle cx="191" cy="287" r="31"/><circle cx="321" cy="287" r="31"/></g></svg>
15 |                 
16 |             </a>
17 |           </li>
18 |           <li class="hn">
19 |             <a href="http://news.ycombinator.com/submitlink?u={{ page.url | replace:'index.html','' | prepend: site.baseurl | prepend: site.url | uri_escape}}&t={{ page.title | default:"" | uri_escape}} - Evasion Techniques" target="_blank">
20 |                 <svg xmlns="http://www.w3.org/2000/svg"
21 |                 aria-label="Hacker News" role="img"
22 |                 viewBox="0 0 512 512"><rect
23 |                 width="512" height="512"
24 |                 rx="15%"
25 |                 fill="#f60"/><path fill="#fff" d="M124 91h51l81 162 81-164h51L276 293v136h-40V293z"/></svg>
26 |             </a>
27 |           </li>
28 |           <li class="twitter">
29 |             <a href="https://twitter.com/intent/tweet?via=_CPResearch_&url={{ page.url | replace:'index.html','' | prepend: site.baseurl | prepend: site.url | uri_escape}}&text={{ page.title | default:"" | uri_escape}} - Evasion Techniques" target="_blank">
30 |                 <svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M1684 408q-67 98-162 167 1 14 1 42 0 130-38 259.5t-115.5 248.5-184.5 210.5-258 146-323 54.5q-271 0-496-145 35 4 78 4 225 0 401-138-105-2-188-64.5t-114-159.5q33 5 61 5 43 0 85-11-112-23-185.5-111.5t-73.5-205.5v-4q68 38 146 41-66-44-105-115t-39-154q0-88 44-163 121 149 294.5 238.5t371.5 99.5q-8-38-8-74 0-134 94.5-228.5t228.5-94.5q140 0 236 102 109-21 205-78-37 115-142 178 93-10 186-50z"/></svg>
31 |             </a>
32 |           </li>
33 |           <li class="linkedin">
34 |             <a href=https://www.linkedin.com/shareArticle?mini=true&url={{ page.url | replace:'index.html','' | prepend: site.baseurl | prepend: site.url | uri_escape}}&title={{ page.title | default:"" | uri_escape}} - Evasion Techniques&source=LinkedIn" target="_blank">
35 |                 <svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M477 625v991h-330v-991h330zm21-306q1 73-50.5 122t-135.5 49h-2q-82 0-132-49t-50-122q0-74 51.5-122.5t134.5-48.5 133 48.5 51 122.5zm1166 729v568h-329v-530q0-105-40.5-164.5t-126.5-59.5q-63 0-105.5 34.5t-63.5 85.5q-11 30-11 81v553h-329q2-399 2-647t-1-296l-1-48h329v144h-2q20-32 41-56t56.5-52 87-43.5 114.5-15.5q171 0 275 113.5t104 332.5z"/></svg>
36 |             </a>
37 |           </li>
38 |         </ul>
39 |       </div>
40 |       


--------------------------------------------------------------------------------
/_layouts/default.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 | 
 4 |   {% include head.html %}
 5 | 
 6 |   <body>
 7 | <section>
 8 | {{content}}
 9 | </section>
10 | {% include footer.html %}
11 |   </body>
12 | 
13 | </html>
14 | 


--------------------------------------------------------------------------------
/_layouts/main.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 | 
 4 |   {% include head.html %}
 5 | 
 6 |   <body>
 7 | {% include header.html %}
 8 | <section>
 9 | {{content}}
10 | </section>
11 | <br />
12 | <br />
13 | <br />
14 | {% include footer.html %}
15 |   </body>
16 | 
17 | </html>
18 | 


--------------------------------------------------------------------------------
/_layouts/page.html:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: default
 3 | ---
 4 | <div class="jumbotron">
 5 | <div class="container">
 6 |   <h1 class="post-title-main" itemprop="name headline">{{ page.title }}</h1>
 7 | <center>  <h4 class="post-title-main" itemprop="name headline">{{ page.tagline}}</h4></center>
 8 | </div>
 9 | </div>
10 | 
11 | <div class="container">
12 | 
13 |   {{ content }}
14 |   <div style="text-align: left">
15 |     <a href={{ site.url }}{{ site.baseurl }}>Back to main page</a>
16 |     <br>
17 |     <br>
18 |     <br>
19 |     <br>
20 |   </div>
21 | </div>


--------------------------------------------------------------------------------
/_layouts/post.html:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: default
 3 | ---
 4 | <article class="post" itemscope itemtype="http://schema.org/BlogPosting">
 5 |   <div class="jumbotron">
 6 |     <div class="container">
 7 |       <h1 class="post-title-main" itemprop="name headline">{{ page.title }}</h1>
 8 |     </div>
 9 | </div>
10 | 
11 |   <div class="post-content container" itemprop="articleBody">
12 |     <div style="text-align: left">
13 |         <a href={{ site.url }}{{ site.baseurl }}>Back to main page</a>
14 |         <br>
15 |         <br>
16 |     </div>
17 |     {{ content }}
18 |     <br>
19 |     <div style="text-align: left">
20 |         <a href={{ site.url }}{{ site.baseurl }}>Back to main page</a>
21 |     </div>
22 |     <br>
23 |     {% include share.html %}
24 | </article>
25 | 
26 | 


--------------------------------------------------------------------------------
/_techniques/assembly.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | layout: post
  3 | title:  "Anti-Debug: Assembly instructions"
  4 | title-image: "/assets/icons/assembly.svg"
  5 | categories: anti-debug 
  6 | tags: assembly
  7 | ---
  8 | 
  9 | <h1>Contents</h1>
 10 | 
 11 | [Assembly instructions](#assembly)
 12 | 
 13 | * [1. INT 3](#int3)
 14 | * [2. INT 2D](#int2d)
 15 | * [3. DebugBreak](#debugbreak)
 16 | * [4. ICE](#ice)
 17 | * [5. Stack Segment Register](#ss_register)
 18 | * [6. Instruction Counting](#instruction-counting)
 19 | * [7. POPF and Trap Flag](#popf_and_trap_flag)
 20 | * [8. Instruction Prefixes](#instruction_prefixes)
 21 | * [Mitigations](#mitigations)
 22 | <br />
 23 | 
 24 | <hr class="space">
 25 | 
 26 | <h2><a class="a-dummy" name="assembly">Assembly instructions</a></h2>
 27 | The following techniques are intended to detect a debugger presence based on how debuggers behave when the CPU executes a certain instruction.
 28 | 
 29 | <br />
 30 | <h3><a class="a-dummy" name="int3">1. INT 3</a></h3>
 31 | Instruction <tt>INT3</tt> is an interruption which is used as a software breakpoint. Without a debugger present, after getting to the <tt>INT3</tt> instruction, the exception <tt>EXCEPTION_BREAKPOINT</tt> (<tt>0x80000003</tt>) is generated and an exception handler will be called. If the debugger is present, the control won't be given to the exception handler.
 32 | 
 33 | <hr class="space">
 34 | 
 35 | <b>C/C++ Code</b>
 36 | <p></p>
 37 | 
 38 | {% highlight c %}
 39 | 
 40 | bool IsDebugged()
 41 | {
 42 |     __try
 43 |     {
 44 |         __asm int 3;
 45 |         return true;
 46 |     }
 47 |     __except(EXCEPTION_EXECUTE_HANDLER)
 48 |     {
 49 |         return false;
 50 |     }
 51 | }
 52 | 
 53 | {% endhighlight %}
 54 | 
 55 | <br />Besides the short form of <tt>INT3</tt> instruction (<tt>0xCC</tt> opcode), there is also a long form of this instruction: <tt>CD 03</tt> opcode.
 56 | 
 57 | When the exception <tt>EXCEPTION_BREAKPOINT</tt> occurs, the Windows decrements <tt>EIP</tt> register to the assumed location of the <tt>0xCC</tt> opcode and pass the control to the exception handler. In the case of the long form of the <tt>INT3</tt> instruction, <tt>EIP</tt> will point to the middle of the instruction (i.e. to <tt>0x03</tt> byte). Therefore, <tt>EIP</tt> should be edited in the exception handler if we want to continue execution after the <tt>INT3</tt> instruction (otherwise we'll most likely get an <tt>EXCEPTION_ACCESS_VIOLATION</tt> exception). If not, we can neglect the instruction pointer modification.
 58 | 
 59 | <hr class="space">
 60 | 
 61 | <b>C/C++ Code</b>
 62 | <p></p>
 63 | 
 64 | {% highlight c %}
 65 | 
 66 | bool g_bDebugged = false;
 67 | 
 68 | int filter(unsigned int code, struct _EXCEPTION_POINTERS *ep)
 69 | {
 70 |     g_bDebugged = code != EXCEPTION_BREAKPOINT;
 71 |     return EXCEPTION_EXECUTE_HANDLER;
 72 | }
 73 | 
 74 | bool IsDebugged()
 75 | {
 76 |     __try
 77 |     {
 78 |         __asm __emit(0xCD);
 79 |         __asm __emit(0x03);
 80 |     }
 81 |     __except (filter(GetExceptionCode(), GetExceptionInformation()))
 82 |     {
 83 |         return g_bDebugged;
 84 |     }
 85 | }
 86 | 
 87 | {% endhighlight %}
 88 | 
 89 | 
 90 | <hr class="space">
 91 | 
 92 | <br />
 93 | <h3><a class="a-dummy" name="int2d">2. INT 2D</a></h3>
 94 | Just like in the case of <tt>INT3</tt> instruction when the instruction <tt>INT2D</tt> is executed, the exception <tt>EXCEPTION_BREAKPOINT</tt> is raised as well. But with <tt>INT2D</tt>, Windows uses the <tt>EIP</tt> register as an exception address and then increments the <tt>EIP</tt> register value. Windows also examines the value of the <tt>EAX</tt> register while <tt>INT2D</tt> is executed. If it's 1, 3 or 4 on all versions of Windows, or 5 on Vista+, the exception address will be increased by one.
 95 | 
 96 | This instruction can cause problems for some debuggers because after the <tt>EIP</tt> incrimination, the byte which follows the <tt>INT2D</tt> instruction will be skipped and the execution might continue from the damaged instruction.
 97 | 
 98 | In the example, we put one-byte <tt>NOP</tt> instruction after <tt>INT2D</tt> to skip it in any case. If the program is executed without a debugger, the control will be passed to the exception handler.
 99 | 
100 | <hr class="space">
101 | 
102 | <b>C/C++ Code</b>
103 | <p></p>
104 | 
105 | {% highlight c %}
106 | 
107 | bool IsDebugged()
108 | {
109 |     __try
110 |     {
111 |         __asm xor eax, eax;
112 |         __asm int 0x2d;
113 |         __asm nop;
114 |         return true;
115 |     }
116 |     __except(EXCEPTION_EXECUTE_HANDLER)
117 |     {
118 |         return false;
119 |     }
120 | }
121 | 
122 | {% endhighlight %}
123 | 
124 | <hr class="space">
125 | 
126 | <br />
127 | <h3><a class="a-dummy" name="debugbreak">3. DebugBreak</a></h3>
128 | As written in <a href="https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-debugbreak">DebugBreak documentation</a>, "<tt>DebugBreak</tt> causes a breakpoint exception to occur in the current process. This allows the calling thread to signal the debugger to handle the exception".
129 | 
130 | If the program is executed without a debugger, the control will be passed to the exception handler. Otherwise, the execution will be intercepted by the debugger.
131 | 
132 | <hr class="space">
133 | 
134 | <b>C/C++ Code</b>
135 | <p></p>
136 | 
137 | {% highlight c %}
138 | 
139 | bool IsDebugged()
140 | {
141 |     __try
142 |     {
143 |         DebugBreak();
144 |     }
145 |     __except(EXCEPTION_BREAKPOINT)
146 |     {
147 |         return false;
148 |     }
149 |     
150 |     return true;
151 | }
152 | 
153 | {% endhighlight %}
154 | 
155 | <hr class="space">
156 | 
157 | <br />
158 | <h3><a class="a-dummy" name="ice">4. ICE</a></h3>
159 | "<tt>ICE</tt>" is one of Intel's undocumented instructions. Its opcode is <tt>0xF1</tt>. It can be used to detect if the program is traced.
160 | 
161 | If <tt>ICE</tt> instruction is executed, the <tt>EXCEPTION_SINGLE_STEP</tt> (<tt>0x80000004</tt>) exception will be raised.
162 | 
163 | However, if the program has been already traced, the debugger will consider this exception as the normal exception generated by executing the instruction with the <a href="https://en.wikipedia.org/wiki/Trap_flag#Single-step_interrupt">SingleStep</a> bit set in the Flags registers. Therefore, under a debugger, the exception handler won't be called and execution will continue after the <tt>ICE</tt> instruction.
164 | 
165 | <hr class="space">
166 | 
167 | <b>C/C++ Code</b>
168 | <p></p>
169 | 
170 | {% highlight c %}
171 | 
172 | bool IsDebugged()
173 | {
174 |     __try
175 |     {
176 |         __asm __emit 0xF1;
177 |         return true;
178 |     }
179 |     __except(EXCEPTION_EXECUTE_HANDLER)
180 |     {
181 |         return false;
182 |     }
183 | }
184 | 
185 | {% endhighlight %}
186 | 
187 | <hr class="space">
188 | 
189 | <br />
190 | <h3><a class="a-dummy" name="ss_register">5. Stack Segment Register</a></h3>
191 | This is a trick that can be used to detect if the program is being traced.
192 | The trick consists of tracing over the following sequence of assembly instructions:
193 | {% highlight asm %}
194 | push ss 
195 | pop ss 
196 | pushf
197 | {% endhighlight %}
198 | 
199 | <br />After single-stepping in a debugger through this code, the <a href="https://en.wikipedia.org/wiki/Trap_flag">Trap Flag</a> will be set. Usually it's not visible as debuggers clear the Trap Flag after each debugger event is delivered. However, if we previously save <tt>EFLAGS</tt> to the stack, we'll be able to check whether the Trap Flag is set.
200 | 
201 | <hr class="space">
202 | 
203 | <b>C/C++ Code</b>
204 | <p></p>
205 | 
206 | {% highlight c %}
207 | 
208 | bool IsDebugged()
209 | {
210 |     bool bTraced = false;
211 | 
212 |     __asm
213 |     {
214 |         push ss
215 |         pop ss
216 |         pushf
217 |         test byte ptr [esp+1], 1
218 |         jz movss_not_being_debugged
219 |     }
220 | 
221 |     bTraced = true;
222 | 
223 | movss_not_being_debugged:
224 |     // restore stack
225 |     __asm popf;
226 | 
227 |     return bTraced;
228 | }
229 | 
230 | {% endhighlight %}
231 | 
232 | <hr class="space">
233 | 
234 | <br />
235 | <h3><a class="a-dummy" name="instruction-counting">6. Instruction Counting</a></h3>
236 | This technique abuses how some debuggers handle <tt>EXCEPTION_SINGLE_STEP</tt> exceptions.
237 | 
238 | The idea of this trick is to set hardware breakpoints to each instruction in some predefined sequence (e.g. sequence of <tt>NOP</tt>s). Execution of the instruction with a hardware breakpoint on it raises the <tt>EXCEPTION_SINGLE_STEP</tt> exception which can be caught by a vectored exception handler. In the exception handler, we increment a register which plays the role of instruction counter (<tt>EAX</tt> in our case) and the instruction pointer <tt>EIP</tt> to pass the control to the next instruction in the sequence. Therefore, each time the control is passed to the next instruction in our sequence, the exception is raised and the counter is incremented. After the sequence is finished, we check the counter and if it is not equal to the length of our sequence, we consider it as if the program is being debugged.
239 | 
240 | <hr class="space">
241 | 
242 | <b>C/C++ Code</b>
243 | <p></p>
244 | 
245 | {% highlight c %}
246 | 
247 | #include "hwbrk.h"
248 | 
249 | static LONG WINAPI InstructionCountingExeptionHandler(PEXCEPTION_POINTERS pExceptionInfo)
250 | {
251 |     if (pExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)
252 |     {
253 |         pExceptionInfo->ContextRecord->Eax += 1;
254 |         pExceptionInfo->ContextRecord->Eip += 1;
255 |         return EXCEPTION_CONTINUE_EXECUTION;
256 |     }
257 |     return EXCEPTION_CONTINUE_SEARCH;
258 | }
259 | 
260 | __declspec(naked) DWORD WINAPI InstructionCountingFunc(LPVOID lpThreadParameter)
261 | {
262 |     __asm
263 |     {
264 |         xor eax, eax
265 |         nop
266 |         nop
267 |         nop
268 |         nop
269 |         cmp al, 4
270 |         jne being_debugged
271 |     }
272 | 
273 |     ExitThread(FALSE);
274 | 
275 | being_debugged:
276 |     ExitThread(TRUE);
277 | }
278 | 
279 | bool IsDebugged()
280 | {
281 |     PVOID hVeh = nullptr;
282 |     HANDLE hThread = nullptr;
283 |     bool bDebugged = false;
284 | 
285 |     __try
286 |     {
287 |         hVeh = AddVectoredExceptionHandler(TRUE, InstructionCountingExeptionHandler);
288 |         if (!hVeh)
289 |             __leave;
290 | 
291 |         hThread = CreateThread(0, 0, InstructionCountingFunc, NULL, CREATE_SUSPENDED, 0);
292 |         if (!hThread)
293 |             __leave;
294 | 
295 |         PVOID pThreadAddr = &InstructionCountingFunc;
296 |         // Fix thread entry address if it is a JMP stub (E9 XX XX XX XX)
297 |         if (*(PBYTE)pThreadAddr == 0xE9)
298 |             pThreadAddr = (PVOID)((DWORD)pThreadAddr + 5 + *(PDWORD)((PBYTE)pThreadAddr + 1));
299 | 
300 |         for (auto i = 0; i < m_nInstructionCount; i++)
301 |             m_hHwBps[i] = SetHardwareBreakpoint(
302 |                 hThread, HWBRK_TYPE_CODE, HWBRK_SIZE_1, (PVOID)((DWORD)pThreadAddr + 2 + i));
303 | 
304 |         ResumeThread(hThread);
305 |         WaitForSingleObject(hThread, INFINITE);
306 | 
307 |         DWORD dwThreadExitCode;
308 |         if (TRUE == GetExitCodeThread(hThread, &dwThreadExitCode))
309 |             bDebugged = (TRUE == dwThreadExitCode);
310 |     }
311 |     __finally
312 |     {
313 |         if (hThread)
314 |             CloseHandle(hThread);
315 | 
316 |         for (int i = 0; i < 4; i++)
317 |         {
318 |             if (m_hHwBps[i])
319 |                 RemoveHardwareBreakpoint(m_hHwBps[i]);
320 |         }
321 | 
322 |         if (hVeh)
323 |             RemoveVectoredExceptionHandler(hVeh);
324 |     }
325 | 
326 |     return bDebugged;
327 | }
328 | 
329 | {% endhighlight %}
330 | 
331 | <hr class="space">
332 | 
333 | <br />
334 | <h3><a class="a-dummy" name="popf_and_trap_flag">7. POPF and Trap Flag</a></h3>
335 | This is another trick that can indicate whether a program is being traced.
336 | 
337 | There is a Trap Flag in the Flags register. When the Trap Flag is set, the exception <tt>SINGLE_STEP</tt> is raised. However, if we traced the code, the Trap Flag will be cleared by a debugger so we won't see the exception.
338 | 
339 | <hr class="space">
340 | 
341 | <b>C/C++ Code</b>
342 | <p></p>
343 | 
344 | {% highlight c %}
345 | 
346 | bool IsDebugged()
347 | {
348 |     __try
349 |     {
350 |         __asm
351 |         {
352 |             pushfd
353 |             mov dword ptr [esp], 0x100
354 |             popfd
355 |             nop
356 |         }
357 |         return true;
358 |     }
359 |     __except(GetExceptionCode() == EXCEPTION_SINGLE_STEP
360 |         ? EXCEPTION_EXECUTE_HANDLER
361 |         : EXCEPTION_CONTINUE_EXECUTION)
362 |     {
363 |         return false;
364 |     }
365 | }
366 | 
367 | {% endhighlight %}
368 | 
369 | <hr class="space">
370 | 
371 | <br />
372 | <h3><a class="a-dummy" name="instruction_prefixes">8. Instruction Prefixes</a></h3>
373 | This trick works only in some debuggers. It abuses the way how these debuggers handle instruction prefixes.
374 | 
375 | If we execute the following code in OllyDbg, after stepping to the first byte <tt>F3</tt>, we'll immediately get to the end of <tt>try</tt> block. The debugger just skips the prefix and gives the control to the <tt>INT1</tt> instruction.
376 | 
377 | If we run the same code without a debugger, an exception will be raised and we'll get to <tt>except</tt> block.
378 | 
379 | <hr class="space">
380 | 
381 | <b>C/C++ Code</b>
382 | <p></p>
383 | 
384 | {% highlight c %}
385 | 
386 | bool IsDebugged()
387 | {
388 |     __try
389 |     {
390 |         // 0xF3 0x64 disassembles as PREFIX REP:
391 |         __asm __emit 0xF3
392 |         __asm __emit 0x64
393 |         // One byte INT 1
394 |         __asm __emit 0xF1
395 |         return true;
396 |     }
397 |     __except(EXCEPTION_EXECUTE_HANDLER)
398 |     {
399 |         return false;
400 |     }
401 | }
402 | 
403 | {% endhighlight %}
404 | 
405 | <hr class="space">
406 | 
407 | <br />
408 | <h3><a class="a-dummy" name="mitigations">Mitigations</a></h3>
409 | * During debugging:
410 |     * The best way to mitigate all the following checks is to patch them with <tt>NOP</tt> instructions.
411 |     * Regarding anti-tracing techniques: instead of patching the code, we can simply set a breakpoint in the code which follows the check and run the program till this breakpoint.
412 | * For anti-anti-debug tool development: No mitigation.
413 | 


--------------------------------------------------------------------------------
/_techniques/exceptions.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | layout: post
  3 | title:  "Anti-Debug: Exceptions"
  4 | title-image: "/assets/icons/exceptions.svg"
  5 | categories: anti-debug 
  6 | tags: exceptions
  7 | ---
  8 | 
  9 | <h1>Contents</h1>
 10 | 
 11 | [Exceptions](#exceptions)
 12 | 
 13 | * [1. UnhandledExceptionFilter()](#unhandledexceptionfilter)
 14 | * [2. RaiseException()](#raiseexception)
 15 | * [3. Hiding Control Flow with Exception Handlers](#hiding-cf-with-eh)
 16 | * [Mitigations](#mitigations)
 17 | <br />
 18 | 
 19 | <hr class="space">
 20 | 
 21 | <h2><a class="a-dummy" name="exceptions">Exceptions</a></h2>
 22 | The following methods deliberately cause exceptions to verify if the further behavior is not typical for a process running without a debugger.
 23 | 
 24 | <br />
 25 | <h3><a class="a-dummy" name="unhandledexceptionfilter">1. UnhandledExceptionFilter()</a></h3>
 26 | If an exception occurs and no exception handler is registered (or it is registered but doesn't handle such an exception), the <tt>kernel32!UnhandledExceptionFilter()</tt> function will be called. It is possible to register a custom unhandled exception filter using the <tt>kernel32!SetUnhandledExceptionFilter()</tt>. But if the program is running under a debugger, the custom filter won't be called and the exception will be passed to the debugger. Therefore, if the unhandled exception filter is registered and the control is passed to it, then the process is not running with a debugger.
 27 | 
 28 | <hr class="space">
 29 | 
 30 | <b>x86 Assembly (FASM)</b>
 31 | <p></p>
 32 | 
 33 | {% highlight asm %}
 34 | include 'win32ax.inc'
 35 | 
 36 | .code
 37 | 
 38 | start:
 39 |         jmp begin
 40 | 
 41 | not_debugged:
 42 |         invoke  MessageBox,HWND_DESKTOP,"Not Debugged","",MB_OK
 43 |         invoke  ExitProcess,0
 44 | 
 45 | begin:
 46 |         invoke SetUnhandledExceptionFilter, not_debugged
 47 |         int  3
 48 |         jmp  being_debugged
 49 | 
 50 | being_debugged:
 51 |         invoke  MessageBox,HWND_DESKTOP,"Debugged","",MB_OK
 52 |         invoke  ExitProcess,0
 53 | 
 54 | .end start
 55 | {% endhighlight %}
 56 | 
 57 | <hr class="space">
 58 | 
 59 | <b>C/C++ Code</b>
 60 | <p></p>
 61 | 
 62 | {% highlight c %}
 63 | 
 64 | LONG UnhandledExceptionFilter(PEXCEPTION_POINTERS pExceptionInfo)
 65 | {
 66 |     PCONTEXT ctx = pExceptionInfo->ContextRecord;
 67 |     ctx->Eip += 3; // Skip \xCC\xEB\x??
 68 |     return EXCEPTION_CONTINUE_EXECUTION;
 69 | }
 70 | 
 71 | bool Check()
 72 | {
 73 |     bool bDebugged = true;
 74 |     SetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)UnhandledExceptionFilter);
 75 |     __asm
 76 |     {
 77 |         int 3                      // CC
 78 |         jmp near being_debugged    // EB ??
 79 |     }
 80 |     bDebugged = false;
 81 | 
 82 | being_debugged:
 83 |     return bDebugged;
 84 | }
 85 | 
 86 | {% endhighlight %}
 87 | 
 88 | <hr class="space">
 89 | 
 90 | <br />
 91 | <h3><a class="a-dummy" name="raiseexception">2. RaiseException()</a></h3>
 92 | Exceptions such as <tt>DBC_CONTROL_C</tt> or <tt>DBG_RIPEVENT</tt> are not passed to exception handlers of the current process and are consumed by a debugger. This lets us register an exception handler, raise these exceptions using the <tt>kernel32!RaiseException()</tt> function, and check whether the control is passed to our handler. If the exception handler is not called, the process is likely under debugging.
 93 | 
 94 | <hr class="space">
 95 | 
 96 | <b>C/C++ Code</b>
 97 | <p></p>
 98 | 
 99 | {% highlight c %}
100 | 
101 | bool Check()
102 | {
103 |     __try
104 |     {
105 |         RaiseException(DBG_CONTROL_C, 0, 0, NULL);
106 |         return true;
107 |     }
108 |     __except(DBG_CONTROL_C == GetExceptionCode()
109 |         ? EXCEPTION_EXECUTE_HANDLER 
110 |         : EXCEPTION_CONTINUE_SEARCH)
111 |     {
112 |         return false;
113 |     }
114 | }
115 | 
116 | {% endhighlight %}
117 | 
118 | <hr class="space">
119 | 
120 | <br />
121 | <h3><a class="a-dummy" name="hiding-cf-with-eh">3. Hiding Control Flow with Exception Handlers</a></h3>
122 | This approach does not check whether a debugger is present, but it helps to hide the control flow of the program in the sequence of exception handlers.
123 | 
124 | We can register an exception handler (structured or vectored) which raises another exception which is passed to the next handler which raises the next exception, and so on. Finally, the sequence of handlers should lead to the procedure that we wanted to hide.
125 | 
126 | <br />Using Structured Exception Handlers:
127 | 
128 | <hr class="space">
129 | 
130 | <b>C/C++ Code</b>
131 | <p></p>
132 | 
133 | {% highlight c %}
134 | 
135 | #include <Windows.h>
136 | 
137 | void MaliciousEntry()
138 | {
139 |     // ...
140 | }
141 | 
142 | void Trampoline2()
143 | {
144 |     __try
145 |     {
146 |         __asm int 3;
147 |     }
148 |     __except (EXCEPTION_EXECUTE_HANDLER)
149 |     {
150 |         MaliciousEntry();
151 |     }
152 | }
153 | 
154 | void Trampoline1()
155 | {
156 |     __try 
157 |     {
158 |         __asm int 3;
159 |     }
160 |     __except (EXCEPTION_EXECUTE_HANDLER)
161 |     {
162 |         Trampoline2();
163 |     }
164 | }
165 | 
166 | int main(void)
167 | {
168 |     __try
169 |     {
170 |         __asm int 3;
171 |     }
172 |     __except (EXCEPTION_EXECUTE_HANDLER) {}
173 |     {
174 |         Trampoline1();
175 |     }
176 | 
177 |     return 0;
178 | }
179 | 
180 | {% endhighlight %}
181 | 
182 | <br />Using Vectored Exception Handlers:
183 | 
184 | <hr class="space">
185 | 
186 | <b>C/C++ Code</b>
187 | <p></p>
188 | 
189 | {% highlight c %}
190 | 
191 | #include <Windows.h>
192 | 
193 | PVOID g_pLastVeh = nullptr;
194 | 
195 | void MaliciousEntry()
196 | {
197 |     // ...
198 | }
199 | 
200 | LONG WINAPI ExeptionHandler2(PEXCEPTION_POINTERS pExceptionInfo)
201 | {
202 |     MaliciousEntry();
203 |     ExitProcess(0);
204 | }
205 | 
206 | LONG WINAPI ExeptionHandler1(PEXCEPTION_POINTERS pExceptionInfo)
207 | {
208 |     if (g_pLastVeh)
209 |     {
210 |         RemoveVectoredExceptionHandler(g_pLastVeh);
211 |         g_pLastVeh = AddVectoredExceptionHandler(TRUE, ExeptionHandler2);
212 |         if (g_pLastVeh)
213 |             __asm int 3;
214 |     }
215 |     ExitProcess(0);
216 | }
217 | 
218 | 
219 | int main(void)
220 | {
221 |     g_pLastVeh = AddVectoredExceptionHandler(TRUE, ExeptionHandler1);
222 |     if (g_pLastVeh)
223 |         __asm int 3;
224 | 
225 |     return 0;
226 | }
227 | 
228 | {% endhighlight %}
229 | 
230 | <hr class="space">
231 | 
232 | <br />
233 | <h3><a class="a-dummy" name="mitigations">Mitigations</a></h3>
234 | * During debugging: 
235 |     * For debugger detection checks: Just fill the corresponding check with <tt>NOP</tt>s.
236 |     * For Control Flow hiding: You have to manually trace the program till the payload.
237 | * For anti-anti-debug tool development: The issue with these type of techniques is that different debuggers consume different exceptions and do not return them to the debugger. This means that you have to implement a plugin for a specific debugger and change the behavior of the event handlers which are triggered after the corresponding exceptions.
238 | 


--------------------------------------------------------------------------------
/_techniques/interactive.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | layout: post
  3 | title:  "Anti-Debug: Direct debugger interaction"
  4 | title-image: "/assets/icons/interactive.svg"
  5 | categories: anti-debug 
  6 | tags: interactive
  7 | ---
  8 | 
  9 | <h1>Contents</h1>
 10 | 
 11 | [Direct debugger interaction](#interactive)
 12 | 
 13 | * [1. Self-Debugging](#self-debugging)
 14 | * [2. GenerateConsoleCtrlEvent()](#generateconsolectrlevent)
 15 | * [3. BlockInput()](#blockinput)
 16 | * [4. NtSetInformationThread()](#ntsetinformationthread)
 17 | * [5. EnumWindows() and SuspendThread()](#suspendthread)
 18 | * [6. SwitchDesktop()](#switchdesktop)
 19 | * [7. OutputDebugString()](#outputdebugstring)
 20 | * [Mitigations](#mitigations)
 21 | <br />
 22 | 
 23 | <hr class="space">
 24 | 
 25 | <h2><a class="a-dummy" name="interactive">Direct debugger interaction</a></h2>
 26 | The following techniques let the running process manage a user interface or engage with its parent process to discover inconsistencies that are inherent for a debugged process.
 27 | 
 28 | <br />
 29 | <h3><a class="a-dummy" name="self-debugging">1. Self-Debugging</a></h3>
 30 | There are at least three functions that can be used to attach as a debugger to a running process:
 31 | 
 32 | * <tt>kernel32!DebugActiveProcess()</tt>
 33 | * <tt>ntdll!DbgUiDebugActiveProcess()</tt>
 34 | * <tt>ntdll!NtDebugActiveProcess()</tt>
 35 | 
 36 | As only one debugger can be attached to a process at a time, a failure to attach to the process might indicate the presence of another debugger.
 37 | 
 38 | In the example below, we run the second instance of our process which tries to attach a debugger to its parent (the first instance of the process). If <tt>kenel32!DebugActiveProcess()</tt> finishes unsuccessfully, we set the named event which was created by the first instance. If the event is set, the first instance understands that a debugger is present.
 39 | 
 40 | <hr class="space">
 41 | 
 42 | <b>C/C++ Code</b>
 43 | <p></p>
 44 | 
 45 | {% highlight c %}
 46 | 
 47 | #define EVENT_SELFDBG_EVENT_NAME L"SelfDebugging"
 48 | 
 49 | bool IsDebugged()
 50 | {
 51 |     WCHAR wszFilePath[MAX_PATH], wszCmdLine[MAX_PATH];
 52 |     STARTUPINFO si = { sizeof(si) };
 53 |     PROCESS_INFORMATION pi;
 54 |     HANDLE hDbgEvent;
 55 | 
 56 |     hDbgEvent = CreateEventW(NULL, FALSE, FALSE, EVENT_SELFDBG_EVENT_NAME);
 57 |     if (!hDbgEvent)
 58 |         return false;
 59 | 
 60 |     if (!GetModuleFileNameW(NULL, wszFilePath, _countof(wszFilePath)))
 61 |         return false;
 62 | 
 63 |     swprintf_s(wszCmdLine, L"%s %d", wszFilePath, GetCurrentProcessId());
 64 |     if (CreateProcessW(NULL, wszCmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
 65 |     {
 66 |         WaitForSingleObject(pi.hProcess, INFINITE);
 67 |         CloseHandle(pi.hProcess);
 68 |         CloseHandle(pi.hThread);
 69 | 
 70 |         return WAIT_OBJECT_0 == WaitForSingleObject(hDbgEvent, 0);
 71 |     }
 72 | 
 73 |     return false;
 74 | }
 75 | 
 76 | bool EnableDebugPrivilege() 
 77 | {
 78 |     bool bResult = false;
 79 |     HANDLE hToken = NULL;
 80 |     DWORD ec = 0;
 81 | 
 82 |     do
 83 |     {
 84 |         if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
 85 |             break;
 86 | 
 87 |         TOKEN_PRIVILEGES tp; 
 88 |         tp.PrivilegeCount = 1;
 89 |         if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
 90 |             break;
 91 | 
 92 |         tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 93 |         if( !AdjustTokenPrivileges( hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
 94 |             break;
 95 | 
 96 |         bResult = true;
 97 |     }
 98 |     while (0);
 99 | 
100 |     if (hToken) 
101 |         CloseHandle(hToken);
102 | 
103 |     return bResult;
104 | }
105 | 
106 | int main(int argc, char **argv)
107 | {
108 |     if (argc < 2)
109 |     {        
110 |         if (IsDebugged())
111 |             ExitProcess(0);
112 |     }
113 |     else
114 |     {
115 |         DWORD dwParentPid = atoi(argv[1]);
116 |         HANDLE hEvent = OpenEventW(EVENT_MODIFY_STATE, FALSE, EVENT_SELFDBG_EVENT_NAME);
117 |         if (hEvent && EnableDebugPrivilege())
118 |         {
119 |             if (FALSE == DebugActiveProcess(dwParentPid))
120 |                 SetEvent(hEvent);
121 |             else
122 |                 DebugActiveProcessStop(dwParentPid);
123 |         }
124 |         ExitProcess(0);
125 |     }
126 |     
127 |     // ...
128 |     
129 |     return 0;
130 | }
131 | 
132 | {% endhighlight %}
133 | 
134 | <hr class="space">
135 | 
136 | <br />
137 | <h3><a class="a-dummy" name="generateconsolectrlevent">2. GenerateConsoleCtrlEvent()</a></h3>
138 | When a user presses Ctrl+C or Ctrl+Break and a console window is in the focus, Windows checks if there is a handler for this event. All console processes have a default handler function that calls the <tt>kernel32!ExitProcess()</tt> function. However, we can register a custom handler for these events which neglects the Ctrl+C or Ctrl+Break signals.
139 | 
140 | However, if a console process is being debugged and CTRL+C signals have not been disabled, the system generates a <tt>DBG_CONTROL_C</tt> exception. Usually this exception is intercepted by a debugger, but if we register an exception handler, we will be able to check whether <tt>DBG_CONTROL_C</tt> is raised. If we intercepted the <tt>DBG_CONTROL_C</tt> exception in our own exception handler, it may indicate that the process is being debugged.
141 | 
142 | <hr class="space">
143 | 
144 | <b>C/C++ Code</b>
145 | <p></p>
146 | 
147 | {% highlight c %}
148 | 
149 | bool g_bDebugged{ false };
150 | std::atomic<bool> g_bCtlCCatched{ false };
151 | 
152 | static LONG WINAPI CtrlEventExeptionHandler(PEXCEPTION_POINTERS pExceptionInfo)
153 | {
154 |     if (pExceptionInfo->ExceptionRecord->ExceptionCode == DBG_CONTROL_C)
155 |     {
156 |         g_bDebugged = true;
157 |         g_bCtlCCatched.store(true);
158 |     }
159 |     return EXCEPTION_CONTINUE_EXECUTION;
160 | }
161 | 
162 | static BOOL WINAPI CtrlHandler(DWORD fdwCtrlType)
163 | {
164 |     switch (fdwCtrlType)
165 |     {
166 |     case CTRL_C_EVENT:
167 |         g_bCtlCCatched.store(true);
168 |         return TRUE;
169 |     default:
170 |         return FALSE;
171 |     }
172 | }
173 | 
174 | bool IsDebugged()
175 | {
176 |     PVOID hVeh = nullptr;
177 |     BOOL bCtrlHadnlerSet = FALSE;
178 | 
179 |     __try
180 |     {
181 |         hVeh = AddVectoredExceptionHandler(TRUE, CtrlEventExeptionHandler);
182 |         if (!hVeh)
183 |             __leave;
184 | 
185 |         bCtrlHadnlerSet = SetConsoleCtrlHandler(CtrlHandler, TRUE);
186 |         if (!bCtrlHadnlerSet)
187 |             __leave;
188 | 
189 |         GenerateConsoleCtrlEvent(CTRL_C_EVENT, 0);
190 |         while (!g_bCtlCCatched.load())
191 |             ;
192 |     }
193 |     __finally
194 |     {
195 |         if (bCtrlHadnlerSet)
196 |             SetConsoleCtrlHandler(CtrlHandler, FALSE);
197 | 
198 |         if (hVeh)
199 |             RemoveVectoredExceptionHandler(hVeh);
200 |     }
201 | 
202 |     return g_bDebugged;
203 | }
204 | 
205 | {% endhighlight %}
206 | 
207 | <hr class="space">
208 | 
209 | <br />
210 | <h3><a class="a-dummy" name="blockinput">3. BlockInput()</a></h3>
211 | The function <tt>user32!BlockInput()</tt> can block all mouse and keyboard events, which is quite an effective way to disable a debugger. On Windows Vista and higher versions, this call requires administrator privileges.
212 | 
213 | We can also detect whether a tool that hooks the <tt>user32!BlockInput()</tt> and other anti-debug calls is present. The function allows the input to be blocked only once. The second call will return <tt>FALSE</tt>. If the function returns <tt>TRUE</tt> regardless of the input, it may indicate that some hooking solution is present.
214 | 
215 | <hr class="space">
216 | 
217 | <b>C/C++ Code</b>
218 | <p></p>
219 | 
220 | {% highlight c %}
221 | 
222 | bool IsHooked ()
223 | {
224 |     BOOL bFirstResult = FALSE, bSecondResult = FALSE;
225 |     __try
226 |     {
227 |         bFirstResult = BlockInput(TRUE);
228 |         bSecondResult = BlockInput(TRUE);
229 |     }
230 |     __finally
231 |     {
232 |         BlockInput(FALSE);
233 |     }
234 |     return bFirstResult && bSecondResult;
235 | }
236 | 
237 | {% endhighlight %}
238 | 
239 | <hr class="space">
240 | 
241 | <br />
242 | <h3><a class="a-dummy" name="ntsetinformationthread">4. NtSetInformationThread()</a></h3>
243 | The function <tt>ntdll!NtSetInformationThread()</tt> can be used to hide a thread from a debugger. It is possible with a help of the undocumented value <tt>THREAD_INFORMATION_CLASS::ThreadHideFromDebugger</tt> (<tt>0x11</tt>). This is intended to be used by an external process, but any thread can use it on itself.
244 | 
245 | After the thread is hidden from the debugger, it will continue running but the debugger won’t receive events related to this thread. This thread can perform anti-debugging checks such as code checksum, debug flags verification, etc.
246 | 
247 | However, if there is a breakpoint in the hidden thread or if we hide the main thread from the debugger, the process will crash and the debugger will be stuck.
248 | 
249 | In the example, we hide the current thread from the debugger. This means that if we trace this code in the debugger or put a breakpoint to any instruction of this thread, the debugging will be stuck once <tt>ntdll!NtSetInformationThread()</tt> is called.
250 | 
251 | <hr class="space">
252 | 
253 | <b>C/C++ Code</b>
254 | <p></p>
255 | 
256 | {% highlight c %}
257 | 
258 | #define NtCurrentThread ((HANDLE)-2)
259 | 
260 | bool AntiDebug()
261 | {
262 |     NTSTATUS status = ntdll::NtSetInformationThread(
263 |         NtCurrentThread, 
264 |         ntdll::THREAD_INFORMATION_CLASS::ThreadHideFromDebugger, 
265 |         NULL, 
266 |         0);
267 |     return status >= 0;
268 | }
269 | 
270 | {% endhighlight %}
271 | 
272 | <hr class="space">
273 | 
274 | <br />
275 | <h3><a class="a-dummy" name="suspendthread">5. EnumWindows() and SuspendThread()</a></h3>
276 | The idea of this technique is to suspend the owning thread of the parent process.
277 | 
278 | First, we need to verify whether the parent process is a debugger. This can be achieved by enumerating all top-level windows on the screen (using <tt>user32!EnumWindows()</tt> or <tt>user32!EnumThreadWindows()</tt>), searching the window for which process ID is the ID of the parent process (using <tt>user32!GetWindowThreadProcessId()</tt>), and checking the title of this window (by <tt>user32!GetWindowTextW()</tt>). If the window title of the parent process looks like a debugger title, we can suspend the owning thread using <tt>kernel32!SuspendThread()</tt> or <tt>ntdll!NtSuspendThread()</tt>.
279 | 
280 | <hr class="space">
281 | 
282 | <b>C/C++ Code</b>
283 | <p></p>
284 | 
285 | {% highlight c %}
286 | 
287 | DWORD g_dwDebuggerProcessId = -1;
288 | 
289 | BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
290 | {
291 |     DWORD dwProcessId = *(PDWORD)lParam;
292 | 
293 |     DWORD dwWindowProcessId;
294 |     GetWindowThreadProcessId(hwnd, &dwWindowProcessId);
295 | 
296 |     if (dwProcessId == dwWindowProcessId)
297 |     {
298 |         std::wstring wsWindowTitle{ string_heper::ToLower(std::wstring(GetWindowTextLengthW(hwnd) + 1, L'\0')) };
299 |         GetWindowTextW(hwnd, &wsWindowTitle[0], wsWindowTitle.size());
300 | 
301 |         if (string_heper::FindSubstringW(wsWindowTitle, L"dbg") || 
302 |             string_heper::FindSubstringW(wsWindowTitle, L"debugger"))
303 |         {
304 |             g_dwDebuggerProcessId = dwProcessId;
305 |             return FALSE;
306 |         }
307 |         return FALSE;
308 |     }
309 | 
310 |     return TRUE;
311 | }
312 | 
313 | bool IsDebuggerProcess(DWORD dwProcessId) const
314 | {
315 |     EnumWindows(EnumWindowsProc, reinterpret_cast<LPARAM>(&dwProcessId));
316 |     return g_dwDebuggerProcessId == dwProcessId;
317 | }
318 | 
319 | bool SuspendDebuggerThread()
320 | {
321 |     THREADENTRY32 ThreadEntry = { 0 };
322 |     ThreadEntry.dwSize = sizeof(THREADENTRY32);
323 | 
324 |     DWORD dwParentProcessId = process_helper::GetParentProcessId(GetCurrentProcessId());
325 |     if (-1 == dwParentProcessId)
326 |         return false;
327 | 
328 |     HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwParentProcessId);
329 |     if(Thread32First(hSnapshot, &ThreadEntry))
330 |     {
331 |         do
332 |         {
333 |             if ((ThreadEntry.th32OwnerProcessID == dwParentProcessId) && IsDebuggerProcess(dwParentProcessId))
334 |             {
335 |                 HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, ThreadEntry.th32ThreadID);
336 |                 if (hThread)
337 |                     SuspendThread(hThread);
338 |                 break;
339 |             }
340 |         } while(Thread32Next(hSnapshot, &ThreadEntry));
341 |     }
342 | 
343 |     if (hSnapshot)
344 |         CloseHandle(hSnapshot);
345 | 
346 |     return false;
347 | }
348 | 
349 | {% endhighlight %}
350 | 
351 | <hr class="space">
352 | 
353 | <br />
354 | <h3><a class="a-dummy" name="switchdesktop">6. SwitchDesktop()</a></h3>
355 | Windows supports multiple desktops per session. It is possible to select a different active desktop, which has the effect of hiding the windows of the previously active desktop, and with no obvious way to switch back to the old desktop.
356 | 
357 | Further, the mouse and keyboard events from the debugged process desktop will no longer be delivered to the debugger, because their source is no longer shared. This obviously makes debugging impossible.
358 | 
359 | <hr class="space">
360 | 
361 | <b>C/C++ Code</b>
362 | <p></p>
363 | 
364 | {% highlight c %}
365 | 
366 | BOOL Switch()
367 | {
368 |     HDESK hNewDesktop = CreateDesktopA(
369 |         m_pcszNewDesktopName, 
370 |         NULL, 
371 |         NULL, 
372 |         0, 
373 |         DESKTOP_CREATEWINDOW | DESKTOP_WRITEOBJECTS | DESKTOP_SWITCHDESKTOP, 
374 |         NULL);
375 |     if (!hNewDesktop)
376 |         return FALSE;
377 | 
378 |     return SwitchDesktop(hNewDesktop);
379 | }
380 | 
381 | {% endhighlight %}
382 | 
383 | <hr class="space">
384 | 
385 | <br />
386 | <h3><a class="a-dummy" name="outputdebugstring">7. OutputDebugString()</a></h3>
387 | This technique is deprecated as it works only for Windows versions earlier than Vista. However, this technique is too well known to not mention here.
388 | 
389 | The idea is simple. If a debugger is not present and <tt>kernel32!OutputDebugString</tt> is called, then an error will occur.
390 | 
391 | <hr class="space">
392 | 
393 | <b>C/C++ Code (variant1)</b>
394 | <p></p>
395 | 
396 | {% highlight c %}
397 | 
398 | bool IsDebugged()
399 | {
400 |     if (IsWindowsVistaOrGreater())
401 |         return false;
402 | 
403 |     DWORD dwLastError = GetLastError();
404 |     OutputDebugString(L"AntiDebug_OutputDebugString_v1");
405 |     return GetLastError() != dwLastError;
406 | }
407 | 
408 | {% endhighlight %}
409 | 
410 | <hr class="space">
411 | 
412 | <b>C/C++ Code (variant2)</b>
413 | <p></p>
414 | 
415 | {% highlight c %}
416 | 
417 | bool IsDebugged()
418 | {
419 |     if (IsWindowsVistaOrGreater())
420 |         return false;
421 | 
422 |     DWORD dwErrVal = 0x666; 
423 |     SetLastError(dwErrVal);
424 |     OutputDebugString(L"AntiDebug_OutputDebugString_v2");
425 |     return GetLastError() != dwErrVal;
426 | }
427 | 
428 | {% endhighlight %}
429 | 
430 | <hr class="space">
431 | 
432 | <br />
433 | <h3><a class="a-dummy" name="mitigations">Mitigations</a></h3>
434 | During debugging, it is better to skip suspicious function calls (e.g. fill them with <tt>NOP</tt>s).
435 | 
436 | If you write an anti-anti-debug solution, all the following functions can be hooked:
437 | 
438 | * <tt>kernel32!DebugActiveProcess</tt>
439 | * <tt>ntdll!DbgUiDebugActiveProcess</tt>
440 | * <tt>ntdll!NtDebugActiveProcess</tt>
441 | * <tt>kernel32!GenerateConsoleCtrlEvent()</tt>
442 | * <tt>user32!NtUserBlockInput</tt>
443 | * <tt>ntdll!NtSetInformationThread</tt>
444 | * <tt>user32!NtUserBuildHwndList</tt> (for filtering <tt>EnumWindows</tt> output)
445 | * <tt>kernel32!SuspendThread</tt>
446 | * <tt>user32!SwitchDesktop</tt>
447 | * <tt>kernel32!OutputDebugStringW</tt>
448 | 
449 | Hooked functions can check input arguments and modify the original function behavior.


--------------------------------------------------------------------------------
/_techniques/misc.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | layout: post
  3 | title:  "Anti-Debug: Misc"
  4 | title-image: "/assets/icons/misc.svg"
  5 | categories: anti-debug 
  6 | tags: misc
  7 | ---
  8 | 
  9 | <h1>Contents</h1>
 10 | 
 11 | [Misc](#misc)
 12 | 
 13 | * [1. FindWindow()](#findwindow)
 14 | * [2. Parent Process Check](#parent-process-check)
 15 |     * [2.1. NtQueryInformationProcess()](#parent-process-check-ntqueryinformationprocess)
 16 |     * [2.2. CreateToolhelp32Snapshot()](#parent-process-check-createtoolhelp32snapshot)
 17 | * [3. Selectors](#selectors)
 18 | * [4. DbgPrint()](#dbgprint)
 19 | * [5. DbgSetDebugFilterState()](#dbgsetdebugfilterstate)
 20 | * [6. NtYieldExecution() / SwitchToThread()](#switchtothread)
 21 | * [7. VirtualAlloc() / GetWriteWatch()](#getwritewatch)
 22 | * [Mitigations](#mitigations)
 23 | <br />
 24 | 
 25 | <hr class="space">
 26 | 
 27 | <h2><a class="a-dummy" name="misc">Misc</a></h2>
 28 | 
 29 | <br />
 30 | <h3><a class="a-dummy" name="findwindow">1. FindWindow()</a></h3>
 31 | This technique includes the simple enumeration of window classes in the system and comparing them with known windows classes of debuggers.
 32 | 
 33 | The following functions can be used:
 34 | 
 35 | * <tt>user32!FindWindowW()</tt>
 36 | * <tt>user32!FindWindowA()</tt>
 37 | * <tt>user32!FindWindowExW()</tt>
 38 | * <tt>user32!FindWindowExA()</tt>
 39 | 
 40 | <hr class="space">
 41 | 
 42 | <b>C/C++ Code</b>
 43 | <p></p>
 44 | 
 45 | {% highlight c %}
 46 | 
 47 | const std::vector<std::string> vWindowClasses = {
 48 |     "antidbg",
 49 |     "ID",               // Immunity Debugger
 50 |     "ntdll.dll",        // peculiar name for a window class
 51 |     "ObsidianGUI",
 52 |     "OLLYDBG",
 53 |     "Rock Debugger",
 54 |     "SunAwtFrame",
 55 |     "Qt5QWindowIcon"
 56 |     "WinDbgFrameClass", // WinDbg
 57 |     "Zeta Debugger",
 58 | };
 59 | 
 60 | bool IsDebugged()
 61 | {
 62 |     for (auto &sWndClass : vWindowClasses)
 63 |     {
 64 |         if (NULL != FindWindowA(sWndClass.c_str(), NULL))
 65 |             return true;
 66 |     }
 67 |     return false;
 68 | }
 69 | 
 70 | {% endhighlight %}
 71 | 
 72 | <hr class="space">
 73 | 
 74 | <br />
 75 | <h3><a class="a-dummy" name="parent-process-check">2. Parent Process Check</a></h3>
 76 | Normally, a user-mode process is executed by double-clicking on a file icon. If the process is executed this way, its parent process will be the shell process (<b>"explorer.exe"</b>).
 77 | 
 78 | The main idea of the two following methods is to compare the PID of the parent process with the PID of <b>"explorer.exe"</b>.
 79 | 
 80 | <br />
 81 | <h4><a class="a-dummy" name="parent-process-check-ntqueryinformationprocess">2.1. NtQueryInformationProcess()</a></h4>
 82 | This method includes obtaining the shell process window handle using <tt>user32!GetShellWindow()</tt> and obtaining its process ID by calling <tt>user32!GetWindowThreadProcessId()</tt>.
 83 | 
 84 | Then, the parent process ID can be obtained from the <tt>PROCESS_BASIC_INFORMATION</tt> structure by calling <tt>ntdll!NtQueryInformationProcess()</tt> with the <tt>ProcessBasicInformation</tt> class.
 85 | 
 86 | <hr class="space">
 87 | 
 88 | <b>C/C++ Code</b>
 89 | <p></p>
 90 | 
 91 | {% highlight c %}
 92 | 
 93 | bool IsDebugged()
 94 | {
 95 |     HWND hExplorerWnd = GetShellWindow();
 96 |     if (!hExplorerWnd)
 97 |         return false;
 98 | 
 99 |     DWORD dwExplorerProcessId;
100 |     GetWindowThreadProcessId(hExplorerWnd, &dwExplorerProcessId);
101 | 
102 |     ntdll::PROCESS_BASIC_INFORMATION ProcessInfo;
103 |     NTSTATUS status = ntdll::NtQueryInformationProcess(
104 |         GetCurrentProcess(),
105 |         ntdll::PROCESS_INFORMATION_CLASS::ProcessBasicInformation,
106 |         &ProcessInfo,
107 |         sizeof(ProcessInfo),
108 |         NULL);
109 |     if (!NT_SUCCESS(status))
110 |         return false;
111 | 
112 |     return (DWORD)ProcessInfo.InheritedFromUniqueProcessId != dwExplorerProcessId;
113 | }
114 | 
115 | {% endhighlight %}
116 | 
117 | <br />
118 | <h4><a class="a-dummy" name="parent-process-check-createtoolhelp32snapshot">2.2. CreateToolhelp32Snapshot()</a></h4>
119 | The parent process ID and the parent process name can be obtained using the <tt>kernel32!CreateToolhelp32Snapshot()</tt> and <tt>kernel32!Process32Next()</tt> functions.
120 | 
121 | <hr class="space">
122 | 
123 | <b>C/C++ Code</b>
124 | <p></p>
125 | 
126 | {% highlight c %}
127 | 
128 | DWORD GetParentProcessId(DWORD dwCurrentProcessId)
129 | {
130 |     DWORD dwParentProcessId = -1;
131 |     PROCESSENTRY32W ProcessEntry = { 0 };
132 |     ProcessEntry.dwSize = sizeof(PROCESSENTRY32W);
133 | 
134 |     HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
135 |     if(Process32FirstW(hSnapshot, &ProcessEntry))
136 |     {
137 |         do
138 |         {
139 |             if (ProcessEntry.th32ProcessID == dwCurrentProcessId)
140 |             {
141 |                 dwParentProcessId = ProcessEntry.th32ParentProcessID;
142 |                 break;
143 |             }
144 |         } while(Process32NextW(hSnapshot, &ProcessEntry));
145 |     }
146 | 
147 |     CloseHandle(hSnapshot);
148 |     return dwParentProcessId;
149 | }
150 | 
151 | bool IsDebugged()
152 | {
153 |     bool bDebugged = false;
154 |     DWORD dwParentProcessId = GetParentProcessId(GetCurrentProcessId());
155 | 
156 |     PROCESSENTRY32 ProcessEntry = { 0 };
157 |     ProcessEntry.dwSize = sizeof(PROCESSENTRY32W);
158 | 
159 |     HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
160 |     if(Process32First(hSnapshot, &ProcessEntry))
161 |     {
162 |         do
163 |         {
164 |             if ((ProcessEntry.th32ProcessID == dwParentProcessId) &&
165 |                 (strcmp(ProcessEntry.szExeFile, "explorer.exe")))
166 |             {
167 |                 bDebugged = true;
168 |                 break;
169 |             }
170 |         } while(Process32Next(hSnapshot, &ProcessEntry));
171 |     }
172 | 
173 |     CloseHandle(hSnapshot);
174 |     return bDebugged;
175 | }
176 | 
177 | {% endhighlight %}
178 | 
179 | <hr class="space">
180 | 
181 | <br />
182 | <h3><a class="a-dummy" name="selectors">3. Selectors</a></h3>
183 | Selector values might appear to be stable, but they are actually volatile in certain circumstances, and also depending on the version of Windows. For example, a selector value can be set within a thread, but it might not hold that value for very long. Certain events might cause the selector value to be changed back to its default value. One such event is an exception. In the context of a debugger, the single-step exception is still an 
184 | exception, which can cause some unexpected behavior.
185 | 
186 | <b>x86 Assembly</b>
187 | <p></p>
188 | 
189 | {% highlight nasm %}
190 |     xor  eax, eax 
191 |     push fs 
192 |     pop  ds 
193 | l1: xchg [eax], cl 
194 |     xchg [eax], cl
195 | {% endhighlight %}
196 | 
197 | <hr class="space">
198 | 
199 | On the 64-bit versions of Windows, single-stepping through this code will cause an access violation exception at <tt>l1</tt> because the DS selector will be restored to its default value even before <tt>l1</tt> is reached. On the 32-bit versions of Windows, the <tt>DS</tt> selector will not have its value restored, unless a non-debugging exception occurs. The version-specific difference in behaviors expands even further if the <tt>SS</tt> selector is used. On the 64-bit versions of Windows, the <tt>SS</tt> selector will be restored to its default value, as in the <tt>DS</tt> selector case. However, on the 32-bit versions of Windows, the <tt>SS</tt> selector value will not be restored, even if an exception occurs.
200 | 
201 | <b>x86-64 Assembly</b>
202 | <p></p>
203 | 
204 | {% highlight nasm %}
205 |     xor  eax, eax 
206 |     push offset l2 
207 |     push d fs:[eax] 
208 |     mov  fs:[eax], esp 
209 |     push fs 
210 |     pop  ss 
211 |     xchg [eax], cl 
212 |     xchg [eax], cl 
213 | l1: int  3 ;force exception to occur 
214 | l2: ;looks like it would be reached 
215 |     ;if an exception occurs 
216 |     ...
217 | {% endhighlight %}
218 | 
219 | <hr class="space">
220 | 
221 | then when the "<tt>int 3</tt>" instruction is reached at <tt>l1</tt> and the breakpoint exception occurs, the exception handler at <tt>l2</tt> is not called as expected. Instead, the process is simply terminated.
222 | 
223 | A variation of this technique detects the single-step event by simply checking if the assignment was successful.
224 | 
225 | {% highlight nasm %}
226 | push 3 
227 | pop  gs 
228 | mov  ax, gs 
229 | cmp  al, 3 
230 | jne  being_debugged
231 | {% endhighlight %}
232 | 
233 | <hr class="space">
234 | 
235 | The <tt>FS</tt> and <tt>GS</tt> selectors are special cases. For certain values, they will be affected by the single-step event, even on the 32-bit versions of Windows. However, in the case of the <tt>FS</tt> selector (and, technically, the <tt>GS</tt> selector), it will be not restored to its default value on the 32-bit versions of Windows, if it was set to a value from zero to three. Instead, it will be set to zero (the <tt>GS</tt> selector is affected in the same way, but the default value for the <tt>GS</tt> selector is zero). On the 64-bit versions of Windows, it (they) will be restored to its (their) default value.
236 | 
237 | This code is also vulnerable to a race condition caused by a thread-switch event. When a thread-switch event occurs, it behaves like an exception, and will cause the selector values to be altered, which, in the case of the <tt>FS</tt> selector, means that it will be set to zero.
238 | 
239 | A variation of this technique solves that problem by waiting intentionally for a thread-switch event to occur.
240 | 
241 | {% highlight nasm %}
242 |     push 3 
243 |     pop  gs 
244 | l1: mov  ax, gs 
245 |     cmp  al, 3 
246 |     je   l1
247 | {% endhighlight %}
248 | 
249 | <hr class="space">
250 | 
251 | However, this code is vulnerable to the problem that it was trying to detect in the first place, because it does not check if the original assignment was successful. Of course, the two code snippets can be combined to produce the desired effect, by waiting until the thread-switch event occurs, and then performing the assignment within the window of time that should exist until the next one occurs. <a href="http://pferrie.host22.com/papers/antidebug.pdf">[Ferrie]</a>
252 | 
253 | <hr class="space">
254 | 
255 | <b>C/C++ Code</b>
256 | <p></p>
257 | 
258 | {% highlight c %}
259 | 
260 | bool IsTraced()
261 | {
262 |     __asm
263 |     {
264 |         push 3
265 |         pop  gs
266 | 
267 |     __asm SeclectorsLbl:
268 |         mov  ax, gs
269 |         cmp  al, 3
270 |         je   SeclectorsLbl
271 | 
272 |         push 3
273 |         pop  gs
274 |         mov  ax, gs
275 |         cmp  al, 3
276 |         jne  Selectors_Debugged
277 |     }
278 | 
279 |     return false;
280 | 
281 | Selectors_Debugged:
282 |     return true;
283 | }
284 | 
285 | {% endhighlight %}
286 | 
287 | <hr class="space">
288 | 
289 | <br />
290 | <h3><a class="a-dummy" name="dbgprint">4. DbgPrint()</a></h3>
291 | The debug functions such as <tt>ntdll!DbgPrint()</tt> and <tt>kernel32!OutputDebugStringW()</tt> cause the exception <tt>DBG_PRINTEXCEPTION_C</tt> (<tt>0x40010006</tt>). If a program is executed with an attached debugger, then the debugger will handle this exception. But if no debugger is present, and an exception handler is registered, this exception will be caught by the exception handler.
292 | 
293 | <hr class="space">
294 | 
295 | <b>C/C++ Code</b>
296 | <p></p>
297 | 
298 | {% highlight c %}
299 | 
300 | bool IsDebugged()
301 | {
302 |     __try
303 |     {
304 |         RaiseException(DBG_PRINTEXCEPTION_C, 0, 0, 0);
305 |     }
306 |     __except(GetExceptionCode() == DBG_PRINTEXCEPTION_C)
307 |     {
308 |         return false;
309 |     }
310 | 
311 |     return true;
312 | }
313 | 
314 | {% endhighlight %}
315 | 
316 | <hr class="space">
317 | 
318 | <br />
319 | <h3><a class="a-dummy" name="dbgsetdebugfilterstate">5. DbgSetDebugFilterState()</a></h3>
320 | The functions <tt>ntdll!DbgSetDebugFilterState()</tt> and <tt>ntdll!NtSetDebugFilterState()</tt> only set a flag which will be checked be a kernel-mode debugger if it is present. Therefore, if a kernel debugger is attached to the system, these functions will succeed. However, the functions can also succeed because of side-effects caused by some user-mode debuggers. These functions require administrator privileges.
321 | 
322 | <hr class="space">
323 | 
324 | <b>C/C++ Code</b>
325 | <p></p>
326 | 
327 | {% highlight c %}
328 | 
329 | bool IsDebugged()
330 | {
331 |     return NT_SUCCESS(ntdll::NtSetDebugFilterState(0, 0, TRUE));
332 | }
333 | 
334 | {% endhighlight %}
335 | 
336 | <hr class="space">
337 | 
338 | <br />
339 | <h3><a class="a-dummy" name="switchtothread">6. NtYieldExecution() / SwitchToThread()</a></h3>
340 | This method is not really reliable because it only shows if there a high priority thread in the current process. However, it could be used as an anti-tracing technique.
341 | 
342 | When an application is traced in a debugger and a single-step is executed, the context can't be switched to other thread. This means that <tt>ntdll!NtYieldExecution()</tt> returns <tt>STATUS_NO_YIELD_PERFORMED</tt> (<tt>0x40000024</tt>), which leads to <tt>kernel32!SwitchToThread()</tt> returning zero.
343 | 
344 | The strategy of using this technique is that there is a loop which modifies some counter if <tt>kernel32!SwitchToThread()</tt> returns zero, or <tt>ntdll!NtYieldExecution()</tt> returns <tt>STATUS_NO_YIELD_PERFORMED</tt>. This can be a loop which decrypts strings or some other loop which is supposed to be analyzed manually in a debugger. If the counter has the expected value (expected i.e. the value if all <tt>kernel32!SwitchToThread()</tt> returned zero) after leaving the loop, we consider that the debugger is present.
345 | 
346 | In the example below, we define a one-byte counter (initialized with 0) which shifts one bit to the left if <tt>kernel32!SwitchToThread</tt> returns zero. If it shifts 8 times, then the value of the counter will become 0 and the debugger is considered to be present.
347 | 
348 | <hr class="space">
349 | 
350 | <b>C/C++ Code</b>
351 | <p></p>
352 | 
353 | {% highlight c %}
354 | 
355 | bool IsDebugged()
356 | {
357 |     BYTE ucCounter = 1;
358 |     for (int i = 0; i < 8; i++)
359 |     {
360 |         Sleep(0x0F);
361 |         ucCounter <<= (1 - SwitchToThread());
362 |     }
363 | 
364 |     return ucCounter == 0;
365 | }
366 | 
367 | {% endhighlight %}
368 | 
369 | <hr class="space">
370 | 
371 | <br />
372 | <h3><a class="a-dummy" name="getwritewatch">7. VirtualAlloc() / GetWriteWatch()</a></h3>
373 | This technique was described as a <a href="https://codeinsecurity.wordpress.com/2018/01/24/anti-debug-with-virtualallocs-write-watch/">suggestion</a> for a famous al-khaser solution, a tool for testing VMs, debuggers, sandboxes, AV, etc. against many malware-like defences.
374 | 
375 | The idea is drawn from the <a href="https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-getwritewatch">documentation</a>  for <tt>GetWriteWatch</tt> function where the following is stated in a "Remarks" section:
376 | 
377 | <i>"When you call the <b>VirtualAlloc</b>  function to reserve or commit memory, you can specify <b>MEM_WRITE_WATCH</b>. This value causes the system to keep track of the pages that are written to in the committed memory region. You can call the <b>GetWriteWatch</b> function to retrieve the addresses of the pages that have been written to since the region has been allocated or the write-tracking state has been reset".</i>
378 | 
379 | This feature can be used to track debuggers that may modify memory pages outside the expected pattern.
380 | 
381 | <hr class="space">
382 | 
383 | <b>C/C++ Code (variant 1)</b>
384 | <p></p>
385 | 
386 | {% highlight c %}
387 | 
388 | bool Generic::CheckWrittenPages1() const {
389 |     const int SIZE_TO_CHECK = 4096;
390 | 
391 |     PVOID* addresses = static_cast<PVOID*>(VirtualAlloc(NULL, SIZE_TO_CHECK * sizeof(PVOID), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE));
392 |     if (addresses == NULL)
393 |     {
394 |         return true;
395 |     }
396 | 
397 |     int* buffer = static_cast<int*>(VirtualAlloc(NULL, SIZE_TO_CHECK * SIZE_TO_CHECK, MEM_RESERVE | MEM_COMMIT | MEM_WRITE_WATCH, PAGE_READWRITE));
398 |     if (buffer == NULL)
399 |     {
400 |         VirtualFree(addresses, 0, MEM_RELEASE);
401 |         return true;
402 |     }
403 | 
404 |     // Read the buffer once
405 |     buffer[0] = 1234;
406 | 
407 |     ULONG_PTR hits = SIZE_TO_CHECK;
408 |     DWORD granularity;
409 |     if (GetWriteWatch(0, buffer, SIZE_TO_CHECK, addresses, &hits, &granularity) != 0)
410 |     {
411 |         return true;
412 |     }
413 |     else
414 |     {
415 |         VirtualFree(addresses, 0, MEM_RELEASE);
416 |         VirtualFree(buffer, 0, MEM_RELEASE);
417 | 
418 |         return (hits == 1) ? false : true;
419 |     }
420 | }
421 | 
422 | {% endhighlight %}
423 | 
424 | <hr class="space">
425 | 
426 | <b>C/C++ Code (variant 2)</b>
427 | <p></p>
428 | 
429 | {% highlight c %}
430 | 
431 | bool Generic::CheckWrittenPages2() const {
432 |     BOOL result = FALSE, error = FALSE;
433 | 
434 |     const int SIZE_TO_CHECK = 4096;
435 | 
436 |     PVOID* addresses = static_cast<PVOID*>(VirtualAlloc(NULL, SIZE_TO_CHECK * sizeof(PVOID), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE));
437 |     if (addresses == NULL)
438 |     {
439 |         return true;
440 |     }
441 | 
442 |     int* buffer = static_cast<int*>(VirtualAlloc(NULL, SIZE_TO_CHECK * SIZE_TO_CHECK, MEM_RESERVE | MEM_COMMIT | MEM_WRITE_WATCH, PAGE_READWRITE));
443 |     if (buffer == NULL)
444 |     {
445 |         VirtualFree(addresses, 0, MEM_RELEASE);
446 |         return true;
447 |     }
448 | 
449 |     // Make some calls where a buffer *can* be written to, but isn't actually edited because we pass invalid parameters    
450 |     if (GlobalGetAtomName(INVALID_ATOM, (LPTSTR)buffer, 1) != FALSE
451 |         || GetEnvironmentVariable("This variable does not exist", (LPSTR)buffer, 4096 * 4096) != FALSE
452 |         || GetBinaryType("This name does not exist", (LPDWORD)buffer) != FALSE
453 |         || HeapQueryInformation(0, (HEAP_INFORMATION_CLASS)69, buffer, 4096, NULL) != FALSE
454 |         || ReadProcessMemory(INVALID_HANDLE_VALUE, (LPCVOID)0x69696969, buffer, 4096, NULL) != FALSE
455 |         || GetThreadContext(INVALID_HANDLE_VALUE, (LPCONTEXT)buffer) != FALSE
456 |         || GetWriteWatch(0, &result, 0, NULL, NULL, (PULONG)buffer) == 0)
457 |     {
458 |         result = false;
459 |         error = true;
460 |     }
461 | 
462 |     if (error == FALSE)
463 |     {
464 |         // A this point all calls failed as they're supposed to
465 |         ULONG_PTR hits = SIZE_TO_CHECK;
466 |         DWORD granularity;
467 |         if (GetWriteWatch(0, buffer, SIZE_TO_CHECK, addresses, &hits, &granularity) != 0)
468 |         {
469 |             result = FALSE;
470 |         }
471 |         else
472 |         {
473 |             // Should have zero reads here because GlobalGetAtomName doesn't probe the buffer until other checks have succeeded
474 |             // If there's an API hook or debugger in here it'll probably try to probe the buffer, which will be caught here
475 |             result = hits != 0;
476 |         }
477 |     }
478 | 
479 |     VirtualFree(addresses, 0, MEM_RELEASE);
480 |     VirtualFree(buffer, 0, MEM_RELEASE);
481 | 
482 |     return result;
483 | }
484 | 
485 | {% endhighlight %}
486 | 
487 | <hr class="space">
488 | 
489 | <br />
490 | <h3><a class="a-dummy" name="mitigations">Mitigations</a></h3>
491 | During debugging: Fill anti-debug pr anti-traced checks with <tt>NOP</tt>s.
492 | 
493 |  For anti-anti-debug tool development:
494 | 
495 | 1. For <tt>FindWindow()</tt>: Hook <tt>user32!NtUserFindWindowEx()</tt>. In the hook, call the original <tt>user32!NtUserFindWindowEx()</tt> function. If it is called from the debugged process and the parent process looks suspicious, then return unsuccessfully from the hook.
496 | 
497 | 2. For Parent Process Checks: Hook <tt>ntdll!NtQuerySystemInformation()</tt>. If <tt>SystemInformationClass</tt> is one of the following values:
498 | * <tt>SystemProcessInformation</tt>
499 | * <tt>SystemSessionProcessInformation</tt>
500 | * <tt>SystemExtendedProcessInformation</tt>
501 | 
502 |    and the process name looks suspicious, then the hook must modify the process name.
503 | 
504 | 3. For Selectors: No mitigations.
505 | 
506 | 4. For <tt>DbgPrint</tt>: you have to implement a plugin for a specific debugger and change the behavior of event handler which is triggered after the <tt>DBG_PRINTEXCEPTION_C</tt> exception has arrived.
507 | 
508 | 5. For <tt>DbgSetDebugFilterState()</tt>: Hook <tt>ntdll!NtSetDebugFilterState()</tt>. If the process is running with debug privileges, return unsuccessfully from the hook.
509 | 
510 | 6. For <tt>SwitchToThread</tt>: Hook <tt>ntdll!NtYieldExecution()</tt> and return an unsuccessful status from the hook.
511 | 
512 | 7. For <tt>GetWriteWatch</tt>: Hook <tt>VirtualAlloc()</tt> and <tt>GetWriteWatch()</tt> to track if <tt>VirtualAlloc()</tt> is called with <tt>MEM_WRITE_WATCH</tt> flag. If it is the case, check what is the region to track and return the expected value in <tt>GetWriteWatch()</tt>.
513 | 


--------------------------------------------------------------------------------
/_techniques/object-handles.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | layout: post
  3 | title:  "Anti-Debug: Object Handles"
  4 | title-image: "/assets/icons/object-handles.svg"
  5 | categories: anti-debug 
  6 | tags: object-handles
  7 | ---
  8 | 
  9 | <h1>Contents</h1>
 10 | 
 11 | [Object Handles](#object-handles)
 12 | 
 13 | * [1. OpenProcess()](#openprocess)
 14 | * [2. CreateFile()](#createfile)
 15 | * [3. CloseHandle()](#closehandle)
 16 | * [4. LoadLibrary()](#loadlibrary)
 17 | * [5. NtQueryObject()](#ntqueryobject)
 18 | * [Mitigations](#mitigations)
 19 | <br />
 20 | 
 21 | <hr class="space">
 22 | 
 23 | <h2><a class="a-dummy" name="object-handles">Object Handles</a></h2>
 24 | The following set of techniques represents the checks which use kernel objects handles to detect a debugger presence. Some WinAPI functions that accept kernel object handles as their parameters can behave differently under debugging or cause side-effects that emerge because of debuggers' implementation. Moreover, there are specific kernel objecst that are created by the operation system when debugging begins.
 25 | 
 26 | <br />
 27 | <h3><a class="a-dummy" name="openprocess">1. OpenProcess()</a></h3>
 28 | Some debuggers can be detected by using the <tt>kernel32!OpenProcess()</tt> function  on the <b>csrss.exe</b> process. The call will succeed only if the user for the process is a member of the administrators group and has debug privileges.
 29 | 
 30 | <hr class="space">
 31 | 
 32 | <b>C/C++ Code</b>
 33 | <p></p>
 34 | 
 35 | {% highlight c %}
 36 | 
 37 | typedef DWORD (WINAPI *TCsrGetProcessId)(VOID);
 38 | 
 39 | bool Check()
 40 | {   
 41 |     HMODULE hNtdll = LoadLibraryA("ntdll.dll");
 42 |     if (!hNtdll)
 43 |         return false;
 44 |     
 45 |     TCsrGetProcessId pfnCsrGetProcessId = (TCsrGetProcessId)GetProcAddress(hNtdll, "CsrGetProcessId");
 46 |     if (!pfnCsrGetProcessId)
 47 |         return false;
 48 | 
 49 |     HANDLE hCsr = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pfnCsrGetProcessId());
 50 |     if (hCsr != NULL)
 51 |     {
 52 |         CloseHandle(hCsr);
 53 |         return true;
 54 |     }        
 55 |     else
 56 |         return false;
 57 | }
 58 | 
 59 | {% endhighlight %}
 60 | 
 61 | <hr class="space">
 62 | 
 63 | <br />
 64 | <h3><a class="a-dummy" name="createfile">2. CreateFile()</a></h3>
 65 | When the <tt>CREATE_PROCESS_DEBUG_EVENT</tt> event occurs, the handle of the debugged file is stored in the <a href="https://docs.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-create_process_debug_info">CREATE_PROCESS_DEBUG_INFO</a> structure. Therefore, debuggers can read the debug information from this file. If this handle is not closed by the debugger, the file won't be opened with exclusive access. Some debuggers can forget to close the handle.
 66 | 
 67 | This trick uses <tt>kernel32!CreateFileW()</tt> (or <tt>kernel32!CreateFileA()</tt>) to exclusively open the file of the current process. If the call fails, we can consider that the current process is being run in the presence of a debugger.
 68 | 
 69 | <hr class="space">
 70 | 
 71 | <b>C/C++ Code</b>
 72 | <p></p>
 73 | 
 74 | {% highlight c %}
 75 | 
 76 | bool Check()
 77 | {
 78 |     CHAR szFileName[MAX_PATH];
 79 |     if (0 == GetModuleFileNameA(NULL, szFileName, sizeof(szFileName)))
 80 |         return false;
 81 |     
 82 |     return INVALID_HANDLE_VALUE == CreateFileA(szFileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, 0);
 83 | }
 84 | 
 85 | {% endhighlight %}
 86 | 
 87 | <hr class="space">
 88 | 
 89 | <h3><a class="a-dummy" name="closehandle">3. CloseHandle()</a></h3>
 90 | If a process is running under a debugger and an invalid handle is passed to the <tt>ntdll!NtClose()</tt> or <tt>kernel32!CloseHandle()</tt> function, then the <tt>EXCEPTION_INVALID_HANDLE</tt> (<tt>0xC0000008</tt>) exception will be raised. The exception can be cached by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.
 91 | 
 92 | <hr class="space">
 93 | 
 94 | <b>C/C++ Code</b>
 95 | <p></p>
 96 | 
 97 | {% highlight c %}
 98 | 
 99 | bool Check()
100 | {
101 |     __try
102 |     {
103 |         CloseHandle((HANDLE)0xDEADBEEF);
104 |         return false;
105 |     }
106 |     __except (EXCEPTION_INVALID_HANDLE == GetExceptionCode()
107 |                 ? EXCEPTION_EXECUTE_HANDLER 
108 |                 : EXCEPTION_CONTINUE_SEARCH)
109 |     {
110 |         return true;
111 |     }
112 | }
113 | 
114 | {% endhighlight %}
115 | 
116 | <hr class="space">
117 | 
118 | <h3><a class="a-dummy" name="loadlibrary">4. LoadLibrary()</a></h3>
119 | When a file is loaded to process memory using the <tt>kernel32!LoadLibraryW()</tt> (or <tt>kernel32!LoadLibraryA()</tt>) function, the <tt>LOAD_DLL_DEBUG_EVENT</tt> event occurs. The handle of the loaded file will be stored in the <a href="https://docs.microsoft.com/en-us/windows/win32/api/minwinbase/ns-minwinbase-load_dll_debug_info">LOAD_DLL_DEBUG_INFO</a> structure. Therefore, debuggers can read the debug information from this file. If this handle is not closed by the debugger, the file won't be opened with exclusive access. Some debuggers can forget to close the handle.
120 | 
121 | To check for the debugger presence, we can load any file using <tt>kernel32!LoadLibraryA()</tt> and try to exclusively open it using <tt>kernel32!CreateFileA()</tt>. If the <tt>kernel32!CreateFileA()</tt> call fails, it indicates that the debugger is present.
122 | 
123 | <hr class="space">
124 | 
125 | <b>C/C++ Code</b>
126 | <p></p>
127 | 
128 | {% highlight c %}
129 | 
130 | bool Check()
131 | {
132 |     CHAR szBuffer[] = { "C:\\Windows\\System32\\calc.exe" };
133 |     LoadLibraryA(szBuffer);
134 |     return INVALID_HANDLE_VALUE == CreateFileA(szBuffer, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
135 | }
136 | 
137 | {% endhighlight %}
138 | 
139 | <hr class="space">
140 | 
141 | <h3><a class="a-dummy" name="ntqueryobject">5. NtQueryObject()</a></h3>
142 | When a debugging session begins, a kernel object called <b>"debug object"</b> is created, and a handle is associated with it. Using the <tt>ntdll!NtQueryObject()</tt> function, it is possible to query for the list of existing objects, and check the number of handles associated with any debug object that exists.
143 | 
144 | However this technique can't say for sure if the current process is being debugged right now. It only shows if the debugger is running on the system at all since the system's boot.
145 | 
146 | <hr class="space">
147 | 
148 | <b>C/C++ Code</b>
149 | <p></p>
150 | 
151 | {% highlight c %}
152 | 
153 | typedef struct _OBJECT_TYPE_INFORMATION
154 | {
155 |     UNICODE_STRING TypeName;
156 |     ULONG TotalNumberOfHandles;
157 |     ULONG TotalNumberOfObjects;
158 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
159 | 
160 | typedef struct _OBJECT_ALL_INFORMATION
161 | {
162 |     ULONG NumberOfObjects;
163 |     OBJECT_TYPE_INFORMATION ObjectTypeInformation[1];
164 | } OBJECT_ALL_INFORMATION, *POBJECT_ALL_INFORMATION;
165 | 
166 | typedef NTSTATUS (WINAPI *TNtQueryObject)(
167 |     HANDLE                   Handle,
168 |     OBJECT_INFORMATION_CLASS ObjectInformationClass,
169 |     PVOID                    ObjectInformation,
170 |     ULONG                    ObjectInformationLength,
171 |     PULONG                   ReturnLength
172 | );
173 | 
174 | enum { ObjectAllTypesInformation = 3 };
175 | 
176 | #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
177 | 
178 | bool Check()
179 | {
180 |     bool bDebugged = false;
181 |     NTSTATUS status;
182 |     LPVOID pMem = nullptr;
183 |     ULONG dwMemSize;
184 |     POBJECT_ALL_INFORMATION pObjectAllInfo;
185 |     PBYTE pObjInfoLocation;
186 |     HMODULE hNtdll;
187 |     TNtQueryObject pfnNtQueryObject;
188 |     
189 |     hNtdll = LoadLibraryA("ntdll.dll");
190 |     if (!hNtdll)
191 |         return false;
192 |         
193 |     pfnNtQueryObject = (TNtQueryObject)GetProcAddress(hNtdll, "NtQueryObject");
194 |     if (!pfnNtQueryObject)
195 |         return false;
196 | 
197 |     status = pfnNtQueryObject(
198 |         NULL,
199 |         (OBJECT_INFORMATION_CLASS)ObjectAllTypesInformation,
200 |         &dwMemSize, sizeof(dwMemSize), &dwMemSize);
201 |     if (STATUS_INFO_LENGTH_MISMATCH != status)
202 |         goto NtQueryObject_Cleanup;
203 | 
204 |     pMem = VirtualAlloc(NULL, dwMemSize, MEM_COMMIT, PAGE_READWRITE);
205 |     if (!pMem)
206 |         goto NtQueryObject_Cleanup;
207 | 
208 |     status = pfnNtQueryObject(
209 |         (HANDLE)-1,
210 |         (OBJECT_INFORMATION_CLASS)ObjectAllTypesInformation,
211 |         pMem, dwMemSize, &dwMemSize);
212 |     if (!SUCCEEDED(status))
213 |         goto NtQueryObject_Cleanup;
214 | 
215 |     pObjectAllInfo = (POBJECT_ALL_INFORMATION)pMem;
216 |     pObjInfoLocation = (PBYTE)pObjectAllInfo->ObjectTypeInformation;
217 |     for(UINT i = 0; i < pObjectAllInfo->NumberOfObjects; i++)
218 |     {
219 | 
220 |         POBJECT_TYPE_INFORMATION pObjectTypeInfo =
221 |             (POBJECT_TYPE_INFORMATION)pObjInfoLocation;
222 | 
223 |         if (wcscmp(L"DebugObject", pObjectTypeInfo->TypeName.Buffer) == 0)
224 |         {
225 |             if (pObjectTypeInfo->TotalNumberOfObjects > 0)
226 |                 bDebugged = true;
227 |             break;
228 |         }
229 | 
230 |         // Get the address of the current entries
231 |         // string so we can find the end
232 |         pObjInfoLocation = (PBYTE)pObjectTypeInfo->TypeName.Buffer;
233 | 
234 |         // Add the size
235 |         pObjInfoLocation += pObjectTypeInfo->TypeName.Length;
236 | 
237 |         // Skip the trailing null and alignment bytes
238 |         ULONG tmp = ((ULONG)pObjInfoLocation) & -4;
239 | 
240 |         // Not pretty but it works
241 |         pObjInfoLocation = ((PBYTE)tmp) + sizeof(DWORD);
242 |     }
243 | 
244 | NtQueryObject_Cleanup:
245 |     if (pMem)
246 |         VirtualFree(pMem, 0, MEM_RELEASE);
247 | 
248 |     return bDebugged;
249 | }
250 | 
251 | {% endhighlight %}
252 | 
253 | <hr class="space">
254 | 
255 | <br />
256 | <h3><a class="a-dummy" name="mitigations">Mitigations</a></h3>
257 | The simplest way to mitigate these checks is to just manually trace the program till a check and then skip it (e.g. patch with <tt>NOP</tt>s or change the instruction pointer or change the Zero Flag after the check).
258 | 
259 | If you write an anti-anti-debug solution, you need to hook the listed functions and change return values after analyzing their input:<br />
260 | 
261 | * <tt>ntdll!OpenProcess</tt>: Return <tt>NULL</tt> if the third argument is the handle of <b>csrss.exe</b>.
262 | * <tt>ntdll!NtClose</tt>: You can check if it is possible to retrieve any information about the input handle using <tt>ntdll!NtQueryObject()</tt> and not throw an exception if the handle is invalid.
263 | * <tt>ntdll!NtQueryObject</tt>: Filter debug objects from the results if the <tt>ObjectAllTypesInformation</tt> class is queried.
264 |   
265 | The following techniques should be handled without hooks:
266 | 
267 | * <tt>ntdll!NtCreateFile</tt>: Too generic to mitigate. However, if you write a plugin for a specific debugger, you can ensure that the handle of the debugged file is closed.
268 | * <tt>kernel32!LoadLibraryW/A</tt>: No mitigation.
269 | 


--------------------------------------------------------------------------------
/_techniques/process-memory.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | layout: post
  3 | title:  "Anti-Debug: Process Memory"
  4 | title-image: "/assets/icons/memory.svg"
  5 | categories: anti-debug 
  6 | tags: process-memory
  7 | ---
  8 | 
  9 | <h1>Contents</h1>
 10 | 
 11 | [Process Memory](#process-memory)
 12 | 
 13 | * [1. Breakpoints](#breakpoints)
 14 |     * [1.1. Software Breakpoints (INT3)](#software-breakpoints)
 15 |     * [1.2. Anti-Step-Over](#anti-step-over)
 16 |         * [1.2.1. Direct Memory Modification](#direct-memory-modification)
 17 |         * [1.2.2. ReadFile()](#readfile)
 18 |         * [1.2.3. WriteProcessMemory()](#writeprocessmemory)
 19 |         * [1.2.4. Toolhelp32ReadProcessMemory()](#toolhelp32readprocessmemory)
 20 |     * [1.3. Memory Breakpoints](#memory-breakpoints)
 21 |     * [1.4. Hardware Breakpoints](#hardware-breakpoints)
 22 | * [2. Other memory checks](#other-memory-checks)
 23 |     * [2.1. NtQueryVirtualMemory()](#ntqueryvirtualmemory)
 24 |     * [2.2. Detecting a function patch](#detecting-a-function-patch)
 25 |     * [2.3. Patch ntdll!DbgBreakPoint()](#patch_ntdll_dbgbreakpoint)
 26 |     * [2.4. Patch ntdll!DbgUiRemoteBreakin()](#patch_ntdll_dbguiremotebreakin)
 27 |     * [2.5  Performing Code Checksums](#code-checksums)
 28 | * [Mitigations](#mitigations)
 29 | <br />
 30 | 
 31 | <hr class="space">
 32 | 
 33 | <h2><a class="a-dummy" name="process-memory">Process Memory</a></h2>
 34 | A process can examine its own memory to either detect the debugger presence or interfere with the debugger.
 35 | 
 36 | This section includes the process memory and examining the thread contexts, searching for breakpoints, and function patching as anti-attaching methods.
 37 | 
 38 | <br />
 39 | <h3><a class="a-dummy" name="breakpoints">1. Breakpoints</a></h3>
 40 | It is always possible to examine the process memory and search for software breakpoints in the code, or check the CPU debug registers to determine if hardware breakpoints are set.
 41 | 
 42 | <br />
 43 | <h4><a class="a-dummy" name="software-breakpoints">1.1. Software Breakpoints (INT3)</a></h4>
 44 | The idea is to identify the machine code of some functions for <tt>0xCC</tt> byte which stands for <tt>INT 3</tt> assembly instruction.
 45 | 
 46 | This method can generate many false-positive cases and should therefore be used with caution.
 47 | 
 48 | <hr class="space">
 49 | 
 50 | <b>C/C++ Code</b>
 51 | <p></p>
 52 | 
 53 | {% highlight c %}
 54 | 
 55 | bool CheckForSpecificByte(BYTE cByte, PVOID pMemory, SIZE_T nMemorySize = 0)
 56 | {
 57 |     PBYTE pBytes = (PBYTE)pMemory; 
 58 |     for (SIZE_T i = 0; ; i++)
 59 |     {
 60 |         // Break on RET (0xC3) if we don't know the function's size
 61 |         if (((nMemorySize > 0) && (i >= nMemorySize)) ||
 62 |             ((nMemorySize == 0) && (pBytes[i] == 0xC3)))
 63 |             break;
 64 | 
 65 |         if (pBytes[i] == cByte)
 66 |             return true;
 67 |     }
 68 |     return false;
 69 | }
 70 | 
 71 | bool IsDebugged()
 72 | {
 73 |     PVOID functionsToCheck[] = {
 74 |         &Function1,
 75 |         &Function2,
 76 |         &Function3,
 77 |     };
 78 |     for (auto funcAddr : functionsToCheck)
 79 |     {
 80 |         if (CheckForSpecificByte(0xCC, funcAddr))
 81 |             return true;
 82 |     }
 83 |     return false;
 84 | }
 85 | 
 86 | {% endhighlight %}
 87 | 
 88 | <br />
 89 | <h4><a class="a-dummy" name="anti-step-over">1.2. Anti-Step-Over</a></h4>
 90 | Debuggers allow you to step over the function call. In such a case, the debugger implicitly sets a software breakpoint on the instruction which follows the call (i.e. the return address of the called function).
 91 | 
 92 | To detect if there was an attempt to step over the function,  we can examine the first byte of memory at the return address. If a software breakpoint (<tt>0xCC</tt>) is located at the return address, we can patch it with some other instruction (e.g. <tt>NOP</tt>). It will most likely break the code and crash the process. On the other hand, we can patch the return address with some meaningful code instead of <tt>NOP</tt> and change the control flow of the program.
 93 | 
 94 | <hr class="space">
 95 | 
 96 | <h5><a class="a-dummy" name="direct-memory-modification">1.2.1. Direct Memory Modification</a></h5>
 97 | It is possible to check from inside a function if there is a software breakpoint after the call of this function. We can read one byte at the return address and if the byte is equal to <tt>0xCC</tt> (<tt>INT 3</tt>), it can be rewritten by <tt>0x90</tt> (<tt>NOP</tt>). The process will probably crash because we damage the instruction at the return address. However, if you know which instruction follows the function call, you can rewrite the breakpoint with the first byte of this instruction.
 98 | 
 99 | <hr class="space">
100 | 
101 | <b>C/C++ Code</b>
102 | <p></p>
103 | 
104 | {% highlight c %}
105 | 
106 | #include <intrin.h>
107 | #pragma intrinsic(_ReturnAddress)
108 | 
109 | void foo()
110 | {
111 |     // ...
112 |     
113 |     PVOID pRetAddress = _ReturnAddress();
114 |     if (*(PBYTE)pRetAddress == 0xCC) // int 3
115 |     {
116 |         DWORD dwOldProtect;
117 |         if (VirtualProtect(pRetAddress, 1, PAGE_EXECUTE_READWRITE, &dwOldProtect))
118 |         {
119 |             *(PBYTE)pRetAddress = 0x90; // nop
120 |             VirtualProtect(pRetAddress, 1, dwOldProtect, &dwOldProtect);
121 |         }
122 |     }
123 |     
124 |     // ...
125 | }
126 | 
127 | {% endhighlight %}
128 | 
129 | <hr class="space">
130 | 
131 | <h5><a class="a-dummy" name="readfile">1.2.2. ReadFile()</a></h5>
132 | The method uses the <tt>kernel32!ReadFile()</tt> function to patch the code at the return address.
133 | 
134 | The idea is to read the executable file of the current process and pass the return address as the output buffer to <tt>kernel32!ReadFile()</tt>. The byte at the return address will be patched with <tt>'M'</tt> character (the first byte of PE image) and the process will probably crash.
135 | 
136 | <hr class="space">
137 | 
138 | <b>C/C++ Code</b>
139 | <p></p>
140 | 
141 | {% highlight c %}
142 | 
143 | #include <intrin.h>
144 | #pragma intrinsic(_ReturnAddress)
145 | 
146 | void foo()
147 | {
148 |     // ...
149 |     
150 |     PVOID pRetAddress = _ReturnAddress();
151 |     if (*(PBYTE)pRetAddress == 0xCC) // int 3
152 |     {
153 |         DWORD dwOldProtect, dwRead;
154 |         CHAR szFilePath[MAX_PATH];
155 |         HANDLE hFile;
156 | 
157 |         if (VirtualProtect(pRetAddress, 1, PAGE_EXECUTE_READWRITE, &dwOldProtect))
158 |         {
159 |             if (GetModuleFileNameA(NULL, szFilePath, MAX_PATH))
160 |             {
161 |                 hFile = CreateFileA(szFilePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
162 |                 if (INVALID_HANDLE_VALUE != hFile)
163 |                     ReadFile(hFile, pRetAddress, 1, &dwRead, NULL);
164 |             }
165 |             VirtualProtect(pRetAddress, 1, dwOldProtect, &dwOldProtect);
166 |         }
167 |     }
168 |     
169 |     // ...
170 | }
171 | 
172 | {% endhighlight %}
173 | 
174 | <hr class="space">
175 | 
176 | <h5><a class="a-dummy" name="writeprocessmemory">1.2.3. WriteProcessMemory()</a></h5>
177 | This method uses the <tt>kernel32!WriteProcessMemory()</tt> function for patching the code at the return address.
178 | 
179 | <hr class="space">
180 | 
181 | <b>C/C++ Code</b>
182 | <p></p>
183 | 
184 | {% highlight c %}
185 | 
186 | #include <intrin.h>
187 | #pragma intrinsic(_ReturnAddress)
188 | 
189 | void foo()
190 | {
191 |     // ...
192 |     
193 |     BYTE Patch = 0x90;
194 |     PVOID pRetAddress = _ReturnAddress();
195 |     if (*(PBYTE)pRetAddress == 0xCC)
196 |     {
197 |         DWORD dwOldProtect;
198 |         if (VirtualProtect(pRetAddress, 1, PAGE_EXECUTE_READWRITE, &dwOldProtect))
199 |         {
200 |             WriteProcessMemory(GetCurrentProcess(), pRetAddress, &Patch, 1, NULL);
201 |             VirtualProtect(pRetAddress, 1, dwOldProtect, &dwOldProtect);
202 |         }
203 |     }
204 |     
205 |     // ...
206 | }
207 | 
208 | {% endhighlight %}
209 | 
210 | <hr class="space">
211 | 
212 | <h5><a class="a-dummy" name="toolhelp32readprocessmemory">1.2.4. Toolhelp32ReadProcessMemory()</a></h5>
213 | The function <tt>kernel32!Toolhelp32ReadProcessMemory()</tt> allows you to read the memory of other processes. However, it can be used for checking an anti-step-over condition.
214 | 
215 | <hr class="space">
216 | 
217 | <b>C/C++ Code</b>
218 | <p></p>
219 | 
220 | {% highlight c %}
221 | 
222 | #include <TlHelp32.h>
223 | 
224 | bool foo()
225 | {
226 |     // ..
227 |     
228 |     PVOID pRetAddress = _ReturnAddress();
229 |     BYTE uByte;
230 |     if (FALSE != Toolhelp32ReadProcessMemory(GetCurrentProcessId(), _ReturnAddress(), &uByte, sizeof(BYTE), NULL))
231 |     {
232 |         if (uByte == 0xCC)
233 |             ExitProcess(0);
234 |     }
235 |     
236 |     // ..
237 | }
238 | 
239 | {% endhighlight %}
240 | 
241 | <br />
242 | <h4><a class="a-dummy" name="memory-breakpoints">1.3. Memory Breakpoints</a></h4>
243 | Memory breakpoints are implemented by using guard pages (at least, in OllyDbg and ImmunityDebugger). A guard page provides a one-shot alarm for memory page access. When a guard page is executed, the exception <tt>STATUS_GUARD_PAGE_VIOLATION</tt> is raised.
244 | 
245 | A guard page can be created by setting the <tt>PAGE_GUARD</tt> page protection modifier in the <tt>kernel32!VirtualAlloc()</tt>, <tt>kernel32!VirtualAllocEx()</tt>, <tt>kernel32!VirtualProtect()</tt>, and <tt>kernel32!VirtualProtectEx()</tt> functions.
246 | 
247 | However, we can abuse the way the debuggers implement memory breakpoints to check whether the program is executed under a debugger. We can allocate an executable buffer which contains only one byte <tt>0xC3</tt> which stands for <tt>RET</tt> instruction. We then mark this buffer as a guard page, push the address where the case if a debugger is present is handled to the stack, and jump to the allocated buffer. The instruction <tt>RET</tt> will be executed and if the debugger (OllyDbg or ImmunityDebugger) is present, we'll get to the address we had pushed to the stack. If the program is executed without the debugger, we'll get to an exception handler.
248 | 
249 | <hr class="space">
250 | 
251 | <b>C/C++ Code</b>
252 | <p></p>
253 | 
254 | {% highlight c %}
255 | 
256 | bool IsDebugged()
257 | {
258 |     DWORD dwOldProtect = 0;
259 |     SYSTEM_INFO SysInfo = { 0 };
260 | 
261 |     GetSystemInfo(&SysInfo);
262 |     PVOID pPage = VirtualAlloc(NULL, SysInfo.dwPageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 
263 |     if (NULL == pPage)
264 |         return false; 
265 | 
266 |     PBYTE pMem = (PBYTE)pPage;
267 |     *pMem = 0xC3; 
268 | 
269 |     // Make the page a guard page         
270 |     if (!VirtualProtect(pPage, SysInfo.dwPageSize, PAGE_EXECUTE_READWRITE | PAGE_GUARD, &dwOldProtect))
271 |         return false;
272 | 
273 |     __try
274 |     {
275 |         __asm
276 |         {
277 |             mov eax, pPage
278 |             push mem_bp_being_debugged
279 |             jmp eax
280 |         }
281 |     }
282 |     __except(EXCEPTION_EXECUTE_HANDLER)
283 |     {
284 |         VirtualFree(pPage, NULL, MEM_RELEASE);
285 |         return false;
286 |     }
287 | 
288 | mem_bp_being_debugged:
289 |     VirtualFree(pPage, NULL, MEM_RELEASE);
290 |     return true;
291 | }
292 | 
293 | {% endhighlight %}
294 | 
295 | <br />
296 | <h4><a class="a-dummy" name="hardware-breakpoints">1.4. Hardware Breakpoints</a></h4>
297 | Debug registers <tt>DR0</tt>, <tt>DR1</tt>, <tt>DR2</tt> and <tt>DR3</tt> can be retrieved from the thread context. If they contain non-zero values, it may mean that the process is executed under a debugger and a hardware breakpoint was set.
298 | 
299 | <hr class="space">
300 | 
301 | <b>C/C++ Code</b>
302 | <p></p>
303 | 
304 | {% highlight c %}
305 | 
306 | bool IsDebugged()
307 | {
308 |     CONTEXT ctx;
309 |     ZeroMemory(&ctx, sizeof(CONTEXT)); 
310 |     ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS; 
311 | 
312 |     if(!GetThreadContext(GetCurrentThread(), &ctx))
313 |         return false;
314 | 
315 |     return ctx.Dr0 || ctx.Dr1 || ctx.Dr2 || ctx.Dr3;
316 | }
317 | 
318 | {% endhighlight %}
319 | 
320 | <br />
321 | <h3><a class="a-dummy" name="other-memory-checks">2. Other memory checks</a></h3>
322 | This section contains techniques which directly examine or manipulate the virtual memory of running processes to detect or prevent the debugging.
323 | 
324 | <br />
325 | <h4><a class="a-dummy" name="ntqueryvirtualmemory">2.1. NtQueryVirtualMemory()</a></h4>
326 | Memory pages of the process where code is located are shared between all processes until a page is written. Afterward, the OS makes a copy of this page and map it to the process virtual memory so this page is no longer "shared".
327 | 
328 | Therefore, we can query the <a href="https://docs.microsoft.com/en-us/windows/win32/memory/working-set?redirectedfrom=MSDN">Working Set</a> of the current process and check the <tt>Shared</tt> and <tt>ShareCount</tt> fields of the Working Set Block for the page with code. If there were software breakpoints in the code, these fields must not be set.
329 | 
330 | <hr class="space">
331 | 
332 | <b>NTDLL declarations</b>
333 | <p></p>
334 | 
335 | {% highlight c %}
336 | 
337 | namespace ntdll
338 | {
339 | //...
340 | 
341 | #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
342 | 
343 | // ...
344 | 
345 | typedef enum _MEMORY_INFORMATION_CLASS {
346 |     MemoryBasicInformation,
347 |     MemoryWorkingSetList,
348 | } MEMORY_INFORMATION_CLASS;
349 | 
350 | // ...
351 | 
352 | typedef union _PSAPI_WORKING_SET_BLOCK {
353 |     ULONG Flags;
354 |     struct {
355 |         ULONG Protection :5;
356 |         ULONG ShareCount :3;
357 |         ULONG Shared     :1;
358 |         ULONG Reserved   :3;
359 |         ULONG VirtualPage:20;
360 |     };
361 | } PSAPI_WORKING_SET_BLOCK, *PPSAPI_WORKING_SET_BLOCK;
362 | 
363 | typedef struct _MEMORY_WORKING_SET_LIST
364 | {
365 |     ULONG NumberOfPages;
366 |     PSAPI_WORKING_SET_BLOCK WorkingSetList[1];
367 | } MEMORY_WORKING_SET_LIST, *PMEMORY_WORKING_SET_LIST;
368 | 
369 | // ...
370 | }
371 | 
372 | {% endhighlight %}
373 | 
374 | <hr class="space">
375 | 
376 | <b>C/C++ Code</b>
377 | <p></p>
378 | 
379 | {% highlight c %}
380 | 
381 | bool IsDebugged()
382 | {
383 | #ifndef _WIN64
384 |     NTSTATUS status;
385 |     PBYTE pMem = nullptr;
386 |     DWORD dwMemSize = 0;
387 | 
388 |     do
389 |     {
390 |         dwMemSize += 0x1000;
391 |         pMem = (PBYTE)_malloca(dwMemSize);
392 |         if (!pMem)
393 |             return false;
394 | 
395 |         memset(pMem, 0, dwMemSize);
396 |         status = ntdll::NtQueryVirtualMemory(
397 |             GetCurrentProcess(), 
398 |             NULL, 
399 |             ntdll::MemoryWorkingSetList, 
400 |             pMem, 
401 |             dwMemSize, 
402 |             NULL);
403 |     } while (status == STATUS_INFO_LENGTH_MISMATCH);
404 | 
405 |     ntdll::PMEMORY_WORKING_SET_LIST pWorkingSet = (ntdll::PMEMORY_WORKING_SET_LIST)pMem;
406 |     for (ULONG i = 0; i < pWorkingSet->NumberOfPages; i++)
407 |     {
408 |         DWORD dwAddr = pWorkingSet->WorkingSetList[i].VirtualPage << 0x0C;
409 |         DWORD dwEIP = 0;
410 |         __asm
411 |         {
412 |             push eax
413 |             call $+5
414 |             pop eax
415 |             mov dwEIP, eax
416 |             pop eax
417 |         }
418 | 
419 |         if (dwAddr == (dwEIP & 0xFFFFF000))
420 |             return (pWorkingSet->WorkingSetList[i].Shared == 0) || (pWorkingSet->WorkingSetList[i].ShareCount == 0);
421 |     }
422 | #endif // _WIN64
423 |     return false;
424 | }
425 | 
426 | {% endhighlight %}
427 | 
428 | <i>Credits for this technique: <a href="https://www.virusbulletin.com/virusbulletin/2012/12/journey-sirefef-packer-research-case-study">Virus Bulletin</a> </i>
429 | 
430 | <br />
431 | <h4><a class="a-dummy" name="detecting-a-function-patch">2.2. Detecting a function patch</a></h4>
432 | A popular way to detect a debugger is to call <tt>kernel32!IsDebuggerPresent()</tt>. It's simple to mitigate this check e.g. to change the result in the <tt>EAX</tt> register or to patch the <tt>kernel32!IsDebuggerPresent()</tt> function's code.
433 | 
434 | Therefore, instead of examining the process memory for breakpoints, we can verify if <tt>kernel32!IsDebuggerPresent()</tt> was modified. We can read the first bytes of this function and compare them to these bytes of the same function from other processes. Even with enabled ASLR, Windows libraries are loaded to the same base addresses in all the processes. The base addresses are changed only after a reboot, but for all the processes they will stay the same during the session.
435 | 
436 | <hr class="space">
437 | 
438 | <b>C/C++ Code</b>
439 | <p></p>
440 | 
441 | {% highlight c %}
442 | 
443 | bool IsDebuggerPresent()
444 | {
445 |     HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
446 |     if (!hKernel32)
447 |         return false;
448 | 
449 |     FARPROC pIsDebuggerPresent = GetProcAddress(hKernel32, "IsDebuggerPresent");
450 |     if (!pIsDebuggerPresent)
451 |         return false;
452 | 
453 |     HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
454 |     if (INVALID_HANDLE_VALUE == hSnapshot)
455 |         return false;
456 | 
457 |     PROCESSENTRY32W ProcessEntry;
458 |     ProcessEntry.dwSize = sizeof(PROCESSENTRY32W);
459 | 
460 |     if (!Process32FirstW(hSnapshot, &ProcessEntry))
461 |         return false;
462 | 
463 |     bool bDebuggerPresent = false;
464 |     HANDLE hProcess = NULL;
465 |     DWORD dwFuncBytes = 0;
466 |     const DWORD dwCurrentPID = GetCurrentProcessId();
467 |     do
468 |     {
469 |         __try
470 |         {
471 |             if (dwCurrentPID == ProcessEntry.th32ProcessID)
472 |                 continue;
473 | 
474 |             hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessEntry.th32ProcessID);
475 |             if (NULL == hProcess)
476 |                 continue;
477 | 
478 |             if (!ReadProcessMemory(hProcess, pIsDebuggerPresent, &dwFuncBytes, sizeof(DWORD), NULL))
479 |                 continue;
480 | 
481 |             if (dwFuncBytes != *(PDWORD)pIsDebuggerPresent)
482 |             {
483 |                 bDebuggerPresent = true;
484 |                 break;
485 |             }
486 |         }
487 |         __finally
488 |         {
489 |             if (hProcess)
490 |                 CloseHandle(hProcess);
491 |         }
492 |     } while (Process32NextW(hSnapshot, &ProcessEntry));
493 | 
494 |     if (hSnapshot)
495 |         CloseHandle(hSnapshot);
496 |     return bDebuggerPresent;
497 | }
498 | 
499 | {% endhighlight %}
500 | 
501 | <i>Credits for this technique: <a href="https://habr.com/en/post/178183/">Rouse_</a> </i>
502 | 
503 | <br />
504 | <h4><a class="a-dummy" name="patch_ntdll_dbgbreakpoint">2.3. Patch ntdll!DbgBreakPoint()</a></h4>
505 | The function <tt>ntdll!DbgBreakPoint()</tt> has the following implementation:
506 | 
507 | <div style="text-align: center">
508 |   <img src="{{site.baseurl}}/assets/images/dbgbreakpoint.png">
509 | </div>
510 | 
511 | <br />It is called when a debugger attaches to a running process. It allows the debugger to gain control because an exception is raised which it can intercept. If we erase the breakpoint inside <tt>ntdll!DbgBreakPoint()</tt>, the debugger won't break in and the thread will exit.
512 | 
513 | <hr class="space">
514 | 
515 | <b>C/C++ Code</b>
516 | <p></p>
517 | 
518 | {% highlight c %}
519 | 
520 | void Patch_DbgBreakPoint()
521 | {
522 |     HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
523 |     if (!hNtdll)
524 |         return;
525 | 
526 |     FARPROC pDbgBreakPoint = GetProcAddress(hNtdll, "DbgBreakPoint");
527 |     if (!pDbgBreakPoint)
528 |         return;
529 | 
530 |     DWORD dwOldProtect;
531 |     if (!VirtualProtect(pDbgBreakPoint, 1, PAGE_EXECUTE_READWRITE, &dwOldProtect))
532 |         return;
533 | 
534 |     *(PBYTE)pDbgBreakPoint = (BYTE)0xC3; // ret
535 | }
536 | 
537 | {% endhighlight %}
538 | 
539 | <br />
540 | <h4><a class="a-dummy" name="patch_ntdll_dbguiremotebreakin">2.4. Patch ntdll!DbgUiRemoteBreakin()</a></h4>
541 | When a debugger calls the <tt>kernel32!DebugActiveProcess()</tt>, a debugger calls <tt>ntdll!DbgUiRemoteBreakin()</tt> correspondingly. To prevent the debugger from attaching to the process, we can patch <tt>ntdll!DbgUiRemoteBreakin()</tt> code to invoke the <tt>kernel32!TerminateProcess()</tt>.
542 | 
543 | In the example below we patch <tt>ntdll!DbgUiRemoteBreakin()</tt> with the following code:
544 | {% highlight asm %}
545 | 6A 00             push 0
546 | 68 FF FF FF FF    push -1 ; GetCurrentProcess() result
547 | B8 XX XX XX XX    mov  eax, kernel32!TreminateProcess
548 | FF D0             call eax
549 | {% endhighlight %}
550 | 
551 | <br />As the result, the application will terminate itself once we try to attach the debugger to it.
552 | 
553 | <hr class="space">
554 | 
555 | <b>C/C++ Code</b>
556 | <p></p>
557 | 
558 | {% highlight c %}
559 | 
560 | #pragma pack(push, 1)
561 |     struct DbgUiRemoteBreakinPatch
562 |     {
563 |         WORD  push_0;
564 |         BYTE  push;
565 |         DWORD CurrentPorcessHandle;
566 |         BYTE  mov_eax;
567 |         DWORD TerminateProcess;
568 |         WORD  call_eax;
569 |     };
570 | #pragma pack(pop)
571 | 
572 | void Patch_DbgUiRemoteBreakin()
573 | {
574 |     HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
575 |     if (!hNtdll)
576 |         return;
577 | 
578 |     FARPROC pDbgUiRemoteBreakin = GetProcAddress(hNtdll, "DbgUiRemoteBreakin");
579 |     if (!pDbgUiRemoteBreakin)
580 |         return;
581 | 
582 |     HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
583 |     if (!hKernel32)
584 |         return;
585 | 
586 |     FARPROC pTerminateProcess = GetProcAddress(hKernel32, "TerminateProcess");
587 |     if (!pTerminateProcess)
588 |         return;
589 | 
590 |     DbgUiRemoteBreakinPatch patch = { 0 };
591 |     patch.push_0 = '\x6A\x00';
592 |     patch.push = '\x68';
593 |     patch.CurrentPorcessHandle = 0xFFFFFFFF;
594 |     patch.mov_eax = '\xB8';
595 |     patch.TerminateProcess = (DWORD)pTerminateProcess;
596 |     patch.call_eax = '\xFF\xD0';
597 | 
598 |     DWORD dwOldProtect;
599 |     if (!VirtualProtect(pDbgUiRemoteBreakin, sizeof(DbgUiRemoteBreakinPatch), PAGE_READWRITE, &dwOldProtect))
600 |         return;
601 | 
602 |     ::memcpy_s(pDbgUiRemoteBreakin, sizeof(DbgUiRemoteBreakinPatch),
603 |         &patch, sizeof(DbgUiRemoteBreakinPatch));
604 |     VirtualProtect(pDbgUiRemoteBreakin, sizeof(DbgUiRemoteBreakinPatch), dwOldProtect, &dwOldProtect);
605 | }
606 | 
607 | {% endhighlight %}
608 | 
609 | <i>Credits for this technique: <a href="https://habr.com/en/post/178183/">Rouse_</a> </i>
610 | 
611 | <br />
612 | <h4><a class="a-dummy" name="code-checksums">2.5  Performing Code Checksums</a></h4>
613 | Verifying code checksum is a reliable way to detect software breakpoints, debugger's step-overs, functions' inline hooks, or data modification.
614 | 
615 | The example below shows how it is possible to verify the checksum of a function.
616 | 
617 | <b>C/C++ Code</b>
618 | <p></p>
619 | 
620 | {% highlight c %}
621 | 
622 | PVOID g_pFuncAddr;
623 | DWORD g_dwFuncSize;
624 | DWORD g_dwOriginalChecksum;
625 | 
626 | static void VeryImportantFunction()
627 | {
628 |     // ...
629 | }
630 | 
631 | static DWORD WINAPI ThreadFuncCRC32(LPVOID lpThreadParameter)
632 | {
633 |     while (true)
634 |     {
635 |         if (CRC32((PBYTE)g_pFuncAddr, g_dwFuncSize) != g_dwOriginalChecksum)
636 |             ExitProcess(0);
637 |         Sleep(10000);
638 |     }
639 |     return 0;
640 | }
641 | 
642 | size_t DetectFunctionSize(PVOID pFunc)
643 | {
644 |     PBYTE pMem = (PBYTE)pFunc;
645 |     size_t nFuncSize = 0;
646 |     do
647 |     {
648 |         ++nFuncSize;
649 |     } while (*(pMem++) != 0xC3);
650 |     return nFuncSize;
651 | }
652 | 
653 | int main()
654 | {
655 |     g_pFuncAddr = (PVOID)&VeryImportantFunction;
656 |     g_dwFuncSize = DetectFunctionSize(g_pFuncAddr);
657 |     g_dwOriginalChecksum = CRC32((PBYTE)g_pFuncAddr, g_dwFuncSize);
658 |     
659 |     HANDLE hChecksumThread = CreateThread(NULL, NULL, ThreadFuncCRC32, NULL, NULL, NULL);
660 |     
661 |     // ...
662 |     
663 |     return 0;
664 | }
665 | 
666 | {% endhighlight %}
667 | 
668 | <hr class="space">
669 | 
670 | <br />
671 | <h3><a class="a-dummy" name="mitigations">Mitigations</a></h3>
672 | * During debugging:
673 |     * For Anti-Step-Over tricks: Step in the function which performs the Step-Over check and execute it till the end (Ctrl+F9 in OllyDbg/x32/x64dbg).
674 |     * The best way to mitigate all the "memory" tricks (including Anti-Step-Over) is to find the exact check and patch it with <tt>NOP</tt>s, or set the return value which allows the application to execute further.
675 | * For anti-anti-debug tool development:
676 |     * Breakpoints scan: 
677 |         * Software Breakpoint & Anti-Step-Over: There is no possibility of interfering with these checks as they don't need to use API and they access memory directly.
678 |         * Memory Breakpoints: In general, it is possible to track the sequence of function that are called to apply this check.
679 |         * Hardware Breakpoints: Hook <tt>kernel32!GetThreadContext()</tt> and modify debug registers.
680 |     * Other checks: No mitigations.
681 | 


--------------------------------------------------------------------------------
/_techniques/timing.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | layout: post
  3 | title:  "Anti-Debug: Timing"
  4 | title-image: "/assets/icons/timing.svg"
  5 | categories: anti-debug 
  6 | tags: timing
  7 | ---
  8 | 
  9 | <h1>Contents</h1>
 10 | 
 11 | [Timing](#timing)
 12 | 
 13 | * [1. RDPMC/RDTSC](#rdpmc_rdtsc)
 14 | * [2. GetLocalTime()](#getlocaltime)
 15 | * [3. GetSystemTime()](#getsystemtime)
 16 | * [4. GetTickCount()](#gettickcount)
 17 | * [5. ZwGetTickCount() / KiGetTickCount()](#kernel-timing)
 18 | * [6. QueryPerformanceCounter()](#queryperformancecounter)
 19 | * [7. timeGetTime()](#timegettime)
 20 | * [Mitigations](#mitigations)
 21 | <br />
 22 | 
 23 | <hr class="space">
 24 | 
 25 | <h2><a class="a-dummy" name="timing">Timing</a></h2>
 26 | When a process is traced in a debugger, there is a huge delay between instructions and execution. The "native" delay between some parts of code can be measured and compared with the actual delay using several approaches.
 27 | 
 28 | <br />
 29 | <h3><a class="a-dummy" name="rdpmc_rdtsc">1. RDPMC/RDTSC</a></h3>
 30 | These instructions require the flag <tt>PCE</tt> to be set in <tt>CR4</tt> register.
 31 | 
 32 | <hr class="space">
 33 | 
 34 | <tt>RDPMC</tt> instruction can be used only in Kernel Mode.
 35 | 
 36 | <b>C/C++ Code</b>
 37 | <p></p>
 38 | 
 39 | {% highlight c %}
 40 | 
 41 | bool IsDebugged(DWORD64 qwNativeElapsed)
 42 | {
 43 |     ULARGE_INTEGER Start, End;
 44 |     __asm
 45 |     {
 46 |         xor  ecx, ecx
 47 |         rdpmc
 48 |         mov  Start.LowPart, eax
 49 |         mov  Start.HighPart, edx
 50 |     }
 51 |     // ... some work
 52 |     __asm
 53 |     {
 54 |         xor  ecx, ecx
 55 |         rdpmc
 56 |         mov  End.LowPart, eax
 57 |         mov  End.HighPart, edx
 58 |     }
 59 |     return (End.QuadPart - Start.QuadPart) > qwNativeElapsed;
 60 | }
 61 | 
 62 | {% endhighlight %}
 63 | 
 64 | <hr class="space">
 65 | 
 66 | <tt>RDTSC</tt> is a User Mode instruction.
 67 | 
 68 | <b>C/C++ Code</b>
 69 | <p></p>
 70 | 
 71 | {% highlight c %}
 72 | 
 73 | bool IsDebugged(DWORD64 qwNativeElapsed)
 74 | {
 75 |     ULARGE_INTEGER Start, End;
 76 |     __asm
 77 |     {
 78 |         xor  ecx, ecx
 79 |         rdtsc
 80 |         mov  Start.LowPart, eax
 81 |         mov  Start.HighPart, edx
 82 |     }
 83 |     // ... some work
 84 |     __asm
 85 |     {
 86 |         xor  ecx, ecx
 87 |         rdtsc
 88 |         mov  End.LowPart, eax
 89 |         mov  End.HighPart, edx
 90 |     }
 91 |     return (End.QuadPart - Start.QuadPart) > qwNativeElapsed;
 92 | }
 93 | 
 94 | {% endhighlight %}
 95 | 
 96 | <hr class="space">
 97 | 
 98 | <br />
 99 | <h3><a class="a-dummy" name="getlocaltime">2. GetLocalTime()</a></h3>
100 | 
101 | <b>C/C++ Code</b>
102 | <p></p>
103 | 
104 | {% highlight c %}
105 | bool IsDebugged(DWORD64 qwNativeElapsed)
106 | {
107 |     SYSTEMTIME stStart, stEnd;
108 |     FILETIME ftStart, ftEnd;
109 |     ULARGE_INTEGER uiStart, uiEnd;
110 | 
111 |     GetLocalTime(&stStart);
112 |     // ... some work
113 |     GetLocalTime(&stEnd);
114 | 
115 |     if (!SystemTimeToFileTime(&stStart, &ftStart))
116 |         return false;
117 |     if (!SystemTimeToFileTime(&stEnd, &ftEnd))
118 |         return false;
119 | 
120 |     uiStart.LowPart  = ftStart.dwLowDateTime;
121 |     uiStart.HighPart = ftStart.dwHighDateTime;
122 |     uiEnd.LowPart  = ftEnd.dwLowDateTime;
123 |     uiEnd.HighPart = ftEnd.dwHighDateTime;
124 |     return (uiEnd.QuadPart - uiStart.QuadPart) > qwNativeElapsed;
125 | }
126 | 
127 | {% endhighlight %}
128 | 
129 | <hr class="space">
130 | 
131 | <br />
132 | <h3><a class="a-dummy" name="getsystemtime">3. GetSystemTime()</a></h3>
133 | 
134 | <b>C/C++ Code</b>
135 | <p></p>
136 | 
137 | {% highlight c %}
138 | 
139 | bool IsDebugged(DWORD64 qwNativeElapsed)
140 | {
141 |     SYSTEMTIME stStart, stEnd;
142 |     FILETIME ftStart, ftEnd;
143 |     ULARGE_INTEGER uiStart, uiEnd;
144 | 
145 |     GetSystemTime(&stStart);
146 |     // ... some work
147 |     GetSystemTime(&stEnd);
148 | 
149 |     if (!SystemTimeToFileTime(&stStart, &ftStart))
150 |         return false;
151 |     if (!SystemTimeToFileTime(&stEnd, &ftEnd))
152 |         return false;
153 | 
154 |     uiStart.LowPart  = ftStart.dwLowDateTime;
155 |     uiStart.HighPart = ftStart.dwHighDateTime;
156 |     uiEnd.LowPart  = ftEnd.dwLowDateTime;
157 |     uiEnd.HighPart = ftEnd.dwHighDateTime;
158 |     return (uiEnd.QuadPart - uiStart.QuadPart) > qwNativeElapsed;
159 | }
160 | 
161 | {% endhighlight %}
162 | 
163 | <hr class="space">
164 | 
165 | <br />
166 | <h3><a class="a-dummy" name="gettickcount">4. GetTickCount()</a></h3>
167 | 
168 | <b>C/C++ Code</b>
169 | <p></p>
170 | 
171 | {% highlight c %}
172 | 
173 | bool IsDebugged(DWORD dwNativeElapsed)
174 | {
175 |     DWORD dwStart = GetTickCount();
176 |     // ... some work
177 |     return (GetTickCount() - dwStart) > dwNativeElapsed;
178 | }
179 | 
180 | {% endhighlight %}
181 | 
182 | <hr class="space">
183 | 
184 | <br />
185 | <h3><a class="a-dummy" name="kernel-timing">5. ZwGetTickCount() / KiGetTickCount()</a></h3>
186 | Both functions are used only from Kernel Mode.
187 | 
188 | Just like User Mode <tt>GetTickCount()</tt> or <tt>GetSystemTime()</tt>, Kernel Mode <tt>ZwGetTickCount()</tt> reads from the <tt>KUSER_SHARED_DATA</tt> page. This page is mapped read-only into the user mode range of the virtual address and read-write in the kernel range. The system clock tick updates the system time, which is stored directly in this page.
189 | 
190 | <tt>ZwGetTickCount()</tt> is used the same way as <tt>GetTickCount()</tt>. Using <tt>KiGetTickCount()</tt> is faster than calling <tt>ZwGetTickCount()</tt>, but slightly slower than reading from the <tt>KUSER_SHARED_DATA</tt> page directly.
191 | 
192 | <b>C/C++ Code</b>
193 | <p></p>
194 | 
195 | {% highlight c %}
196 | 
197 | bool IsDebugged(DWORD64 qwNativeElapsed)
198 | {
199 |     ULARGE_INTEGER Start, End;
200 |     __asm
201 |     {
202 |         int  2ah
203 |         mov  Start.LowPart, eax
204 |         mov  Start.HighPart, edx
205 |     }
206 |     // ... some work
207 |     __asm
208 |     {
209 |         int  2ah
210 |         mov  End.LowPart, eax
211 |         mov  End.HighPart, edx
212 |     }
213 |     return (End.QuadPart - Start.QuadPart) > qwNativeElapsed;
214 | }
215 | 
216 | {% endhighlight %}
217 | 
218 | <hr class="space">
219 | 
220 | <br />
221 | <h3><a class="a-dummy" name="queryperformancecounter">6. QueryPerformanceCounter()</a></h3>
222 | 
223 | <b>C/C++ Code</b>
224 | <p></p>
225 | 
226 | {% highlight c %}
227 | 
228 | bool IsDebugged(DWORD64 qwNativeElapsed)
229 | {
230 |     LARGE_INTEGER liStart, liEnd;
231 |     QueryPerformanceCounter(&liStart);
232 |     // ... some work
233 |     QueryPerformanceCounter(&liEnd);
234 |     return (liEnd.QuadPart - liStart.QuadPart) > qwNativeElapsed;
235 | }
236 | 
237 | {% endhighlight %}
238 | 
239 | <hr class="space">
240 | 
241 | <br />
242 | <h3><a class="a-dummy" name="timegettime">7. timeGetTime()</a></h3>
243 | 
244 | <b>C/C++ Code</b>
245 | <p></p>
246 | 
247 | {% highlight c %}
248 | 
249 | bool IsDebugged(DWORD dwNativeElapsed)
250 | {
251 |     DWORD dwStart = timeGetTime();
252 |     // ... some work
253 |     return (timeGetTime() - dwStart) > dwNativeElapsed;
254 | }
255 | 
256 | {% endhighlight %}
257 | 
258 | <hr class="space">
259 | 
260 | <br />
261 | <h3><a class="a-dummy" name="mitigations">Mitigations</a></h3>
262 | * During debugging: Just fill timing checks with <tt>NOP</tt>s and set the result of these checks to the appropriate value.
263 | * For anti-anti-debug solution development: There is no great need to do anything with it, as all timing checks are not very reliable. You can still hook timing functions and accelerate the time between calls.
264 | 
265 | 


--------------------------------------------------------------------------------
/about.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: page
 3 | title: "About anti-debug tricks"
 4 | permalink: /about/
 5 | ---
 6 | 
 7 | Debugging is the essential part of malware analysis. Every time we need to drill down into malware behavior, restore encryption methods or examine communication protocols – generally, whenever we need to examine memory at a certain moment of time – we use debuggers.
 8 | 
 9 | Debuggers interfere with the debugged process in a way that usually produces side-effects. These side-effects are often used by malicious programs to verify if they are executed under debugging. In turn knowledge of anti-debug techniques helps us detect when the malware tries to prevent us from debugging it and mitigate the interference.
10 | 
11 | This encyclopedia contains the description of anti-debug tricks which work on the latest Windows releases with the most popular debuggers (such as OllyDbg, WinDbg, x64dbg). Deprecated techniques (e.g. for SoftICE, etc.) are not included (despite all the love to SoftICE).
12 | 
13 | Anti-Debug tricks are grouped by the way in which they trigger side-effects (“meh, yet another classification”, you might think). Each group includes the description of corresponding tricks, their implementation in C/C++ or x86/x86-64 Assembly language, and recommendations of how to mitigate the trick for developers who want to create their own anti-anti-debug solution. In general, for bypassing anti-debug techniques we recommend using the <a href="https://github.com/x64dbg/ScyllaHide">ScyllaHide</a> plugin which supports OllyDbg, x64dbg and IDA Pro.
14 | 
15 | All the techniques which are described in this encyclopedia are implemented in our <a href="https://github.com/CheckPointSW/showstopper">ShowStopper</a> open-source project. The encyclopedia can help you to better understand how these techniques work or to assess debuggers and anti-anti-debug plugins.
16 | 
17 | <p align="right">
18 |     Yaraslau Harakhavik (<i class="fa fa-twitter fa-lg" style="color:#1DA1F2"></i> <a href="https://twitter.com/slevin_by">@slevin_by</a>),<br />
19 |     <i>Reverse Engineer at Check Point Research</i>
20 | </p>
21 | <br />
22 | 
23 | <h2>References</h2>
24 | <ul>
25 | <li><a href="http://pferrie.epizy.com/papers/antidebug.pdf">P. Ferrie. The “Ultimate”Anti-Debugging Reference</a></li>
26 | <li><a href="https://www.symantec.com/connect/articles/windows-anti-debug-reference">N. Falliere. Windows Anti-Debug Reference</a></li>
27 | <li><a href="https://forum.tuts4you.com/files/file/1218-anti-reverse-engineering-guide/">J. Jackson. An Anti-Reverse Engineering Guide</a></li>
28 | <li><a href="https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software">Anti Debugging Protection Techniques with Examples</a></li>
29 | <li><a href="https://bitbucket.org/fkie_cd_dare/simplifire.antire/src/master/">simpliFiRE.AntiRE</a></li>
30 | </ul>
31 | 
32 | <br />
33 | <br />
34 | 


--------------------------------------------------------------------------------
/assets/css/main.scss:
--------------------------------------------------------------------------------
  1 | ---
  2 | # Only the main Sass file needs front matter (the dashes are enough)
  3 | ---
  4 | @charset "utf-8";
  5 | 
  6 | // Our variables
  7 | $base-font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
  8 | $base-font-size:   16px;
  9 | $base-font-weight: 400;
 10 | $small-font-size:  $base-font-size * 0.875;
 11 | $base-line-height: 1.5;
 12 | 
 13 | $spacing-unit:     30px;
 14 | 
 15 | $text-color:       #111;
 16 | $background-color: #fdfdfd;
 17 | $brand-color:      #2a7ae2;
 18 | 
 19 | $grey-color:       #828282;
 20 | $grey-color-light: lighten($grey-color, 40%);
 21 | $grey-color-dark:  darken($grey-color, 25%);
 22 | 
 23 | // Width of the content area
 24 | $content-width:    800px;
 25 | 
 26 | $on-palm:          600px;
 27 | $on-laptop:        800px;
 28 | 
 29 | 
 30 | .navbar-default{
 31 |   background: #161616!important;
 32 |   border: none !important;
 33 | 
 34 | }
 35 | 
 36 | .navbar-default .navbar-nav > li > a{
 37 |     color:white !important;
 38 | }
 39 | .navbar-default .navbar-nav > li > a:hover{
 40 |   font-weight: bold;
 41 | }
 42 | .navbar-default .navbar-nav > li > a:focus{
 43 |   font-weight: bold;
 44 | }
 45 | .navbar-default .navbar-brand{
 46 |   color:white !important;
 47 | }
 48 | 
 49 | .navbar-fixed-bottom {
 50 |   background-color: #161616 !important;
 51 | }
 52 | .navbar-fixed-top {
 53 |   background-color: #e45785 !important;
 54 |   color: white !important;
 55 | }
 56 | .navbar-fixed-top a {
 57 |   color: white !important;
 58 | 
 59 | }
 60 | .footer-content{
 61 |   text-align: center;
 62 |   padding: 0.5em;
 63 |   background-color: #161616;
 64 |   width:100%;
 65 | }
 66 | 
 67 | .footer-content a {
 68 |   color: #ff4883;
 69 | }
 70 | 
 71 | .footer-content a:hover {
 72 |   color: #ffebf2 !important;
 73 | }
 74 | 
 75 | .logo {
 76 |   margin-top: 20px;
 77 |   font-size: 25pt;
 78 | }
 79 | 
 80 | .title {
 81 |   white-space: nowrap;
 82 | }
 83 | 
 84 | body{
 85 |   background-color: #333333 !important;
 86 |   font-family: "Fira Mono" !important;
 87 |   color: white !important;
 88 | }
 89 | .page-stuff{
 90 |   a {
 91 |     color: #51bffb !important;
 92 |     text-decoration: none;
 93 |       &:hover{
 94 |         color:#ca0098 !important;
 95 |         text-decoration: none !important;
 96 |         border-bottom: 1px dotted #ff34d3;
 97 |         padding-bottom:0.5em;
 98 |       }
 99 |     }
100 |   }
101 | #page-content{
102 |   padding-bottom: 4em;
103 | }
104 | 
105 | .page-stuff{
106 |   padding-top: 2em;
107 |   padding-bottom: 5em;
108 | }
109 | .jumbotron {
110 |   background: #161616!important;
111 | }
112 | a {
113 |   color:#51bffb !important;
114 |   text-decoration: none;
115 | }
116 | a:hover{
117 |   color:#ca0098 !important;
118 |   text-decoration: none !important;
119 |   border-bottom: 1px dotted #ca0098;
120 | 
121 | }
122 | 
123 | .post-list{
124 | 
125 |     text-align: left;
126 | 
127 | }
128 | .post-box{
129 |   padding-top: 2em;
130 | padding-bottom: 2em;
131 | }
132 | 
133 | .post-title{
134 |   color:  #ff20bc !important;
135 | }
136 | 
137 | .post-excerpt{
138 |   color: white !important;
139 | padding-top: 0.5em;
140 | padding-bottom: 0.3em;
141 | }
142 | .post-title-main{
143 |   text-align: left;
144 |   color: white !important;
145 | }
146 | .post-content{
147 |   font-size: 19px;
148 |   text-align: justify;
149 |   padding-bottom: 5em;
150 | }
151 | pre{
152 | background-color: black !important;
153 | border:none !important;
154 | border-radius: 0px !important;
155 | font-size: 20px !important;
156 | padding: 1.5em !important;
157 | color:white !important;
158 | }
159 | .post-meta{
160 |   color: #e45785 !important;
161 | }
162 | 
163 | code{
164 |   background-color: black !important;
165 |   color: white !important;
166 |   border: none !important;
167 |   border-radius: 0px !important;
168 | }
169 | 
170 | .page-tagline{
171 |   font-size: 20px;
172 | text-align: center;
173 | }
174 | 
175 | .download{
176 |   padding:2em;
177 |   font-size: 19px;
178 | }
179 | .intro{
180 |   font-size: 19px;
181 | 
182 | }
183 | .manual-title{
184 |   font-size: 21px;
185 |   padding: 1em;
186 |   /*text-transform: uppercase;*/
187 | 
188 | }
189 | .manual-content{
190 |   text-align: justify;
191 |   font-size: 19px;
192 | }
193 | 
194 | .man-title{
195 |   font-size: 22px;
196 |   text-align: left;
197 |   padding: 1em;
198 |   letter-spacing: 2px;
199 | 
200 | }
201 | 
202 | .jumbotron{
203 |   box-shadow: 0px 1px 10px 0px rgba(0, 0, 0, 0.15);
204 | }
205 | .navbar{
206 |   box-shadow: 0px 1px 10px 0px rgba(0, 0, 0, 0.15);
207 | }
208 | // Our variables
209 | $base-font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
210 | $base-font-size:   16px;
211 | $base-font-weight: 400;
212 | $small-font-size:  $base-font-size * 0.875;
213 | $base-line-height: 1.5;
214 | 
215 | $spacing-unit:     30px;
216 | 
217 | $text-color:       #111;
218 | $background-color: #fdfdfd;
219 | $brand-color:      #2a7ae2;
220 | 
221 | $grey-color:       #828282;
222 | $grey-color-light: lighten($grey-color, 40%);
223 | $grey-color-dark:  darken($grey-color, 25%);
224 | 
225 | // Width of the content area
226 | $content-width:    800px;
227 | 
228 | $on-palm:          600px;
229 | $on-laptop:        800px;
230 | 
231 | 
232 | .navbar-fixed-top {
233 |   background-color: #e45785 !important;
234 |   color: white !important;
235 | }
236 | .navbar-fixed-top a {
237 |   color: white !important;
238 | 
239 | }
240 | // Use media queries like this:
241 | // @include media-query($on-palm) {
242 | //     .wrapper {
243 | //         padding-right: $spacing-unit / 2;
244 | //         padding-left: $spacing-unit / 2;
245 | //     }
246 | // }
247 | @mixin media-query($device) {
248 |     @media screen and (max-width: $device) {
249 |         @content;
250 |     }
251 | }
252 | 
253 | 
254 | .wrap-collabsible {
255 |   margin-bottom: 1.2rem 0;
256 | }
257 | .wrap-collabsible-title {
258 |   margin-bottom: 1.2rem 0;
259 | }
260 | 
261 | input[type='checkbox'] {
262 |   display: none;
263 | }
264 | 
265 | .lbl-toggle {
266 |   display: block;
267 | 
268 |   font-weight: bold;
269 |   font-family: monospace;
270 |   /*text-transform: uppercase;*/
271 |   text-align: left;
272 | 
273 |   padding: 1rem;
274 | 
275 |   color: rgb(201, 38, 166);
276 |   cursor: pointer;
277 | 
278 |   transition: all 0.25s ease-out;
279 | }
280 | .lbl-toggle-title {
281 |   display: block;
282 |   background: #fdeefd;
283 |   font-weight: bold;
284 |   font-family: monospace;
285 |   /*text-transform: uppercase;*/
286 |   text-align: left;
287 |   padding: 1rem;
288 |   color: rgb(201, 38, 166);
289 | }
290 | 
291 | .odd {
292 |   background: #fefefe;
293 | }
294 | 
295 | .even {
296 |   background: #f4f4f4;
297 | }
298 | 
299 | .lbl-toggle:hover {
300 |   color: rgb(138, 0, 131);
301 | }
302 | 
303 | .lbl-toggle .first::before {
304 |   content: ' ';
305 |   display: inline-block;
306 | 
307 |   border-top: 5px solid transparent;
308 |   border-bottom: 5px solid transparent;
309 |   border-left: 5px solid currentColor;
310 |   vertical-align: middle;
311 |   margin-right: .7rem;
312 |   transform: translateY(-2px);
313 | 
314 |   transition: transform .2s ease-out;
315 | }
316 | 
317 | .toggle:checked + .lbl-toggle .first::before {
318 |   transform: rotate(90deg) translateX(-3px);
319 | }
320 | 
321 | .collapsible-content {
322 |   max-height: 0px;
323 |   overflow: hidden;
324 |   transition: max-height .25s ease-in-out;
325 | }
326 | 
327 | .toggle:checked + .lbl-toggle + .collapsible-content {
328 |   max-height: 650px;
329 |   margin-bottom: 10px;
330 | 
331 | }
332 | 
333 | .toggle:checked + .lbl-toggle {
334 |   border-bottom-right-radius: 0;
335 |   border-bottom-left-radius: 0;
336 | }
337 | 
338 | .collapsible-content .content-inner {
339 |   color: black;
340 |   background: rgb(251, 245, 252);
341 |   border-bottom: 1px solid rgb(51, 40, 50);
342 |   border-bottom-left-radius: 7px;
343 |   border-bottom-right-radius: 7px;
344 |   padding: .5rem 1rem;
345 |   overflow-y: auto;
346 |   position: relative;
347 |   max-height: 650px;
348 |   padding-left: 25px;
349 | }
350 | 
351 | .wrap-collabsible label {
352 |   font-weight: normal;
353 |   margin: 0px;
354 | }
355 | 
356 | .wrap-collabsible-title label {
357 |   font-weight: normal;
358 |   margin: 0px;
359 | }
360 | 
361 | .wrap-collabsible a {
362 |   color:  #ff20bc !important;
363 | }
364 | 
365 | .wrap-collabsible-title a {
366 |   color:  #ff20bc !important;
367 | }
368 | 
369 | 
370 | .active-pink {
371 |   border: none !important;
372 |   border-radius: 0 !important;
373 |   margin-top: 5px !important;
374 |   color: white !important;
375 |   border-bottom: 1px solid #ffffff !important;
376 |   box-shadow: 0 1px 0 0 #f48fb1 !important;
377 |   background-color: transparent !important;
378 | }
379 | 
380 | 
381 | .active-pink::placeholder {
382 |   color: #ffd7e5 !important;
383 | }
384 | 
385 | .active-pink:hover {
386 |   border-bottom: 1px solid #ffbdd3 !important;
387 | }
388 | 
389 |   .active-pink:focus::-webkit-input-placeholder {
390 |     color:white;
391 |   }
392 | 
393 | 
394 | .navbar-default .navbar-toggle .icon-bar {
395 |   background-color: white !important;
396 | }
397 | 
398 | 
399 | .btn-sort {
400 |   background-color: #e45785 !important;
401 |   color: white !important;
402 |   border: 0px;
403 | 
404 | }
405 | .btn-sort:hover {
406 |   color: white !important;
407 |   background-color: #c94370 !important;
408 | 
409 | }
410 | 
411 | .btn-sort:focus {
412 |   outline: #ca0098 !important;
413 | }
414 | 
415 | .btn-bleft {
416 |   margin: 0 5px;
417 | }
418 | 
419 | .btn-expand {
420 |   background-color: #fd83ac !important;
421 |   color: white !important;
422 |   border: 0px;
423 |   margin-left: 25px;
424 | }
425 | 
426 | 
427 | .btn-expand:hover {
428 |   color: white !important;
429 |   background-color: #f16d99 !important;
430 | }
431 | 
432 | 
433 | .btn-expand:focus {
434 |   outline: #ca0098 !important;
435 | }
436 | 
437 | 
438 | .content-search {
439 |   margin-bottom: 20px;
440 |   width: 50%;
441 | }
442 | 
443 | 
444 | /* MAIN PARTS OF STYLE */
445 | 
446 | .info {
447 |   background-color: #e7f3fe !important;
448 |   border-left: 6px solid #2196F3 !important;
449 |   margin-bottom: 15px !important;
450 |   padding: 4px 12px !important;
451 | }
452 | 
453 | p {
454 |   font-size: 17px;
455 | }
456 | 
457 | a {
458 |   color: #51bffb;
459 |   text-decoration: none;
460 | }
461 | a:hover {
462 |   border: 0px solid;
463 | }
464 | a:active, a:focus {
465 |   outline: 0;
466 |   border: none;
467 |   text-decoration: none;
468 |   -moz-outline-style: none;
469 | }
470 | 
471 | .a-active {
472 |   display: block;
473 | }
474 | 
475 | .a-pink {
476 |   color:#ff4883 !important;
477 |   text-decoration: none;
478 | }
479 | 
480 | .a-dummy {
481 |   pointer-events: none;
482 |   text-decoration: none;
483 | }
484 | .a-dummy:active, .a-dummy:hover, .a-dummy:focus {
485 |   text-decoration: none;
486 |   color: #51bffb !important;
487 | }
488 | 
489 | table, th, td {
490 |   border: 1px solid gray;
491 |   border-collapse: collapse;
492 |   font-family: Courier New, Verdana, Tahoma, Fixedsys;
493 |   font-size: 15px;
494 | }
495 | th, td {
496 |   padding: 3px;
497 |   text-align: left;
498 | }
499 | 
500 | pre {
501 |   border: 1px solid gray !important;
502 | }
503 | 
504 | pre, code {
505 |   background-color: #343434 !important;
506 |   font-size: 17px !important;
507 | }
508 | 
509 | hr.space {
510 |   height: 3px;
511 |   visibility: hidden;
512 |   margin-bottom: -1px;
513 | }
514 | 
515 | h2 {
516 |   font-size: 27px;
517 | }
518 | 
519 | tt {
520 |   font-size: 20px;
521 | }
522 | 
523 | 
524 | /* CODE HIGHLIGHTING */
525 | 
526 | .highlight pre { background-color: #343434 }
527 | .highlight .hll { background-color: #343434 }
528 | .highlight .c { color: #008800; font-style: italic; background-color: #0f140f } /* Comment */
529 | .highlight .err { color: #ffffff } /* Error */
530 | .highlight .g { color: #ffffff } /* Generic */
531 | .highlight .k { color: #cc8153; font-weight: bold } /* Keyword */
532 | .highlight .l { color: #ffffff } /* Literal */
533 | .highlight .n { color: #ffffff } /* Name */
534 | .highlight .o { color: #ffffff } /* Operator */
535 | .highlight .x { color: #ffffff } /* Other */
536 | .highlight .p { color: #ffffff } /* Punctuation */
537 | .highlight .cm { color: #afceaf; font-style: italic; } /* Comment.Multiline */
538 | .highlight .cp { color: #afceaf; font-weight: bold; font-style: italic; } /* Comment.Preproc */
539 | .highlight .c1 { color: #afceaf; font-style: italic; } /* Comment.Single */
540 | .highlight .cs { color: #afceaf; font-style: italic; } /* Comment.Special */
541 | .highlight .gd { color: #ffffff } /* Generic.Deleted */
542 | .highlight .ge { color: #ffffff } /* Generic.Emph */
543 | .highlight .gr { color: #ffffff } /* Generic.Error */
544 | .highlight .gh { color: #ffffff; font-weight: bold } /* Generic.Heading */
545 | .highlight .gi { color: #ffffff } /* Generic.Inserted */
546 | .highlight .go { color: #444444; background-color: #222222 } /* Generic.Output */
547 | .highlight .gp { color: #ffffff } /* Generic.Prompt */
548 | .highlight .gs { color: #ffffff } /* Generic.Strong */
549 | .highlight .gu { color: #ffffff; font-weight: bold } /* Generic.Subheading */
550 | .highlight .gt { color: #ffffff } /* Generic.Traceback */
551 | .highlight .kc { color: #cc8153; font-weight: bold } /* Keyword.Constant */
552 | .highlight .kd { color: #cc8153; font-weight: bold } /* Keyword.Declaration */
553 | .highlight .kn { color: #cc8153; font-weight: bold } /* Keyword.Namespace */
554 | .highlight .kp { color: #cc8153 } /* Keyword.Pseudo */
555 | .highlight .kr { color: #cc8153; font-weight: bold } /* Keyword.Reserved */
556 | .highlight .kt { color: #cdcaa9; font-weight: bold } /* Keyword.Type */
557 | .highlight .ld { color: #ffffff } /* Literal.Date */
558 | .highlight .m { color: #56a8d7; font-weight: bold } /* Literal.Number */
559 | .highlight .s { color: #56a8d7 } /* Literal.String */
560 | .highlight .na { color: #e562a7; font-weight: bold } /* Name.Attribute */
561 | .highlight .nb { color: #ffffff } /* Name.Builtin */
562 | .highlight .nc { color: #ffffff } /* Name.Class */
563 | .highlight .no { color: #56a8d7 } /* Name.Constant */
564 | .highlight .nd { color: #ffffff } /* Name.Decorator */
565 | .highlight .ni { color: #ffffff } /* Name.Entity */
566 | .highlight .ne { color: #ffffff } /* Name.Exception */
567 | .highlight .nf { color: #e562a7; font-weight: bold } /* Name.Function */
568 | .highlight .nl { color: #ffffff } /* Name.Label */
569 | .highlight .nn { color: #ffffff } /* Name.Namespace */
570 | .highlight .nx { color: #ffffff } /* Name.Other */
571 | .highlight .py { color: #ffffff } /* Name.Property */
572 | .highlight .nt { color: #cc8153; font-weight: bold } /* Name.Tag */
573 | .highlight .nv { color: #cc8153 } /* Name.Variable */
574 | .highlight .ow { color: #ffffff } /* Operator.Word */
575 | .highlight .w { color: #888888 } /* Text.Whitespace */
576 | .highlight .mf { color: #56a8d7; font-weight: bold } /* Literal.Number.Float */
577 | .highlight .mh { color: #56a8d7; font-weight: bold } /* Literal.Number.Hex */
578 | .highlight .mi { color: #56a8d7; font-weight: bold } /* Literal.Number.Integer */
579 | .highlight .mo { color: #56a8d7; font-weight: bold } /* Literal.Number.Oct */
580 | .highlight .sb { color: #56a8d7 } /* Literal.String.Backtick */
581 | .highlight .sc { color: #56a8d7 } /* Literal.String.Char */
582 | .highlight .sd { color: #56a8d7 } /* Literal.String.Doc */
583 | .highlight .s2 { color: #56a8d7 } /* Literal.String.Double */
584 | .highlight .se { color: #56a8d7 } /* Literal.String.Escape */
585 | .highlight .sh { color: #56a8d7 } /* Literal.String.Heredoc */
586 | .highlight .si { color: #56a8d7 } /* Literal.String.Interpol */
587 | .highlight .sx { color: #56a8d7 } /* Literal.String.Other */
588 | .highlight .sr { color: #56a8d7 } /* Literal.String.Regex */
589 | .highlight .s1 { color: #56a8d7 } /* Literal.String.Single */
590 | .highlight .ss { color: #56a8d7 } /* Literal.String.Symbol */
591 | .highlight .bp { color: #ffffff } /* Name.Builtin.Pseudo */
592 | .highlight .vc { color: #cc8153 } /* Name.Variable.Class */
593 | .highlight .vg { color: #cc8153 } /* Name.Variable.Global */
594 | .highlight .vi { color: #cc8153 } /* Name.Variable.Instance */
595 | .highlight .il { color: #56a8d7; font-weight: bold } /* Literal.Number.Integer.Long */
596 | 
597 | 
598 | /* SHARE BUTTONS */
599 | 
600 | 
601 | /* Share buttons */
602 | .sharebuttons {
603 |   margin: 0 auto 0 auto;
604 | }
605 | 
606 | .sharebuttons ul {
607 |   margin: 20px 0 0 0;
608 |   text-align: center;
609 | }
610 | 
611 | .sharebuttons ul li {
612 |   display: inline;
613 | }
614 | 
615 | .sharebuttons ul li a {
616 |   text-decoration: none;
617 | }
618 | 
619 | .sharebuttons ul li svg {
620 |   width: 20px;
621 |   height: 20px;
622 | }
623 | 
624 | .sharebuttons .reddit svg {
625 |   fill: #FF4500;
626 | }
627 | 
628 | .sharebuttons .hn svg {
629 |   fill: #F0652F;
630 | }
631 | 
632 | .sharebuttons .twitter svg {
633 |   fill: #1DA1F2;
634 | }
635 | 
636 | .sharebuttons .linkedin svg {
637 |   fill: #0077B5;
638 | }


--------------------------------------------------------------------------------
/assets/icons/assembly.svg:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" ?><svg data-name="Devices 1" height="60" id="Devices_1" viewBox="0 0 60 60" width="60" xmlns="http://www.w3.org/2000/svg"><title/><path d="M15,10a1,1,0,0,1-1-1V1a1,1,0,0,1,2,0V9A1,1,0,0,1,15,10Z" style="fill:#6d6daa;opacity:0.5"/><path d="M45,10a1,1,0,0,1-1-1V1a1,1,0,0,1,2,0V9A1,1,0,0,1,45,10Z" style="fill:#6d6daa;opacity:0.5"/><path d="M35,10a1,1,0,0,1-1-1V1a1,1,0,0,1,2,0V9A1,1,0,0,1,35,10Z" style="fill:#6d6daa;opacity:0.5"/><path d="M25,10a1,1,0,0,1-1-1V1a1,1,0,0,1,2,0V9A1,1,0,0,1,25,10Z" style="fill:#6d6daa;opacity:0.5"/><path d="M20,10a1,1,0,0,1-1-1V1a1,1,0,0,1,2,0V9A1,1,0,0,1,20,10Z" style="fill:#6d6daa;opacity:0.5"/><path d="M40,10a1,1,0,0,1-1-1V1a1,1,0,0,1,2,0V9A1,1,0,0,1,40,10Z" style="fill:#6d6daa;opacity:0.5"/><path d="M30,10a1,1,0,0,1-1-1V1a1,1,0,0,1,2,0V9A1,1,0,0,1,30,10Z" style="fill:#6d6daa;opacity:0.5"/><path d="M15,60a1,1,0,0,1-1-1V51a1,1,0,0,1,2,0v8A1,1,0,0,1,15,60Z" style="fill:#6d6daa;opacity:0.5"/><path d="M45,60a1,1,0,0,1-1-1V51a1,1,0,0,1,2,0v8A1,1,0,0,1,45,60Z" style="fill:#6d6daa;opacity:0.5"/><path d="M35,60a1,1,0,0,1-1-1V51a1,1,0,0,1,2,0v8A1,1,0,0,1,35,60Z" style="fill:#6d6daa;opacity:0.5"/><path d="M25,60a1,1,0,0,1-1-1V51a1,1,0,0,1,2,0v8A1,1,0,0,1,25,60Z" style="fill:#6d6daa;opacity:0.5"/><path d="M40,60a1,1,0,0,1-1-1V51a1,1,0,0,1,2,0v8A1,1,0,0,1,40,60Z" style="fill:#6d6daa;opacity:0.5"/><path d="M30,60a1,1,0,0,1-1-1V51a1,1,0,0,1,2,0v8A1,1,0,0,1,30,60Z" style="fill:#6d6daa;opacity:0.5"/><path d="M20,60a1,1,0,0,1-1-1V51a1,1,0,0,1,2,0v8A1,1,0,0,1,20,60Z" style="fill:#6d6daa;opacity:0.5"/><path d="M59,16H51a1,1,0,0,1,0-2h8a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M59,46H51a1,1,0,0,1,0-2h8a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M59,36H51a1,1,0,0,1,0-2h8a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M59,26H51a1,1,0,0,1,0-2h8a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M9,16H1a1,1,0,0,1,0-2H9a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M9,46H1a1,1,0,0,1,0-2H9a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M9,36H1a1,1,0,0,1,0-2H9a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M9,26H1a1,1,0,0,1,0-2H9a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M59,21H51a1,1,0,0,1,0-2h8a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M59,41H51a1,1,0,0,1,0-2h8a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M59,31H51a1,1,0,0,1,0-2h8a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M9,21H1a1,1,0,0,1,0-2H9a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M9,41H1a1,1,0,0,1,0-2H9a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M9,31H1a1,1,0,0,1,0-2H9a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><rect height="42" rx="2" ry="2" style="fill:#939fc6" width="42" x="9" y="9"/><path d="M49,9H11a2,2,0,0,0-2,2v3a2,2,0,0,1,2-2H49a2,2,0,0,1,2,2V11A2,2,0,0,0,49,9Z" style="fill:#fff;opacity:0.5"/><path d="M49,48H11a2,2,0,0,1-2-2v3a2,2,0,0,0,2,2H49a2,2,0,0,0,2-2V46A2,2,0,0,1,49,48Z" style="fill:#2c4b75;opacity:0.2"/><rect height="26" rx="2" ry="2" style="fill:#eef6ff" width="26" x="17" y="17"/><path d="M41,17H19a1.99994,1.99994,0,0,0-2,2v3a1.99994,1.99994,0,0,1,2-2H41a1.99994,1.99994,0,0,1,2,2V19A1.99994,1.99994,0,0,0,41,17Z" style="fill:#fff;opacity:0.75"/><path d="M41,40H19a1.99994,1.99994,0,0,1-2-2v3a1.99994,1.99994,0,0,0,2,2H41a1.99994,1.99994,0,0,0,2-2V38A1.99994,1.99994,0,0,1,41,40Z" style="fill:#2c4b75;opacity:0.2"/><path d="M49,52H11a3.00328,3.00328,0,0,1-3-3V11a3.00328,3.00328,0,0,1,3-3H49a3.00328,3.00328,0,0,1,3,3V49A3.00328,3.00328,0,0,1,49,52ZM11,10a1.0013,1.0013,0,0,0-1,1V49a1.0013,1.0013,0,0,0,1,1H49a1.0013,1.0013,0,0,0,1-1V11a1.0013,1.0013,0,0,0-1-1Z" style="fill:#6d6daa"/><path d="M41,44H19a3.00328,3.00328,0,0,1-3-3V19a3.00328,3.00328,0,0,1,3-3H41a3.00328,3.00328,0,0,1,3,3V41A3.00328,3.00328,0,0,1,41,44ZM19,18a1.0013,1.0013,0,0,0-1,1V41a1.0013,1.0013,0,0,0,1,1H41a1.0013,1.0013,0,0,0,1-1V19a1.0013,1.0013,0,0,0-1-1Z" style="fill:#6d6daa"/><path d="M37,32H23a1,1,0,0,1,0-2H37a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M33,26H27a1,1,0,0,1,0-2h6a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/><path d="M37,36H23a1,1,0,0,1,0-2H37a1,1,0,0,1,0,2Z" style="fill:#6d6daa;opacity:0.5"/></svg>


--------------------------------------------------------------------------------
/assets/icons/debug_flags.svg:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" ?><svg height="60" id="Basic_1" viewBox="0 0 60 60" width="60" xmlns="http://www.w3.org/2000/svg"><title/><path d="M9,3A2,2,0,0,0,5,3V7H9Z" style="fill:#d6b5b0"/><path d="M7,1A2,2,0,0,0,5,3V6A2,2,0,0,1,9,6V3A1.99994,1.99994,0,0,0,7,1Z" style="fill:#fff;opacity:0.5"/><rect height="20" style="fill:#d6b5b0" width="4" x="5" y="35"/><rect height="3" style="fill:#750000;opacity:0.2" width="4" x="5" y="35"/><polygon points="43 7 5 7 5 35 43 35 57 21.001 43 7" style="fill:#eef6ff"/><polygon points="55 19 42 32 5 32 5 35 43 35 57 21 55 19" style="fill:#2c4b75;opacity:0.200000002980232"/><polygon points="42 10 55 23 57 21 43 7 5 7 5 10 42 10" style="fill:#fff;opacity:0.75"/><rect height="28" style="fill:#2c4b75;opacity:0.200000002980232" width="3" x="9" y="7"/><path d="M1,56v3H13V56a1.00005,1.00005,0,0,0-1-1H2A1,1,0,0,0,1,56Z" style="fill:#d4edff"/><path d="M12,55H9a1,1,0,0,1,1,1v3h3V56A1,1,0,0,0,12,55Z" style="fill:#2c4b75;opacity:0.200000002980232"/><path d="M5,55H2a1,1,0,0,0-1,1v3H4V56A1,1,0,0,1,5,55Z" style="fill:#fff;opacity:0.75"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px" x1="9" x2="9" y1="32" y2="10"/><circle cx="26.99959" cy="21.0005" r="10" style="fill:#99db6e"/><path d="M26.99957,28.00049a9.99344,9.99344,0,0,1-9.87549-8.5,10.00028,10.00028,0,1,0,19.751,0A9.99353,9.99353,0,0,1,26.99957,28.00049Z" style="fill:#2c4b75;opacity:0.200000002980232"/><path d="M26.99957,14.00049a9.99353,9.99353,0,0,1,9.87549,8.5,10.00028,10.00028,0,1,0-19.751,0A9.99344,9.99344,0,0,1,26.99957,14.00049Z" style="fill:#fff;opacity:0.5"/><path d="M9,3A2,2,0,0,0,5,3V7H9Z" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><rect height="20" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px" width="4" x="5" y="35"/><polygon points="43 7 5 7 5 35 43 35 57 21.001 43 7" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><path d="M1,56v3H13V56a1.00005,1.00005,0,0,0-1-1H2A1,1,0,0,0,1,56Z" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><circle cx="26.99959" cy="21.0005" r="10" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><polyline points="23 22.001 25.666 24.501 30 17.501" style="fill:none;stroke:#fff;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/></svg>


--------------------------------------------------------------------------------
/assets/icons/exceptions.svg:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" ?><svg height="60" id="Security" viewBox="0 0 60 60" width="60" xmlns="http://www.w3.org/2000/svg"><title/><polyline points="33 59 33 51 27 51 27 59" style="fill:#ced8ee;fill-rule:evenodd"/><rect height="3" style="fill:#2c4b75;opacity:0.200000002980232" width="6" x="27" y="50.99994"/><path d="M5,35.74815V16.24995L20.26479,1h19.4704L55,16.24995v19.4982L39.73519,51H20.26479L5,35.74815Z" style="fill:#fff;fill-rule:evenodd"/><polygon points="21.265 48 5 31.748 5 35.748 20.265 51 39.735 51 55 35.748 55 31.748 38.735 48 21.265 48" style="fill:#5cbeff;fill-rule:evenodd;opacity:0.300000011920929"/><path d="M9,34.18844V17.81L21.82243,5H38.17756L51,17.81V34.18844L38.17756,47H21.82243L9,34.18844Z" style="fill:none;fill-rule:evenodd"/><path d="M33,60a.99974.99974,0,0,1-1-1V52H28v7a1,1,0,0,1-2,0V51a.99974.99974,0,0,1,1-1h6a.99974.99974,0,0,1,1,1v8A.99974.99974,0,0,1,33,60Z" style="fill:#6d6daa"/><path d="M39.73535,52H20.26465a1.00013,1.00013,0,0,1-.707-.293L4.293,36.45508A.99928.99928,0,0,1,4,35.748V16.25a.9977.9977,0,0,1,.29346-.707L19.55811.293A.999.999,0,0,1,20.26465,0h19.4707a.999.999,0,0,1,.70654.293l15.26465,15.25A.9977.9977,0,0,1,56,16.25V35.748a.99928.99928,0,0,1-.293.707L40.44238,51.707A1.00013,1.00013,0,0,1,39.73535,52ZM20.67871,50H39.32129L54,35.334V16.66406L39.32129,2H20.67871L6,16.66406V35.334Z" style="fill:#6d6daa"/><path d="M9,34.18844V17.81L21.82243,5H38.17756L51,17.81V34.18844L38.17756,47H21.82243L9,34.18844Z" style="fill:#ff9797;fill-rule:evenodd"/><path d="M40.9668,23.32959a2.8402,2.8402,0,0,0-3.27832,1.34277,57.06375,57.06375,0,0,0-.09717-5.97217,2.84623,2.84623,0,0,0-2.78662-2.62646,2.70267,2.70267,0,0,0-1.65039.5058c-.00812-.55188-.018-1.08081-.03125-1.55756A2.96529,2.96529,0,0,0,30.0625,12,3.06476,3.06476,0,0,0,27.001,15.061v.45013a2.935,2.935,0,0,0-1.55322-.40765A2.87463,2.87463,0,0,0,22.54395,17.915c-.00433.70752.00159,1.62268.01337,2.6275a2.57331,2.57331,0,0,0-1.486-.25641,2.86227,2.86227,0,0,0-2.57324,2.6958,31.923,31.923,0,0,0,.11035,5.16064c.10693,1.30811.22852,2.79053.22852,5.02979A9.93667,9.93667,0,0,0,21.146,39.7998,4.62669,4.62669,0,0,0,25.74756,44h6.72412a4.62579,4.62579,0,0,0,4.62061-4.62061V37.98132a8.22437,8.22437,0,0,0,2.79834-2.682c.02-.03564,1.97949-3.64063,1.8916-4.79a16.85723,16.85723,0,0,1,.34766-3.72314l.11768-.74609C42.55322,24.07666,41.57666,23.499,40.9668,23.32959Z" style="fill:#750000;opacity:0.2"/><path d="M38.17773,48H21.82227a1.00013,1.00013,0,0,1-.707-.293L8.293,34.89551a.99928.99928,0,0,1-.293-.707V17.80957a.9977.9977,0,0,1,.29346-.707L21.11572,4.293A.999.999,0,0,1,21.82227,4H38.17773a.999.999,0,0,1,.70654.293L51.70654,17.10254a.9977.9977,0,0,1,.29346.707V34.18848a.99928.99928,0,0,1-.293.707L38.88477,47.707A1.00013,1.00013,0,0,1,38.17773,48ZM22.23633,46H37.76367L50,33.77441V18.22363L37.76367,6H22.23633L10,18.22363V33.77441Z" style="fill:#6d6daa"/><path d="M27.98352,23.86633s-.4472-5.90894-.64655-7.874c-.12927-1.27478-.80817-1.889-1.889-1.889a1.87317,1.87317,0,0,0-1.90381,1.81775c-.01746,2.83948.12445,8.902.18188,11.21588-.10413-.89844-.43195-3.79565-.60443-6.115a1.7887,1.7887,0,0,0-1.92108-1.74438,1.86654,1.86654,0,0,0-1.70435,1.7652c-.23889,3.91467.34076,5.17242.34076,10.12952a8.6062,8.6062,0,0,0,2.28992,6.20691,3.62067,3.62067,0,0,0,3.62067,3.62067h6.72412a3.62069,3.62069,0,0,0,3.62073-3.62067v-1.9137l-.02283-.01489A8.00606,8.00606,0,0,0,39.018,32.8103a17.44009,17.44009,0,0,0,1.76727-4.22418,21.60882,21.60882,0,0,1,.47412-4.69824c.06342-.40784.21552-1.37933-.56036-1.59485-1.57214-.43671-2.42542,1.07635-2.931,2.41382-.43573,1.15253-.52661,2.37628-1.29309,3.11206a97.65081,97.65081,0,0,0,.12109-11.0188,1.86077,1.86077,0,0,0-1.82367-1.72693,1.80628,1.80628,0,0,0-1.82642,1.82642L32.139,26.51715" style="fill:#fff;fill-rule:evenodd"/><path d="M32.12347,13.05a1.98008,1.98008,0,0,0-2.06116-2.05011,2.06114,2.06114,0,0,0-2.06116,2.06122v13.456l4.1203-.21552S32.25079,17.63788,32.12347,13.05Z" style="fill:#fff;fill-rule:evenodd"/><path d="M36.62885,24.64111c.06555-1.79681.11444-3.98511.07489-5.78217-.04272,2.59045-.17139,5.15649-.22882,5.96A2.09784,2.09784,0,0,0,36.62885,24.64111Z" style="fill:#2c4b75;fill-rule:evenodd;opacity:0.200000002980232"/><path d="M23.72607,24.137c-.042-1.69171-.12891-5.384-.16589-8.3587-.00427.048-.01569.09375-.016.14282-.011,1.78815.04114,4.85345.0957,7.45685C23.67474,23.68939,23.70563,23.96045,23.72607,24.137Z" style="fill:#2c4b75;fill-rule:evenodd;opacity:0.200000002980232"/><path d="M41.01276,22.469a13.87783,13.87783,0,0,0-.22748,3.11713A17.44009,17.44009,0,0,1,39.018,29.8103a8.00606,8.00606,0,0,1-2.94843,2.64038l.02283.01489v1.9137a3.62069,3.62069,0,0,1-3.62073,3.62067H25.74756a3.62067,3.62067,0,0,1-3.62067-3.62067A8.6062,8.6062,0,0,1,19.837,28.17236c0-3.28467-.25354-4.94641-.35577-6.83185-.19147,3.679.35577,5.00568.35577,9.83185a8.6062,8.6062,0,0,0,2.28992,6.20691,3.62067,3.62067,0,0,0,3.62067,3.62067h6.72412a3.62069,3.62069,0,0,0,3.62073-3.62067v-1.9137l-.02283-.01489A8.00606,8.00606,0,0,0,39.018,32.8103a17.44009,17.44009,0,0,0,1.76727-4.22418,21.60882,21.60882,0,0,1,.47412-4.69824C41.312,23.5498,41.41742,22.83,41.01276,22.469Z" style="fill:#2c4b75;fill-rule:evenodd;opacity:0.200000002980232"/><path d="M34.5415,37.34473a1.00021,1.00021,0,0,1-.4873-1.874c2.43359-1.35449,3.58057-2.2373,4.09131-3.14941A20.49637,20.49637,0,0,0,39.7876,28.582a17.83325,17.83325,0,0,1,.36719-4.11133l.11621-.73633a2.52317,2.52317,0,0,0,.043-.50586c-.31592-.05371-.92871.02637-1.61035,1.832-.125.33008-.21777.666-.30908.99316A5.11506,5.11506,0,0,1,37.168,28.54a1,1,0,0,1-1.69043-.792,97.45063,97.45063,0,0,0,.12354-10.84863.868.868,0,0,0-.86084-.82715.73717.73717,0,0,0-.53516.21387.8594.8594,0,0,0-.25928.61328l-.81006,9.70215a1.00011,1.00011,0,0,1-1.99316-.168l.80664-9.61816a2.80908,2.80908,0,0,1,.86426-1.96582,2.71606,2.71606,0,0,1,1.99072-.77539,2.84541,2.84541,0,0,1,2.78711,2.625,57.2083,57.2083,0,0,1,.09717,5.97266A2.83967,2.83967,0,0,1,40.9668,21.3291c.60986.16992,1.58691.748,1.28076,2.71094l-.11768.74512a16.86618,16.86618,0,0,0-.34766,3.72363c.08789,1.14844-1.87158,4.75488-1.8916,4.79-.82227,1.4668-2.4707,2.58789-4.86377,3.91992A1.00245,1.00245,0,0,1,34.5415,37.34473Z" style="fill:#6d6daa"/><path d="M28.001,27.51758a.99974.99974,0,0,1-1-1V13.06152A3.06486,3.06486,0,0,1,30.0625,10,2.9657,2.9657,0,0,1,33.123,13.02246c.12646,4.55566-.00049,13.207-.00146,13.29395a1.01134,1.01134,0,0,1-1.01514.98535,1.00036,1.00036,0,0,1-.98486-1.01465c.00146-.08691.12793-8.69531.00244-13.21A.99408.99408,0,0,0,30.0625,12,1.06288,1.06288,0,0,0,29.001,13.06152V26.51758A.99974.99974,0,0,1,28.001,27.51758Z" style="fill:#6d6daa"/><path d="M32.47168,42H25.74756A4.62678,4.62678,0,0,1,21.146,37.79883a9.92935,9.92935,0,0,1-2.30908-6.626c0-2.24023-.12158-3.72266-.22852-5.03027a31.91835,31.91835,0,0,1-.11035-5.16016,2.86268,2.86268,0,0,1,2.57275-2.69629,2.57113,2.57113,0,0,1,1.97412.56836,2.98787,2.98787,0,0,1,1.07373,2.09375c.20313,2.72559.62939,6.32031.63379,6.35645a1.00017,1.00017,0,1,1-1.98633.23633c-.00439-.03613-.43555-3.6748-.6416-6.44434a.99316.99316,0,0,0-.34229-.69141.59988.59988,0,0,0-.45264-.13672.87.87,0,0,0-.83545.83594,30.2886,30.2886,0,0,0,.10742,4.875c.11035,1.3457.23535,2.87109.23535,5.19336a7.60559,7.60559,0,0,0,1.96045,5.46387.99912.99912,0,0,1,.32959.74219A2.62391,2.62391,0,0,0,25.74756,40h6.72412a2.62391,2.62391,0,0,0,2.62061-2.62109V35.46582a1,1,0,0,1,2,0v1.91309A4.6262,4.6262,0,0,1,32.47168,42Z" style="fill:#6d6daa"/><path d="M34.62207,30.01758a1.00006,1.00006,0,0,1-.38135-1.9248,3.45913,3.45913,0,0,0,1.40186-.87891,1.02184,1.02184,0,0,1,1.37354-.25879.97986.97986,0,0,1,.31641,1.32715,4.75108,4.75108,0,0,1-2.33008,1.66016A1.00568,1.00568,0,0,1,34.62207,30.01758Z" style="fill:#6d6daa"/><path d="M23.78223,37.8623h-.30176a3.72113,3.72113,0,0,1-3.853-2.58887A1.00015,1.00015,0,0,1,21.47217,34.5c.54346,1.29688,1.11719,1.3623,2.0083,1.3623h.30176a1,1,0,0,1,0,2Z" style="fill:#6d6daa"/><path d="M23.749,29.06934a.99989.99989,0,0,1-.999-.97363c-.00244-.08594-.22754-8.65625-.20605-12.18066a2.87431,2.87431,0,0,1,2.90381-2.81152A2.79186,2.79186,0,0,1,28.332,15.8916c.19824,1.95508.63037,7.65723.64844,7.89941a.9999.9999,0,1,1-1.99414.15039c-.00439-.05859-.44873-5.91895-.64453-7.84863-.09277-.91309-.47559-.98926-.894-.98926a.87086.87086,0,0,0-.90381.82324c-.021,3.49219.20313,12.03027.20508,12.11621a1.00029,1.00029,0,0,1-.97314,1.02637Z" style="fill:#6d6daa"/></svg>


--------------------------------------------------------------------------------
/assets/icons/interactive.svg:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" ?><!DOCTYPE svg  PUBLIC '-//W3C//DTD SVG 1.1//EN'  'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'><svg id="Layer_1" style="enable-background:new 0 0 256 256;" version="1.1" viewBox="0 0 256 256" xml:space="preserve" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><style type="text/css">
 2 | 	.st0{fill:#1C868E;}
 3 | 	.st1{fill:#40C4DF;}
 4 | 	.st2{fill:#FFFFFF;}
 5 | 	.st3{fill:#D8D6D7;}
 6 | 	.st4{fill:#F85252;}
 7 | 	.st5{fill:#7BEFE4;}
 8 | 	.st6{fill:#56C1B3;}
 9 | 	.st7{fill:#491352;}
10 | 	.st8{fill:#41C4DF;}
11 | 	.st9{fill:#D73735;}
12 | 	.st10{fill:#EDAF85;}
13 | 	.st11{fill:#F7C09A;}
14 | 	.st12{fill:#1B868E;}
15 | 	.st13{fill:none;stroke:#491352;stroke-width:4;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10;}
16 | 	.st14{fill:none;stroke:#491352;stroke-width:4;stroke-miterlimit:10;}
17 | </style><g id="XMLID_3640_"><g id="XMLID_2333_"><path class="st2" d="M245.833,156.636H10.167c-2.761,0-5-2.239-5-5V15.879c0-2.761,2.239-5,5-5h235.667    c2.761,0,5,2.239,5,5v135.757C250.833,154.398,248.595,156.636,245.833,156.636z" id="XMLID_3346_"/><path class="st3" d="M112.56,136.64v20H10.17c-2.76,0-5-2.24-5-5V15.88c0-2.76,2.24-5,5-5h15v120.76    c0,1.72,0.87,3.24,2.2,4.14c0.8,0.54,1.76,0.86,2.8,0.86H112.56z" id="XMLID_3345_"/><path class="st5" d="M238.15,27.01v113.5c0,2.76-2.24,5-5,5H22.85c-2.76,0-5-2.24-5-5V27.01c0-2.76,2.24-5,5-5    h210.3C235.91,22.01,238.15,24.25,238.15,27.01z" id="XMLID_3337_"/><rect class="st3" height="60.834" id="XMLID_3328_" width="59.16" x="98.42" y="156.636"/><rect class="st2" height="59.638" id="XMLID_3317_" width="45.105" x="112.562" y="156.64"/><path class="st3" d="M192.17,222.47v17.65c0,2.75-2.25,5-5,5H68.83c-2.75,0-5-2.25-5-5v-17.65c0-2.75,2.25-5,5-5    h118.34C189.92,217.47,192.17,219.72,192.17,222.47z" id="XMLID_3316_"/><path class="st2" d="M192.17,222.47v8.51H82.97c-2.75,0-5-2.25-5-5v-8.51h109.2    C189.92,217.47,192.17,219.72,192.17,222.47z" id="XMLID_3116_"/></g><circle class="st4" cx="101.928" cy="61.572" id="XMLID_4618_" r="11.211"/><circle class="st9" cx="78.381" cy="85.119" id="XMLID_4632_" r="27.628"/><circle class="st1" cx="195.064" cy="148.958" id="XMLID_2332_" r="59"/><path class="st3" d="M226.562,157.163c-4.613-3.964-10.982-4.934-16.46-2.933l-20.307-20.307   c2.161-5.861,0.894-12.702-3.812-17.408c-3.366-3.366-7.822-4.974-12.231-4.827c-2.339,0.078-3.419,2.964-1.764,4.619l7.101,7.101   c1.058,1.058,1.058,2.772,0,3.83l-5.745,5.745c-1.058,1.058-2.772,1.058-3.83,0l-7.097-7.097c-1.68-1.68-4.558-0.537-4.626,1.839   c-0.137,4.776,1.786,9.601,5.773,13.027c4.613,3.964,10.982,4.934,16.46,2.932l20.307,20.307   c-2.161,5.861-0.894,12.702,3.812,17.408c3.366,3.366,7.822,4.974,12.231,4.827c2.339-0.078,3.419-2.964,1.764-4.619l-7.101-7.101   c-1.058-1.058-1.058-2.772,0-3.83l5.745-5.745c1.058-1.058,2.772-1.058,3.83,0l7.097,7.097c1.68,1.68,4.558,0.536,4.626-1.839   C232.472,165.414,230.548,160.589,226.562,157.163z" id="XMLID_2067_"/><path class="st6" d="M231.765,119.146l-6.89-6.89c-0.953-0.953-2.463-1.06-3.541-0.251   c-15.161,11.517-10.742,6.976-15.052,14.693c-1.255,2.36,1.399,3.946,1.74,4.45l-24.504,24.504l-3.958-3.958   c-1.058-1.058-2.772-1.058-3.83,0l-17.369,17.369c-1.057,1.058-1.057,2.772,0,3.83l12.766,12.766c1.058,1.058,2.772,1.058,3.83,0   l17.369-17.369c1.058-1.058,1.058-2.772,0-3.83l-3.958-3.958L212.873,136l1.264,1.264c0.842,0.842,2.135,1.035,3.187,0.476   c7.692-4.251,3.282-0.032,14.692-15.052C232.826,121.609,232.719,120.1,231.765,119.146z" id="XMLID_3462_"/><g id="XMLID_3571_"><path class="st7" d="M131.53,89.79l-18.05,1.33c-1.496,0.083-1.71-1.053-5.52-4.58    c-0.061-1.043,0.451-6.053-2.06-12.37c2.025-0.654,3.8-1.69,5.37-3.26c4.478-4.478,3.811-9.979,3.83-10.111l5.166-1.722    c2.51-0.837,1.245-4.636-1.266-3.795l-4.739,1.58c-0.085-0.1-1.672-5.37-7.621-7.622c-0.001,0-0.001,0-0.002,0l1.58-4.74    c0.35-1.049-0.217-2.181-1.265-2.53c-1.051-0.354-2.182,0.218-2.53,1.265l-1.722,5.166c-0.39,0.056-5.722-0.559-10.111,3.83    c-1.55,1.55-2.64,3.4-3.25,5.37c-6.039-2.395-10.372-1.943-12.38-2.06l-4.03-4.04c-0.39-0.39-0.59-0.93-0.55-1.48l1.33-18.05    c0.09-1.11-0.74-2.06-1.84-2.15c-1.09-0.08-2.06,0.75-2.14,1.85l-1.34,18.05c-0.13,1.71,0.49,3.39,1.71,4.61l1.88,1.88    c-4.73,1.03-9.24,3.23-13.08,6.6L48.66,52.57c-0.78-0.78-2.05-0.78-2.83,0c-0.78,0.78-0.78,2.04,0,2.82l10.24,10.24    c-3.37,3.84-5.57,8.36-6.6,13.09c-1.15-0.899-2.815-3.888-6.49-3.59l-18.05,1.33c-1.1,0.08-1.93,1.04-1.84,2.15    c0.08,1.1,1.05,1.92,2.14,1.84l18.05-1.33c1.431-0.131,1.771,1.09,5.52,4.59c-0.812,17.196,13.125,31.732,30.99,30.99l4.04,4.04    c0.39,0.39,0.6,0.93,0.55,1.479l-1.33,18.05c-0.189,2.598,3.784,3.006,3.99,0.3l1.33-18.05c0.13-1.71-0.49-3.39-1.71-4.61    l-1.88-1.88c1.62-0.35,3.21-0.84,4.75-1.47c2.98-1.2,5.81-2.91,8.34-5.13l10.24,10.24c0.39,0.39,0.9,0.59,1.41,0.59    s1.02-0.2,1.41-0.59c0.78-0.78,0.78-2.05,0-2.83l-10.24-10.24c3.37-3.84,5.57-8.35,6.6-13.08c1.285,1.033,2.784,3.843,6.49,3.59    l18.05-1.34c1.1-0.08,1.93-1.04,1.85-2.14C133.59,90.53,132.63,89.71,131.53,89.79z M79.11,110.71    c-14.731,0.434-26.754-11.571-26.32-26.32c0.383-26.388,37.988-35.229,49.02-9.61C109.315,91.667,96.76,110.46,79.11,110.71z     M92.99,59.35c1.724-6.939,10.434-9.335,15.45-4.29c5.057,5.056,2.638,13.73-4.29,15.45C101.525,65.855,97.631,61.967,92.99,59.35    z" id="XMLID_3589_"/><path class="st7" d="M218.26,139.5l5.12-2.72c0.6-0.32,1.14-0.78,1.55-1.32l8.69-11.57    c1.39-1.87,1.21-4.51-0.44-6.16l-6.89-6.89c-1.65-1.64-4.29-1.83-6.16-0.43l-11.56,8.68c-0.55,0.41-1.01,0.95-1.33,1.55    l-2.72,5.12c-0.95,1.78-0.67,3.91,0.68,5.38l-7.68,7.68l-5.44-5.44c1.87-6.45,0.1-13.5-4.68-18.28    c-3.61-3.61-8.61-5.58-13.71-5.41c-1.88,0.06-3.47,1.19-4.16,2.95c-0.7,1.76-0.29,3.75,1.05,5.08l7.1,7.1    c0.25,0.25,0.285,0.71,0,1.01l-5.75,5.74c-0.28,0.28-0.72,0.28-1,0l-7.1-7.1c-1.35-1.35-3.29-1.75-5.07-1.04    c-1.77,0.7-2.91,2.33-2.97,4.24c-0.16,5.61,2.2,10.93,6.47,14.6c0.52,0.45,1.06,0.86,1.62,1.24c4.53,3.08,10.26,4,15.6,2.46    l5.45,5.45l-1.41,1.4l-2.54-2.54c-0.89-0.89-2.08-1.38-3.33-1.38c-1.26,0-2.44,0.49-3.33,1.38l-17.37,17.37    c-0.86,0.86-1.32,1.98-1.37,3.11v0.45c0.05,1.12,0.51,2.24,1.37,3.1l12.76,12.76c0.92,0.92,2.13,1.38,3.33,1.38    c1.21,0,2.41-0.46,3.33-1.38l17.37-17.36c1.84-1.84,1.84-4.83,0-6.66l-2.54-2.55l1.41-1.4h0l5.44,5.44    c-1.87,6.44-0.1,13.49,4.68,18.27c3.47,3.47,8.21,5.43,13.1,5.43c0.2,0,0.41-0.01,0.61-0.01c1.87-0.07,3.47-1.2,4.16-2.95    c0.69-1.76,0.28-3.76-1.05-5.09l-7.1-7.1c-0.28-0.27-0.28-0.72,0-1l5.75-5.74c0.27-0.28,0.72-0.28,1,0l7.09,7.09    c1.35,1.35,3.29,1.76,5.07,1.05c1.78-0.71,2.92-2.33,2.97-4.24c0.01-0.19,0.01-0.38,0.01-0.57c0-4.03-1.3-7.88-3.68-11.05    c-0.81-1.08-1.74-2.08-2.79-2.98c-0.42-0.36-0.85-0.7-1.3-1.02c-4.58-3.27-10.45-4.26-15.92-2.68l-5.45-5.45l7.68-7.68    C214.409,140.229,216.581,140.411,218.26,139.5z M181.44,142.27c-0.558-0.558-1.39-0.718-2.1-0.46    c-4.97,1.81-10.51,0.83-14.47-2.57c-3.35-2.89-5.2-7.06-5.08-11.46c0.015-0.614,0.776-0.929,1.21-0.48l7.1,7.1    c0.89,0.89,2.07,1.38,3.33,1.38s2.44-0.49,3.33-1.38l5.74-5.75c0.89-0.88,1.38-2.07,1.38-3.32c0-1.26-0.49-2.45-1.38-3.33    l-7.1-7.11c-0.423-0.423-0.16-1.183,0.42-1.2c4.06-0.15,7.88,1.37,10.75,4.24c3.99,3.99,5.31,10,3.35,15.3    c-0.766,2.072,1.552,2.721,6.77,8.42c-0.1,0.1-7.03,7.04-6.93,6.94C187.559,148.389,181.063,141.893,181.44,142.27z     M190.91,166.88l-17.37,17.37c-0.27,0.27-0.72,0.27-1,0l-12.76-12.77c-0.1-0.1-0.17-0.23-0.2-0.37c-0.01-0.09-0.01-0.18,0-0.26    c0.03-0.14,0.1-0.27,0.2-0.37l17.37-17.37c0.18-0.18,0.39-0.21,0.5-0.21s0.32,0.03,0.5,0.21    C191.753,166.713,191.61,166.18,190.91,166.88z M207.68,154.63l1.01,1.01c0.55,0.56,1.37,0.74,2.1,0.47    c1.65-0.6,3.36-0.9,5.05-0.9c3.39,0,6.72,1.18,9.36,3.42c0.02,0.02,0.04,0.03,0.06,0.05c3.35,2.88,5.2,7.06,5.08,11.45    c-0.02,0.41-0.29,0.58-0.45,0.64c-0.17,0.07-0.48,0.13-0.77-0.16l-7.09-7.09c-0.89-0.89-2.07-1.38-3.33-1.38s-2.44,0.49-3.33,1.38    l-5.75,5.74c-0.89,0.89-1.38,2.07-1.38,3.33c0,1.26,0.49,2.44,1.38,3.33l7.1,7.1c0.31,0.3,0.21,0.65,0.16,0.79    c-0.07,0.18-0.23,0.41-0.57,0.42c-4.07,0.14-7.88-1.37-10.75-4.24c-3.99-3.99-5.31-10-3.35-15.31c0.27-0.73,0.09-1.55-0.46-2.1    l-3.95-3.95l-2.36-2.36c0.1-0.1,7.392-7.402,6.93-6.94L207.68,154.63z M188.37,157.67l-2.02-2.02    c4.014-4.005,21.565-21.565,21.67-21.67l2.02,2.02C208.94,137.1,189.235,156.805,188.37,157.67z M208.05,127.64l2.72-5.12    c0.05-0.09,0.12-0.17,0.2-0.23l11.57-8.68c0.273-0.228,0.692-0.186,0.92,0.06l6.89,6.89c0.25,0.25,0.28,0.65,0.07,0.93    c-9.316,12.355-8.662,11.617-8.92,11.76c-7.114,3.743-4.632,3.613-8.63-0.08C208.094,128.364,207.687,128.299,208.05,127.64z" id="XMLID_3585_"/><path class="st7" d="M252.83,129.35V15.88c0-3.86-3.14-7-7-7H10.17c-3.86,0-7,3.14-7,7v135.75c0,3.86,3.14,7,7,7    h86.25v56.83H68.83c-3.86,0-7,3.15-7,7v17.66c0,3.86,3.14,7,7,7h118.34c3.86,0,7-3.14,7-7v-17.66c0-3.85-3.14-7-7-7h-27.59v-16.92    c39.927,28.707,96.48,0.188,96.48-49.58C256.06,142.1,254.92,135.51,252.83,129.35z M10.17,154.63c-1.66,0-3-1.34-3-3V15.88    c0-1.66,1.34-3,3-3h235.66c1.66,0,3,1.34,3,3v104.29c-2.38-4.44-5.31-8.56-8.68-12.26v-80.9c0-3.86-3.15-7-7-7H22.85    c-3.85,0-7,3.14-7,7v113.5c0,3.86,3.15,7,7,7c10.691,0,100.39,0,111.23,0c-0.049,2.374,0.007,4.729,0.25,7.12    C102.811,154.63,33.596,154.63,10.17,154.63z M236.15,27.01v76.89c-37.178-33.889-97.393-10.501-101.84,39.61H22.85    c-1.65,0-3-1.35-3-3V27.01c0-1.66,1.35-3,3-3h210.3C234.8,24.01,236.15,25.35,236.15,27.01z M134.83,158.63    c2.34,14.65,9.92,27.57,20.75,36.78v20.05h-55.16v-56.83H134.83z M187.17,219.46c1.66,0,3,1.35,3,3v17.66c0,1.66-1.34,3-3,3H68.83    c-1.66,0-3-1.34-3-3v-17.66c0-1.65,1.34-3,3-3C90.224,219.46,174.271,219.46,187.17,219.46z M251.69,155.44    c-3.22,28.39-27.39,50.52-56.63,50.52c-33.247,0-59.886-28.572-56.74-62.45c4.842-50.847,70.141-70.452,101.83-29.38    c3.69,4.76,6.64,10.12,8.68,15.91c2.09,5.92,3.23,12.29,3.23,18.92C252.06,151.15,251.94,153.31,251.69,155.44z" id="XMLID_3658_"/></g></g></svg>


--------------------------------------------------------------------------------
/assets/icons/memory.svg:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" ?><svg data-name="Devices 1" height="60" id="Devices_1" viewBox="0 0 60 60" width="60" xmlns="http://www.w3.org/2000/svg"><title/><path d="M59,25.1008V13a2,2,0,0,0-2-2H3a2,2,0,0,0-2,2V25.1008A5.001,5.001,0,0,1,5,30a5.001,5.001,0,0,1-4,4.8992V47a2,2,0,0,0,2,2H8V45a2,2,0,0,1,4,0v4h6V45a2,2,0,0,1,4,0v4h6V45a2,2,0,0,1,4,0v4h6V45a2,2,0,0,1,4,0v4h6V45a2,2,0,0,1,4,0v4h5a2,2,0,0,0,2-2V34.8992a5.00027,5.00027,0,0,1,0-9.7984Z" style="fill:#89dbba"/><g style="opacity:0.5"><path d="M5,33a4.966,4.966,0,0,0-.24432-1.5A4.99622,4.99622,0,0,1,1,34.89917v3A5.001,5.001,0,0,0,5,33Z" style="fill:#fff"/><path d="M57,11H3a1.99994,1.99994,0,0,0-2,2v3a1.99994,1.99994,0,0,1,2-2H57a2,2,0,0,1,2,2V13A2,2,0,0,0,57,11Z" style="fill:#fff"/><path d="M55.24432,31.5A4.95488,4.95488,0,0,0,59,37.89917v-3A4.99622,4.99622,0,0,1,55.24432,31.5Z" style="fill:#fff"/></g><g style="opacity:0.2"><rect height="3" style="fill:#2c4b75" width="6" x="22" y="46"/><path d="M12,42a2,2,0,0,0-4,0v3a2,2,0,0,1,4,0Z" style="fill:#2c4b75"/><path d="M22,42a2,2,0,0,0-4,0v3a2,2,0,0,1,4,0Z" style="fill:#2c4b75"/><rect height="3" style="fill:#2c4b75" width="6" x="12" y="46"/><path d="M4.75568,28.5A4.96628,4.96628,0,0,0,5,27a5.001,5.001,0,0,0-4-4.89923v3A4.9964,4.9964,0,0,1,4.75568,28.5Z" style="fill:#2c4b75"/><path d="M1,44v3a1.99994,1.99994,0,0,0,2,2H8V46H3A1.99994,1.99994,0,0,1,1,44Z" style="fill:#2c4b75"/><path d="M55,27a4.96628,4.96628,0,0,0,.24432,1.5A4.9964,4.9964,0,0,1,59,25.10077v-3A5.001,5.001,0,0,0,55,27Z" style="fill:#2c4b75"/><path d="M52,42a2,2,0,0,0-4,0v3a2,2,0,0,1,4,0Z" style="fill:#2c4b75"/><path d="M32,42a2,2,0,0,0-4,0v3a2,2,0,0,1,4,0Z" style="fill:#2c4b75"/><rect height="3" style="fill:#2c4b75" width="6" x="42" y="46"/><path d="M57,46H52v3h5a2,2,0,0,0,2-2V44A2,2,0,0,1,57,46Z" style="fill:#2c4b75"/><rect height="3" style="fill:#2c4b75" width="6" x="32" y="46"/><path d="M42,42a2,2,0,0,0-4,0v3a2,2,0,0,1,4,0Z" style="fill:#2c4b75"/></g><rect height="18" style="fill:#9eb2cc" width="10" x="11" y="17"/><rect height="3" style="fill:#fff;opacity:0.5" width="10" x="10.99987" y="16.99983"/><rect height="18" style="fill:#9eb2cc" width="10" x="25" y="17"/><rect height="18" style="fill:#9eb2cc" width="10" x="39" y="17"/><rect height="3" style="fill:#2c4b75;opacity:0.2" width="10" x="10.99987" y="32"/><rect height="3" style="fill:#fff;opacity:0.5" width="10" x="25" y="16.99983"/><rect height="3" style="fill:#2c4b75;opacity:0.2" width="10" x="25" y="32"/><rect height="3" style="fill:#fff;opacity:0.5" width="10" x="39" y="16.99983"/><rect height="3" style="fill:#2c4b75;opacity:0.2" width="10" x="39" y="32"/><path d="M57,50H52a.99974.99974,0,0,1-1-1V45a1,1,0,0,0-2,0v4a.99974.99974,0,0,1-1,1H42a.99974.99974,0,0,1-1-1V45a1,1,0,0,0-2,0v4a.99974.99974,0,0,1-1,1H32a.99974.99974,0,0,1-1-1V45a1,1,0,0,0-2,0v4a.99974.99974,0,0,1-1,1H22a.99974.99974,0,0,1-1-1V45a1,1,0,0,0-2,0v4a.99974.99974,0,0,1-1,1H12a.99974.99974,0,0,1-1-1V45a1,1,0,0,0-2,0v4a.99974.99974,0,0,1-1,1H3a3.00328,3.00328,0,0,1-3-3V34.89941a1.00009,1.00009,0,0,1,.80078-.98A4.01053,4.01053,0,0,0,4,30,4.01053,4.01053,0,0,0,.80078,26.08057,1.00009,1.00009,0,0,1,0,25.10059V13a3.00328,3.00328,0,0,1,3-3H57a3.00328,3.00328,0,0,1,3,3V25.10059a1.00009,1.00009,0,0,1-.80078.98,4.0005,4.0005,0,0,0,0,7.83887,1.00009,1.00009,0,0,1,.80078.98V47A3.00328,3.00328,0,0,1,57,50Zm-4-2h4a1.001,1.001,0,0,0,1-1V35.65771a6.00122,6.00122,0,0,1,0-11.31543V13a1.001,1.001,0,0,0-1-1H3a1.001,1.001,0,0,0-1,1V24.34229A6.02207,6.02207,0,0,1,6,30a6.02207,6.02207,0,0,1-4,5.65771V47a1.001,1.001,0,0,0,1,1H7V45a3,3,0,0,1,6,0v3h4V45a3,3,0,0,1,6,0v3h4V45a3,3,0,0,1,6,0v3h4V45a3,3,0,0,1,6,0v3h4V45a3,3,0,0,1,6,0Zm6-22.89941h0Z" style="fill:#6d6daa"/><path d="M21,36H11a.99974.99974,0,0,1-1-1V17a.99974.99974,0,0,1,1-1H21a.99974.99974,0,0,1,1,1V35A.99974.99974,0,0,1,21,36Zm-9-2h8V18H12Z" style="fill:#6d6daa"/><path d="M35,36H25a.99974.99974,0,0,1-1-1V17a.99974.99974,0,0,1,1-1H35a.99974.99974,0,0,1,1,1V35A.99974.99974,0,0,1,35,36Zm-9-2h8V18H26Z" style="fill:#6d6daa"/><path d="M49,36H39a.99974.99974,0,0,1-1-1V17a.99974.99974,0,0,1,1-1H49a.99974.99974,0,0,1,1,1V35A.99974.99974,0,0,1,49,36Zm-9-2h8V18H40Z" style="fill:#6d6daa"/></svg>


--------------------------------------------------------------------------------
/assets/icons/misc.svg:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" ?><svg height="60" id="Basic_1" viewBox="0 0 60 60" width="60" xmlns="http://www.w3.org/2000/svg"><title/><path d="M50,55l-5-5-5,5-5-5-5,5-5-5-5,5-5-5-5,5V23A20,20,0,0,1,30,3h0A20,20,0,0,1,50,23Z" style="fill:#96d7ff"/><path d="M30,3c8.83655,0,16,8.95428,16,20V51l4,4V23A20,20,0,0,0,30,3Z" style="fill:#2c4b75;opacity:0.2"/><polygon points="28.75 53.333 30 55 29.25 50 28.75 53.333" style="fill:#96d7ff"/><polygon points="30.75 50 30 55 31.25 53.333 30.75 50" style="fill:#96d7ff"/><polygon points="27.5 51.667 28.125 52.5 27.75 50 27.5 51.667" style="fill:#96d7ff"/><path d="M15,23V50l5,5,5-5,2,2V23c0-11.04572,1.34314-20,3-20C21.7157,3,15,11.95429,15,23Z" style="fill:#fff;opacity:0.5"/><polygon points="31.875 52.5 32.5 51.667 32.25 50 31.875 52.5" style="fill:#96d7ff"/><path d="M40,52l-4.29289-4.29289a1,1,0,0,0-1.41421,0L30,52l-4.29289-4.29289a1,1,0,0,0-1.41421,0L20,52l-4.29289-4.29289a1,1,0,0,0-1.41421,0L10,52v3l5-5,5,5,5-5,5,5,5-5,5,5,5-5,5,5V52l-4.29289-4.29289a1,1,0,0,0-1.41421,0Z" style="fill:#2c4b75;opacity:0.2"/><path d="M30,3A20,20,0,0,0,10,23v3a20,20,0,1,1,40,0V23A20,20,0,0,0,30,3Z" style="fill:#fff;opacity:0.5"/><path d="M50,55l-5-5-5,5-5-5-5,5-5-5-5,5-5-5-5,5V23A20,20,0,0,1,30,3h0A20,20,0,0,1,50,23Z" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><path d="M38,29h0a2,2,0,0,1-2-2V21a2,2,0,0,1,2-2h0a2,2,0,0,1,2,2v6A2,2,0,0,1,38,29Z" style="fill:#fff"/><path d="M28,29h0a2,2,0,0,1-2-2V21a2,2,0,0,1,2-2h0a2,2,0,0,1,2,2v6A2,2,0,0,1,28,29Z" style="fill:#fff"/><path d="M38,19a1.99994,1.99994,0,0,0-2,2v3a2,2,0,0,1,4,0V21A1.99994,1.99994,0,0,0,38,19Z" style="fill:#2c4b75;opacity:0.2"/><path d="M28,29h0a2,2,0,0,1-2-2V21a2,2,0,0,1,2-2h0a2,2,0,0,1,2,2v6A2,2,0,0,1,28,29Z" style="fill:#fff"/><path d="M28,19a1.99994,1.99994,0,0,0-2,2v3a2,2,0,0,1,4,0V21A1.99994,1.99994,0,0,0,28,19Z" style="fill:#2c4b75;opacity:0.2"/><path d="M38,29h0a2,2,0,0,1-2-2V21a2,2,0,0,1,2-2h0a2,2,0,0,1,2,2v6A2,2,0,0,1,38,29Z" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><path d="M28,29h0a2,2,0,0,1-2-2V21a2,2,0,0,1,2-2h0a2,2,0,0,1,2,2v6A2,2,0,0,1,28,29Z" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/></svg>


--------------------------------------------------------------------------------
/assets/icons/object-handles.svg:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" ?><svg height="60" id="Basic_2" viewBox="0 0 60 60" width="60" xmlns="http://www.w3.org/2000/svg"><title/><path d="M57,33.7242V26.2758L50.59561,24.141a21.28166,21.28166,0,0,0-1.8893-4.5619l3.019-6.0376-5.2668-5.2668-6.0376,3.019A21.27141,21.27141,0,0,0,35.859,9.4044L33.72421,3h-7.4484L24.141,9.4044a21.27152,21.27152,0,0,0-4.56191,1.8893l-6.0376-3.019-5.2668,5.2668,3.019,6.0376a21.27147,21.27147,0,0,0-1.8893,4.5619L3,26.2758v7.4484L9.40441,35.859a21.27147,21.27147,0,0,0,1.8893,4.5619l-3.019,6.0376,5.2668,5.2668,6.0376-3.019A21.27152,21.27152,0,0,0,24.141,50.5956L26.27581,57h7.4484L35.859,50.5956a21.27141,21.27141,0,0,0,4.56189-1.8893l6.0376,3.019,5.2668-5.2668-3.019-6.0376a21.28166,21.28166,0,0,0,1.8893-4.5619Z" style="fill:#ced8ee"/><path d="M48.7063,37.4209l.751,1.50183A21.31017,21.31017,0,0,0,50.59558,35.859L57,33.72418v-3L50.59558,32.859A21.2806,21.2806,0,0,1,48.7063,37.4209Z" style="fill:#2c4b75;opacity:0.2"/><path d="M46.4585,48.72528l-6.0376-3.019A21.2718,21.2718,0,0,1,35.859,47.59558L33.72418,54H26.27582L24.141,47.59558A21.27309,21.27309,0,0,1,19.5791,45.7063l-6.0376,3.019L9.27478,44.45856,8.27472,46.4585l5.26678,5.26678,6.0376-3.019A21.27309,21.27309,0,0,0,24.141,50.59558L26.27582,57h7.44836L35.859,50.59558A21.2718,21.2718,0,0,0,40.4209,48.7063l6.0376,3.019,5.26678-5.26678-1.00006-1.99994Z" style="fill:#2c4b75;opacity:0.2"/><path d="M10.54272,38.92273l.751-1.50183A21.27438,21.27438,0,0,1,9.40442,32.859L3,30.72418v3L9.40442,35.859A21.31017,21.31017,0,0,0,10.54272,38.92273Z" style="fill:#2c4b75;opacity:0.2"/><path d="M11.2937,22.5791l-.751-1.50183A21.30747,21.30747,0,0,0,9.40442,24.141L3,26.27576v3L9.40442,27.141A21.2718,21.2718,0,0,1,11.2937,22.5791Z" style="fill:#fff;opacity:0.5"/><path d="M13.5415,11.27466l6.0376,3.019A21.27016,21.27016,0,0,1,24.141,12.40436L26.27582,6h7.44836L35.859,12.40436A21.26887,21.26887,0,0,1,40.4209,14.2937l6.0376-3.019,4.26672,4.26678,1.00006-1.99994L46.4585,8.27466l-6.0376,3.019A21.26887,21.26887,0,0,0,35.859,9.40436L33.72418,3H26.27582L24.141,9.40436A21.27016,21.27016,0,0,0,19.5791,11.2937l-6.0376-3.019L8.27472,13.5415l1.00006,1.99994Z" style="fill:#fff;opacity:0.5"/><path d="M50.59558,24.141a21.30747,21.30747,0,0,0-1.13831-3.06372l-.751,1.50183A21.278,21.278,0,0,1,50.59558,27.141L57,29.27576v-3Z" style="fill:#fff;opacity:0.5"/><circle cx="30.00002" cy="30" r="15" style="fill:#d4edff"/><path d="M30,42A15.00077,15.00077,0,0,1,15.07574,28.5C15.02673,28.99353,15,29.49359,15,30a15,15,0,0,0,30,0c0-.50641-.02673-1.00647-.07574-1.5A15.00077,15.00077,0,0,1,30,42Z" style="fill:#2c4b75;opacity:0.2"/><path d="M30,18A15.00077,15.00077,0,0,1,44.92426,31.5c.049-.49353.07574-.99359.07574-1.5a15,15,0,0,0-30,0c0,.50641.02673,1.00647.07574,1.5A15.00077,15.00077,0,0,1,30,18Z" style="fill:#fff;opacity:0.5"/><path d="M57,33.7242V26.2758L50.59561,24.141a21.28166,21.28166,0,0,0-1.8893-4.5619l3.019-6.0376-5.2668-5.2668-6.0376,3.019A21.27141,21.27141,0,0,0,35.859,9.4044L33.72421,3h-7.4484L24.141,9.4044a21.27152,21.27152,0,0,0-4.56191,1.8893l-6.0376-3.019-5.2668,5.2668,3.019,6.0376a21.27147,21.27147,0,0,0-1.8893,4.5619L3,26.2758v7.4484L9.40441,35.859a21.27147,21.27147,0,0,0,1.8893,4.5619l-3.019,6.0376,5.2668,5.2668,6.0376-3.019A21.27152,21.27152,0,0,0,24.141,50.5956L26.27581,57h7.4484L35.859,50.5956a21.27141,21.27141,0,0,0,4.56189-1.8893l6.0376,3.019,5.2668-5.2668-3.019-6.0376a21.28166,21.28166,0,0,0,1.8893-4.5619Z" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><circle cx="30.00002" cy="30" r="15" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><path d="M30,28.30769,32.17564,19.757a.65593.65593,0,0,0-1.22611-.40469L22.48907,30.54026a.76273.76273,0,0,0,.56137,1.16027l6.18151-.00822L26.97823,40.243a.65593.65593,0,0,0,1.22611.40469l9.30661-11.20514a.76273.76273,0,0,0-.56137-1.16027Z" style="fill:#fff27d;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px" x1="19.00011" x2="19.00011" y1="30.03" y2="30"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px" x1="41.00011" x2="41.00011" y1="30.03" y2="30"/></svg>


--------------------------------------------------------------------------------
/assets/icons/timing.svg:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" ?><svg height="60" id="Basic_2" viewBox="0 0 60 60" width="60" xmlns="http://www.w3.org/2000/svg"><title/><path d="M24,56.7173a23,23,0,1,0,0-41.4346" style="fill:#eef6ff"/><path d="M34,56a22.90689,22.90689,0,0,1-10-2.28271v3A23.00838,23.00838,0,0,0,57,36c0-.50446-.022-1.0036-.054-1.5A22.99747,22.99747,0,0,1,34,56Z" style="fill:#2c4b75;opacity:0.2"/><path d="M56.94606,37.5c.032-.4964.054-.99554.054-1.5A23.00838,23.00838,0,0,0,24,15.28271v3A23.00455,23.00455,0,0,1,56.94606,37.5Z" style="fill:#fff;opacity:0.75"/><path d="M24,52.1337a19,19,0,1,0,0-32.2674" style="fill:#d4edff"/><circle cx="34.00002" cy="36" r="2" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px" x1="41.77822" x2="30.46452" y1="28.2218" y2="39.5355"/><path d="M31.75417,17.14435c-.39563.04669-.78638.10858-1.17419.1792-.187.03448-.37659.06158-.56158.10162-.4657.09937-.92291.22083-1.37524.35364-.30487.09052-.60437.1933-.90271.29852q-.246.086-.48871.17883a19.19156,19.19156,0,0,0-3.24915,1.60864L24,19.86633v2.98938A18.97146,18.97146,0,0,1,52.92427,37.5C52.96315,37.0036,53,36.50641,53,36A19,19,0,0,0,34,17c-.57715,0-1.14545.03595-1.70947.0863C32.11086,17.1026,31.93233,17.123,31.75417,17.14435Z" style="fill:#2c4b75;opacity:0.2"/><path d="M24,45.75989V50.0025L49.27187,24.73065v-.00006q-.43643-.59042-.9118-1.14783c-.05542-.06409-.11456-.12469-.17084-.188-.28369-.32361-.57275-.6424-.87994-.94415Z" style="fill:#fff;opacity:0.5"/><path d="M31.75417,17.14435c-.39563.04669-.78638.10858-1.17419.1792-.187.03448-.37659.06158-.56158.10162-.4657.09937-.92291.22083-1.37524.35364-.30487.09052-.60437.1933-.90271.29852q-.246.086-.48871.17883a19.19156,19.19156,0,0,0-3.24915,1.60864L24,19.86633V41.51727L44.99458,20.52271c-.34033-.24225-.6922-.469-1.04846-.68909-.09534-.05878-.19073-.11731-.28717-.17444-.338-.20074-.68164-.39313-1.03265-.57324-.11951-.061-.24225-.11633-.36322-.17493a18.92844,18.92844,0,0,0-1.83014-.77026c-.19781-.07129-.39111-.15173-.59186-.21661-.24957-.08124-.50653-.14539-.7605-.21637-.30511-.08459-.61078-.16748-.92181-.237-.23315-.05261-.46875-.09821-.70514-.14209q-.54822-.1008-1.10736-.169c-.197-.0246-.39276-.05267-.59167-.07111C35.1761,17.03552,34.59236,17,34,17c-.57715,0-1.14545.03595-1.70947.0863C32.11086,17.1026,31.93233,17.123,31.75417,17.14435Z" style="fill:#fff;opacity:0.5"/><path d="M24,56.7173a23,23,0,1,0,0-41.4346" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><path d="M24,52.1337a19,19,0,1,0,0-32.2674" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><circle cx="34.00002" cy="7" r="6" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="34.00002" x2="34.00002" y1="21" y2="21"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="34.00002" x2="34.00002" y1="51" y2="51"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="49.00002" x2="49.00002" y1="36" y2="36"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="26.50002" x2="26.50002" y1="23.0096" y2="23.0096"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="41.50002" x2="41.50002" y1="48.9904" y2="48.9904"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="46.99042" x2="46.99042" y1="28.5" y2="28.5"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="46.99042" x2="46.99042" y1="43.5" y2="43.5"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="41.50002" x2="41.50002" y1="23.0096" y2="23.0096"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="26.50002" x2="26.50002" y1="48.9904" y2="48.9904"/><polyline points="33 13 33 8 35 8 35 13" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px"/><rect height="5.65685" style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px" transform="translate(4.29542 43.37007) rotate(-45)" width="1.41421" x="53.79291" y="13.67157"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px" x1="54.00002" x2="50.72922" y1="17" y2="20.2708"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="19.00002" x2="20.00002" y1="20" y2="20"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="14.00002" x2="20.00002" y1="28" y2="28"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="17.00002" x2="20.00002" y1="24" y2="24"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="9.99999" x2="20.00002" y1="52" y2="52"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="11.00002" x2="20.00002" y1="32" y2="32"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="0.99998" x2="20.00002" y1="44" y2="44"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="5.99999" x2="20.00002" y1="48" y2="48"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="3.99999" x2="20.00002" y1="40" y2="40"/><line style="fill:none;stroke:#6d6daa;stroke-linecap:round;stroke-linejoin:round;stroke-width:2px;opacity:0.5" x1="6.99999" x2="20.00002" y1="36" y2="36"/></svg>


--------------------------------------------------------------------------------
/assets/images/CPR_Logo_transparent.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CheckPointSW/Anti-Debug-DB/289d3cd9b0c37450f90d14891ba1625f4b0d97ff/assets/images/CPR_Logo_transparent.png


--------------------------------------------------------------------------------
/assets/images/cpr_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CheckPointSW/Anti-Debug-DB/289d3cd9b0c37450f90d14891ba1625f4b0d97ff/assets/images/cpr_logo.png


--------------------------------------------------------------------------------
/assets/images/cpr_logo_big.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CheckPointSW/Anti-Debug-DB/289d3cd9b0c37450f90d14891ba1625f4b0d97ff/assets/images/cpr_logo_big.png


--------------------------------------------------------------------------------
/assets/images/cpr_logo_small.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CheckPointSW/Anti-Debug-DB/289d3cd9b0c37450f90d14891ba1625f4b0d97ff/assets/images/cpr_logo_small.png


--------------------------------------------------------------------------------
/assets/images/dbgbreakpoint.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CheckPointSW/Anti-Debug-DB/289d3cd9b0c37450f90d14891ba1625f4b0d97ff/assets/images/dbgbreakpoint.png


--------------------------------------------------------------------------------
/assets/images/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CheckPointSW/Anti-Debug-DB/289d3cd9b0c37450f90d14891ba1625f4b0d97ff/assets/images/favicon.ico


--------------------------------------------------------------------------------
/assets/js/search-script.js:
--------------------------------------------------------------------------------
  1 | /*!
  2 |   * Simple-Jekyll-Search v1.7.2 (https://github.com/christian-fei/Simple-Jekyll-Search)
  3 |   * Copyright 2015-2018, Christian Fei
  4 |   * Licensed under the MIT License.
  5 |   */
  6 | 
  7 |  (function(){
  8 |   /* globals ActiveXObject:false */
  9 |   
 10 |   'use strict'
 11 |   
 12 |   var _$JSONLoader_2 = {
 13 |     load: load
 14 |   }
 15 |   
 16 |   function load (location, callback) {
 17 |     var xhr = getXHR()
 18 |     xhr.open('GET', location, true)
 19 |     xhr.onreadystatechange = createStateChangeListener(xhr, callback)
 20 |     xhr.send()
 21 |   }
 22 |   
 23 |   function createStateChangeListener (xhr, callback) {
 24 |     return function () {
 25 |       if (xhr.readyState === 4 && xhr.status === 200) {
 26 |         try {
 27 |           callback(null, JSON.parse(xhr.responseText))
 28 |         } catch (err) {
 29 |           callback(err, null)
 30 |         }
 31 |       }
 32 |     }
 33 |   }
 34 |   
 35 |   function getXHR () {
 36 |     return window.XMLHttpRequest ? new window.XMLHttpRequest() : new ActiveXObject('Microsoft.XMLHTTP')
 37 |   }
 38 |   
 39 |   'use strict'
 40 |   
 41 |   var _$OptionsValidator_3 = function OptionsValidator (params) {
 42 |     if (!validateParams(params)) {
 43 |       throw new Error('-- OptionsValidator: required options missing')
 44 |     }
 45 |   
 46 |     if (!(this instanceof OptionsValidator)) {
 47 |       return new OptionsValidator(params)
 48 |     }
 49 |   
 50 |     var requiredOptions = params.required
 51 |   
 52 |     this.getRequiredOptions = function () {
 53 |       return requiredOptions
 54 |     }
 55 |   
 56 |     this.validate = function (parameters) {
 57 |       var errors = []
 58 |       requiredOptions.forEach(function (requiredOptionName) {
 59 |         if (typeof parameters[requiredOptionName] === 'undefined') {
 60 |           errors.push(requiredOptionName)
 61 |         }
 62 |       })
 63 |       return errors
 64 |     }
 65 |   
 66 |     function validateParams (params) {
 67 |       if (!params) {
 68 |         return false
 69 |       }
 70 |       return typeof params.required !== 'undefined' && params.required instanceof Array
 71 |     }
 72 |   }
 73 |   
 74 |   'use strict';
 75 |   
 76 |   function fuzzysearch (needle, haystack) {
 77 |     var tlen = haystack.length;
 78 |     var qlen = needle.length;
 79 |     if (qlen > tlen) {
 80 |       return false;
 81 |     }
 82 |     if (qlen === tlen) {
 83 |       return needle === haystack;
 84 |     }
 85 |     outer: for (var i = 0, j = 0; i < qlen; i++) {
 86 |       var nch = needle.charCodeAt(i);
 87 |       while (j < tlen) {
 88 |         if (haystack.charCodeAt(j++) === nch) {
 89 |           continue outer;
 90 |         }
 91 |       }
 92 |       return false;
 93 |     }
 94 |     return true;
 95 |   }
 96 |   
 97 |   var _$fuzzysearch_1 = fuzzysearch;
 98 |   
 99 |   'use strict'
100 |   
101 |   /* removed: var _$fuzzysearch_1 = require('fuzzysearch') */;
102 |   
103 |   var _$FuzzySearchStrategy_5 = new FuzzySearchStrategy()
104 |   
105 |   function FuzzySearchStrategy () {
106 |     this.matches = function (string, crit) {
107 |       return _$fuzzysearch_1(crit.toLowerCase(), string.toLowerCase())
108 |     }
109 |   }
110 |   
111 |   'use strict'
112 |   
113 |   var _$LiteralSearchStrategy_6 = new LiteralSearchStrategy()
114 |   
115 |   function LiteralSearchStrategy () {
116 |     this.matches = function (str, crit) {
117 |       if (!str) return false
118 |   
119 |       str = str.trim().toLowerCase()
120 |       crit = crit.trim().toLowerCase()
121 |   
122 |       return crit.split(' ').filter(function (word) {
123 |         return str.indexOf(word) >= 0
124 |       }).length === crit.split(' ').length
125 |     }
126 |   }
127 |   
128 |   'use strict'
129 |   
130 |   var _$Repository_4 = {
131 |     put: put,
132 |     clear: clear,
133 |     search: search,
134 |     setOptions: setOptions
135 |   }
136 |   
137 |   /* removed: var _$FuzzySearchStrategy_5 = require('./SearchStrategies/FuzzySearchStrategy') */;
138 |   /* removed: var _$LiteralSearchStrategy_6 = require('./SearchStrategies/LiteralSearchStrategy') */;
139 |   
140 |   function NoSort () {
141 |     return 0
142 |   }
143 |   
144 |   var data = []
145 |   var opt = {}
146 |   
147 |   opt.fuzzy = false
148 |   opt.limit = 10
149 |   opt.searchStrategy = opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
150 |   opt.sort = NoSort
151 |   
152 |   function put (data) {
153 |     if (isObject(data)) {
154 |       return addObject(data)
155 |     }
156 |     if (isArray(data)) {
157 |       return addArray(data)
158 |     }
159 |     return undefined
160 |   }
161 |   function clear () {
162 |     data.length = 0
163 |     return data
164 |   }
165 |   
166 |   function isObject (obj) {
167 |     return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Object]'
168 |   }
169 |   
170 |   function isArray (obj) {
171 |     return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Array]'
172 |   }
173 |   
174 |   function addObject (_data) {
175 |     data.push(_data)
176 |     return data
177 |   }
178 |   
179 |   function addArray (_data) {
180 |     var added = []
181 |     clear()
182 |     for (var i = 0, len = _data.length; i < len; i++) {
183 |       if (isObject(_data[i])) {
184 |         added.push(addObject(_data[i]))
185 |       }
186 |     }
187 |     return added
188 |   }
189 |   
190 |   function search (crit) {
191 |     if (!crit) {
192 |       return []
193 |     }
194 |     return findMatches(data, crit, opt.searchStrategy, opt).sort(opt.sort)
195 |   }
196 |   
197 |   function setOptions (_opt) {
198 |     opt = _opt || {}
199 |   
200 |     opt.fuzzy = _opt.fuzzy || false
201 |     opt.limit = _opt.limit || 10
202 |     opt.searchStrategy = _opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
203 |     opt.sort = _opt.sort || NoSort
204 |   }
205 |   
206 |   function findMatches (data, crit, strategy, opt) {
207 |     var matches = []
208 |     for (var i = 0; i < data.length && matches.length < opt.limit; i++) {
209 |       var match = findMatchesInObject(data[i], crit, strategy, opt)
210 |       if (match) {
211 |         matches.push(match)
212 |       }
213 |     }
214 |     return matches
215 |   }
216 |   
217 |   function findMatchesInObject (obj, crit, strategy, opt) {
218 |     for (var key in obj) {
219 |       if (!isExcluded(obj[key], opt.exclude) && strategy.matches(obj[key], crit)) {
220 |         return obj
221 |       }
222 |     }
223 |   }
224 |   
225 |   function isExcluded (term, excludedTerms) {
226 |     var excluded = false
227 |     excludedTerms = excludedTerms || []
228 |     for (var i = 0, len = excludedTerms.length; i < len; i++) {
229 |       var excludedTerm = excludedTerms[i]
230 |       if (!excluded && new RegExp(term).test(excludedTerm)) {
231 |         excluded = true
232 |       }
233 |     }
234 |     return excluded
235 |   }
236 |   
237 |   'use strict'
238 |   
239 |   var _$Templater_7 = {
240 |     compile: compile,
241 |     setOptions: __setOptions_7
242 |   }
243 |   
244 |   var options = {}
245 |   options.pattern = /\{(.*?)\}/g
246 |   options.template = ''
247 |   options.middleware = function () {}
248 |   
249 |   function __setOptions_7 (_options) {
250 |     options.pattern = _options.pattern || options.pattern
251 |     options.template = _options.template || options.template
252 |     if (typeof _options.middleware === 'function') {
253 |       options.middleware = _options.middleware
254 |     }
255 |   }
256 |   
257 |  function htmlDecode(input){
258 |     var e = document.createElement('div');
259 |     e.innerHTML = input;
260 |     return e.childNodes.length === 0 ? "" : e.childNodes[0].nodeValue;
261 |   }
262 | 
263 | 
264 |   function compile (data) {
265 |     return options.template.replace(options.pattern, function (match, prop) {
266 |       var value = options.middleware(prop, data[prop], options.template)
267 |       if (typeof value !== 'undefined') {
268 |         return value
269 |       }
270 |       if (prop == 'content') {
271 |         return(htmlDecode(data[prop]))  || match
272 |       }
273 |       return data[prop] || match
274 |     })
275 |   }
276 |   
277 |   'use strict'
278 |   
279 |   var _$utils_9 = {
280 |     merge: merge,
281 |     isJSON: isJSON
282 |   }
283 |   
284 |   function merge (defaultParams, mergeParams) {
285 |     var mergedOptions = {}
286 |     for (var option in defaultParams) {
287 |       mergedOptions[option] = defaultParams[option]
288 |       if (typeof mergeParams[option] !== 'undefined') {
289 |         mergedOptions[option] = mergeParams[option]
290 |       }
291 |     }
292 |     return mergedOptions
293 |   }
294 |   
295 |   function isJSON (json) {
296 |     try {
297 |       if (json instanceof Object && JSON.parse(JSON.stringify(json))) {
298 |         return true
299 |       }
300 |       return false
301 |     } catch (err) {
302 |       return false
303 |     }
304 |   }
305 |   
306 |   var _$src_8 = {};
307 |   (function (window) {
308 |     'use strict'
309 |   
310 |     var options = {
311 |       searchInput: null,
312 |       resultsContainer: null,
313 |       json: [],
314 |       success: Function.prototype,
315 |       searchResultTemplate:'<div class="wrap-collabsible"><input id="collapsible{id}" class="toggle" type="checkbox"><label for="collapsible{id}" class="lbl-toggle odd"> <div class="container"> <div class="row"> <div class="col-md-6 first"> <a class="post-title" href="{url}" > {title} </a> </div> <div class="col-md-4"> {category} </div> <div class="col-md-2"> {year} </div> </div> </div></label><div class="collapsible-content"> <div class="content-inner"> {content} <div class="posted"> posted on <span class="posted-on"> {date} </span> <span class="in"> in </span> <span class="categories-on"> {category} </span> </div> </div> </div></div>',
316 |       templateMiddleware: Function.prototype,
317 |       sortMiddleware: function () {
318 |         return 0
319 |       },
320 |       noResultsText: 'No results found',
321 |       limit: 10,
322 |       fuzzy: false,
323 |       exclude: []
324 |     }
325 |   
326 |     var requiredOptions = ['searchInput', 'resultsContainer', 'json']
327 |   
328 |     /* removed: var _$Templater_7 = require('./Templater') */;
329 |     /* removed: var _$Repository_4 = require('./Repository') */;
330 |     /* removed: var _$JSONLoader_2 = require('./JSONLoader') */;
331 |     var optionsValidator = _$OptionsValidator_3({
332 |       required: requiredOptions
333 |     })
334 |     /* removed: var _$utils_9 = require('./utils') */;
335 |   
336 |     window.SimpleJekyllSearch = function (_options) {
337 |       var errors = optionsValidator.validate(_options)
338 |       if (errors.length > 0) {
339 |         throwError('You must specify the following required options: ' + requiredOptions)
340 |       }
341 |   
342 |       options = _$utils_9.merge(options, _options)
343 |   
344 |       _$Templater_7.setOptions({
345 |         template: options.searchResultTemplate,
346 |         middleware: options.templateMiddleware
347 |       })
348 |   
349 |       _$Repository_4.setOptions({
350 |         fuzzy: options.fuzzy,
351 |         limit: options.limit,
352 |         sort: options.sortMiddleware
353 |       })
354 |   
355 |       if (_$utils_9.isJSON(options.json)) {
356 |         initWithJSON(options.json)
357 |       } else {
358 |         initWithURL(options.json)
359 |       }
360 |   
361 |       return {
362 |         search: search
363 |       }
364 |     }
365 |   
366 |     function initWithJSON (json) {
367 |       options.success(json)
368 |       _$Repository_4.put(json)
369 |       registerInput()
370 |     }
371 |   
372 |     function initWithURL (url) {
373 |       _$JSONLoader_2.load(url, function (err, json) {
374 |         if (err) {
375 |           throwError('failed to get JSON (' + url + ')')
376 |         }
377 |         initWithJSON(json)
378 |       })
379 |     }
380 |   
381 |     function emptyResultsContainer () {
382 |       options.resultsContainer.innerHTML = ''
383 |     }
384 |   
385 |     function appendToResultsContainer (text) {
386 |       options.resultsContainer.innerHTML += text
387 |     }
388 |   
389 |     function registerInput () {
390 |       options.searchInput.addEventListener('keyup', function (e) {
391 |         if (isWhitelistedKey(e.which)) {
392 |           emptyResultsContainer()
393 |           search(e.target.value)
394 |         }
395 |       })
396 |     }
397 |   
398 |     function search (query) {
399 |       if (isValidQuery(query)) {
400 |         emptyResultsContainer()
401 |         render(_$Repository_4.search(query), query)
402 |       }
403 |     }
404 |   
405 |     function render (results, query) {
406 |       var len = results.length
407 |       if (len === 0) {
408 |         return appendToResultsContainer(options.noResultsText)
409 |       }
410 |       for (var i = 0; i < len; i++) {
411 |         results[i].query = query
412 |         appendToResultsContainer(_$Templater_7.compile(results[i]))
413 |       }
414 |     }
415 |   
416 |     function isValidQuery (query) {
417 |       return query && query.length > 0
418 |     }
419 |   
420 |     function isWhitelistedKey (key) {
421 |       return [13, 16, 20, 37, 38, 39, 40, 91].indexOf(key) === -1
422 |     }
423 |   
424 |     function throwError (message) {
425 |       throw new Error('SimpleJekyllSearch --- ' + message)
426 |     }
427 |   })(window)
428 |   
429 |   }());
430 |   


--------------------------------------------------------------------------------
/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CheckPointSW/Anti-Debug-DB/289d3cd9b0c37450f90d14891ba1625f4b0d97ff/favicon.ico


--------------------------------------------------------------------------------
/feed.xml:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: null
 3 | ---
 4 | <?xml version="1.0" encoding="UTF-8"?>
 5 | <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
 6 |   <channel>
 7 |     <title>{{ site.title | xml_escape }}</title>
 8 |     <description>{{ site.description | xml_escape }}</description>
 9 |     <link>{{ site.url }}{{ site.baseurl }}/</link>
10 |     <atom:link href="{{ "/feed.xml" | prepend: site.baseurl | prepend: site.url }}" rel="self" type="application/rss+xml"/>
11 |     <pubDate>{{ site.time | date_to_rfc822 }}</pubDate>
12 |     <lastBuildDate>{{ site.time | date_to_rfc822 }}</lastBuildDate>
13 |     <generator>Jekyll v{{ jekyll.version }}</generator>
14 |     {% for post in site.posts limit:10 %}
15 |       <item>
16 |         <title>{{ post.title | xml_escape }}</title>
17 |         <description>{{ post.content | xml_escape }}</description>
18 |         <pubDate>{{ post.date | date_to_rfc822 }}</pubDate>
19 |         <link>{{ post.url | prepend: site.baseurl | prepend: site.url }}</link>
20 |         <guid isPermaLink="true">{{ post.url | prepend: site.baseurl | prepend: site.url }}</guid>
21 |         {% for tag in post.tags %}
22 |         <category>{{ tag | xml_escape }}</category>
23 |         {% endfor %}
24 |         {% for cat in post.techniques %}
25 |         <category>{{ cat | xml_escape }}</category>
26 |         {% endfor %}
27 |       </item>
28 |     {% endfor %}
29 |   </channel>
30 | </rss>
31 | 


--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
  1 | ---
  2 | layout: main
  3 | ---
  4 | 
  5 | <head>
  6 | <style>
  7 | body {
  8 |    min-width:380px;
  9 | }
 10 | 
 11 | .flex-top {
 12 |   display: flex;
 13 |   align-items: center;
 14 |   justify-content: center;
 15 | }
 16 | 
 17 | .flex-container {
 18 |   display: -webkit-box;
 19 |   display: -moz-box;
 20 |   display: -ms-flexbox;
 21 |   display: -webkit-flex;
 22 |   display: inline-flex;
 23 |   flex-wrap: wrap;
 24 |   align-content: space-around;
 25 |   align-items: center;
 26 |   justify-content: space-evenly;
 27 |   max-width: 800px;
 28 | }
 29 | 
 30 | .flex-container > div {
 31 |   flex: 0 0 25%;
 32 |   text-align: center;
 33 |   margin-bottom: 30px;
 34 |   display: grid;
 35 | }
 36 | 
 37 | .outer-img-pink {
 38 |     height: 120px;
 39 |     width: 120px;
 40 |     display: inline-flex;
 41 |     background-color: rgb(255,86,136);
 42 |     padding: 10px;
 43 |     border: 0px;
 44 | }
 45 | .outer-img-pink:hover {
 46 |     height: 120px;
 47 |     width: 120px;
 48 |     display: inline-flex;
 49 |     background-color: rgb(255,86,136);
 50 |     padding: 10px;
 51 |     border: 0px;
 52 | }
 53 | 
 54 | .outer-img-grey {
 55 |     height: 120px;
 56 |     width: 120px;
 57 |     display: inline-flex;
 58 |     background-color: rgb(159,159,159);
 59 |     padding: 10px;
 60 |     border: 0px;
 61 | }
 62 | .outer-img-grey:hover {
 63 |     height: 120px;
 64 |     width: 120px;
 65 |     display: inline-flex;
 66 |     background-color: rgb(159,159,159);
 67 |     padding: 10px;
 68 |     border: 0px;
 69 | }
 70 | 
 71 | .inner-img {
 72 |     width: 100px;
 73 |     height: 100px;
 74 |     display: inline-flex;
 75 |     background-size: 100px 100px;
 76 | }
 77 | .inner-img-grey {
 78 |     width: 100px;
 79 |     height: 100px;
 80 |     display: inline-flex;
 81 |     background-size: 100px 100px;
 82 | }
 83 | 
 84 | .grey-text {
 85 |   color: darkgrey;
 86 |   display: block;
 87 | }
 88 | 
 89 | .icon {
 90 |   min-width: 180px;
 91 |   height: 140px;
 92 | }
 93 | 
 94 | </style>
 95 | </head>
 96 | 
 97 | <body>
 98 | 
 99 | <section>
100 |   <div class="jumbotron">
101 |     <div class="container logo">
102 |       <img src="assets/images/CPR_Logo_transparent.png" width="165px" />
103 |       <span class="title">{{site.description}}</span>
104 |     </div>
105 | </div>
106 | </section>
107 | 
108 | <br />
109 | <br />
110 | 
111 | <div class="flex-top">
112 |   <div class="flex-container" style="justify-content: center;">
113 | 
114 |     <!-- first row -->
115 | 
116 |     <div class="icon">
117 |       <div>
118 |         <span class="outer-img-pink">
119 |           <a class="a-active" href="techniques/debug-flags.html" >
120 |             <span class="inner-img" style='background-image:url("assets/icons/debug_flags.svg")' />
121 |           </a>
122 |         </span>
123 |       <a class="a-active" href="techniques/debug-flags.html">Debug Flags</a>
124 |      </div>
125 |     </div>
126 | 
127 |     <div class="icon">
128 |       <div>
129 |         <span class="outer-img-pink">
130 |           <a class="a-active" href="techniques/object-handles.html" >
131 |             <span class="inner-img" style='background-image:url("assets/icons/object-handles.svg")' />
132 |           </a>
133 |         </span>
134 |         <a class="a-active" href="techniques/object-handles.html">Object Handles</a>
135 |       </div>
136 |     </div>
137 | 
138 |     <div class="icon">
139 |       <div>
140 |         <span class="outer-img-pink">
141 |           <a class="a-active" href="techniques/exceptions.html" >
142 |             <span class="inner-img" style='background-image:url("assets/icons/exceptions.svg")' />
143 |           </a>
144 |         </span>
145 |         <a class="a-active" href="techniques/exceptions.html">Exceptions</a>
146 |       </div>
147 |     </div>
148 | 
149 |     <div class="icon">
150 |       <div>
151 |         <span class="outer-img-pink">
152 |           <a class="a-active" href="techniques/timing.html">
153 |             <span class="inner-img" style='background-image:url("assets/icons/timing.svg")' />
154 |           </a>
155 |         </span>
156 |       <a class="a-active" href="techniques/timing.html">Timing</a>
157 |       </div>
158 |     </div>
159 | 
160 |     <!-- second row -->
161 | 
162 |     <div class="icon">
163 |       <font>
164 |         <span class="outer-img-pink">
165 |           <a class="a-active" href="techniques/process-memory.html">
166 |             <span class="inner-img" style='background-image:url("assets/icons/memory.svg")' />
167 |           </a>
168 |         </span>
169 |       </font>
170 |       <a class="a-active" href="techniques/process-memory.html">Process Memory</a>
171 |     </div>
172 |     <div class="icon">
173 |       <font>
174 |         <span class="outer-img-pink">
175 |           <a class="a-active" href="techniques/assembly.html">
176 |             <span class="inner-img" style='background-image:url("assets/icons/assembly.svg")' />
177 |           </a>
178 |         </span>
179 |       </font>
180 |       <a class="a-active" href="techniques/assembly.html">Assembly instructions</a>
181 |     </div>
182 |     <div class="icon">
183 |       <font>
184 |         <span class="outer-img-pink">
185 |           <a class="a-active" href="techniques/interactive.html">
186 |             <span class="inner-img" style='background-image:url("assets/icons/interactive.svg")' />
187 |           </a>
188 |         </span>
189 |       </font>
190 |       <a class="a-active" href="techniques/interactive.html">Interactive Checks</a>
191 |     </div>
192 |     <div class="icon">
193 |       <font>
194 |         <span class="outer-img-pink">
195 |           <a class="a-active" href="techniques/misc.html">
196 |             <span class="inner-img" style='background-image:url("assets/icons/misc.svg")' />
197 |           </a>
198 |         </span>
199 |       </font>
200 |       <a class="a-active" href="techniques/misc.html">Misc</a>
201 |     </div>
202 | 
203 |   </div>
204 | </div>
205 | 
206 | <br />
207 | 
208 | </body>
209 | 


--------------------------------------------------------------------------------