Code-Checksums

From aldeid

Description

One way to detect the presence of a debugger, used by some malware, is to verify the checksum of a section of code. If software breakpoints (INT3) have been placed in this region, they modify the code and hence the checksum of the region.

The checksum is usually computed using a Cyclic Redundancy Check (CRC) or an MD5 hash of the bytes of a given region.
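The effect described above can be reproduced on a constructed byte buffer, which helps an analyst see why a software breakpoint inside a checksummed region is noticed. This is an added example, not code from the original page: the CRC-32 variant (reflected polynomial 0xEDB88320), the sample bytes and the function names `crc32_region` and `breakpoint_changes_checksum` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT3_OPCODE 0xCC  /* one-byte x86 software breakpoint instruction */

/* Bitwise CRC-32 over a byte region (variant chosen for this example). */
uint32_t crc32_region(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed sample standing in for a code region:
 * push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret */
static const uint8_t SAMPLE_CODE[] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };

/* Copy the sample, overwrite one byte with INT3 the way a debugger sets a
 * software breakpoint, and return 1 if the checksum no longer matches the
 * baseline. An out-of-range offset patches nothing and returns 0. */
int breakpoint_changes_checksum(size_t offset)
{
    uint8_t patched[sizeof SAMPLE_CODE];
    memcpy(patched, SAMPLE_CODE, sizeof patched);
    if (offset >= sizeof patched)
        return 0;
    patched[offset] = INT3_OPCODE;
    return crc32_region(patched, sizeof patched)
        != crc32_region(SAMPLE_CODE, sizeof SAMPLE_CODE);
}

int main(void)
{
    printf("baseline crc32: %08x\n",
           (unsigned)crc32_region(SAMPLE_CODE, sizeof SAMPLE_CODE));
    for (size_t i = 0; i < sizeof SAMPLE_CODE; i++)
        printf("INT3 at +%zu -> mismatch=%d\n", i, breakpoint_changes_checksum(i));
    return 0;
}
```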