The insertion of interrupts can be used by malware to interfere with the debugger.
- Malware sometimes adds INT3 instructions to fool the debugger and make it break where the malware analyst has not defined a breakpoint.
  - The opcode bytes 0xCD03 (a two-byte encoding of INT3) are often used to interfere with WinDbg.
  - Notice that 0xCD03 generates a STATUS_BREAKPOINT exception outside a debugger.
- INT2 is the way kernel debuggers set breakpoints.
- The In-Circuit Emulator (ICE) breakpoint is an undocumented instruction to set a breakpoint: icebp
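As an added example (not from the original page), the scanner below flags the breakpoint-interrupt encodings this page lists, the single-byte INT3 (0xCC), its two-byte form 0xCD03 and icebp (0xF1), inside a raw code blob, so an analyst can see where a sample will trap before stepping through it. The sample bytes, the function names and the padding heuristic are all constructed here; it is a byte-level heuristic with no disassembly, so a 0xCC or 0xF1 that is really part of an immediate or displacement will still be reported.

```python
"""Byte-level scan for interrupt-based breakpoint opcodes (added example)."""
from typing import Dict, List, Tuple

# x86 encodings covered by the page: int3 short form, int3 long form, icebp.
# Labels are descriptive strings chosen for this example.
LABEL_INT3 = "int3 (0xCC)"
LABEL_INT3_LONG = "int 3 long form (0xCD03)"
LABEL_ICEBP = "icebp (0xF1)"


def find_interrupts(blob: bytes, min_pad_run: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, label) for every suspicious interrupt opcode in blob.

    Runs of 0xCC at least min_pad_run bytes long are treated as compiler
    padding between functions and skipped; isolated 0xCC bytes are reported.
    This does not disassemble, so bytes inside operands can cause false hits.
    """
    hits: List[Tuple[int, str]] = []
    i, n = 0, len(blob)
    while i < n:
        b = blob[i]
        if b == 0xCC:
            # Measure the run of 0xCC bytes starting here.
            j = i
            while j < n and blob[j] == 0xCC:
                j += 1
            if j - i < min_pad_run:
                for k in range(i, j):
                    hits.append((k, LABEL_INT3))
            i = j
            continue
        if b == 0xCD and i + 1 < n and blob[i + 1] == 0x03:
            hits.append((i, LABEL_INT3_LONG))
            i += 2
            continue
        if b == 0xF1:
            hits.append((i, LABEL_ICEBP))
        i += 1
    return hits


def summarize(hits: List[Tuple[int, str]]) -> Dict[str, int]:
    """Count hits per label, a quick triage view of the scan result."""
    counts: Dict[str, int] = {}
    for _, label in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: a small x86-64 fragment with inserted interrupts.
SAMPLE = (
    b"\x55\x48\x89\xe5"            # push rbp; mov rbp, rsp        (offsets 0-3)
    + b"\xCD\x03"                  # int 3, two-byte form          (offset 4)
    + b"\x90\xCC\x90"              # nop; int3; nop                (int3 at 7)
    + b"\xF1"                      # icebp                         (offset 9)
    + b"\xCC\xCC\xCC\xCC\xCC\xCC"  # six-byte padding run, skipped (10-15)
    + b"\xC3"                      # ret                           (offset 16)
)

if __name__ == "__main__":
    for offset, label in find_interrupts(SAMPLE):
        print(f"{offset:#06x}: {label}")
    print(summarize(find_interrupts(SAMPLE)))
```

Lowering min_pad_run (or setting it above the blob length) reports every 0xCC, which is useful when a sample hides an INT3 inside what looks like alignment padding; the default keeps the noise from ordinary function padding out of the report.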