Interrupts

From aldeid

Jump to navigation Jump to search

Description

The insertion of interrupts can be used by malware to interfere with the debugger.

INT3

Description: Malware sometimes add INT3 instructions to fool the debugger and break where the malware analyst hasn't defined a breakpoint.
Opcode: 0xCC; 0xCD03 (often used to interfere with WinDbg); Notice that 0xCD03 generates a STATUS_BREAKPOINT exception outside a debugger.

INT2D

Description: INT2 is the way kernel debuggers set breakpoints.
Opcode: 0x2D

ICE

Description: The In-Circuit Emulator (ICE) is an undocumented instruction to set a breakpoint: icebp
Opcode: 0xF1

Retrieved from "https://www.aldeid.com/w/index.php?title=Interrupts&oldid=28617"

Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Anti-Debug/Thwarting-Debugger

Share your opinion