
Saad et al. LGU (IJECI) 2022

ISSN: 2522-3429 (Print)
ISSN: 2616-6003 (Online)
LGU International Journal for Electronic Crime Investigation
Research Article Vol. 6 issue 3 Year 2022

Study of the Anti-Debugging Techniques and their Mitigations

Muhammad Saad and Muhammad Taseer
School of Electrical Engineering and Computer Sciences, NUST, Islamabad, Pakistan
Corresponding author: 12msccsmsuleman@seecs.edu.pk

Abstract:
The major goal of this study is to present the anti-debugging and anti-reversing strategies and techniques employed by executables, DLLs, and packers/protectors, as well as to examine strategies that can be used to bypass or disable these protections. Anti-debugging techniques are designed to make sure that a program is not being executed inside a debugger. In most cases, the anti-debugging process slows down the reverse engineering [1] process but doesn't stop it. This information will allow malware analysts and researchers to identify the techniques used by malware. It may also be used by security researchers and reverse engineers who want to slow down the process of reverse engineering in order to add security [2] to their software. It causes some difficulties for a reverse engineer, but, of course, nothing stops a skilled, knowledgeable, and committed reverse engineer.
Keywords: malware analysis, anti-debugging, anti-reversing, protectors, packers

1. Introduction

Prior to then, malware development served as a showcase for malware coders. Malware analysts have used debuggers to run a malware program's instructions one by one, introducing modifications to memory spaces, settings as well as variable values. Debuggers are the most commonly used reverse engineering tools, such as Interactive Disassembler (IDA), x64dbg, and OllyDBG. If debugging is successful, it helps to understand malware behavior and its capabilities. This is something malware developers would like to avoid. That is why they must implement anti-debugging techniques. Anti-debugging techniques [3] can be used to merely detect the presence of a debugger, deactivate it, lose control of it, or even take advantage of a flaw in the debugger. Disabling or avoiding debugger checks can be done generally and specifically. However, you can exploit this vulnerability against specific debuggers. Furthermore, the Supervisory Control and Data Acquisition (SCADA) [4] system has a vulnerability, according to the Trend Micro report "Unseen Threats, Imminent Losses," which is part of industrial
LGU Int.J. Elect.Crime Investigation 6(3):LGUIJECI MS.ID- 05 (2022) 29


control systems (ICS) [5]. In addition, in many situations, knowing how to apply anti-debugging techniques to malicious code to prevent it from being tracked down and evaluated is also helpful. One of the main tools used by malware analysts and reverse engineers is the debugger. What is a debugger? A debugger is software that is used to evaluate and control the flow of execution of other executables or software. By using a debugger, we can execute each instruction step by step and can note down the changes that can be displayed on the stack, memory dumps, registers, etc. Most packers use these techniques to determine whether the system is running a debugger or if a process is being debugged. These debugger detection methods [6] include checks that are relatively basic all the way up to ones that are applicable to native Application Programming Interfaces (APIs) and kernel objects [7]. This section discusses how anti-debugging techniques work. Each process's user space contains a data structure called a Process Environment Block (PEB), which holds information about the related process. It is intended to be accessed through the Windows API (WinAPI), but access is not restricted to this: the Process Environment Block (PEB) can be accessed directly from memory. Checking the value of the Process Environment Block (PEB) structure of a process that is being debugged is a relatively straightforward implementation and technique. As we know, there are many Application Programming Interfaces (APIs), both documented and undocumented. For example, IsDebuggerPresent, which we will discuss later in this paper. To enhance this, we can also check the APIs manually. The fs segment register can access the Process Environment Block (PEB) at fs:[30]. On an x86 [8] computer, this register corresponds to a Thread Information Block (TIB). There is also a flag below the Process Environment Block (PEB) that indicates whether the first memory space of the process was created in debug mode. Provide an offset of 0x18 in the Process Environment Block (PEB). So, here I break down the anti-debugging techniques into two categories: static anti-debugging and dynamic anti-debugging [9], as seen in Table 1 below.

Table 1. Static Vs Dynamic Techniques

Difference | Static | Dynamic
Difficulty Level | Easy, Medium | Hard
Main Idea | Use system debugger info | Reverse and exploit
Target | Detect debugger | Hide its own code and data
Time Point | When debugging starts | While debugger is running
Defend Method(s) | API hook, debugger plugin | API hook, debugger plugin
Example(s) | PEB, TEB, TLS | Breakpoints (INT3), timing check

In our research we will discuss some of the main anti-debugging techniques and how a reverse engineer can identify them easily. For example, in this paper we will discuss IsDebuggerPresent, TimeChecks, NtQueryInformationProcess, NtSetInformationThread, SwitchDesktops, SeDebugPrivilege, ParentProcess, DebuggerWindow, DeviceDrivers, etc.

Anti-Debugging Techniques Mechanism:
Anti-debugging [10] is the implementation of
one or more techniques in computer code that make it difficult to reverse engineer or debug the target process. These techniques are ways for a program to detect whether it is running under the control of a debugger [11]. If a debugger is detected, the malware will execute arbitrary code, usually code to terminate. The anti-debugging process slows down the reverse engineering process but doesn't stop it.

2. Is Debugger Present:

The easiest debugger detection technique is to check the BeingDebugged flag in the Process Environment Block (PEB). The kernel32!IsDebuggerPresent() function was introduced in Windows 95, and the Application Programming Interface (API) checks the value of this flag to identify whether the process is running in a user-mode debugger. This code (the same in a 32-bit or 64-bit Windows environment) can be used for verification in a 32-bit or 64-bit Windows environment. The assembly code of IsDebuggerPresent() is shown in Figure 1.

Figure 1. Assembly code of IsDebuggerPresent()

C/C++ Code:
The example of IsDebuggerPresent() is shown in Figure 2.

Figure 2. C/C++ code of IsDebuggerPresent()

Solution:
This technique can be easily bypassed by manually patching the Process Environment Block (PEB) BeingDebugged flag with the byte value 0x00.

3. NtQueryInformationProcess() / CheckRemoteDebuggerPresent()

CheckRemoteDebuggerPresent() is another API. Is a debugger attached to a process? Use CheckRemoteDebuggerPresent() to decide. The API calls ntdll!NtQueryInformationProcess with ProcessDebugPort, which is answered inside the kernel. A value that is not zero in the DebugPort field tells that the process is being debugged in user mode by the debugger. If so, ProcessInformation will be set to 0xFFFFFFFF; otherwise the value of ProcessInformation will be 0x0. The CheckRemoteDebuggerPresent() [12] function in Kernel32 is functional on either the 32-bit or 64-bit version of Windows; the check can be made by using this 32-bit code to look at the 32-bit Windows environment. The function CheckRemoteDebuggerPresent() takes 2 parameters: the first parameter is the process (PID), and a pointer to a Boolean variable serves as the second parameter, which will hold TRUE if the process is being debugged. This is shown in the C/C++ code in Figure 3.

Figure 3. C/C++ code for CheckRemoteDebuggerPresent()

ntdll!NtQueryInformationProcess() has 5 parameters. To detect the debugger, the
ProcessInformationClass is set to ProcessDebugPort, as we can see in the C/C++ code in Figure 4.

Figure 4. C/C++ code for NtQueryInformationProcess()

This example shows the call to CheckRemoteDebuggerPresent() and, to see whether the current process is being debugged, the use of the NtQueryInformationProcess function, as we can see in Figure 5 and Figure 6.

Figure 5. Assembly code of CheckRemoteDebuggerPresent()

C/C++ Code:

Figure 6. Assembly code of NtQueryInformationProcess()

Solution:
One solution is to set a breakpoint on the return of NtQueryInformationProcess(). When the breakpoint is reached, ProcessInformation is patched to a DWORD value of 0.

4. NtSetInformationThread:

NtSetInformationThread() [13] is usually used to set the priority of a thread. It can also be used to hide threads from the debugger. This can be done with the help of a non-documented value, which is not documented but can be used: THREAD_INFORMATION_CLASS::ThreadHideFromDebugger (0x11). When a thread is hidden from the debugger, the debugger will not be informed of anything pertaining to that thread. The thread is also capable of anti-debugging methods, such as examining debug flags, code checksums, etc. If there are hidden breakpoints in the thread and we try to keep the main thread hidden from the debugger, either the process will crash or the debugger will get stuck. An example of calling NtSetInformationThread would be like this, as we can see in Figure 7.

Figure 7. Assembly code of NtSetInformationThread()

C/C++ Code:
As we can see, the C/C++ code is in Figure 8.

Figure 8. C/C++ code of NtSetInformationThread()

Solution:
A breakpoint is set on ntdll!NtSetInformationThread(), and when the breakpoint is hit, reverse engineers can modify EIP to prevent the API call from reaching the kernel, or prevent it from being called from other functions.
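The three user-mode checks of sections 2 and 3 (PEB.BeingDebugged, CheckRemoteDebuggerPresent() and NtQueryInformationProcess(ProcessDebugPort)) as one small analyst harness, added here as an example and not taken from the paper's figures. It assumes a Windows build with a C compiler that ships winternl.h (MSVC or MinGW); on any other platform the checks report "unsupported" so the program still builds, and the DBG_* result codes and the debugger_detected() combiner are this example's own conventions.

```c
/* Added example: the checks of sections 2 and 3 as an analyst harness.
 * Each check returns DBG_YES, DBG_NO, or DBG_UNSUPPORTED (non-Windows
 * build). Run it under x64dbg or WinDbg to see which check fires, then
 * apply the paper's mitigations: set PEB->BeingDebugged to 0, or break on
 * the return of NtQueryInformationProcess and zero ProcessInformation. */
#include <stdio.h>

enum { DBG_UNSUPPORTED = -1, DBG_NO = 0, DBG_YES = 1 };

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* ntdll!NtQueryInformationProcess is exported but not in the import
 * library, so it is resolved at run time. ProcessDebugPort (7) comes from
 * winternl.h's PROCESS_INFORMATION_CLASS enum. */
typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* Section 2: the BeingDebugged byte at PEB+0x02. The PEB sits at fs:[0x30]
 * on x86 and gs:[0x60] on x64; NtCurrentTeb() hides that difference. */
int check_peb_being_debugged(void)
{
    PPEB peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    return peb->BeingDebugged ? DBG_YES : DBG_NO;
}

/* Section 3: kernel32!CheckRemoteDebuggerPresent, which itself calls
 * NtQueryInformationProcess(ProcessDebugPort) and maps the port to a BOOL. */
int check_remote_debugger_present(void)
{
    BOOL present = FALSE;
    if (!CheckRemoteDebuggerPresent(GetCurrentProcess(), &present))
        return DBG_UNSUPPORTED;
    return present ? DBG_YES : DBG_NO;
}

/* Section 3: the native call. ProcessInformation receives the debug port;
 * a non-zero value (the paper's 0xFFFFFFFF) means a user-mode debugger is
 * attached. The paper's mitigation zeroes this output at the return. */
int check_process_debug_port(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQIP_t fn = ntdll ? (NtQIP_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    DWORD_PTR port = 0;
    if (!fn)
        return DBG_UNSUPPORTED;
    if (fn(GetCurrentProcess(), ProcessDebugPort, &port, sizeof(port), NULL) != 0)
        return DBG_UNSUPPORTED;
    return port != 0 ? DBG_YES : DBG_NO;
}
#else
/* Non-Windows build: the PEB and the debug port do not exist here. Report
 * that explicitly so "unsupported" is never mistaken for "not debugged". */
int check_peb_being_debugged(void)      { return DBG_UNSUPPORTED; }
int check_remote_debugger_present(void) { return DBG_UNSUPPORTED; }
int check_process_debug_port(void)      { return DBG_UNSUPPORTED; }
#endif

/* Combine the checks the way a packer would: any positive hit wins, but an
 * unsupported or failed check never counts as a detection. */
int debugger_detected(void)
{
    int (*checks[])(void) = { check_peb_being_debugged,
                              check_remote_debugger_present,
                              check_process_debug_port };
    unsigned i;
    for (i = 0; i < sizeof(checks) / sizeof(checks[0]); i++)
        if (checks[i]() == DBG_YES)
            return DBG_YES;
    return DBG_NO;
}

int main(void)
{
    printf("PEB.BeingDebugged          : %d\n", check_peb_being_debugged());
    printf("CheckRemoteDebuggerPresent : %d\n", check_remote_debugger_present());
    printf("ProcessDebugPort           : %d\n", check_process_debug_port());
    printf("debugger detected          : %s\n",
           debugger_detected() == DBG_YES ? "yes" : "no");
    return 0;
}
```

Running it once natively and once under a debugger shows all three checks flipping together, which is why the paper's solution for each is to patch the single value the check reads (the PEB byte, or the ProcessInformation output) rather than the comparison code.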

5. SwitchDesktop()

Platforms based on Windows NT allow for multiple desktop sessions. The windows of the previous active desktop can be hidden by choosing a different active desktop, but there is no visible way to return to the previous desktop. The mouse and keyboard events won't be sent to the debugger from the debugger's desktop [13]; they no longer divulge their source, either. Debugging could become impossible as a result. Both the 32-bit and 64-bit versions of Windows can be used to make this call. Here is an example for a 32-bit version of Windows, as we can see in Figure 9.

Figure 9. Assembly code of SwitchDesktop()

C/C++ Code:
As we can see the C/C++ code in Figure 10.

Figure 10. C/C++ code of SwitchDesktop()

6. Execution Time / Timing Checks

When a reverse engineer tries to debug a process and single-steps through the code, there is a significant delay between the execution of the individual instructions [13]. The process is running under a debugger if the amount of time required is excessive compared to a typical execution. Here is a list of some instructions and functions that can be used to measure the execution time of the instructions:

a. RDTSC (Read Time-Stamp Counter)
b. RDPMC (Read Performance-Monitoring Counters)
c. GetLocalTime
d. GetSystemTime
e. GetTickCount

Now we will take an example of a timing check, as we can see in Figure 11.

Figure 11. Assembly code of GetTickCount()

We check the timing using the kernel32 GetTickCount() API, or manually verify that the SharedUserData structure's TickCountLow and TickCountMultiplier entries are always set to 0xc. Identifying these timing techniques can be challenging, especially when RDTSC is used as spam or when other obscure techniques are used to mask them.
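A timing check in the shape the paper describes (time a short code region and flag the run when the delta is far larger than a normal execution), written with the clock behind a function pointer so that the analyst-side mitigation the paper names, hooking the timing function, can be shown in the same program. This is an added example, not the paper's Figure 11; it uses GetTickCount on Windows and clock_gettime elsewhere, and the 50 ms threshold, the protected_region() workload and the two substitute clocks are assumptions of the example.

```c
/* Added example: a timing check with a replaceable clock, so both the
 * detection (section 6) and the analyst's mitigation (hook the timing
 * function) can be exercised without a debugger attached. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <time.h>
#endif

typedef uint64_t (*clock_fn)(void);

/* Real clock: GetTickCount on Windows (item e in the paper's list), a
 * monotonic clock elsewhere. RDTSC (item a) gives finer resolution but is
 * not portable across CPUs or virtual machines. */
static uint64_t real_clock_ms(void)
{
#ifdef _WIN32
    return (uint64_t)GetTickCount();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u;
#endif
}

/* The clock is reached only through this pointer, which is exactly what an
 * API hook or debugger plugin replaces to neutralise the check. */
clock_fn now_ms = real_clock_ms;

/* The region being timed. Executed normally it takes well under a
 * millisecond; single-stepped in a debugger it takes seconds. */
static volatile uint32_t sink;
static void protected_region(void)
{
    uint32_t i, acc = 0;
    for (i = 0; i < 10000; i++)
        acc = acc * 31u + i;
    sink = acc;
}

/* Returns 1 when the region took longer than threshold_ms, i.e. the
 * condition under which a packer would assume a debugger is present. */
int timing_check(uint64_t threshold_ms)
{
    uint64_t start = now_ms();
    uint64_t delta;
    protected_region();
    delta = now_ms() - start;
    return delta > threshold_ms;
}

/* Mitigation (the paper's "hook timing functions"): a frozen clock makes
 * every delta zero however long the analyst spends between the two reads. */
uint64_t frozen_clock_ms(void) { return 12345; }

/* Test double that advances 5 s per read, simulating a single-stepped run;
 * it drives the detection branch without a real debugger. */
uint64_t stepping_clock_ms(void)
{
    static uint64_t t = 0;
    t += 5000;
    return t;
}

int main(void)
{
    now_ms = real_clock_ms;
    printf("real clock, normal run : %s\n", timing_check(50) ? "debugger suspected" : "clean");
    now_ms = stepping_clock_ms;
    printf("simulated single-step  : %s\n", timing_check(50) ? "debugger suspected" : "clean");
    now_ms = frozen_clock_ms;
    printf("frozen (hooked) clock  : %s\n", timing_check(50) ? "debugger suspected" : "clean");
    return 0;
}
```

The frozen clock is the in-process equivalent of the paper's GetTickCount() breakpoint that rewrites the return value; the stepping clock shows why a very small threshold is brittle, since any scheduler hiccup on a loaded machine produces the same "debugger" verdict.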

Solution:
One of the solutions is to identify where the time checks are and try to avoid stepping into them and the code between these time checks. Reverse engineers can place a breakpoint after that delta and run instead of single-stepping until the breakpoint is reached. We can also set a breakpoint in GetTickCount() to see where it is called from, or to change its return value.

Mitigations:
• During debugging, just fill the time checks with NOPs and set the result of these checks to the appropriate value.
• For anti-debugging solution development: there is no great need to do anything with it, as time checks are not very reliable, but you can still hook timing functions and accelerate the time between calls.

7. SeDebugPrivilege:

By default, the SeDebugPrivilege permission is disabled for the process access token. When a debugger like x32dbg, OllyDBG, etc. loads a process, SeDebugPrivilege permission is enabled. This is because these debuggers keep trying. SeDebugPrivilege permissions are inherited. If the process can open the CSRSS.EXE process, then SeDebugPrivilege is active in the access token of the process being debugged. The test is valid for the following reasons: the process security descriptor of CSRSS.EXE allows the system access to the process. However, if the process has the SeDebugPrivilege privilege, other processes have independent access to the security descriptor. This permission is only granted to administrative groups by default, as we can see in Figure 12.

Figure 12. Assembly code of SeDebugPrivilege()

This check uses the ntdll!CsrGetProcessId() API to get the Process ID (PID) of CSRSS.EXE. You can get it manually by looking at the Process ID of the CSRSS.EXE process. If OpenProcess() succeeds, SeDebugPrivilege is activated, indicating that the process is currently running under a debugger.

Solution:
The solution is to set a breakpoint on the return from ntdll!NtOpenProcess(). If the PID passed is that of CSRSS.exe, set the EAX value to 0xC0000022 (STATUS_ACCESS_DENIED).
Parent Process:

Users launch apps by clicking on the executable's icon that the shell process (Explorer.exe) displays. Due to this, Explorer.exe becomes the parent process of the active process. If it is not, this will show that the program was created by someone else and suggest that you can debug it.

1. Using Process32First/Next(), list every process and note explorer.exe. PROCESSENTRY32.szExeFile and PROCESSENTRY32.th32ParentProcessID are the two fields that provide the process ID and the parent process ID of the current process, respectively.

2. The target is being debugged if the Process ID (PID) of the parent process differs from the Process ID (PID) of explorer.exe.

Solution:
We need to patch the element of Kernel32!Process32NextW() that contains the code that performs a return after setting the value of EAX to 0.

8. Debugger Window:

The presence of the debug window is a flag that the debugger is running in the system [13]. Because the debugger creates windows with special class names (OllyDBG for OLLYDBG and WinDbgFrameClass for WinDbg), these debug windows can easily be identified with user32!FindWindow() or user32!FindWindowEx().

Solution:
One solution is to set breakpoints in FindWindow() and FindWindowEx(). When the breakpoint is hit, modify the value of the lpClassName string parameter to prevent the API from functioning. Setting the return value to NULL is another option.

9. Debugger Process:

List all the processes on the system and see whether a process name matches the name of a debugger to find out if it is currently running (for example, OLLYDBG.EXE, windbg.exe, etc.). It is simple to implement: just use Process32First/Next() and check whether the image name corresponds to the name of a debugger.

Sometimes these methods also use Kernel32 ReadProcessMemory() to read process memory and then look for debugger-related strings such as "x64dbg", "IDA", "OllyDBG", etc. to identify the debugger. After detecting the debugger, the malware will stop its execution and silently exit or terminate the process.

Solution:
Another solution is to check the main process, including patching Kernel32!Process32NextW() so that it always fails and prevents the developer from enumerating the processes.

10. Device Drivers

An old technique is to verify that the debugger is running in kernel mode in the system and try to access device drivers. This technique is very simple and consists of simply making a call against well-known device names
used by kernel-mode debuggers, such as SoftICE, using Kernel32!CreateFile(). Some versions of Soft-ICE also add numbers to the device name, making it harder to check. The reversing forum's suggested technique is to brute force the corresponding digits until the right device name is discovered [14]. The new packer also uses device driver detection techniques to detect system monitors such as "Process Monitor", etc.

Solution:
Establishing a breakpoint in kernel32!CreateFileW() is the simple fix. When the breakpoint is reached, either handle the FileName parameter or alter the return value to INVALID_HANDLE_VALUE (0xFFFFFFFF).

Process Memory:
A process can check or interact with its own memory for the presence of a debugger. This section includes anti-hitch methods [15] such as process memory and thread context checking, breakpoint detection, patching detection and debugging functions.

11. Breakpoint and Patching Detection:

To verify if our code has any software breakpoints, we may still inspect the process memory, and we can also check the CPU debug registers to see if any hardware breakpoints have been set.

12. Software Breakpoints Detection:

Software breakpoints are defined as breakpoints that are created by altering the code at the target location and replacing it with the byte value 0xCC (INT3 / Breakpoint Interrupt) [17]. Finding the byte 0xCC in the API code and protector code will help you locate software breakpoints, as seen in the example of assembly code in Figure 13.

Figure 13. Assembly code of Software Breakpoint Detection

C/C++ Code:
As we can see the C/C++ code in Figure 14.

Figure 14. C/C++ code of Software Breakpoint Detection

Solution:
Hardware breakpoints can be used by reverse engineers if software breakpoints are being identified. If you need to set a breakpoint in the API code, and the packer tries to find a breakpoint in the API code, reverse engineering the UNICODE API version allows for the setting of breakpoints in the function that eventually calls the ANSI version, such as LoadLibraryExW for LoadLibraryA, or in the native API corresponding to LoadDLL, to replace it.
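The INT3 scan of section 12 above and the function-patch comparison of section 16 below, written over plain byte buffers so the logic can be exercised without a debugger. This is an added example, not the paper's Figures 13 and 14: the three prologue byte strings are constructed for the demonstration, the FNV-1a checksum is this example's choice of integrity check, and the Windows-only export_checksum() helper is an assumption about how the check would be wired to a real kernel32 export.

```c
/* Added example: section 12's software-breakpoint scan and section 16's
 * function-patch check, over constructed byte buffers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INT3_OPCODE 0xCC

/* Scan [code, code+len) for 0xCC, returning the count and the first offset.
 * Caveat: 0xCC is also a valid immediate or displacement byte inside a
 * legitimate instruction, so a hit is a lead rather than proof unless the
 * scan walks instruction boundaries. */
size_t count_int3(const uint8_t *code, size_t len, size_t *first_off)
{
    size_t n = 0, i;
    for (i = 0; i < len; i++) {
        if (code[i] == INT3_OPCODE) {
            if (n == 0 && first_off)
                *first_off = i;
            n++;
        }
    }
    return n;
}

/* FNV-1a over a code region. Any edit (an INT3, a JMP hook, a forced
 * "xor eax,eax; ret") changes the value, so a checksum taken at start-up
 * and re-verified later catches patches the INT3 scan cannot see. */
uint32_t code_checksum(const uint8_t *code, size_t len)
{
    uint32_t h = 2166136261u;
    size_t i;
    for (i = 0; i < len; i++) {
        h ^= code[i];
        h *= 16777619u;
    }
    return h;
}

/* Section 16: compare the live prologue with a known-good copy (the paper
 * reads the same function's bytes from another process, which works because
 * system DLLs keep one base address for the whole session). Returns the
 * offset of the first differing byte, or -1 if identical. */
long first_patched_byte(const uint8_t *live, const uint8_t *clean, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (live[i] != clean[i])
            return (long)i;
    return -1;
}

/* Constructed x86 prologue: push ebp; mov ebp,esp; sub esp,0x10;
 * mov eax,[ebp+8]; ret. */
const uint8_t clean_prologue[] =
    { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x8B, 0x45, 0x08, 0xC3 };
/* Same bytes after a debugger placed a software breakpoint on the entry. */
const uint8_t bp_prologue[] =
    { 0xCC, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x8B, 0x45, 0x08, 0xC3 };
/* Same bytes after the entry was patched to "xor eax,eax; ret", the section
 * 16 scenario where IsDebuggerPresent is forced to return 0. No 0xCC is
 * present, so only the comparison or the checksum catches it. */
const uint8_t patched_prologue[] =
    { 0x33, 0xC0, 0xC3, 0x83, 0xEC, 0x10, 0x8B, 0x45, 0x08, 0xC3 };

#ifdef _WIN32
#include <windows.h>
/* Assumed helper: checksum the first 16 bytes of a kernel32 export at
 * start-up and compare again later to notice an in-memory patch. */
uint32_t export_checksum(const char *name)
{
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    const uint8_t *p = k32 ? (const uint8_t *)GetProcAddress(k32, name) : NULL;
    return p ? code_checksum(p, 16) : 0;
}
#endif

int main(void)
{
    size_t off = 0;
    size_t hits = count_int3(bp_prologue, sizeof bp_prologue, &off);
    printf("INT3 in clean   : %lu\n", (unsigned long)count_int3(clean_prologue, sizeof clean_prologue, NULL));
    printf("INT3 in bp      : %lu at +%lu\n", (unsigned long)hits, (unsigned long)off);
    printf("INT3 in patched : %lu\n", (unsigned long)count_int3(patched_prologue, sizeof patched_prologue, NULL));
    printf("first patched byte vs clean: %ld\n",
           first_patched_byte(patched_prologue, clean_prologue, sizeof clean_prologue));
    printf("checksum clean/patched: %08lx / %08lx\n",
           (unsigned long)code_checksum(clean_prologue, sizeof clean_prologue),
           (unsigned long)code_checksum(patched_prologue, sizeof patched_prologue));
    return 0;
}
```

The patched_prologue case is the one to note: it defeats the 0xCC scan entirely, which is why the paper's section 16 treats function-patch detection as a separate check from breakpoint detection.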

13. Hardware Breakpoints:

DR0, DR1, DR2, and DR3 are debug registers that can be obtained from the thread context. Debug registers 0-3 are used to store the virtual addresses of the so-called hardware breakpoints.

C/C++ Code:
As we can see the C/C++ code in Figure 15.

Figure 15. C/C++ code of Hardware Breakpoints

14. Memory Checks:

This section includes methods for directly inspecting or modifying a process's virtual memory in order to spot and stop debugging [18].

15. NtQueryVirtualMemory():

The memory page of the process in which the code is located is shared by all processes prior to the page being written. Then the OS creates a replica of this page and allocates it to the process's virtual memory [19], so the page is no longer "shared". Now we can see how to declare NTDLL, as we can see in Figure 16.

NTDLL declarations:

Figure 16. NTDLL declaration of NtQueryVirtualMemory()

C/C++ Code:
As we can see the C/C++ code in Figure 17.

Figure 17. C/C++ code for Hardware Breakpoints

16. Detecting a Function Patch:

Calling kernel32!IsDebuggerPresent() is a common approach to find a debugger. By altering the outcome in the EAX register or patching kernel32!IsDebuggerPresent(), you may easily get around this check. Instead of
looking for breakpoints in the process memory, we can check to see if kernel32!IsDebuggerPresent() has been altered [20]. The first few bytes of this function can be read and compared to the same function's bytes from other processes. Windows libraries are loaded at the same base address across processes, even if the Address Space Layout Randomization (ASLR) feature is enabled. The base address only changes across reboots but remains the same for the duration of the session.

Mitigations:
• During debugging: enter the function that conducts the step-over check and run it till the end (Ctrl + F9).
• Finding the specific check and either patching it with NOPs or setting the return to a value that permits the application to keep running are the best ways to mitigate all "memory" techniques, including anti-step-over.

Conclusion:
To defend itself against reverse engineering analysis, malware employs anti-debugging techniques. Debug analysis can be avoided by anti-debugging techniques. Reverse engineers need advanced debuggers and knowledge to analyze malware using anti-debugging techniques. By applying common sense and slowly debugging the process, it is possible to identify the majority of anti-debugging techniques. For example, if you see that the code is terminating too rapidly at a conditional jump, this could mean an anti-debugging technique is in place. The most widely used anti-debugging methods involve accessing fs:[30h] by using a Windows API or performing a time check. Of course, as with all malware analysis, the best way to learn how to stop anti-debugging techniques is by continuously testing malware. Malware developers are constantly coming up with new techniques to evade debuggers and keep security researchers like you on their toes.

17. References:

[1] V. Bhardwaj, V. Kukreja, C. Sharma, I. Kansal, and R. Popali, "Reverse Engineering-A Method for Analyzing Malicious Code Behavior," in 2021 International Conference on Advances in Computing, Communication, and Control (ICAC3), Dec. 2021, pp. 1–5. doi: 10.1109/ICAC353642.2021.9697150.

[2] M. N. Gagnon, S. Taylor, and A. K. Ghosh, "Software Protection through Anti-Debugging," IEEE Security & Privacy Magazine, vol. 5, no. 3, pp. 82–84, May 2007, doi: 10.1109/MSP.2007.71.

[3] J.-W. Kim, J. Bang, Y.-S. Moon, and M.-J. Choi, "Disabling Anti-Debugging Techniques for Unpacking System in User-level Debugger," in 2019 International Conference on Information and Communication Technology Convergence (ICTC), Oct. 2019, pp. 954–959. doi: 10.1109/ICTC46691.2019.8939719.

[4] T. Akhtar, B. B. Gupta, and S. Yamaguchi, "Malware propagation effects on SCADA system and smart power grid," in 2018 IEEE International Conference on Consumer Electronics (ICCE), Jan.
2018, pp. 1–6. doi: 10.1109/ICCE.2018.8326281.

[5] G. Wang, L. Zhuang, T. Liu, S. Li, S. Yang, and J. Lan, "Formal analysis and verification of industrial control system security via timed automata," in 2020 International Conference on Internet of Things and Intelligent Applications (ITIA), Nov. 2020, pp. 1–5. doi: 10.1109/ITIA50152.2020.9312289.

[6] A. J. Smith, R. F. Mills, A. R. Bryant, G. L. Peterson, and M. R. Grimaila, "REDIR: Automated static detection of obfuscated anti-debugging techniques," in 2014 International Conference on Collaboration Technologies and Systems (CTS), May 2014, pp. 173–180. doi: 10.1109/CTS.2014.6867561.

[7] J. Raber, "Stealthy Profiling and Debugging of Malware Trampolining from User to Kernel Space," in 2011 18th Working Conference on Reverse Engineering, Oct. 2011, pp. 431–432. doi: 10.1109/WCRE.2011.62.

[8] J. G. Alcalde, G. Chua, I. M. Demabildo, M. A. Ong, and R. L. Uy, "CALVIS32: Customizable assembly language visualizer and simulator for intel x86-32 architecture," in 2016 IEEE Region 10 Conference (TENCON), Nov. 2016, pp. 214–217. doi: 10.1109/TENCON.2016.7847992.

[9] Chan Lee Yee, Lee Ling Chuan, M. Ismail, and N. Zainal, "A static and dynamic visual debugger for malware analysis," in 2012 18th Asia-Pacific Conference on Communications (APCC), Oct. 2012, pp. 765–769. doi: 10.1109/APCC.2012.6388211.

[10] Xu Chen, J. Andersen, Z. M. Mao, M. Bailey, and J. Nazario, "Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware," in 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN), 2008, pp. 177–186. doi: 10.1109/DSN.2008.4630086.

[11] P. Chen, C. Huygens, L. Desmet, and W. Joosen, "Advanced or Not? A Comparative Study of the Use of Anti-debugging and Anti-VM Techniques in Generic and Targeted Malware," 2016, pp. 323–336. doi: 10.1007/978-3-319-33630-5_22.

[12] P. Xie, X. Lu, Y. Wang, J. Su, and M. Li, "An Automatic Approach to Detect Anti-debugging in Malware Analysis," 2013, pp. 436–442. doi: 10.1007/978-3-642-35795-4_55.

[13] A. Mylonas and D. Gritzalis, "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software," Comput Secur, vol. 31, no. 6, pp. 802–803, Sep. 2012, doi: 10.1016/j.cose.2012.05.004.

[14] P. Chen, C. Huygens, L. Desmet, and W. Joosen, "Advanced or Not? A Comparative Study of the Use of Anti-debugging and Anti-VM Techniques in Generic and Targeted Malware," 2016, pp. 323–336. doi: 10.1007/978-3-319-33630-5_22.

[15] J.-W. Kim, J. Namgung, Y.-S. Moon, and M.-J. Choi, "Experimental Comparison of Machine Learning Models in Malware Packing Detection," in 2020 21st Asia-Pacific Network Operations and Management Symposium (APNOMS), Sep. 2020, pp. 377–380. doi: 10.23919/APNOMS50412.2020.9237007.

[16] R. R. Branco and G. N. Barbosa, "Distributed malware analysis scheduling," in 2011 6th International Conference on Malicious and Unwanted Software, Oct. 2011, pp. 34–41. doi: 10.1109/MALWARE.2011.6112324.

[17] K. Coogan, S. Debray, T. Kaochar, and G. Townsend, "Automatic Static Unpacking of Malware Binaries," in 2009 16th Working Conference on Reverse Engineering, 2009, pp. 167–176. doi: 10.1109/WCRE.2009.24.

[18] G. Jeong, E. Choo, J. Lee, M. Bat-Erdene, and H. Lee, "Generic unpacking using entropy analysis," in 2010 5th International Conference on Malicious and Unwanted Software, Oct. 2010, pp. 98–105. doi: 10.1109/MALWARE.2010.5665789.

[19] C. R. Hill, "A real-time microprocessor debugging technique," ACM SIGPLAN Notices, vol. 18, no. 8, pp. 145–148, Aug. 1983, doi: 10.1145/1006142.1006179.

[20] R. Sihwail, K. Omar, K. Zainol Ariffin, and S. al Afghani, "Malware Detection Approach Based on Artifacts in Memory Image and Dynamic Analysis," Applied Sciences, vol. 9, no. 18, p. 3680, Sep. 2019, doi: 10.3390/app9183680.