

Stack Necromancy: Defeating Debuggers by Raising the Dead - 2510c39011c5
http://spareclockcycles.org/2012/02/14/stack-necromancy-defeating-debuggers-by-raising-the-dead.html

======
spydum
So if I understood, when you launch processes in a debugger, it will walk the
list of functions and instantiate them.. this means you could craft a bit of
cleverness to detect whether the app was launched from a debugger with minimal
overhead, by tripping up an uninitiated pointer.

None of this works for debuggers which attach AFTER the process starts
though.. so if I were a MALware creator, this might be a handy trick to force
different code paths while someone is snooping my newest creation. The only
way to know it was going on would be to do a static analysis (which, I imagine,
is more effort).

~~~
Kalium
Static analysis can be much more difficult, and there's a whole different
toolbox for defeating static analysis. Often disassemblers can be attacked
directly.

------
SomeCallMeTim
My history is with CPUs that don't have a separate system stack, so my first
thought was that interrupts could stomp on the stack. But not so on Intel.

