Tracing exception handlers

Suppose our goal is to dissect a new program. The ultimate method of analysis is single-stepping the program of interest. Each executed instruction must be single-stepped at least once so we won’t miss anything important.

The highlighter

Today I’ll present a pretty small yet useful plugin.

The ultimate stealth method

The previously described method does not work if the application uses an “unsupported” anti-debugging trick. For example, if the application directly checks the PEB field instead of calling the IsDebuggerPresent function, the method will fail. Or the application could use something else, something from the future…

Simple trick to hide IDA debugger

Quite often IDA users ask for a plugin or feature to hide the debugger from the application. In fact there are many anti-debugging tricks, and each of them requires an appropriate reaction from the debugger. Let’s start with something simple: we will make the IsDebuggerPresent function call always return zero.

TLS callbacks

I promised to tell you about the TLS callbacks. Here is the discussion.

Several files in one IDB

IDA Pro can load one PE file into a database and analyze it. Some users assume this is the maximum. Let’s take a closer look at the situation…