Minor update to detect INT1 (as per https://anti-debug.checkpoint.com/techniques/assembly.html#ice).
In order to test it, I created a couple of executables inlining the INT1 instruction and it seems to work fine.
I also tried to test it with al-khaser (which, according to the README, should call INT1), but it was unsuccessful: by looking into the code, the call to the Interrupt 1 test uses the __debugbreak() intrinsic, which is actually translated into an INT3, so I think that the detection is working fine in the end.
Let me know what you think about it or if a rework is required.
Thanks a lot!