Debugger Detection Using NtGlobalFlag

This is another simple anti-reversing trick used to detect a debugger. As I have shown earlier in my post about the TEB structure and the PEB structure, NtGlobalFlag is located in the PEB Structure at offset PEB+104.

When the process is being debugged the NtGlobalFlag is set to 0x70.


(more…)

Advertisements