This is another simple anti-reversing trick used to detect a debugger. As I have shown earlier in my post about the TEB structure and the PEB structure, NtGlobalFlag is located in the PEB Structure at offset PEB+104.
When the process is being debugged the NtGlobalFlag is set to 0x70.
Advertisements