GET /api/techniques/164/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "Debug Registers, Hardware Breakpoints",
    "category": [
        "https://search.unprotect.it/api/categories/3/"
    ],
    "description": "Registers DR0 through DR3 each hold the linear address associated with one of the four hardware breakpoint conditions, so a non-zero value in any of them indicates that a hardware breakpoint address has been set. For anti-debugging, malware reads its own thread context with GetThreadContext (requesting CONTEXT_DEBUG_REGISTERS, or a superset such as CONTEXT_ALL) and treats a non-zero Dr0, Dr1, Dr2 or Dr3 as evidence that a debugger is attached. Note that the capa rule below keys on the literal CONTEXT_DEBUG_REGISTERS value (0x10010) and on Dr0-Dr3 offsets of the 32-bit CONTEXT structure, so a sample that requests a wider flag set (as the example snippet does with CONTEXT_ALL) or a 64-bit build may not match it.",
    "resources": "https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getcurrentthread\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getthreadcontext\r\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registers-window",
    "tags": "DR0",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/9/",
            "technique": "https://search.unprotect.it/api/techniques/164/",
            "description": "",
            "plain_code": "#include <windows.h>\r\n#include <stdio.h>\r\n\r\nint main() {\r\n\r\n    HANDLE thread = GetCurrentThread();\r\n    CONTEXT threadContext;\r\n    int errorCode;\r\n\r\n    memset(&threadContext, 0, sizeof(CONTEXT));\r\n    threadContext.ContextFlags = CONTEXT_ALL;\r\n\r\n    if( !GetThreadContext(thread, &threadContext) ){\r\n        errorCode = GetLastError();\r\n        puts(\"Could not get thread context\");\r\n        return errorCode;\r\n    }\r\n\r\n    if( threadContext.Dr0 || threadContext.Dr1 || threadContext.Dr2 || threadContext.Dr3 ){\r\n        puts(\"Detected\");\r\n    }\r\n    else{\r\n        puts(\"Undetected\");\r\n    }\r\n\r\n    return 0;\r\n}"
        }
    ],
    "detection_rules": [
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "debug_register",
            "rule": "rule:\r\n  meta:\r\n    name: check for hardware breakpoints\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/HardwareBreakpoints.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x42035D\r\n  features:\r\n    - and:\r\n      - api: kernel32.GetThreadContext\r\n      - number: 0x10010 = CONTEXT_DEBUG_REGISTERS\r\n      - offset: 0x4 = DR0\r\n      - offset: 0x8 = DR1\r\n      - offset: 0xC = DR2\r\n      - offset: 0x10 = DR3\r\n      - count(mnemonic(cmp)): 4 or more"
        }
    ]
}