debugging

A debugger allows to observer and hopefully correct programming errors.

A debugger creates a new process or attaches to an existing one. Then, the debugger allows to

• control execution of this process (for example by setting breakpoints).
• read and write memory
• read and write CPU (registers and flags)
• examine call stack
• dissasemble the program (and merge it with source code if available)

A breakpoint is a special instruction in the executable code. When such a breakpoint is reached during execution of a program, the execution of the program stops.

If a debugger has established a handler for the breakpoint, the execution is resumed in the debugger's breakpoint handler, typically to analyze the debuggee and issue further debugger commands.

Check if debugger is attached (Windows: PEB.IsDebugged).

Scan for int 3 instructions.

Check the time it takes to run through a specific portion of the code. The assumption is that a debugging entity slows down the execution time.

The rdtsc instruction (x86/x64) is useful for that.

Try to detect virtual machines.

Debugging Windows applications