Page values for "Ema-1099"
"Associations" values
Association_Type | Behavior |
Associated_Page | debugger detect & evade |
"Behavior_Instances" values
Associated_Behavior | debugger detect & evade |
"Pages" values
Name | Process Environment Block (PEB) |
Title_Icon | BehaviorInstance-Windows.png |
Description | The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, one of which is "BeingDebugged". Testing the value of this field in the PEB of a particular process can indicate whether the process is being debugged; this is equivalent to using the kernel32!IsDebuggerPresent API call. |
"References" values
Reference_Date | 2011-01-27 |
Malware_Family | Rebhip |
Reference_URL | https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html |