Page values for "Ema-1099"
Jump to navigation
Jump to search
"Associations" values
| Association_Type | Behavior |
| Associated_Page | debugger detect & evade |
"Behavior_Instances" values
| Associated_Behavior | debugger detect & evade |
"Pages" values
| Name | Process Environment Block (PEB) |
| Title_Icon | BehaviorInstance-Windows.png |
| Description | The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, one of which is "BeingDebugged". Testing the value of this field in the PEB of a particular process can indicate whether the process is being debugged; this is equivalent to using the kernel32!IsDebuggerPresent API call. |
"References" values
| Reference_Date | 2011-01-27 |
| Malware_Family | Rebhip |
| Reference_URL | https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html |
