Process Environment Block (PEB)
Jump to navigation
Jump to search
| EMA ID: | ema-1099 |
|---|---|
| Description: | The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, one of which is "BeingDebugged". Testing the value of this field in the PEB of a particular process can indicate whether the process is being debugged; this is equivalent to using the kernel32!IsDebuggerPresent API call. |
| Associated Behavior: | debugger detect & evade |
| Privilege Level: | User space
|
Inherited Attributes:
| applicable platform: | Windows 10, Windows 7, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2003 SP1, Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 SP1, Windows Server 2008 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows Vista SP1, Windows Vista SP2, Windows XP, Windows XP SP1, Windows XP SP2, Windows XP SP3 |
|---|
References:
| Date | Malware Family | URL |
|---|---|---|
| January 27, 2011 | Rebhip | https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html |
