
anti-reversing-techniques

Tags: software security, reverse engineering, malware analysis, anti-debugging, obfuscation, binary analysis, threat intelligence, pentesting
⭐ 36.8k · 📄 MIT · 🕒 2026-06-16 · Source ↗

Install this skill

npx skills add wshobson/agents

Works across Claude Code, Cursor, Codex, Copilot & Antigravity

This skill provides methods for identifying and neutralizing defensive code patterns that attempt to block debuggers, virtual environments, and analysis instrumentation. It focuses on technical countermeasures against Windows- and Linux-specific checks such as PEB inspection, timing-based execution delays, hardware breakpoint detection, and ptrace-based self-monitoring. By recognizing how applications probe their own environment for traces of human analysis, agents can automate the patching or hooking needed to maintain visibility. It translates raw anti-debugging logic into actionable bypass strategies, enabling continued execution of software under controlled conditions. This resource bridges the gap between identifying a binary's protective barriers and modifying memory or process state so that the analyst remains undetected by the target process during behavioral inspection.

When to Use This Skill

  • Reverse engineering obfuscated malware samples in sandbox environments
  • Analyzing binary executables that contain self-protection logic for CTF challenges
  • Debugging proprietary software during authorized security audits
  • Testing the efficacy of custom instrumentation tools against anti-analysis measures

How to Invoke This Skill

Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:

  • "How do I bypass IsDebuggerPresent checks in this binary?"
  • "Show me how to neutralize PEB-based anti-debugging logic"
  • "Help me hook ptrace to stop a Linux binary from exiting"
  • "Explain how to handle RDTSC timing checks during dynamic analysis"
  • "Identify common anti-analysis techniques in this Windows executable"

Pro Tips

  • 💡 Always prioritize ethical considerations and legal compliance; unauthorized circumvention has severe consequences.
  • 💡 Combine this skill with dynamic analysis tools (debuggers, sandboxes) for a comprehensive understanding of protection mechanisms.
  • 💡 Focus on identifying the *intent* behind protection techniques to better strategize bypass methods.

What this skill does

  • Identify and nullify Windows PEB-based debugger detection flags
  • Hook timing APIs to prevent detection of latency introduced by manual stepping
  • Bypass Linux ptrace traps and TracerPid verification within /proc/self/status
  • Patch exception handling mechanisms used to detect software breakpoints
  • Automate memory patching to disable conditional exits triggered by integrity checks

When not to use it

  • ✕ Analyzing software without explicit written authorization from the owner
  • ✕ Performing activities that violate regional legal frameworks regarding DRM bypass

Example workflow

  1. Identify the entry point of the binary using static analysis
  2. Locate anti-debugging API calls like NtQueryInformationProcess or IsDebuggerPresent
  3. Draft a patching strategy to replace detection logic with NOP instructions or forced returns
  4. Apply the patch using an IDAPython script or binary patching tool
  5. Verify execution flow continues past the former exit points

Prerequisites

  • Basic knowledge of x86/x64 assembly
  • Familiarity with debugging tools like x64dbg, GDB, or IDA Pro
  • Understanding of Windows PEB and Linux system process structures

Pitfalls & limitations

  • Over-patching can cause application crashes if the binary performs self-checksumming
  • Hardware breakpoints may still trigger if the target monitors debug registers directly
  • Sophisticated anti-VM logic often requires environment-specific spoofing rather than simple code patching

FAQ

Why does the target exit immediately when I attach a debugger?
The application is likely performing environment checks upon initialization. It may be polling the PEB BeingDebugged flag or timing execution blocks using RDTSC.
Can I use LD_PRELOAD for all anti-debugging bypasses?
LD_PRELOAD is effective for intercepting dynamic library calls like ptrace, but it will not help against direct syscalls or inline assembly checks.
What is the risk of using hardware breakpoints instead of software ones?
Software breakpoints replace instructions with INT3, which changes the file's CRC. Hardware breakpoints leave the code intact, making them harder for simple integrity checks to detect.

How it compares

Unlike generic prompts that offer broad advice, this skill provides specific code-level patterns and hooking strategies for known API-based and environment-probing obstacles.

Source & trust

📄 Full skill instructions (original source: wshobson/agents)
> **AUTHORIZED USE ONLY**: This skill contains dual-use security techniques. Before proceeding with any bypass or analysis:
>
> 1. **Verify authorization**: Confirm you have explicit written permission from the software owner, or are operating within a legitimate security context (CTF, authorized pentest, malware analysis, security research)
> 2. **Document scope**: Ensure your activities fall within the defined scope of your authorization
> 3. **Legal compliance**: Understand that unauthorized bypassing of software protection may violate laws (CFAA, DMCA anti-circumvention, etc.)
>
> **Legitimate use cases**: Malware analysis, authorized penetration testing, CTF competitions, academic security research, analyzing software you own/have rights to

# Anti-Reversing Techniques

Understanding protection mechanisms encountered during authorized software analysis, security research, and malware analysis. This knowledge helps analysts bypass protections to complete legitimate analysis tasks.

## Anti-Debugging Techniques

### Windows Anti-Debugging

#### API-Based Detection

```c
#include <windows.h>
#include <winternl.h>
#include <stdlib.h>

// IsDebuggerPresent: reads PEB.BeingDebugged on the caller's behalf
if (IsDebuggerPresent()) {
    exit(1);
}

// CheckRemoteDebuggerPresent: asks the kernel whether a debug port is attached
BOOL debugged = FALSE;
CheckRemoteDebuggerPresent(GetCurrentProcess(), &debugged);
if (debugged) exit(1);

// NtQueryInformationProcess is exported by ntdll.dll and resolved at runtime
typedef NTSTATUS (NTAPI *pNtQueryInformationProcess)(
    HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
pNtQueryInformationProcess NtQIP = (pNtQueryInformationProcess)GetProcAddress(
    GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");

// ProcessDebugPort (7) returns a pointer-sized value, so the buffer must be
// DWORD_PTR; a DWORD buffer fails with STATUS_INFO_LENGTH_MISMATCH on x64
DWORD_PTR debugPort = 0;
NtQIP(
    GetCurrentProcess(),
    ProcessDebugPort,   // 7
    &debugPort,
    sizeof(debugPort),
    NULL
);
if (debugPort != 0) exit(1);

// ProcessDebugFlags (0x1F) is not in the public winternl.h enum
#define ProcessDebugFlags ((PROCESSINFOCLASS)0x1F)
DWORD debugFlags = 0;
NtQIP(
    GetCurrentProcess(),
    ProcessDebugFlags,  // 0x1F
    &debugFlags,
    sizeof(debugFlags),
    NULL
);
if (debugFlags == 0) exit(1); // 0 means being debugged
```


**Bypass Approaches:**

```python
# x64dbg: ScyllaHide plugin
# Patches common anti-debug checks

# Manual patching in debugger:
# - Set IsDebuggerPresent return to 0
# - Patch PEB.BeingDebugged to 0
# - Hook NtQueryInformationProcess

# IDAPython: patch the conditional jump at check_addr (the address of the
# check, found during static analysis) with a NOP
import ida_bytes
ida_bytes.patch_byte(check_addr, 0x90)  # NOP
```


#### PEB-Based Detection

```c
#include <windows.h>
#include <intrin.h>
#include <stdlib.h>

// Direct PEB access through the TEB (gs:[0x60] on x64, fs:[0x30] on x86).
// The public PEB in winternl.h hides most fields, so fixed offsets are used.
#ifdef _WIN64
PBYTE peb = (PBYTE)__readgsqword(0x60);
#define OFF_NTGLOBALFLAG 0xBC
#define OFF_PROCESSHEAP  0x30
#define OFF_HEAP_FLAGS   0x70   // Vista and later
#else
PBYTE peb = (PBYTE)__readfsdword(0x30);
#define OFF_NTGLOBALFLAG 0x68
#define OFF_PROCESSHEAP  0x18
#define OFF_HEAP_FLAGS   0x40   // Vista and later
#endif

// BeingDebugged flag (offset 2), the byte IsDebuggerPresent reads
if (peb[2]) exit(1);

// NtGlobalFlag: a process created by a debugger gets the heap debug flags
// FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
// FLG_HEAP_VALIDATE_PARAMETERS = 0x70
if (*(PDWORD)(peb + OFF_NTGLOBALFLAG) & 0x70) exit(1);

// Heap flags: the same debug settings propagate into the default heap's
// Flags field. HEAP_GROWABLE (0x2) is set on every normal heap, so it is
// masked out of the 0x50000062 set; the remaining bits are debug-heap bits
PDWORD heapFlags = (PDWORD)(*(PBYTE *)(peb + OFF_PROCESSHEAP) + OFF_HEAP_FLAGS);
if (*heapFlags & 0x50000060) exit(1);
```


**Bypass Approaches:**

```text
; In debugger, modify PEB directly
; x64dbg: dump at gs:[60] (x64) or fs:[30] (x86)
; Set BeingDebugged (offset 2) to 0
; Clear NtGlobalFlag (offset 0xBC for x64)
```


#### Timing-Based Detection

```c
#include <windows.h>
#include <intrin.h>
#include <stdint.h>
#include <stdlib.h>

// Cycle budget for the measured block; the value is tuned per target
// (single-stepping adds millions of cycles), 100000 is an illustrative choice
#define THRESHOLD 100000ULL

// RDTSC timing: the cycle counter jumps when an analyst single-steps the block
uint64_t tsc_start = __rdtsc();
// ... some code ...
uint64_t tsc_end = __rdtsc();
if ((tsc_end - tsc_start) > THRESHOLD) exit(1);

// QueryPerformanceCounter: same idea with a high-resolution wall clock
LARGE_INTEGER qpc_start, qpc_end, freq;
QueryPerformanceFrequency(&freq);
QueryPerformanceCounter(&qpc_start);
// ... code ...
QueryPerformanceCounter(&qpc_end);
double elapsed = (double)(qpc_end.QuadPart - qpc_start.QuadPart) / freq.QuadPart;
if (elapsed > 0.1) exit(1); // Too slow (more than 100 ms) = debugger

// GetTickCount: millisecond resolution, coarse but very common
DWORD tick_start = GetTickCount();
// ... code ...
if (GetTickCount() - tick_start > 1000) exit(1);
```


**Bypass Approaches:**

- Use hardware breakpoints instead of software
- Patch timing checks
- Use VM with controlled time
- Hook timing APIs to return consistent values


#### Exception-Based Detection

```c
#include <windows.h>
#include <stdlib.h>
// SEH-based detection: without a debugger the INT3 raises EXCEPTION_BREAKPOINT
// and lands in the handler; an attached debugger consumes the exception and
// resumes after the INT3, so execution falls through to the exit
void seh_check(void) {
    __try {
        __debugbreak(); // INT3 software breakpoint (__asm { int 3 } on 32-bit MSVC)
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // Normal execution: exception caught
        return;
    }
    // Debugger ate the exception
    exit(1);
}
// VEH-based detection: the handler skips the INT3 itself and records that it
// ran; a debugger that swallows the breakpoint keeps it from running at all
static volatile LONG g_handler_ran = 0;
LONG CALLBACK VectoredHandler(PEXCEPTION_POINTERS ep) {
    if (ep->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT) {
        g_handler_ran = 1;
#ifdef _WIN64
        ep->ContextRecord->Rip++; // Skip the one-byte INT3
#else
        ep->ContextRecord->Eip++;
#endif
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}
void veh_check(void) {
    PVOID h = AddVectoredExceptionHandler(1, VectoredHandler);
    __debugbreak();
    RemoveVectoredExceptionHandler(h);
    if (!g_handler_ran) exit(1);
}
```


### Linux Anti-Debugging

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>

// Name of a process from /proc/<pid>/comm (helper the snippet left undefined)
static const char *get_process_name(pid_t pid) {
    static char name[64];
    char path[64];
    snprintf(path, sizeof(path), "/proc/%d/comm", (int)pid);
    FILE *c = fopen(path, "r");
    name[0] = '\0';
    if (c) {
        if (fgets(name, sizeof(name), c)) name[strcspn(name, "\n")] = '\0';
        fclose(c);
    }
    return name;
}

// ptrace self-trace: a process can have only one tracer, so this fails when
// a debugger is already attached
if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) {
    // Already being traced
    exit(1);
}

// /proc/self/status: TracerPid is non-zero while a tracer is attached
FILE *f = fopen("/proc/self/status", "r");
char line[256];
while (f && fgets(line, sizeof(line), f)) {
    if (strncmp(line, "TracerPid:", 10) == 0) {
        int tracer_pid = atoi(line + 10);
        if (tracer_pid != 0) exit(1);
    }
}
if (f) fclose(f);

// Parent process check
if (getppid() != 1 && strcmp(get_process_name(getppid()), "bash") != 0) {
    // Unusual parent (might be debugger)
}
```


**Bypass Approaches:**

```c
// hook.c: LD_PRELOAD library that replaces ptrace so the self-trace check
// always succeeds (only catches calls that go through libc, not raw syscalls)
// Compile: gcc -shared -fPIC -o hook.so hook.c
long ptrace(int request, ...) {
    return 0; // Always succeed
}
```

```sh
# Usage
LD_PRELOAD=./hook.so ./target
```


## Anti-VM Detection

### Hardware Fingerprinting

```c
#include <intrin.h>   // __cpuid (MSVC); GCC/Clang use <cpuid.h>, which has a different signature
#include <string.h>

// CPUID-based detection
int cpuid_info[4]; // EAX, EBX, ECX, EDX
__cpuid(cpuid_info, 1);
// Check the hypervisor-present bit (bit 31 of ECX)
if (cpuid_info[2] & (1u << 31)) {
    // Running in hypervisor
}

// Hypervisor vendor signature: leaf 0x40000000 returns it in EBX, ECX, EDX
__cpuid(cpuid_info, 0x40000000);
char vendor[13] = {0};
memcpy(vendor, &cpuid_info[1], 12);
// "VMwareVMware", "Microsoft Hv", "KVMKVMKVM", "VBoxVBoxVBox"

// MAC address prefix (OUI) of the virtual NIC
// VMware: 00:0C:29, 00:50:56
// VirtualBox: 08:00:27
// Hyper-V: 00:15:5D
```


### Registry/File Detection

```text
// Windows registry keys
// HKLM\SOFTWARE\VMware, Inc.\VMware Tools
// HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
// HKLM\HARDWARE\ACPI\DSDT\VBOX__

// Files
// C:\Windows\System32\drivers\vmmouse.sys
// C:\Windows\System32\drivers\vmhgfs.sys
// C:\Windows\System32\drivers\VBoxMouse.sys

// Processes
// vmtoolsd.exe, vmwaretray.exe
// VBoxService.exe, VBoxTray.exe
```


### Timing-Based VM Detection

```c
#include <intrin.h>
#include <stdint.h>

// VM exits cause timing anomalies: CPUID always traps to the hypervisor
int cpuid_info[4];
uint64_t start = __rdtsc();
__cpuid(cpuid_info, 0); // Causes VM exit
uint64_t end = __rdtsc();
if ((end - start) > 500) {
    // Likely in VM (CPUID takes longer)
}
```


**Bypass Approaches:**

- Use bare-metal analysis environment
- Harden VM (remove guest tools, change MAC)
- Patch detection code
- Use specialized analysis VMs (FLARE-VM)
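The checks in the Windows API-based detection section and the registry, driver and process artifacts listed under anti-VM detection are all things a triage pass can look for before any debugging starts. The following Python script is an added example, not code from the skill or from the wshobson/agents project: it searches a file's raw bytes for that catalogue (as ASCII and as UTF-16LE), counts the `rdtsc` (0F 31) and `cpuid` (0F A2) opcode sequences as a weak hint of timing checks, and prints a report. The catalogue, the category names and the constructed `SAMPLE` blob are this example's own; the two extra API names `NtSetInformationThread` and `OutputDebugStringA` are real exports that the page itself does not list.

```python
import sys
from collections import defaultdict

# Indicator catalogue keyed by the anti-analysis technique it suggests.
# Every string is searched as ASCII and as UTF-16LE (Windows wide strings).
INDICATORS = {
    "anti-debug API": [
        b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
        b"NtQueryInformationProcess", b"NtSetInformationThread",
        b"OutputDebugStringA",
    ],
    "timing API": [b"GetTickCount", b"QueryPerformanceCounter"],
    "VM artifact (registry)": [
        b"SOFTWARE\\VMware, Inc.\\VMware Tools",
        b"SOFTWARE\\Oracle\\VirtualBox Guest Additions",
        b"HARDWARE\\ACPI\\DSDT\\VBOX__",
    ],
    "VM artifact (driver/process)": [
        b"vmmouse.sys", b"vmhgfs.sys", b"VBoxMouse.sys",
        b"vmtoolsd.exe", b"VBoxService.exe", b"VBoxTray.exe",
    ],
    "hypervisor vendor string": [
        b"VMwareVMware", b"Microsoft Hv", b"KVMKVMKVM", b"VBoxVBoxVBox",
    ],
}

# Opcode byte sequences used by timing checks. Two-byte patterns also occur
# in ordinary data, so a non-zero count is a prompt to look, not a verdict.
OPCODES = {"rdtsc": b"\x0f\x31", "cpuid": b"\x0f\xa2"}


def _wide(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII byte string, as stored by wide-char Windows code."""
    return s.decode("ascii").encode("utf-16-le")


def scan_indicators(blob: bytes) -> dict:
    """Return {category: [indicator, ...]} for every catalogue entry found in blob."""
    hits = defaultdict(list)
    for category, needles in INDICATORS.items():
        for needle in needles:
            if needle in blob or _wide(needle) in blob:
                hits[category].append(needle.decode("ascii"))
    return dict(hits)


def count_opcodes(blob: bytes) -> dict:
    """Non-overlapping counts of each opcode pattern in blob."""
    return {name: blob.count(pattern) for name, pattern in OPCODES.items()}


def triage(blob: bytes) -> dict:
    """One report combining string indicators and opcode counts."""
    return {"strings": scan_indicators(blob), "opcodes": count_opcodes(blob)}


# Constructed stand-in for a binary: a header stub, two import names, a wide
# process name and a short code fragment containing rdtsc, cpuid, rdtsc.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"IsDebuggerPresent\x00NtQueryInformationProcess\x00"
    + "VBoxService.exe".encode("utf-16-le")
    + b"\x0f\x31\x90\x90\x0f\xa2\x0f\x31"
    + b"GetTickCount\x00"
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(data)
    for category, names in report["strings"].items():
        print(f"[{category}] {', '.join(names)}")
    print("opcode counts:", report["opcodes"])
```

Run it as `python triage.py sample.exe`; with no argument it scans the built-in constructed blob. A string hit only says the name is present, which is normal for plenty of legitimate software (GetTickCount especially), so the report is a map of where to set breakpoints rather than a verdict on the binary.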


## Code Obfuscation

### Control Flow Obfuscation

#### Control Flow Flattening

```c
// Original
if (cond) {
    func_a();
} else {
    func_b();
}
func_c();

// Flattened: every basic block becomes a case of one dispatcher loop
int state = 0;
while (1) {
    switch (state) {
    case 0:
        state = cond ? 1 : 2;
        break;
    case 1:
        func_a();
        state = 3;
        break;
    case 2:
        func_b();
        state = 3;
        break;
    case 3:
        func_c();
        return;
    }
}
```


**Analysis Approach:**

- Identify state variable
- Map state transitions
- Reconstruct original flow
- Tools: D-810 (IDA), SATURN
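The three analysis steps above, applied to the flattened C snippet, as an added Python example that is not part of the skill: the dispatcher is written down as a transition table, which is what an analyst extracts from the switch cases in a decompiler view, and the script follows the state variable through it to rebuild the if/else and its merge point. The `State` table format, the merge-point rule and the function names are this example's own; it handles nested branches by recursion but deliberately stops on back-edges, since loops need a different treatment.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union


@dataclass
class State:
    ops: list                                     # statements executed in this state
    next: Union[int, Tuple[str, int, int], None]  # int: goto; (cond, t, f): branch; None: return


# Transition table for the flattened dispatcher in the C snippet above,
# written by hand from its switch cases (constructed example data)
FLATTENED = {
    0: State([], ("cond", 1, 2)),
    1: State(["func_a()"], 3),
    2: State(["func_b()"], 3),
    3: State(["func_c()"], None),
}


def reachable(table: dict, start: Optional[int]) -> list:
    """States reachable from start, in breadth-first order."""
    seen, order, queue = set(), [], [start]
    while queue:
        s = queue.pop(0)
        if s is None or s in seen:
            continue
        seen.add(s)
        order.append(s)
        nxt = table[s].next
        queue.extend(nxt[1:] if isinstance(nxt, tuple) else [nxt])
    return order


def reconstruct(table: dict, start: int = 0, stop: Optional[int] = None,
                indent: str = "", _visited: Optional[set] = None) -> str:
    """Emit structured pseudo-C for the path from start up to (not including) stop."""
    visited = set() if _visited is None else _visited
    lines, s = [], start
    while s is not None and s != stop:
        if s in visited:
            raise ValueError(f"back-edge into state {s}: loops are not handled here")
        visited.add(s)
        lines += [f"{indent}{op};" for op in table[s].ops]
        nxt = table[s].next
        if isinstance(nxt, tuple):
            cond, t, f = nxt
            # The merge point is the first state on the true path that the
            # false path also reaches; both arms are rebuilt up to it
            f_reach = set(reachable(table, f))
            merge = next((x for x in reachable(table, t) if x in f_reach), None)
            lines.append(f"{indent}if ({cond}) {{")
            lines += reconstruct(table, t, merge, indent + "    ", visited).splitlines()
            lines.append(f"{indent}}} else {{")
            lines += reconstruct(table, f, merge, indent + "    ", visited).splitlines()
            lines.append(f"{indent}}}")
            s = merge
        elif nxt is None:
            lines.append(f"{indent}return;")
            s = None
        else:
            s = nxt
    return "\n".join(lines)


if __name__ == "__main__":
    print(reconstruct(FLATTENED))
```

The output for the table above is the original if/else followed by `func_c()` and the return. In a real sample the state constants are usually large opaque numbers and the dispatcher may be split across several switches; the table extraction is the manual part, the walk stays the same.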

#### Opaque Predicates

```c
#include <stdlib.h>

void real_code(void);
void junk_code(void);

// Always true in exact arithmetic (signed overflow is undefined in C), but
// complex for an analyzer to prove
int x = rand();
if ((x * x) >= 0) { // Always true
    real_code();
} else {
    junk_code(); // Dead code
}

// Always false: the product of two consecutive integers is even
if ((x * (x + 1)) % 2 == 1) {
    junk_code();
}
```


**Analysis Approach:**

- Identify constant expressions
- Symbolic execution to prove predicates
- Pattern matching for known opaque predicates
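The first step, deciding whether a candidate expression really is constant, as an added Python example that is not from the skill: it evaluates the two predicates from the C snippet under 32-bit two's-complement wrap-around, which is what the compiled code computes, across every x in [0, 2^17) plus hand-picked boundary values. This is the cheap check to run before spending symbolic-execution time, and it surfaces a caveat worth knowing: `x * x >= 0` is invariant only in exact arithmetic; once the multiplication wraps (signed overflow is undefined behaviour in C, and the wrapped value first goes negative at x = 46341), the "always true" branch is not always taken, whereas `x * (x + 1)` stays even under wrap-around, so the second predicate really is always false. The sample range and the function names are this example's own.

```python
MASK32 = 0xFFFFFFFF


def to_i32(v: int) -> int:
    """Interpret v as a signed 32-bit two's-complement value (wrap-around)."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def c_mod(a: int, b: int) -> int:
    """C's % operator: the remainder takes the sign of the dividend."""
    r = abs(a) % abs(b)
    return -r if a < 0 else r


def pred_square_nonneg(x: int) -> bool:
    """(x * x) >= 0 as 32-bit code computes it."""
    return to_i32(x * x) >= 0


def pred_consecutive_odd(x: int) -> bool:
    """(x * (x + 1)) % 2 == 1 as 32-bit code computes it."""
    return c_mod(to_i32(x * to_i32(x + 1)), 2) == 1


def find_counterexample(pred, claimed: bool, samples):
    """First x in samples where pred(x) != claimed, or None if the claim survives."""
    for x in samples:
        if pred(x) != claimed:
            return x
    return None


# Values that typically break "obviously true" arithmetic: zero, sign edges,
# the 16-bit boundary and the largest x whose square still fits in 31 bits.
BOUNDARY = [0, 1, -1, 0x7FFFFFFF, -0x80000000, 46340, 65535, 65536]


def check_page_predicates(limit: int = 1 << 17) -> dict:
    """Test both predicates from the C snippet over [0, limit) and then BOUNDARY."""
    samples = list(range(limit)) + BOUNDARY
    return {
        "x*x >= 0 (claimed always true)":
            find_counterexample(pred_square_nonneg, True, samples),
        "x*(x+1) % 2 == 1 (claimed always false)":
            find_counterexample(pred_consecutive_odd, False, samples),
    }


if __name__ == "__main__":
    for claim, cx in check_page_predicates().items():
        verdict = "holds on all samples" if cx is None else f"counterexample x = {cx}"
        print(f"{claim}: {verdict}")
```

A predicate that survives this pass is a candidate for a proper proof (symbolic execution or an SMT solver over the bit-vector semantics); one that fails it is not opaque at all, and the compiler may even have been free to assume either outcome, since the overflow is undefined behaviour.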

### Data Obfuscation

#### String Encryption

```c
#include <stdlib.h>

// XOR encryption: strings are stored encrypted and decoded just before use
char *decrypt_string(const char *enc, int len, char key) {
    char *dec = malloc(len + 1);
    for (int i = 0; i < len; i++) {
        dec[i] = enc[i] ^ key;
    }
    dec[len] = 0;
    return dec;
}

// Stack strings: the string is assembled byte by byte at runtime, so it never
// appears contiguously in the binary
char url[20];
url[0] = 'h'; url[1] = 't'; url[2] = 't'; url[3] = 'p';
url[4] = ':'; url[5] = '/'; url[6] = '/';
// ...
```


**Analysis Approach:**

```sh
# FLOSS for automatic string deobfuscation
floss malware.exe
```

```python
# IDAPython string decryption
import ida_bytes

def decrypt_xor(ea, length, key):
    """Decrypt a single-byte-XOR string stored at address ea in the IDB."""
    result = ""
    for i in range(length):
        byte = ida_bytes.get_byte(ea + i)
        result += chr(byte ^ key)
    return result
```
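A stand-alone Python counterpart to the IDAPython `decrypt_xor` above, added here as an example that is not part of the skill and needs no IDA: it works on a byte buffer and adds the two steps needed when the key is not yet known, a crib search (try all 256 keys and keep those whose output contains a substring the string is expected to hold, such as `http`) and a printable-ratio brute force ranked by a small letter-density heuristic. The sample ciphertext is constructed inline from a plaintext chosen here and the key 0x5A; the heuristic and the function names are this example's own.

```python
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same loop as decrypt_xor() above, over a byte buffer."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for an empty buffer)."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def letter_ratio(data: bytes) -> float:
    """Fraction of bytes that are ASCII letters; real strings score high here."""
    return sum(bytes([b]).isalpha() for b in data) / len(data) if data else 0.0


def find_keys_by_crib(data: bytes, crib: bytes) -> list:
    """Keys for which the decrypted buffer contains crib (e.g. b"http", b".dll")."""
    return [k for k in range(256) if crib in xor_decrypt(data, k)]


def brute_force_single_byte_xor(data: bytes, min_printable: float = 0.95) -> list:
    """(key, plaintext) candidates that decrypt to mostly printable text, best first."""
    scored = []
    for k in range(256):
        out = xor_decrypt(data, k)
        if printable_ratio(out) >= min_printable:
            scored.append((printable_ratio(out) + letter_ratio(out), k, out))
    scored.sort(reverse=True)
    return [(k, out) for _, k, out in scored]


# Constructed sample: a URL-like string encrypted with a key chosen here (0x5A)
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"http://example.invalid/payload.bin"
SAMPLE_ENC = xor_decrypt(SAMPLE_PLAIN, SAMPLE_KEY)


if __name__ == "__main__":
    print("crib 'http' ->", [hex(k) for k in find_keys_by_crib(SAMPLE_ENC, b"http")])
    for key, text in brute_force_single_byte_xor(SAMPLE_ENC)[:3]:
        print(f"key {key:#04x}: {text!r}")
```

The crib search is exact and cheap, so try it first whenever the string's role is known (URLs, DLL or API names, registry paths); the ratio-based ranking is the fallback for strings with no known content and will occasionally rank a wrong key first on very short buffers.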


#### API Obfuscation

```c
#include <windows.h>

// Dynamic API resolution: no import-table entry for CreateFileW exists,
// the address is looked up at runtime
typedef HANDLE (WINAPI *pCreateFileW)(LPCWSTR, DWORD, DWORD,
    LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);

HMODULE kernel32 = LoadLibraryA("kernel32.dll");
pCreateFileW myCreateFile = (pCreateFileW)GetProcAddress(
    kernel32, "CreateFileW");

// API hashing: the name is not stored either, only a 32-bit hash of it
// (rotate right by 13, then add the next character)
DWORD hash_api(const char *name) {
    DWORD hash = 0;
    while (*name) {
        hash = ((hash >> 13) | (hash << 19)) + (unsigned char)*name++;
    }
    return hash;
}
// Resolve by walking the export table and comparing hash_api(export name)
// against the stored constant instead of comparing strings
```


**Analysis Approach:**

- Identify hash algorithm
- Build hash database of known APIs
- Use HashDB plugin for IDA
- Dynamic analysis to resolve at runtime
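The "build a hash database" step as an added Python example, not part of the skill: it reimplements the rotate-by-13 hash from the C `hash_api` above with 32-bit wrap-around, precomputes hashes for a list of export names (a short constructed list here; in practice the export tables of the real DLLs, which is what the HashDB plugin provides), and maps hash constants pulled from a sample's resolver loop back to names. The export list and the function names are this example's own.

```python
MASK32 = 0xFFFFFFFF


def ror13_hash(name: bytes) -> int:
    """hash = ror32(hash, 13) + byte for each byte, as hash_api() above computes."""
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & MASK32   # 32-bit rotate right by 13
        h = (h + c) & MASK32
    return h


def build_hash_db(exports: dict) -> dict:
    """Map hash -> ["module!Name", ...]; a list because collisions are possible."""
    db = {}
    for module, names in exports.items():
        for name in names:
            db.setdefault(ror13_hash(name.encode("ascii")), []).append(f"{module}!{name}")
    return db


def resolve(db: dict, h: int) -> list:
    """Names whose hash equals h (empty list when the constant is unknown)."""
    return db.get(h & MASK32, [])


def annotate_constants(db: dict, constants) -> dict:
    """Resolve every hash constant pulled from a sample's resolver loop."""
    return {c: resolve(db, c) for c in constants}


# Constructed export list; a real database is built from the DLLs' export tables
EXPORTS = {
    "kernel32.dll": ["CreateFileW", "LoadLibraryA", "GetProcAddress",
                     "VirtualAlloc", "GetTickCount"],
    "ntdll.dll": ["NtQueryInformationProcess", "NtSetInformationThread"],
}


if __name__ == "__main__":
    db = build_hash_db(EXPORTS)
    # Constants as they would be lifted from a hash-compare loop in a sample;
    # the last one is deliberately not in the database
    seen = [ror13_hash(b"CreateFileW"), ror13_hash(b"VirtualAlloc"), 0x12345678]
    for const, names in annotate_constants(db, seen).items():
        print(f"{const:#010x} -> {names or 'unknown'}")
```

When a constant resolves to nothing, the usual reasons are a different rotation count, a seed value, case folding, or the module name being hashed together with the export, so the first job is to confirm the exact algorithm against one constant that is already known before trusting the database.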

### Instruction-Level Obfuscation

#### Dead Code Insertion

```nasm
; Original
mov eax, 1

; With dead code
push ebx        ; Dead
mov eax, 1
pop ebx         ; Dead
xor ecx, ecx    ; Dead
add ecx, ecx    ; Dead
```


#### Instruction Substitution

```nasm
; Original: xor eax, eax (set to 0)
; Substitutions:
sub eax, eax
mov eax, 0
and eax, 0
lea eax, [0]

; Original: mov eax, 1
; Substitutions:
xor eax, eax
inc eax

push 1
pop eax
```


## Packing and Encryption

### Common Packers

| Packer | Notes |
|---|---|
| UPX | Open source, easy to unpack |
| Themida | Commercial, VM-based protection |
| VMProtect | Commercial, code virtualization |
| ASPack | Compression packer |
| PECompact | Compression packer |
| Enigma | Commercial protector |


### Unpacking Methodology

1. Identify packer (DIE, Exeinfo PE, PEiD)
2. Static unpacking (if known packer):
   - UPX: `upx -d packed.exe`
   - Use existing unpackers
3. Dynamic unpacking:
   a. Find Original Entry Point (OEP)
   b. Set breakpoint on OEP
   c. Dump memory when OEP reached
   d. Fix import table (Scylla, ImpREC)
4. OEP finding techniques:
   - Hardware breakpoint on stack (ESP trick)
   - Break on common API calls (GetCommandLineA)
   - Trace and look for typical entry patterns


### Manual Unpacking Example

1. Load packed binary in x64dbg
2. Note entry point (packer stub)
3. Use ESP trick:
   - Run to entry
   - Set hardware breakpoint on [ESP]
   - Run until breakpoint hits (after PUSHAD/POPAD)
4. Look for JMP to OEP
5. At OEP, use Scylla to:
   - Dump process
   - Find imports (IAT autosearch)
   - Fix dump


## Virtualization-Based Protection

### Code Virtualization

Original x86 code is converted to custom bytecode interpreted by an embedded VM at runtime.

```text
Original:          VM protected:
mov eax, 1         push vm_context
add eax, 2         call vm_entry
                   ; VM interprets bytecode
                   ; equivalent to original
```


### Analysis Approaches

1. Identify VM components:
   - VM entry (dispatcher)
   - Handler table
   - Bytecode location
   - Virtual registers/stack
2. Trace execution:
   - Log handler calls
   - Map bytecode to operations
   - Understand instruction set
3. Lifting/devirtualization:
   - Map VM instructions back to native
   - Tools: VMAttack, SATURN, NoVmp
4. Symbolic execution:
   - Analyze VM semantically
   - angr, Triton


## Bypass Strategies Summary

### General Principles

1. **Understand the protection**: Identify what technique is used
2. **Find the check**: Locate protection code in binary
3. **Patch or hook**: Modify check to always pass
4. **Use appropriate tools**: ScyllaHide, x64dbg plugins
5. **Document findings**: Keep notes on bypassed protections

### Tool Recommendations

| Task | Tools |
|---|---|
| Anti-debug bypass | ScyllaHide, TitanHide |
| Unpacking | x64dbg + Scylla, OllyDumpEx |
| Deobfuscation | D-810, SATURN, miasm |
| VM analysis | VMAttack, NoVmp, manual tracing |
| String decryption | FLOSS, custom scripts |
| Symbolic execution | angr, Triton |


### Ethical Considerations

This knowledge should only be used for:

- Authorized security research
- Malware analysis (defensive)
- CTF competitions
- Understanding protections for legitimate purposes
- Educational purposes

Never use to bypass protections for:

- Software piracy
- Unauthorized access
- Malicious purposes

How to Use This Skill Unit

Option A: Project-Specific (Recommended)

  1. Click "Download" above
  2. In your project, create the directory: .agent/skills/anti-reversing-techniques/
  3. Save the file as SKILL.md
  4. The agent will automatically discover the skill based on its description.

Option B: Global Installation (All Agents)

Save the file to these locations to make it available across all projects:

  • Claude Code: ~/.claude/skills/wshobson/agents/anti-reversing-techniques/SKILL.md
  • Cursor: ~/.cursor/skills/wshobson/agents/anti-reversing-techniques/SKILL.md
  • Antigravity: ~/.gemini/antigravity/skills/wshobson/agents/anti-reversing-techniques/SKILL.md

🚀 Install with CLI:
npx skills add wshobson/agents


Source & attribution

This skill is categorized under Security & Vulnerability Analysis and is published by W. Shobson, maintained in wshobson/agents.
