The universal antidebugger, x64 revamped
10 April 2020 at 00:00
A single step for a debugger a giant leap for the obfuscator. When a debugger hits a breakpoint, it can perform single-stepping into the subsequent instructions by halting itself each time. To do so, it uses a specially crafted flag called Trap Flag (TF) residing at 0x8th bit position inside the EFLAGS x86 register.
If the Trap Flag is enabled, the processor then triggers an interrupt after each instruction has been executed.