Anti-Analysis
Detecting and defeating debuggers, sandboxes, virtual machines, disassemblers and memory dumping.
Anti-Analysis (intermediate)
Malware monitors mouse movements, click counts, or browser history to determine whether it is running in a real user environment rather than an automated sandbox.
Platforms: windows, linux

Anti-Analysis (beginner)
Malware measures elapsed wall-clock time with GetTickCount to detect the artificial slowdown caused by single-stepping or software breakpoints in a debugger.
Platforms: windows

Anti-Analysis (intermediate)
Malware enumerates running processes to verify its parent is explorer.exe; an unexpected parent (e.g., a sandbox or analysis tool) triggers evasive behaviour.
Platforms: windows

Anti-Analysis (beginner)
Malware calls CheckRemoteDebuggerPresent (or NtQueryInformationProcess with ProcessDebugPort) to detect a user-mode debugger attached to the process.
Platforms: windows

Anti-Analysis (intermediate)
Malware reads the CPU debug registers DR0–DR3 via GetThreadContext to detect hardware breakpoints set by a debugger.
Platforms: windows

Anti-Analysis (intermediate)
Malware inspects the Flags and ForceFlags fields of the process heap header (via PEB.ProcessHeap) to detect debugger-modified heap metadata.
Platforms: windows

Anti-Analysis (intermediate)
Malware reads the NtGlobalFlag field of the PEB (offset 0x68/0xBC) to detect if the process was launched under a debugger via the 0x70 heap flag combination.
Platforms: windows

Anti-Analysis (intermediate)
Sandboxes often patch Sleep() to fast-forward time so samples detonate quickly; malware detects the skipped delay by comparing wall-clock timestamps before and after sleeping.
Platforms: windows

Anti-Analysis (intermediate)
On Linux, a process calls ptrace(PTRACE_TRACEME) on itself so that any debugger trying to attach later fails — a single process can only be traced once.
Platforms: linux

Anti-Analysis (intermediate)
Detecting a virtualized environment by checking bit 31 of ECX returned by CPUID leaf 1, and reading the hypervisor vendor string from leaf 0x40000000.
Platforms: windows, linux

Anti-Analysis (intermediate)
Using the RDTSC instruction to measure execution time and detect the slowdown caused by single-stepping or breakpoints in a debugger.
Platforms: windows, linux

Anti-Analysis (beginner)
A Windows API call that reads the BeingDebugged flag in the PEB to detect a user-mode debugger attached to the current process.
Platforms: windows