{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T18:54:58Z","timestamp":1768416898939,"version":"3.49.0"},"reference-count":67,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2021,2,5]],"date-time":"2021-02-05T00:00:00Z","timestamp":1612483200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,2,5]],"date-time":"2021-02-05T00:00:00Z","timestamp":1612483200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Comput Virol Hack Tech"],"published-print":{"date-parts":[[2021,6]]},"DOI":"10.1007\/s11416-020-00371-x","type":"journal-article","created":{"date-parts":[[2021,2,5]],"date-time":"2021-02-05T06:26:30Z","timestamp":1612506390000},"page":"105-117","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["DBI, debuggers, VM: gotta catch them all"],"prefix":"10.1007","volume":"17","author":[{"given":"Fran\u00e7ois","family":"Plumerault","sequence":"first","affiliation":[]},{"given":"Baptiste","family":"David","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,2,5]]},"reference":[{"issue":"05","key":"371_CR1","doi-asserted-by":"publisher","first-page":"513","DOI":"10.3390\/e21050513","volume":"21","author":"H Men\u00e9ndez","year":"2019","unstructured":"Men\u00e9ndez, H., Llorente, J.: Mimicking anti-viruses with machine learning and entropy profiles. Entropy 21(05), 513 (2019)","journal-title":"Entropy"},{"key":"371_CR2","unstructured":"Brosch, T., Morgenstern, M.: Runtime packers: the hidden problem? In: Proceedings of Black Hat, 01 (2006)"},{"key":"371_CR3","doi-asserted-by":"crossref","unstructured":"Guo, F., Ferrie, P., tzi-cker Chiueh.: A study of the packer problem and its solutions. In: RAID, vol. 5230, pp. 98\u2013115 (2008)","DOI":"10.1007\/978-3-540-87403-4_6"},{"issue":"02","key":"371_CR4","doi-asserted-by":"publisher","first-page":"107","DOI":"10.1007\/s11416-017-0291-9","volume":"14","author":"Catalin Lita","year":"2017","unstructured":"Lita, Catalin, Cosovan, Doina, Gavrilut, Dragos: Anti-emulation trends in modern packers: a survey on the evolution of anti-emulation techniques in upa packers. J. Comput. Virol. Hacking Tech. 14(02), 107 (2017)","journal-title":"J. Comput. Virol. Hacking Tech."},{"issue":"11","key":"371_CR5","first-page":"1","volume":"52","author":"A Afianian","year":"2019","unstructured":"Afianian, A., Niksefat, S., Sadeghiyan, B., Baptiste, D.: Malware dynamic analysis evasion techniques: a survey. ACM Comput. Surv. 52(11), 1\u201328 (2019)","journal-title":"ACM Comput. Surv."},{"issue":"01","key":"371_CR6","doi-asserted-by":"publisher","first-page":"1662","DOI":"10.18517\/ijaseit.8.4-2.6827","volume":"8","author":"R Sihwail","year":"2018","unstructured":"Sihwail, R., Omar, K., Ariffin, K.A.Z.: A survey on malware analysis techniques: static, dynamic, hybrid and memory analysis. Int. J. Adv. Sci. Eng. Inf. Technol. 8(01), 1662 (2018)","journal-title":"Int. J. Adv. Sci. Eng. Inf. Technol."},{"key":"371_CR7","doi-asserted-by":"crossref","unstructured":"Gao, Y., Lu, Z., Luo, Y.: Survey on malware anti-analysis. In: 5th International Conference on Intelligent Control and Information Processing, ICICIP 2014-Proceedings, pp. 270\u2013275 (2015)","DOI":"10.1109\/ICICIP.2014.7010353"},{"key":"371_CR8","unstructured":"Microsoft.: IsDebuggerPresent function (2018). Last accessed on 2020-10-04"},{"issue":"05","key":"371_CR9","doi-asserted-by":"publisher","first-page":"23","DOI":"10.4316\/AECE.2019.02003","volume":"19","author":"J Park","year":"2019","unstructured":"Park, J., Jang, Y.-H., Hong, S., Park, Y.: Automatic detection and bypassing of anti-debugging techniques for microsoft windows environments. Adv. Electr. Comput. Eng. 19(05), 23\u201328 (2019)","journal-title":"Adv. Electr. Comput. Eng."},{"issue":"06","key":"371_CR10","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1109\/MSP.2007.71","volume":"5","author":"M Gagnon","year":"2007","unstructured":"Gagnon, M., Taylor, S., Ghosh, A.: Software protection through anti-debugging. Secur. Privacy IEEE 5(06), 82\u201384 (2007)","journal-title":"Secur. Privacy IEEE"},{"key":"371_CR11","unstructured":"Lukan, D.: Anti-debugging: Detecting system debugger, 02 (2013)"},{"key":"371_CR12","doi-asserted-by":"crossref","unstructured":"Xie, P., Lu, X., Wang, Y., Su, J., Li, M.: An automatic approach to detect anti-debugging in malware analysis. In: ISCTCS, vol. 320, pp. 436\u2013442 (2013)","DOI":"10.1007\/978-3-642-35795-4_55"},{"key":"371_CR13","first-page":"813","volume":"28","author":"Zhengwei Qi","year":"2012","unstructured":"Qi, Zhengwei, Li, Bingyu, Lin, Qian, Miao, Yu., Xia, Mingyuan, Guan, Haibing: Spad: software protection through anti-debugging using hardware-assisted virtualization. J. Inf. Sci. Eng. 28, 813\u2013827 (2012)","journal-title":"J. Inf. Sci. Eng."},{"key":"371_CR14","unstructured":"Fran\u00e7Sois, P., Baptiste, D.: Exploiting flaws in windbg: how to escape or fool debuggers from existing flaws. J. Comput. Virol. Hacking Tech, 10.1007\/s11416-020-00347-x (2020)"},{"key":"371_CR15","doi-asserted-by":"crossref","unstructured":"Marhusin, M.F., Larkin, H., Lokan, C., Cornforth, D.: An evaluation of api calls hooking performance. In: Proceedings - 2008 International Conference on Computational Intelligence and Security, CIS 2008, vol. 1: pp. 315\u2013319 (2008)","DOI":"10.1109\/CIS.2008.199"},{"key":"371_CR16","doi-asserted-by":"crossref","unstructured":"Sun, H-M., Lin, Y-H., Wu, M-F.: Api monitoring system for defeating worms and exploits in ms-windows system. In: Proceedings of the 11th Australasian Conference on Information Security and Privacy, ACISP\u201906, pages 159\u2013170, Berlin, Heidelberg. Springer-Verlag (2006)","DOI":"10.1007\/11780656_14"},{"key":"371_CR17","unstructured":"Ortega, A.: Pafish (paranoid fish), 07 (2012)"},{"key":"371_CR18","doi-asserted-by":"crossref","unstructured":"Ortega, A.: Al-khaser v0.79, 11 (2015)","DOI":"10.23850\/22565035.132"},{"key":"371_CR19","unstructured":"Karvandi, S.: Defeating malware\u2019s anti-vm techniques (cpuid-based instructions), 06 (2018)"},{"key":"371_CR20","unstructured":"Rutkowska, J.: Subverting vistatm kernel forfun and profit, 08 (2006)"},{"key":"371_CR21","unstructured":"Quist, D., Smith, V., Offensive Computing.: detecting the presence of virtual machines using the local data table. Offensive Comput., 25(04) (2006)"},{"key":"371_CR22","unstructured":"Rutkowska, J.: Red pill... or how to detect vmm using (almost) one cpu instruction, 11 (2007)"},{"key":"371_CR23","unstructured":"Leon, R., Kiperberg, M., Algawi, A., Resh, A., Zaidenberg, N.: Creating modern blue pills and red pills. In: European Conference on Cyber Warfare and Security, vol. 1: p. 9 (2019)"},{"key":"371_CR24","doi-asserted-by":"publisher","first-page":"S98","DOI":"10.1016\/j.diin.2018.04.015","volume":"26","author":"T Tuzel","year":"2018","unstructured":"Tuzel, T., Bridgman, M., Zepf, J., Lengyel, T.K., Temkin, K.J.: Who watches the watcher? detecting hypervisor introspection from unprivileged guests. Digital Investig. 26, S98\u2013S106 (2018)","journal-title":"Digital Investig."},{"key":"371_CR25","doi-asserted-by":"crossref","unstructured":"Korkin, I.: Two challenges of stealthy hypervisors detection: Time cheating and data fluctuations. J. Digital Forensics Secur. Law, 25, 05 (2015)","DOI":"10.15394\/jdfsl.2015.1200"},{"issue":"02","key":"371_CR26","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1007\/s11416-009-0130-8","volume":"7","author":"A Desnos","year":"2011","unstructured":"Desnos, A., Filiol, E., Lefou, I.: Detecting (and creating!) a hvm rootkit (aka bluepill-like). J. Comput. Virol. 7(02), 23\u201349 (2011)","journal-title":"J. Comput. Virol."},{"key":"371_CR27","doi-asserted-by":"crossref","unstructured":"Ali, M., Shiaeles, S., Ghita, B.V., Papadaki, M.: Agent-based vs agent-less sandbox for dynamic behavioral analysis. In: 2018 Global Information Infrastructure and Networking Symposium, p.\u00a05 (2018)","DOI":"10.1109\/GIIS.2018.8635598"},{"key":"371_CR28","unstructured":"Ben-Yehuda, M.: Machine virtualization:efficient hypervisors, stealthy malware, 03 (2013)"},{"key":"371_CR29","unstructured":"Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system. In: 30th Annual Computer Security Applications Conference, 12 2014"},{"key":"371_CR30","unstructured":"Aaraj, N., Raghunathan, A., Jha, N.K.: Dynamic binary instrumentation-based framework for malware defense. In DIMVA, vol. 5137, 07 (2008)"},{"key":"371_CR31","doi-asserted-by":"crossref","unstructured":"D\u2019Elia, D.C., Coppa, E., Nicchi, S., Palmaro, F., Cavallaro, L.: Sok: Using dynamic binary instrumentation for security (and how you may get caught red handed). In: ACM Asia Conference on Information, Computer and Communications Security (ASIACCS 2019), p.\u00a014 (2019)","DOI":"10.1145\/3321705.3329819"},{"key":"371_CR32","doi-asserted-by":"publisher","first-page":"3583","DOI":"10.1007\/s11227-016-1777-9","volume":"74","author":"D Kim","year":"2016","unstructured":"Kim, D., Kim, S., Ryou, J.: Design and implementation of user-level dynamic binary instrumentation on arm architecture. J. Supercomput. 74, 3583 (2016)","journal-title":"J. Supercomput."},{"key":"371_CR33","unstructured":"Zhao, V.: Evaluation of dynamic binary instrumentation approaches: Dynamic binary translation vs. dynamic probe injection. Master\u2019s thesis, Williams College, 06 (2018)"},{"key":"371_CR34","doi-asserted-by":"crossref","unstructured":"Rodriguez, R.J., Artal, J., Merseguer, J.: Performance evaluation of dynamic binary instrumentation frameworks. Latin America Trans. IEEE (Revista IEEE America Latina), 12:1572\u20131580 (2014)","DOI":"10.1109\/TLA.2014.7014530"},{"key":"371_CR35","doi-asserted-by":"crossref","unstructured":"Kirsch, J., Zhechev, Z., Bierbaumer, B. and Kittel, T.: PwIN - Pwning Intel piN: Why DBI is unsuitable for security applications. In: European Symposium on Research in Computer Security pp. 363\u2013382. ESORICS, : Barcelona. Spain (2018)","DOI":"10.1007\/978-3-319-99073-6_18"},{"key":"371_CR36","unstructured":"Zhechev, Z.: Security evaluation of dynamic binary instrumentation engines. Master\u2019s thesis, University of Munich, 06 (2018)"},{"key":"371_CR37","unstructured":"Julian, K., Zhechko, Z.: Pwning intel pin - reconsidering intel pin in context of security. In: REcon. REcon Montreal 2018, June (2018)"},{"key":"371_CR38","unstructured":"Polino, M., Continella, A., Mariani, S., D\u2019Alessio, S., Fontana, L., Gritti, F., Zanero, S.: Measuring and defeating anti-instrumentation-equipped malware. In: Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)"},{"key":"371_CR39","unstructured":"Bougacha, A.: Detecting valgrind, 09 (2012)"},{"key":"371_CR40","unstructured":"Intel.: Intel\u00ae\u00a064 and IA-32 Architectures Software Developer\u2019s Manual Volume 3A: 8.1.3 Handling Self- and Cross-Modifying Code. Intel (2016)"},{"key":"371_CR41","doi-asserted-by":"crossref","unstructured":"Microsoft.: SpinLock, 03 (2017). Last accessed on 2020-10-04","DOI":"10.1055\/s-0037-1602671"},{"key":"371_CR42","unstructured":"Microsoft.: What is .NET?, 02 (2002). Last accessed on 2020-10-04"},{"key":"371_CR43","unstructured":"Osnat Levi.: Pin - a dynamic binary instrumentation tool, 06 (2012)"},{"key":"371_CR44","unstructured":"Tessier, C., Hubain, C.: Qbdi - quarkslab dynamic binary instrumentation home page, 09 (2015)"},{"key":"371_CR45","unstructured":"Kalleberg, K.T., Ravnas, O.A.V.: Testing interoperability with closed-source software through scriptable diplomacy. (FOSDEM \u201916), 01 (2016)"},{"key":"371_CR46","doi-asserted-by":"crossref","unstructured":"Nethercote, N., Seward, J.: Valgrind: A framework for heavyweight dynamic binary instrumentation. (PLDI \u201907) ACM (2007)","DOI":"10.1145\/1250734.1250746"},{"key":"371_CR47","doi-asserted-by":"crossref","unstructured":"Fiedor, J., Vojnar, T.: Anaconda: A framework for analysing multi-threaded c\/c++ programs on the binary level. In: Shaz Qadeer and Serdar Tasiran, editors, RV, volume 7687 of Lecture Notes in Computer Science, pages 35\u201341. Springer (2012)","DOI":"10.1007\/978-3-642-35632-2_5"},{"key":"371_CR48","doi-asserted-by":"crossref","unstructured":"Bruening, Z., Amarasinghe.: Transparent dynamic instrumentation. In: (VEE \u201912). ACM (2012)","DOI":"10.1145\/2151024.2151043"},{"key":"371_CR49","unstructured":"Microsoft.: Structured Exception Handling (C\/C++), 08 (2018). Last accessed on 2020-10-04"},{"key":"371_CR50","unstructured":"Intel.: Pin - Command Line Switches, 05 (2018)"},{"key":"371_CR51","unstructured":"Chatterjee, N., Majumdar, S., Sahoo, S., Das, P.: Debugging multi-threaded applications using pin-augmented gdb (pgdb), 07 (2015)"},{"key":"371_CR52","unstructured":"Gdb: The gnu project debugger"},{"key":"371_CR53","doi-asserted-by":"crossref","unstructured":"Ambavkar, P.: Debugging on linux. Int. Organ. Sci. Res. J. Eng. (IOSRJEN)February 2012, page\u00a07, 02 (2012)","DOI":"10.9790\/3021-0202320324"},{"key":"371_CR54","unstructured":"Debugging in visual studio, 11 (2016). Last accessed on 2020-10-04"},{"key":"371_CR55","unstructured":"x64dbg: An open-source x64\/x32 debugger for windows"},{"key":"371_CR56","unstructured":"ollydbg"},{"key":"371_CR57","unstructured":"Intel.: Intel\u00ae\u00a064 and IA-32 Architectures Software Developer\u2019s Manual Volume 3A: chapter 23 - introduction to virtual machine extensions. Intel (2016)"},{"key":"371_CR58","first-page":"09","volume":"4","author":"Kamanashis Biswas","year":"2009","unstructured":"Biswas, Kamanashis, Islam, Md: Hardware virtualization support in intel, amd and ibm power processors. Int. J. Comput. Sci. Inf. Secur. 4, 09 (2009)","journal-title":"Int. J. Comput. Sci. Inf. Secur."},{"key":"371_CR59","unstructured":"Intel.: Intel\u00ae\u00a064 and IA-32 Architectures Software Developer\u2019s Manual Volume 3C (2016)"},{"key":"371_CR60","unstructured":"Intel.: Intel\u00ae\u00a064 and IA-32 Architectures Software Developer\u2019s Manual Volume 2A (2016)"},{"key":"371_CR61","unstructured":"vmware"},{"key":"371_CR62","unstructured":"Virtualbox"},{"key":"371_CR63","unstructured":"Bellard, F.: Qemu, a fast and portable dynamic translator. In: USENIX Annual Technical Conference, FREENIX Track(2005)"},{"key":"371_CR64","unstructured":"Microsoft.: Hyper-V Technology Overview, 11 (2016). Last accessed on 2020-10-04"},{"key":"371_CR65","unstructured":"Microsoft.: Introduction to Hyper-V on Windows 10, 06 (2018). Last accessed on 2020-10-04"},{"key":"371_CR66","unstructured":"Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., Hamburg, M.: Meltdown: Reading kernel memory from user space. In: 27th USENIX Security Symposium (USENIX Security 18) (2018)"},{"key":"371_CR67","doi-asserted-by":"crossref","unstructured":"Kocher, P., Horn, J., Fogh, A., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., Yarom, Y.: Spectre attacks: Exploiting speculative execution. In 40th IEEE Symposium on Security and Privacy (S&P\u201919), (2019)","DOI":"10.1109\/SP.2019.00002"}],"container-title":["Journal of Computer Virology and Hacking Techniques"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-020-00371-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11416-020-00371-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-020-00371-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,5,20]],"date-time":"2021-05-20T08:55:57Z","timestamp":1621500957000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11416-020-00371-x"}},"subtitle":["How to escape or fool debuggers with internal architecture CPU flaws?"],"short-title":[],"issued":{"date-parts":[[2021,2,5]]},"references-count":67,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2021,6]]}},"alternative-id":["371"],"URL":"https:\/\/doi.org\/10.1007\/s11416-020-00371-x","relation":{},"ISSN":["2263-8733"],"issn-type":[{"value":"2263-8733","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,2,5]]},"assertion":[{"value":"30 June 2020","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"12 October 2020","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 February 2021","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}