Low Fragmentation Heap AntiDebug Check (Patreon)
Contents
Low Fragmentation Heap AntiDebug Check
Windows Heap & LFH Policy
Checking LFH Pointer To Detect Debuggers
LFH is only set when run under a debugger
What is the Windows Heap?
The heap is an area of memory set aside for dynamic memory allocation while the program runs. The operating system allocates it when the program is initialized and loaded into memory. Each process has its own heap, which is not deleted until the program ends.
Data structures and objects are stored in it through the "Heap Manager", which handles the allocation and de-allocation of memory blocks and manages memory fragmentation. By default the heap is 1 MB in size, but it can grow as needed. The heap is a contiguous region of memory divided into chunks: blocks of memory that are allocated, de-allocated, or merged together. The gaps this churn leaves between chunks are what is called fragmentation.
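To make the chunk behaviour described above concrete, here is an added example (not code from the original article, and not the Windows heap manager itself): a constructed toy heap manager in C that divides a small contiguous arena into chunks, allocates with first-fit and splitting, frees with coalescing of adjacent free chunks, and shows how fragmentation makes a request fail even though enough total free space exists. The arena size, the 16-byte chunk header and the `toy_*` function names are assumptions of this example.

```c
/* Added example: a toy heap manager modelling the chunk behaviour
 * described above. It is NOT the Windows heap manager; the arena size,
 * the 16-byte header and the toy_* names are assumptions of this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARENA_SIZE 1024u          /* the whole "heap" (constructed size) */

typedef struct {
    uint64_t size;                /* payload bytes that follow the header */
    uint64_t is_free;             /* 1 = chunk is available for allocation */
} Chunk;                          /* fixed 16-byte header on any platform */

#define HDR ((size_t)sizeof(Chunk))

static _Alignas(16) uint8_t arena[ARENA_SIZE];

/* Reset the arena to a single free chunk spanning all of it. */
void toy_reset(void) {
    Chunk *first = (Chunk *)arena;
    first->size = ARENA_SIZE - HDR;
    first->is_free = 1;
}

/* Chunks are laid out back to back, so the next header sits right after
 * this chunk's payload; NULL once we run off the end of the arena. */
static Chunk *next_chunk(Chunk *c) {
    uint8_t *p = (uint8_t *)c + HDR + (size_t)c->size;
    return p < arena + ARENA_SIZE ? (Chunk *)p : NULL;
}

/* First-fit allocation: take the first free chunk that is large enough,
 * splitting off the remainder as a new free chunk when it is worth it. */
void *toy_alloc(size_t n) {
    n = (n + 15) & ~(size_t)15;                  /* 16-byte granularity */
    if (n == 0) n = 16;
    for (Chunk *c = (Chunk *)arena; c; c = next_chunk(c)) {
        if (!c->is_free || c->size < n) continue;
        if (c->size >= n + HDR + 16) {           /* split the chunk */
            Chunk *rest = (Chunk *)((uint8_t *)c + HDR + n);
            rest->size = c->size - n - HDR;
            rest->is_free = 1;
            c->size = n;
        }
        c->is_free = 0;
        return (uint8_t *)c + HDR;
    }
    return NULL;                                 /* no single chunk big enough */
}

/* Free a block and merge it with any adjacent free chunks (coalescing),
 * which is how a heap manager limits fragmentation. */
void toy_free(void *p) {
    if (!p) return;
    Chunk *c = (Chunk *)((uint8_t *)p - HDR);
    c->is_free = 1;
    Chunk *n = next_chunk(c);                    /* merge forward */
    while (n && n->is_free) {
        c->size += HDR + n->size;
        n = next_chunk(c);
    }
    Chunk *prev = NULL;                          /* merge backward */
    for (Chunk *x = (Chunk *)arena; x && x != c; x = next_chunk(x)) prev = x;
    if (prev && prev->is_free) prev->size += HDR + c->size;
}

size_t toy_total_free(void) {                    /* sum of all free payloads */
    size_t t = 0;
    for (Chunk *c = (Chunk *)arena; c; c = next_chunk(c))
        if (c->is_free) t += (size_t)c->size;
    return t;
}

size_t toy_largest_free(void) {                  /* biggest single free chunk */
    size_t m = 0;
    for (Chunk *c = (Chunk *)arena; c; c = next_chunk(c))
        if (c->is_free && c->size > m) m = (size_t)c->size;
    return m;
}

size_t toy_chunk_count(void) {                   /* used + free chunks */
    size_t k = 0;
    for (Chunk *c = (Chunk *)arena; c; c = next_chunk(c)) k++;
    return k;
}

int main(void) {
    toy_reset();
    void *a = toy_alloc(100), *b = toy_alloc(100), *c = toy_alloc(100);
    printf("after 3 allocations: %zu chunks\n", toy_chunk_count());
    toy_free(a); toy_free(c);                    /* b stays in use between them */
    printf("free total %zu, largest %zu -> alloc(800) %s\n",
           toy_total_free(), toy_largest_free(),
           toy_alloc(800) ? "succeeds" : "fails (fragmented)");
    toy_free(b);                                 /* everything coalesces again */
    printf("free total %zu, largest %zu, %zu chunk(s)\n",
           toy_total_free(), toy_largest_free(), toy_chunk_count());
    return 0;
}
```

With three 100-byte blocks allocated and the outer two freed, the arena holds 864 free bytes but the largest free chunk is only 752, so an 800-byte request fails; freeing the middle block lets the free chunks coalesce into one, and the same request then succeeds. The real Windows heap manager keeps far richer metadata and front-end policies such as the LFH, but the split-and-coalesce behaviour shown here is the mechanism behind the fragmentation the text refers to.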