
Have you ever wondered why a program refuses to start when you run it under a debugger? In this article we'll take a brief look at the Windows heap and the Low Fragmentation Heap (LFH) policy, and then see how they can be turned into an anti-debug technique known as the LFH anti-debug check. Finally, we'll see how this trick can be bypassed so that the check no longer detects the debugger.

Contents:

Low Fragmentation Heap AntiDebug Check
  Windows Heap & LFH Policy
  Checking the LFH Pointer To Detect Debuggers
  LFH Is Only Set When Run Under a Debugger

What is the Windows Heap

The heap is a pre-allocated area of memory used for dynamic memory allocation while the program is running. It is set up by the operating system when a program is initialized and loaded into memory. Each process has its own heap, which lives until the process exits.

It is used for managing data structures and objects through the "Heap Manager", which takes care of allocating and de-allocating memory blocks and of managing memory fragmentation. By default, the heap size is 1 MB, but it can grow as needed. The heap is a contiguous region of memory that is divided into chunks. Think of chunks as blocks of memory that get allocated, de-allocated, or merged back together; the resulting patchwork of used and free blocks is what is meant by fragmentation.
