The detection is done through the Thread Environment Block (TEB, also called the Win32 Thread Information Block): fs:[0x18] yields the TEB's own linear address, offset +0x30 of the TEB holds the pointer to the Process Environment Block (PEB), and the byte at offset +0x02 of the PEB is the BeingDebugged field. This is the same flag that IsDebuggerPresent() returns, read without calling the API. The byte is written to [esp+0x14], checked later, and the result of that comparison selects which of the two code blocks is executed. Because the check reads a single byte of user-mode memory, clearing PEB.BeingDebugged in the debugger (or with an anti-anti-debug plugin) before the comparison makes the sample take the non-debugged path.
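The pointer walk described above, written out as an added example (not code from the original page or the analysed sample). On 32-bit Windows with GCC/MinGW the `peb_being_debugged()` function performs the real `fs:[0x18]` read; everywhere else the same three-step walk runs against a constructed, simulated 32-bit address space so the offsets and the branch can be exercised offline. The TEB/PEB addresses 0x1000 and 0x2000 and the buffer size are assumptions made for the simulation; the offsets 0x18, 0x30 and 0x02 are the real TEB/PEB layout the text refers to.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Real TEB/PEB offsets used by the check (32-bit Windows, x86). */
#define TEB_SELF_OFFSET   0x18  /* TEB.NtTib.Self: fs:[0x18] -> TEB linear address */
#define TEB_PEB_OFFSET    0x30  /* TEB.ProcessEnvironmentBlock -> PEB */
#define PEB_BEINGDEBUGGED 0x02  /* PEB.BeingDebugged, one byte */

/* Constructed, simulated 32-bit address space: a flat buffer in which every
   32-bit value is interpreted as an offset into the buffer. The layout
   (TEB at 0x1000, PEB at 0x2000, 0x3000 bytes total) is an assumption for
   the example, not a real process map. */
#define SPACE_SIZE 0x3000
#define TEB_ADDR   0x1000u
#define PEB_ADDR   0x2000u

static uint32_t rd32(const uint8_t *mem, uint32_t addr) {
    uint32_t v;
    memcpy(&v, mem + addr, sizeof v);
    return v;
}

static void wr32(uint8_t *mem, uint32_t addr, uint32_t v) {
    memcpy(mem + addr, &v, sizeof v);
}

/* Populate the simulated TEB and PEB with the given BeingDebugged value. */
void build_space(uint8_t *mem, uint8_t being_debugged) {
    memset(mem, 0, SPACE_SIZE);
    wr32(mem, TEB_ADDR + TEB_SELF_OFFSET, TEB_ADDR); /* fs:[0x18] -> TEB   */
    wr32(mem, TEB_ADDR + TEB_PEB_OFFSET, PEB_ADDR);  /* TEB+0x30  -> PEB   */
    mem[PEB_ADDR + PEB_BEINGDEBUGGED] = being_debugged;
}

/* The same walk the sample's assembly performs, with fs_base standing in
   for the fs segment base (which on 32-bit Windows is the TEB itself):
     mov   eax, fs:[0x18]        ; TEB
     mov   eax, [eax+0x30]       ; PEB
     movzx eax, byte [eax+0x02]  ; BeingDebugged
   Returns 1 when the simulated process is being debugged, 0 otherwise. */
int peb_being_debugged_sim(const uint8_t *mem, uint32_t fs_base) {
    uint32_t teb = rd32(mem, fs_base + TEB_SELF_OFFSET);
    uint32_t peb = rd32(mem, teb + TEB_PEB_OFFSET);
    return mem[peb + PEB_BEINGDEBUGGED];
}

/* Models the branch after the check: the stored byte selects one of two
   code paths, exactly as the text describes. */
const char *select_path(int being_debugged) {
    return being_debugged ? "debugged-path" : "normal-path";
}

#if defined(_WIN32) && defined(__i386__) && defined(__GNUC__)
/* Real check on 32-bit Windows built with GCC/MinGW: identical walk via fs:. */
int peb_being_debugged(void) {
    uint32_t teb, peb;
    __asm__ volatile ("movl %%fs:0x18, %0" : "=r"(teb));
    peb = *(uint32_t *)(teb + TEB_PEB_OFFSET);
    return *(uint8_t *)(peb + PEB_BEINGDEBUGGED);
}
#endif

int main(void) {
    static uint8_t mem[SPACE_SIZE];
    build_space(mem, 1);                       /* constructed: debugger attached */
    int flag = peb_being_debugged_sim(mem, TEB_ADDR);
    printf("simulated BeingDebugged = %d -> %s\n", flag, select_path(flag));
    build_space(mem, 0);                       /* constructed: flag patched to 0 */
    flag = peb_being_debugged_sim(mem, TEB_ADDR);
    printf("simulated BeingDebugged = %d -> %s\n", flag, select_path(flag));
    return 0;
}
```

The second run in `main` is the analyst's counter-move: zeroing the one byte at PEB+0x02 is enough to steer the sample down the non-debugged block, which is why debugger plugins that clear BeingDebugged defeat this check without touching the sample's code.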