Emulated Breakpoint Debugger and Data Mining using Detours
Source: Riverside Research Institute
The ability to perform dynamic analysis is a powerful tool in the arsenal of a reverse engineer. Code such as malware can employ anti-debugging or packing measures to make dynamic analysis difficult. The authors have built a stealthy debugger on Microsoft Detours that emulates a breakpoint rather than using "INT 3" or the DR0-DR7 hardware registers. Understanding code and data flow at a functional level can now be achieved by using an IDA Pro plug-in together with a data mining feature that the authors have added to Detours. 'IF' is the tool that incorporates the emulated breakpoints and data mining capabilities.
| Format: | |
| Size: | 174.70 |
| Date: | Aug 2007 |



