Stack Necromancy: Defeating Debuggers by Raising the Dead (spareclockcycles.org)
39 points by 2510c39011c5 on April 6, 2015 | 3 comments



So, if I understood correctly, when you launch a process in a debugger, it will walk the list of functions and instantiate them. This means you could craft a bit of cleverness to detect whether the app was launched from a debugger with minimal overhead, by tripping up an uninitialized pointer.

None of this works for debuggers that attach AFTER the process starts, though. So if I were a malware creator, this might be a handy trick to force different code paths while someone is snooping on my newest creation. The only way to know it was going on would be to do static analysis (which, I imagine, is more effort).
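The "raising the dead" mechanism the comment above is reasoning about is a read of stack memory left behind by a frame that has already returned. The following is an added illustration written for this page, not code from the spareclockcycles.org article or from the commenter: one function writes a marker pattern into its own frame and returns, a second function declares a same-sized uninitialized array at the same stack depth and counts how many slots still hold the marker. The function names (`leave_marker`, `count_dead_markers`, `probe_dead_frame`) and the marker value are my own choices. It assumes GCC or Clang (for `__attribute__((noinline))`) and a conventional downward-growing stack where two sibling frames land at the same addresses; reading an uninitialized local is undefined behaviour in C, which is exactly what the technique relies on, so a different layout, a stack-protector scheme or a sanitizer can legitimately change the count. It shows only the dead-frame read, not why the leftover values differ under a debugger.

```c
#include <stdint.h>
#include <stdio.h>

#define MARKER 0xDEADBEEFu   /* arbitrary recognisable pattern (my choice) */
#define SLOTS  64

/* Step 1: write a pattern into this frame's stack slots, then return.
 * Nothing scrubs the frame when the function dies; the bytes sit below
 * the stack pointer until some later frame overwrites them. */
__attribute__((noinline)) static void leave_marker(void)
{
    volatile uint32_t slots[SLOTS];   /* volatile: stores must really be emitted */
    for (int i = 0; i < SLOTS; i++)
        slots[i] = MARKER;
}

/* Step 2: declare a same-sized array and deliberately do NOT initialise it.
 * Reading it is undefined behaviour in C; on typical compilers this frame
 * occupies the addresses leave_marker() just vacated, so the "dead" values
 * are visible. Returns how many slots still hold the marker (0..SLOTS). */
__attribute__((noinline)) static int count_dead_markers(void)
{
    volatile uint32_t slots[SLOTS];   /* intentionally uninitialised */
    int hits = 0;
    for (int i = 0; i < SLOTS; i++)
        if (slots[i] == MARKER)
            hits++;
    return hits;
}

/* Run both at the same stack depth, the way an anti-debug check would be
 * placed right after whatever earlier code left the values behind.
 * A nonzero result means the dead frame was successfully read back. */
__attribute__((noinline)) int probe_dead_frame(void)
{
    leave_marker();
    return count_dead_markers();
}

int main(void)
{
    int n = probe_dead_frame();
    printf("%d of %d slots still hold the marker from the dead frame\n", n, SLOTS);
    printf("%s\n", n ? "dead frame was readable"
                     : "dead frame was overwritten or laid out elsewhere");
    return 0;
}
```

Build with `gcc -O2 stack_dead.c && ./a.out` (assumed file name). A count of SLOTS means the second frame landed exactly on the first; a count of zero means the compiler or runtime laid the frames out differently, which is the layout-dependence an analyst should keep in mind before trusting any check built on this. MemorySanitizer (`-fsanitize=memory` on Clang) will report the uninitialized read, which is one way to spot the trick during analysis.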


Static analysis can be much more difficult, and there's a whole different toolbox for defeating static analysis. Often disassemblers can be attacked directly.


My history is with CPUs that don't have a separate system stack, so my first thought was that interrupts could stomp on the stack. But not so on Intel.
