Timing tricks

Normally, executing the instructions from address A to address B takes a program well under a second. If the same instructions are being single-stepped in a debugger, a human takes roughly a second per line, so getting from address A to address B takes at least a couple of seconds.

Essentially, the concept works just like a stopwatch. If the time it takes for a few lines of code is too long, the trick assumes that the program is being debugged.

Timing tricks can be applied as an anti-debugging method in any programming language. Setting a stopwatch would only require a function that can read time. Here are some examples of how timing tricks can be implemented in x86 assembly:

rdtsc                   ; first reading of the time-stamp counter (low 32 bits in eax)
mov ebx, eax            ; save the first reading
nop                     ; the "measured" code; a debugger single-stepping here burns cycles
nop
nop
nop
nop
nop
nop
nop
rdtsc                   ; second reading
sub eax, ebx            ; eax = elapsed cycles between the two readings
cmp eax, 0x100000       ; compare against the threshold
jg exit                 ; too slow: assume a debugger is attached and bail out

In x86 processors, RDTSC stands for Read Time-Stamp Counter. Every time the processor is reset (either by a hard reset or power-on), the time-stamp counter is set to 0, and it increments on every processor clock cycle. In the preceding chunk of RDTSC code, the result of the first RDTSC instruction is stored in the ebx register. After a set of nop instructions, the value stored in ebx is subtracted from the result of the second RDTSC instruction, which gives the difference between the first and second TSC readings. If the difference is greater than 0x100000, the code jumps to exit. If the program were not being step-debugged, the difference should be well under 0x500.

Alternatively, GetSystemTime and GetLocalTime, which are API functions that retrieve the current time, can also be used to implement timing tricks. To identify these tricks while analyzing a program, look for two calls to time-retrieving functions (or two RDTSC instructions) with a comparison of their difference in between.
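As an added analysis aid (not code from the book), the following Python scanner looks for the RDTSC stopwatch pattern described above in a chunk of x86 code bytes: two RDTSC opcodes (0F 31) close together, followed by a cmp eax, imm32 (opcode 3D) whose immediate is the threshold. The sample buffer is hand-assembled from the snippet above and is a constructed input; the 64-byte gap and 16-byte cmp window are assumed heuristics.

```python
from typing import Dict, List, Optional

RDTSC = b"\x0f\x31"          # opcode bytes of RDTSC
CMP_EAX_IMM32 = b"\x3d"      # opcode byte of cmp eax, imm32

# Constructed sample: the stopwatch check from the text, hand-assembled, with a
# small prologue/epilogue around it so the offsets are not trivially zero.
SAMPLE = (
    b"\x55\x89\xe5"            # push ebp; mov ebp, esp
    + b"\x0f\x31"              # rdtsc                (offset 3)
    + b"\x89\xc3"              # mov ebx, eax
    + b"\x90" * 8              # 8 x nop
    + b"\x0f\x31"              # rdtsc                (offset 15)
    + b"\x29\xd8"              # sub eax, ebx
    + b"\x3d\x00\x00\x10\x00"  # cmp eax, 0x100000   (offset 19)
    + b"\x7f\x04"              # jg exit
    + b"\x31\xc0\xc9\xc3"      # xor eax, eax; leave; ret
)

def find_rdtsc_offsets(code: bytes) -> List[int]:
    """Every offset at which the RDTSC opcode bytes appear."""
    offsets, start = [], 0
    while (i := code.find(RDTSC, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets

def extract_threshold(code: bytes, second_rdtsc: int, window: int = 16) -> Optional[int]:
    """Heuristic: within `window` bytes after the second RDTSC, decode the imm32 of cmp eax, imm32."""
    lo = second_rdtsc + len(RDTSC)
    i = code.find(CMP_EAX_IMM32, lo, lo + window)
    if i < 0 or i + 5 > len(code):
        return None
    return int.from_bytes(code[i + 1:i + 5], "little")

def scan_for_timing_checks(code: bytes, max_gap: int = 64) -> List[Dict[str, Optional[int]]]:
    """Report each pair of RDTSC instructions within `max_gap` bytes and the threshold compared against.
    Byte-pattern matching ignores instruction boundaries; confirm hits with a disassembler."""
    offs = find_rdtsc_offsets(code)
    hits = []
    for first, second in zip(offs, offs[1:]):
        if second - first <= max_gap:
            hits.append({"first": first, "second": second, "gap": second - first,
                         "threshold": extract_threshold(code, second)})
    return hits

if __name__ == "__main__":
    for hit in scan_for_timing_checks(SAMPLE):
        print(f"RDTSC pair at {hit['first']:#x}/{hit['second']:#x}, threshold {hit['threshold']:#x}")
```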
