Causing exceptions

The next thing to do is develop code that forcibly causes an exception. We have a few known ways to do that:

  • Use debug breakpoints (INT 3 / INT 1)

  • Access inaccessible memory spaces

  • Divide by zero

The aim of an SEH anti-debugging trick is to steer the debugging session into an error. This makes the analyst try to trace back what might have caused the error, wasting time. However, if the analyst is familiar with SEH, it is easy to pinpoint where the handler is and set a breakpoint there.

Step debugging works because of Interrupt 1, while breakpoints are set using Interrupt 3. When code execution encounters an INT 3 instruction, a debug exception occurs. To raise an Interrupt 1 exception, the trap flag has to be set first.

When reading data from inaccessible memory, a read error occurs. There are already known memory regions, such as the kernel space, that a user-mode process is not allowed to access directly. Most of these regions are protected with a PAGE_GUARD flag. The PAGE_GUARD flag can be set with the VirtualAlloc or VirtualProtect function, which means we can produce our own inaccessible memory region. Typically, the region starting at offset 0 of the process space is not accessible. The following line of code will cause an access violation exception:

mov al, [0]

In mathematics, division by zero has no defined result; carried out as repeated subtraction, it would never terminate. The system explicitly identifies this kind of error and raises an exception. An example is the following:

mov eax, 1
xor cl, cl
div cl

The preceding code sets the eax register to 1, sets the cl register to 0, and then divides eax by cl, causing a divide-by-zero exception.
