Stack Necromancy: Defeating Debuggers by Raising the Dead

39 points by 2510c39011c5 about 10 years ago

2 comments

spydum about 10 years ago
So if I understood, when you launch processes in a debugger, it will walk the list of functions and instantiate them.. this means you could craft a bit of cleverness to detect whether app was launched from a debugger with minimal overhead, by tripping up an uninitiated pointer.

None of this works for debuggers which attach AFTER the process starts though.. so if I were a MALware creator, this might be a handy trick to force different code paths while someone is snooping my newest creation. The only way to know it was going on would be to do a static analysis (which I imagine is more effort).
SomeCallMeTim about 10 years ago
My history is with CPUs that don't have a separate system stack, so my first thought was that interrupts could stomp on the stack. But not so on Intel.