waliedassar

PspSetContext Anti-Tracing Trick

May 9th, 2013
464
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. //When debuggers call ZwSetContextThread upon its debuggee, the "nt!PspSetContext" function is called, which
  2. //filters certain EFlags out of the _CONTEXT structure e.g. Alignment Check. This can be used as
  3. //an Anti-Tracing Trick (also Anti-Debug). Tested on Windows 7 SP1 (64-Bit).
  4. //Credit: @nickeverdox
  5. //Description: http://everdox.blogspot.com/2013/03/2-anti-tracing-mechanisms-specific-to.html
  6.  
  7. #include "stdafx.h"
  8. #include "windows.h"
  9. #include "stdio.h"
  10.  
  11. int main(int argc, char* argv[])
  12. {
  13.     unsigned long xXx = 1 << 18; //Alignment Check of EFlags
  14.     __asm
  15.     {
  16.         pushfd
  17.         mov ecx,xXx
  18.         or dword ptr[esp],ecx
  19.         popfd
  20.     }
  21.  
  22.     //if the flag is lost, then code is being traced
  23.     //printf("%s\r\n","Hope you are not tracing it?!!");
  24.     unsigned long EFlags = 0;
  25.     __asm
  26.     {
  27.         pushfd
  28.         pop ecx
  29.         mov EFlags,ecx
  30.     }
  31.  
  32.     if( (EFlags&xXx) == 0)  MessageBox(0,"Being traced!!!","waliedassar",0);
  33.     else    MessageBox(0,"Expected","waliedassar",0);
  34.     ExitProcess(0);
  35.     return 0;
  36. }
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×