waliedassar

INT 2E / Anti-Tracing Trick

Oct 24th, 2013
Credit: @angealbertini (for discovering this method of obtaining the EIP value).
  2.  
// Tested on Windows XP 32-bit
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
  7.  
/*
 * SEH handler that main_2E/main_2C install in fs:[0] around their
 * software interrupt. It runs only if the interrupt raises an exception
 * instead of returning normally; the program treats that as an
 * unsupported system and terminates.
 *
 * The four untyped parameters match the argument count of the fs:[0]
 * handler ABI the registration record points at; none are inspected.
 */
int __cdecl Handler(void *exception_record, void *registration, void *context, void *dispatcher)
{
    (void)exception_record;
    (void)registration;
    (void)context;
    (void)dispatcher;

    fputs("Incompatible System\r\n", stdout);
    ExitProcess(0);

    /* Not reached: ExitProcess does not return. Kept so the function
     * has a value of the expected disposition type on every path. */
    return ExceptionContinueSearch;
}
  14.  
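/*
 * Probe the legacy int 0x2E interrupt gate and report the value left in
 * EDX when it returns, which the author documents as the caller's EIP.
 *
 * A temporary SEH record (Handler) is linked into fs:[0] for the duration
 * of the interrupt so that a system on which int 0x2E faults prints
 * "Incompatible System" and exits rather than crashing. The record is
 * unlinked and its two dwords discarded before returning to C.
 *
 * Heuristic as written by the author: an EDX of all-ones is reported as
 * "Being Traced". From an analyst's point of view the probe is easy to
 * spot statically: the `int 0x2E` opcode itself and the manual fs:[0]
 * manipulation around it.
 *
 * Fixes relative to the original: `%x` was paired with an unsigned long
 * (undefined behaviour per C11; `%lx` matches the argument type), and the
 * all-ones sentinel is spelled out instead of relying on -1 conversion.
 */
void main_2E(void)
{
    unsigned long realPC = 0;
    __asm
    {
        push offset Handler          ; new SEH record: handler address
        push dword ptr fs:[0]        ; ... linked to the previous record
        mov dword ptr fs:[0],esp     ; install it
        xor eax,eax                  ; EAX = 0 before entering the gate
        xor edx,edx                  ; EDX = 0 so a stale value cannot be misread
        int 0x2E
        nop
        mov realPC,edx               ; value the gate returned in EDX
        pop dword ptr fs:[0]         ; restore the previous record
        pop ebx                      ; drop our handler pointer from the stack
    }

    /* realPC is an unsigned long; %lx is the matching conversion. */
    printf("EIP is %lx\r\n", realPC);

    /* All-ones marker is what the author treats as a trace indicator. */
    if (realPC == (unsigned long)-1) {
        printf("Being Traced\r\n");
    }
}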
  35.  
  36.  
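/*
 * Same probe as main_2E, issued through int 0x2C instead of int 0x2E:
 * report the EDX value the gate returns and flag an all-ones result as
 * "Being Traced".
 *
 * A temporary SEH record (Handler) is installed in fs:[0] around the
 * interrupt so that a system on which int 0x2C faults prints
 * "Incompatible System" and exits instead of crashing; the record is
 * unlinked and discarded before the function returns to C.
 *
 * Fixes relative to the original: `%x` was paired with an unsigned long
 * (undefined behaviour per C11; `%lx` matches the argument type), and the
 * all-ones sentinel is spelled out instead of relying on -1 conversion.
 */
void main_2C(void)
{
    unsigned long realPC = 0;
    __asm
    {
        push offset Handler          ; new SEH record: handler address
        push dword ptr fs:[0]        ; ... linked to the previous record
        mov dword ptr fs:[0],esp     ; install it
        xor eax,eax                  ; EAX = 0 before entering the gate
        xor edx,edx                  ; EDX = 0 so a stale value cannot be misread
        int 0x2C
        nop
        mov realPC,edx               ; value the gate returned in EDX
        pop dword ptr fs:[0]         ; restore the previous record
        pop ebx                      ; drop our handler pointer from the stack
    }

    /* realPC is an unsigned long; %lx is the matching conversion. */
    printf("EIP is %lx\r\n", realPC);

    /* All-ones marker is what the author treats as a trace indicator. */
    if (realPC == (unsigned long)-1) {
        printf("Being Traced\r\n");
    }
}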
  57.  
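/*
 * Read EFLAGS immediately after returning from int 0x2E and report a set
 * trap flag (TF, bit 8 = 0x100) as "Being Traced".
 *
 * Consistency fix: main_2E and main_2C wrap their interrupt in a temporary
 * SEH record so an unsupported system exits via Handler, but the original
 * Test_Trace ran int 0x2E unguarded and would simply crash there. The same
 * fs:[0] registration is now used here. pushfd/pop do not alter flags, so
 * the captured value is the one the gate returned with.
 */
void Test_Trace(void)
{
    enum { EFLAGS_TF = 0x100 };      /* trap flag, bit 8 of EFLAGS */
    unsigned long EFlags = 0;
    __asm
    {
        push offset Handler          ; new SEH record: handler address
        push dword ptr fs:[0]        ; ... linked to the previous record
        mov dword ptr fs:[0],esp     ; install it
        xor eax,eax
        xor edx,edx
        int 0x2E
        pushfd                       ; capture EFLAGS right after the gate returns
        pop eax
        mov EFlags,eax
        pop dword ptr fs:[0]         ; restore the previous record
        pop ebx                      ; drop our handler pointer from the stack
    }

    if (EFlags & EFLAGS_TF) {
        printf("Being Traced\r\n");
    }
}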
  73.  
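/*
 * Entry point: run the three probes in the original order — int 0x2C,
 * int 0x2E, then the trap-flag check. Each probe prints its own result.
 *
 * Declared as `int main(void)` rather than the non-standard `void main()`
 * so the process reports an exit status to its parent.
 */
int main(void)
{
    main_2C();
    main_2E();
    Test_Trace();
    return 0;
}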