waliedassar

OllyDbg v1.10 INT3/POPFD TRICK + PAGE_EXECUTE_WRITECOPY

Oct 1st, 2012
  1. //http://waleedassar.blogspot.com (@waleedassar)
  2. #include "stdafx.h"
  3. #include "windows.h"
  4.  
  5.  
  6.  
  7. #pragma comment(linker,"/incremental:no")
  8. #pragma comment(linker,"/entry:main")
  9.  
  /*
   * SEH frame handler that main2() registers at fs:[0].
   *
   * pContext is treated as a raw byte pointer to the thread context. The
   * 32-bit value at byte offset 0xB8 (the Eip field of the x86 CONTEXT
   * layout) is incremented by one, and the dispatcher is told to resume
   * execution. One byte is the length of the `int 3` opcode used in main2(),
   * so execution resumes at the instruction that follows the breakpoint.
   *
   * NOTE(review): pRec is never inspected, so every exception that reaches
   * this frame is "handled" the same way, not only breakpoints.
   */
  int __cdecl Handler(EXCEPTION_RECORD* pRec, void*, unsigned char* pContext, void* disp)
  {
      const unsigned int kEipOffset = 0xB8;   /* offset of Eip in the x86 CONTEXT */
      unsigned long* savedEip = (unsigned long*)(pContext + kEipOffset);

      ++(*savedEip);                          /* step over the one-byte int 3 */
      return ExceptionContinueExecution;
  }
  15.      
  16.      
  /*
   * main2: debugger check based on the page protection of its own code.
   *
   * The two pragmas below place main2() in a section named "xyz" that is
   * linked ERW (execute/read/write). Writable image pages are mapped
   * copy-on-write, so VirtualQuery() reports PAGE_EXECUTE_WRITECOPY for them
   * until something writes to the page; after the first write the page is a
   * private copy and reports a different protection.
   *
   * Sequence:
   *   1. Link Handler in as the head of the thread's SEH chain.
   *   2. Execute five pushfd / int 3 / popfd groups. Each int 3 raises a
   *      breakpoint exception that Handler resumes from.
   *   3. Unlink the SEH frame again.
   *   4. Query the protection of the page holding main2() and treat anything
   *      other than PAGE_EXECUTE_WRITECOPY as "a debugger touched this page".
   *
   * Review notes:
   *   - That OllyDbg v1.10 ends up writing to this page (WriteProcessMemory)
   *     while handling step 2 is the original author's statement; nothing in
   *     this listing demonstrates it.
   *   - The check cannot tell who wrote to the page. Any write into "xyz"
   *     (for example a software breakpoint placed there by any tool) gives
   *     the same result.
   *   - The return value of VirtualQuery() is ignored. Because the MBI is
   *     zero-initialised, a failed query leaves Protect at 0 and is reported
   *     as "BeingDebugged".
   *   - For triage, the recognisable markers are a code section linked ERW
   *     and a VirtualQuery() on the module's own code compared against
   *     PAGE_EXECUTE_WRITECOPY.
   *
   * Returns 0 when the protection is unchanged; otherwise the process exits
   * with code -2 after showing a message box.
   */
  #pragma comment(linker,"/SECTION:xyz,ERW")
  #pragma code_seg("xyz")
  int main2()
  {
      __asm
      {
          // Step 1: build an SEH registration record on the stack
          // (handler address, previous head) and make it the new head.
          push offset Handler
          push dword ptr fs:[0x0]
          mov dword ptr fs:[0x0],esp

          // Step 2: five identical groups. EFLAGS is saved around each
          // breakpoint and restored afterwards.
          pushfd
          int 3
          popfd

          pushfd
          int 3
          popfd

          pushfd
          int 3
          popfd

          pushfd
          int 3
          popfd

          pushfd
          int 3
          popfd

          // Step 3: restore the previous SEH head and discard the handler
          // address that was pushed in step 1.
          pop dword ptr fs:[0x0]
          pop eax
      }

      // Step 4: inspect the page that contains this function.
      // NOTE(review): presumably the /incremental:no directive near the top
      // of the file is what makes &main2 the function's real address inside
      // "xyz" rather than an incremental-link thunk. Confirm against the
      // build.
      void* ownCode=&main2;
      MEMORY_BASIC_INFORMATION pageInfo={0};
      VirtualQuery(ownCode,&pageInfo,sizeof(pageInfo));

      if(pageInfo.Protect==PAGE_EXECUTE_WRITECOPY)
      {
          return 0;   // page never written: no write detected
      }

      MessageBox(NULL,"BeingDebugged","waliedassar",MB_OK);
      ExitProcess(-2);
      return 0;
  }
  #pragma code_seg()
  67.      
  /*
   * Program entry point: runs the main2() check and, if it returns, shows a
   * confirmation box.
   *
   * main2() terminates the process itself when its check fails, so the
   * message box below is only reached on the "not detected" path.
   *
   * NOTE(review): the /entry:main linker directive earlier in the file makes
   * this function the image entry point, so argc and argv are presumably not
   * populated by the C runtime. They are unused here.
   */
  int main(int argc, char* argv[])
  {
      main2();

      MessageBox(NULL,"That is okay","waliedassar",MB_OK);
      return 0;
  }