waliedassar

"REP: PUSHFD" Anti-Tracing Trick

Jan 4th, 2013
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //An anti-tracing trick that works against OllyDbg v1.10. Prefixing "PUSHFD" with "REP:" can fool
  5. // OllyDbg v1.10 into thinking it is not a PUSHFD instruction.
  6.  
  7.  
  8. #include "stdafx.h"
  9. #include "windows.h"
  10. #include "stdio.h"
  11.  
  12.  
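int main(int argc, char* argv[])
{
    /*
     * Bit 8 of EFLAGS is the Trap Flag (TF). While a debugger single-steps
     * a program TF is set, and PUSHFD pushes the whole flags register, so
     * the value that lands in `eflags` reveals the trace. Debuggers that
     * try to hide this patch the pushed value after a PUSHFD they recognise;
     * this sample shows why that recognition must follow the CPU's decoder
     * (prefix bytes included) rather than a simple opcode match.
     */
    enum { EFLAGS_TF = 0x100 };   /* was the magic number 0x100 */

    /* The sample takes no input; silence unused-parameter warnings. */
    (void)argc;
    (void)argv;

    unsigned long eflags = 0;     /* 32-bit on MSVC x86, matching EAX */
    printf("Welcome\r\n");

    /*
     * MSVC x86 inline assembly only: GCC/Clang use a different syntax and
     * x64 MSVC has no inline asm at all.
     *
     * 0xF3 is the REP/REPE prefix byte. PUSHFD is not a string instruction,
     * so the prefixes are redundant and the processor still executes a plain
     * PUSHFD. A disassembler that does not decode redundant prefixes the way
     * the CPU does (OllyDbg v1.10, per the header comment) does not identify
     * the instruction as PUSHFD and therefore does not hide TF in the pushed
     * value. For a debugger or emulator author the fix is to apply any
     * TF-hiding to the instruction as actually decoded; for an analyst, a run
     * of redundant prefix bytes in front of a flags-reading instruction is
     * itself a static indicator of this trick. The exact byte sequence is the
     * point of the sample; do not "clean it up".
     */
    __asm
    {
        __emit 0xF3
        __emit 0xF3
        __emit 0xF3
        __emit 0xF3
        __emit 0xF3
        pushfd
        pop eax
        mov eflags,eax
    }

    /*
     * Only TF is examined: this detects single-step tracing at this point,
     * not the mere presence of a debugger (one that runs the program to a
     * breakpoint leaves TF clear here).
     */
    if (eflags & EFLAGS_TF) {
        printf("Being traced\r\n");
    } else {
        printf("Expected behavior\r\n");
    }

    return 0;
}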