Advertisement
waliedassar

"Prefix+PUSHFD" Anti-Tracing Trick

Jan 4th, 2013
554
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 0.66 KB | None | 0 0
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //Prefixing "PUSHFD" with 0x66 or 0x67 can fool OllyDbg v1.10 and v2.x into thinking the instruction
  5. // is not a PUSHFD. This can be used as an anti-tracing trick.
  6.  
  7. #include "stdafx.h"
  8. #include "windows.h"
  9. #include "stdio.h"
  10.  
  11.  
  12. int main(int argc, char* argv[])
  13. {
  14.     unsigned long eflags=0;
  15.     printf("Welcome\r\n");
  16.     __asm
  17.     {
  18.         __emit 0x67
  19.         __emit 0x67
  20.         __emit 0x67
  21.         __emit 0x67
  22.         pushfd
  23.         xor ebx,ecx
  24.         push bx
  25.         pop eax
  26.         shr eax,0x10
  27.         mov eflags,eax
  28.     }
  29.     if(eflags&0x100)    printf("Being traced\r\n");
  30.     else                printf("Expected behavior\r\n");
  31.  
  32.     return 0;
  33. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement