waliedassar

"Prefix+PUSHFD" Anti-Tracing Trick

Jan 4th, 2013
193
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //Prefixing "PUSHFD" with 0x66 or 0x67 can fool OllyDbg v1.10 and v2.x into thinking the instruction
  5. // is not a PUSHFD. This can be used as an anti-tracing trick.
  6.  
  7. #include "stdafx.h"
  8. #include "windows.h"
  9. #include "stdio.h"
  10.  
  11.  
  12. int main(int argc, char* argv[])
  13. {
  14.     unsigned long eflags=0;
  15.     printf("Welcome\r\n");
  16.     __asm
  17.     {
  18.         __emit 0x67
  19.         __emit 0x67
  20.         __emit 0x67
  21.         __emit 0x67
  22.         pushfd
  23.         xor ebx,ecx
  24.         push bx
  25.         pop eax
  26.         shr eax,0x10
  27.         mov eflags,eax
  28.     }
  29.     if(eflags&0x100)    printf("Being traced\r\n");
  30.     else                printf("Expected behavior\r\n");
  31.  
  32.     return 0;
  33. }
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×