waliedassar

PspSetContext Nested Task EFlag Anti-Tracing Trick

Oct 19th, 2013
  1. //http://www.twitter.com/waleedassar
  2.  
  3. //Trick originally discovered by @nickeverdox
  4.  
//The following is an anti-tracing trick that depends on the fact that the "nt!PspSetContext" function
//filters some bits/flags of the RFlags register. Among the filtered bits is NT, the Nested Task flag.
//PAGE:000000014036B4D7                 mov     eax, [r8+44h]   ; EAX is now pContext->EFlags  (64Bit _CONTEXT)
//PAGE:000000014036B4DB                 cmp     r9b, r13b       ; PreviousMode
//PAGE:000000014036B4DE                 jz      KernelMode
//PAGE:000000014036B4E4                 and     eax, 210DD5h    ; Filter RFlags
//PAGE:000000014036B4E4                                         ; This is one nice anti-debug/anti-trace.
//PAGE:000000014036B4E9                 bts     eax, 9          ; IF (Interrupt Flag) is only set by Ring0
  13. //This means that each time the "SetThreadContext" function is called by the debugger e.g. during tracing,
  14. //the flag is cleared.
  15.  
  16. //Tested With Windows 7 (64Bit) SP1.
  17.  
// Checks whether a user-mode context write (the SetThreadContext path) happened
// between two reads of EFLAGS, using the NT flag (bit 14, 0x4000) as the probe:
// per the disassembly above, nt!PspSetContext masks user-mode EFlags with
// 0x210DD5, which does not contain bit 14, so a context write clears NT.
// 32-bit MSVC inline assembly; Handler is referenced but not defined in this
// listing. Non-standard signature: the conforming form is int main(void).
// printf() requires <stdio.h>, which this listing does not include.
void main()
{
    unsigned long EFL=0;    // EFLAGS snapshot taken after NT was set
    __asm
    {
        // Install an SEH frame on the fs:[0] chain around the flag manipulation.
        // Handler is not shown here; presumably it resumes at next if setting
        // NT raises an exception -- confirm against the full source.
        push offset Handler
        push dword ptr fs:[0x0]
        mov dword ptr fs:[0x0],esp
       
        // Read the current EFLAGS into ECX.
        pushfd
        pop ecx
 
       
        // Set NT (bit 14 = 0x4000) and write EFLAGS back.
        or ecx,0x4000
        push ecx
        popfd
 
        // Read EFLAGS again. If the kernel wrote this thread's context in the
        // meantime, the 0x210DD5 mask has already dropped NT.
        pushfd
        pop eax
        mov EFL,eax
next:
        // Unlink the SEH frame: restore the previous fs:[0] entry, then
        // discard the pushed Handler address.
        pop dword ptr fs:[0x0]
        pop eax
    }
 
    // NT survived -> no context write observed; otherwise print the observed
    // value. NOTE(review): the check is a heuristic -- any kernel-side context
    // write clears the bit, not only one issued by a debugger. "%x" with an
    // unsigned long is fine on Win32 (32-bit long) but "%lx" is the exact match.
    if(EFL & 0x4000)    printf("Normal\r\n");
    else printf("Being traced EFlags: %x\r\n",EFL);
}