waliedassar

PspSetContext Nested Task EFlag Anti-Tracing Trick

Oct 19th, 2013
  1. //http://www.twitter.com/waleedassar
  2.  
  3. //Trick originally discovered by @nickeverdox
  4.  
//The following is an anti-tracing trick that relies on the 64-bit kernel's "nt!PspSetContext" function
//masking several bits of the RFlags value it takes from a user-supplied CONTEXT before applying it to the
//thread. Among the bits it drops is NT, the Nested Task flag (bit 14, 0x4000).
  7. PAGE:000000014036B4D7                 mov     eax, [r8+44h]   ; EAX is now pContext->EFlags  (64Bit _CONTEXT)
  8. PAGE:000000014036B4DB                 cmp     r9b, r13b       ; PreviousMode
  9. PAGE:000000014036B4DE                 jz      KernelMode
  10. PAGE:000000014036B4E4                 and     eax, 210DD5h    ; Filter RFlags
  11. PAGE:000000014036B4E4                                         ; This is one nice anti-debug/anti-trace.
  12. PAGE:000000014036B4E9                 bts     eax, 9          ; IF (Interrupt Flag) is only set by Ring0
//The mask 210DD5h keeps CF, PF, AF, ZF, SF, TF, DF, OF, RF and ID and drops IOPL, NT, VM, AC, VIF and VIP;
//the bts that follows then forces IF on. The filtering is applied only for a UserMode caller (the
//"jz KernelMode" above skips it for kernel-mode callers), and TF (bit 8) survives the mask, which is what
//lets a debugger single-step a thread through this same path.
//This means that each time the debugger writes the thread's context (SetThreadContext, e.g. while tracing),
//NT comes back cleared. The program below sets NT with popfd, reads EFlags straight back, and treats a
//cleared NT as evidence that its context was rewritten in between. A debugger that merely runs past these
//instructions without writing the context presumably leaves NT set and is not detected.
  15.  
//Tested with Windows 7 SP1 (64-bit). The program below is 32-bit x86 code (MSVC inline asm, FS-based SEH
//chain, pushfd/popfd) and therefore runs as a WOW64 process on that system; the listing above is from the
//64-bit kernel.
  17.  
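//Demonstrates the PspSetContext NT-flag anti-tracing check.
//
//Sets the Nested Task flag (EFlags bit 14, 0x4000) from user mode with popfd, immediately reads
//EFlags back, and prints "Being traced" if the bit did not survive. The program treats a cleared
//NT as evidence that something rewrote this thread's context in between -- which is what a debugger
//single-stepping these instructions does through SetThreadContext, whose kernel side
//(nt!PspSetContext) masks NT out of a user-supplied context.
//
//32-bit x86 only: MSVC inline asm, FS-based SEH chain, pushfd/popfd.
//Needs <stdio.h> for printf and a definition of Handler, the SEH handler installed around the
//flag manipulation; Handler is not part of this listing and presumably resumes execution at
//`next` -- confirm against the full source.
//
//Returns 0 in both cases; the verdict is only printed.
//Fixes vs. the original: standard `int main(void)` and `%lx` for the unsigned long argument.
int main(void)
{
    unsigned long EFL=0;            //EFlags as read back right after NT was set
    __asm
    {
        ;Register a frame-based SEH record (prev link at [esp], handler at [esp+4]) so that a
        ;fault raised while NT is set can be caught. The handler itself is not in this listing.
        ;NOTE(review): on an image linked with /SAFESEH an unregistered handler address is
        ;ignored by the dispatcher -- confirm the build settings.
        push offset Handler
        push dword ptr fs:[0x0]
        mov dword ptr fs:[0x0],esp
       
        pushfd                      ;ecx = current EFlags
        pop ecx
 
       
        or ecx,0x4000               ;set NT (bit 14); popfd is not privileged for this bit
        push ecx
        popfd
 
        pushfd                      ;read EFlags straight back
        pop eax
        mov EFL,eax
next:                               ;resume point after the SEH frame (presumably used by Handler)
        pop dword ptr fs:[0x0]      ;unlink the SEH record
        pop eax                     ;discard the handler address
    }
 
    //NT still set: nothing rewrote the context between popfd and pushfd.
    if(EFL & 0x4000)    printf("Normal\r\n");
    else printf("Being traced EFlags: %lx\r\n",EFL);  //%lx: EFL is an unsigned long
    return 0;
}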