waliedassar

Page_0x00000000 Anti-Tracing Trick

Mar 12th, 2013
386
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. //http://waleedassar.blogspot.com
  2. //@waleedassar
  3.  
  4. //OllyDbg v1.10 can't handle eip when it is zero as result of executing memory at address 0x00000000.
  5. //Can be used as an effective anti-tracing trick.#include "stdafx.h"
  6. #include "windows.h"
  7. #include "stdio.h"
  8.  
  9. extern "C"
  10. {
  11.         int __stdcall ZwAllocateVirtualMemory(HANDLE hProcess,unsigned long* BaseAddress,
  12.                           unsigned long ZeroBits,unsigned long* RegionSize,
  13.                           unsigned long AllocType,unsigned long Protect);
  14. }
  15.  
  16.  
  17. int Handler(EXCEPTION_RECORD* pRec,void* estFrame,unsigned char* pContext,void* disp)
  18. {
  19.     if(pRec->ExceptionCode==0xC0000005)
  20.     {
  21.         *(unsigned long*)(pContext+0xB8)+=2;
  22.     }
  23.     else if(pRec->ExceptionCode==EXCEPTION_BREAKPOINT)
  24.     {
  25.         *(unsigned long*)(pContext+0xB8)+=1;
  26.     }
  27.     return ExceptionContinueExecution;
  28. }
  29.  
  30. int main(int argc, char* argv[])
  31. {
  32.         unsigned long Size=0x1000;
  33.         unsigned long Base=0x3;
  34.         int ret=ZwAllocateVirtualMemory(GetCurrentProcess(),&Base,0,
  35.                         &Size,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);
  36.         if(ret<0)
  37.         {
  38.                 printf("Error %x\r\n",ret);
  39.                 return 0;
  40.         }
  41.         else
  42.         {
  43.         __asm
  44.         {
  45.             push offset Handler
  46.             push dword ptr fs:[0x0]
  47.             mov dword ptr fs:[0x0],esp
  48.         }
  49.                 Base=0;
  50.                 *(unsigned long*)(Base)=0x00C30089;
  51.                 __asm
  52.                 {
  53.             mov eax,0x7ffe0000
  54.                         push ebx
  55.                         mov ebx,Base
  56.                         call ebx
  57.                         pop ebx
  58.                 }
  59.         //-----Code here won't be traced
  60.                 printf("Okay\r\n");
  61.         }
  62.         return 0;
  63. }
RAW Paste Data