waliedassar

Page_0x00000000 Anti-Tracing Trick

Mar 12th, 2013
  1. //http://waleedassar.blogspot.com
  2. //@waleedassar
  3.  
//OllyDbg v1.10 can't handle eip when it is zero as a result of executing memory at address 0x00000000.
//Can be used as an effective anti-tracing trick.
#include "stdafx.h"
  6. #include "windows.h"
  7. #include "stdio.h"
  8.  
// ZwAllocateVirtualMemory is an ntdll export that the default Windows headers
// do not prototype, so it is declared by hand here. C linkage keeps the symbol
// unmangled so it resolves against ntdll's export (the project must link the
// matching import library). The return value is an NTSTATUS; main treats a
// negative value as failure.
extern "C"
{
        int __stdcall ZwAllocateVirtualMemory(HANDLE hProcess,unsigned long* BaseAddress,
                          unsigned long ZeroBits,unsigned long* RegionSize,
                          unsigned long AllocType,unsigned long Protect);
}
  15.  
  16.  
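// Frame-based SEH handler that main links into the chain at fs:[0].
//
// pRec     - exception record; only ExceptionCode is consulted.
// estFrame - establisher frame (unused).
// pContext - thread CONTEXT at the time of the exception. The prototype passes
//            it as a byte pointer; the original code reached Eip through the
//            hard-coded offset 0xB8, which is offsetof(CONTEXT, Eip) on x86.
//            The CONTEXT cast below names the field instead.
// disp     - dispatcher context (unused).
//
// Returns ExceptionContinueExecution after advancing Eip past the instruction
// this sample deliberately faults on:
//   - access violation: +2, the length of the `mov [eax],eax` that main
//     places at address 0;
//   - breakpoint: +1 (inferred: the length of a one-byte int3).
// Every other exception code is handed to the next handler with
// ExceptionContinueSearch. The original returned ExceptionContinueExecution
// unconditionally, which for any unrelated fault re-executes the same
// instruction and loops forever instead of letting the process fail normally.
int Handler(EXCEPTION_RECORD* pRec,void* estFrame,unsigned char* pContext,void* disp)
{
    (void)estFrame;
    (void)disp;
    CONTEXT* ctx=(CONTEXT*)pContext;   // x86 CONTEXT; ctx->Eip is the byte at offset 0xB8

    switch(pRec->ExceptionCode)
    {
    case EXCEPTION_ACCESS_VIOLATION:   // 0xC0000005 in the original
        ctx->Eip+=2;
        return ExceptionContinueExecution;
    case EXCEPTION_BREAKPOINT:
        ctx->Eip+=1;
        return ExceptionContinueExecution;
    default:
        // Not one of ours: do not resume, let the rest of the chain see it.
        return ExceptionContinueSearch;
    }
}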
  29.  
// Demonstration entry point. It commits the page at address 0, stores a
// two-byte faulting instruction followed by `ret` there, calls address 0 and
// relies on Handler (registered via fs:[0]) to step Eip past the fault.
// For an analyst the observable signals are: a ZwAllocateVirtualMemory
// request whose base falls in the null page, an RWX commit there, a manual
// fs:[0] frame registration, and a call into address 0.
// NOTE(review): later Windows versions are expected to refuse null-page
// allocations for user-mode processes, in which case the "Error" path is the
// normal outcome — confirm on the target OS.
int main(int argc, char* argv[])
{
        unsigned long Size=0x1000;
        // Presumably relies on the kernel rounding the requested base down to
        // the page boundary, i.e. 0x3 asks for the page at 0 — confirm; on
        // return Base holds the actual base the kernel chose.
        unsigned long Base=0x3;
        int ret=ZwAllocateVirtualMemory(GetCurrentProcess(),&Base,0,
                        &Size,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        if(ret<0)   // NTSTATUS: negative means the allocation failed
        {
                printf("Error %x\r\n",ret);
                return 0;
        }
        else
        {
        // Push an EXCEPTION_REGISTRATION frame {prev, Handler} and make it the
        // head of the SEH chain at fs:[0].
        // NOTE(review): nothing below unlinks this frame before `return 0;`,
        // so fs:[0] is left pointing at a stack slot that is dead once main
        // returns. The registration should be undone after the call (restore
        // fs:[0] from the saved previous pointer and pop both dwords).
        __asm
        {
            push offset Handler
            push dword ptr fs:[0x0]
            mov dword ptr fs:[0x0],esp
        }
                // NOTE(review): forces Base to 0 instead of checking the value
                // the allocation returned; if the kernel placed the region
                // elsewhere, the store below writes to an unmapped address.
                Base=0;
                // Little-endian bytes 89 00 C3 00: `mov [eax],eax` (2 bytes)
                // followed by `ret`. With eax pointing at a presumably
                // read-only page the store faults with Eip==0, Handler adds 2,
                // and execution resumes at the `ret`.
                *(unsigned long*)(Base)=0x00C30089;
                __asm
                {
            mov eax,0x7ffe0000
                        push ebx
                        mov ebx,Base
                        call ebx
                        pop ebx
                }
        //-----Code here won't be traced
                printf("Okay\r\n");
        }
        return 0;
}