waliedassar

Resume Flag Support

Oct 14th, 2012
  1. //http://waleedassar.blogspot.com (@waleedassar)
  2. //Use this code to test if OS supports the RF (Resume Flag).
  3. #include "stdafx.h"
  4. #include "windows.h"
  5. #include "stdio.h"
  6.  
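  // ContextFlags value written by Handler: every x86 context group, which
  // includes the debug registers. <windows.h> normally defines CONTEXT_ALL
  // already (0x1003F on 32-bit x86), so only define it when the SDK does not;
  // this avoids a macro-redefinition warning.
  #ifndef CONTEXT_ALL
  #define CONTEXT_ALL 0x1003F
  #endif

  // Target of the four execute breakpoints; defined further down.
  int dummy(int);
  // Number of hardware-breakpoint (single-step) exceptions Handler has seen.
  unsigned long gf=0;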
  11.  
  /*
   * SEH handler that drives the Resume Flag (RF) probe.
   *
   * pRec     - exception record; only ExceptionCode is read.
   * est      - establisher frame (unused).
   * pContext - the faulting thread's CONTEXT, accessed as raw bytes using the
   *            32-bit x86 layout; edits take effect when execution resumes.
   * disp     - dispatcher context (unused).
   *
   * Returns ExceptionContinueExecution for the two exception codes it handles
   * and ExceptionContinueSearch for anything else.
   */
  int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
  {
      /* Byte offsets of the fields touched inside the x86 CONTEXT record. */
      enum {
          CTX_FLAGS  = 0x00,   /* ContextFlags */
          CTX_DR0    = 0x04,   /* Dr0; Dr1..Dr3 follow at 4-byte steps */
          CTX_DR3    = 0x10,
          CTX_DR6    = 0x14,
          CTX_DR7    = 0x18,
          CTX_EIP    = 0xB8,
          CTX_EFLAGS = 0xC0
      };
      unsigned long *slot;
      int off;

      if(pRec->ExceptionCode==EXCEPTION_SINGLE_STEP)
      {
          /*
           * One of the execute breakpoints on dummy fired. A second hit means
           * the RF set during the first hit did not suppress the breakpoint
           * when the instruction was restarted. DR6 is left as it is here.
           */
          if(gf==1)
          {
              MessageBox(0,"RF not used","waliedassar",0);
              ExitProcess(0);
          }
          gf++;
          /* EFLAGS bit 16 is RF: ask the CPU to skip the breakpoint once. */
          slot=(unsigned long*)(pContext+CTX_EFLAGS);
          *slot|=0x00010000;
          return ExceptionContinueExecution;
      }

      if(pRec->ExceptionCode!=0xC0000096)
      {
          /* Neither the privileged-instruction fault nor a debug trap. */
          return ExceptionContinueSearch;
      }

      /*
       * Privileged instruction (the STI in main): use the context restore to
       * arm the hardware breakpoints.
       */
      *(unsigned long*)(pContext+CTX_FLAGS)=CONTEXT_ALL;
      for(off=CTX_DR0;off<=CTX_DR3;off+=4)
      {
          /* All four address registers point at the first byte of dummy. */
          *(unsigned long*)(pContext+off)=(unsigned long)(&dummy);
      }
      *(unsigned long*)(pContext+CTX_DR6)=0;
      /* 0x155: L0..L3 and LE set, R/W and LEN fields zero (break on execute). */
      *(unsigned long*)(pContext+CTX_DR7)=0x155;

      /* Step EIP over the one-byte STI so it does not fault again. */
      slot=(unsigned long*)(pContext+CTX_EIP);
      *slot+=1;
      return ExceptionContinueExecution;
  }
  42.  
  /*
   * Breakpoint target for the probe: Handler points DR0..DR3 at this
   * function's address, so calling it raises the debug exception under test.
   * Returns x + 0x100.
   */
  int dummy(int x)
  {
      return x+0x100;
  }
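  // Entry point of the probe (32-bit x86, MSVC inline assembly).
  //
  // 1. Links Handler at the head of this thread's SEH chain (fs:[0]).
  // 2. Executes STI, which faults in user mode; Handler uses that exception
  //    to set execute breakpoints on dummy and skips the STI.
  // 3. Calls dummy. If the CPU/OS honours RF the call completes after one
  //    debug exception and "RF used" is shown; otherwise Handler reports
  //    "RF not used" and exits the process.
  //
  // The frame is now unlinked again before returning. The original left
  // fs:[0] pointing at a record inside this stack frame and ESP 8 bytes low.
  //
  // NOTE(review): Handler is registered by hand, so a link with SafeSEH
  // enabled will probably have its dispatch refused; /SAFESEH:NO looks
  // necessary - confirm for your toolchain.
  // NOTE(review): DR0..DR3/DR7 are never cleared, so the breakpoints on dummy
  // stay armed for the rest of the thread's life.
  int main(int argc, char* argv[])
  {
      unsigned long prevFrame=0;  // SEH chain head as it was before registration
      __asm
      {
          mov eax,dword ptr fs:[0x0]
          mov prevFrame,eax
          push offset Handler
          push dword ptr fs:[0x0]
          mov dword ptr fs:[0x0],esp
          STI; Triggers an exception(privileged instruction)
      }
      dummy(0xFF);
      __asm
      {
          // Restore the previous chain head and drop the two pushed dwords.
          mov eax,prevFrame
          mov dword ptr fs:[0x0],eax
          add esp,8
      }
      MessageBox(0,"RF used","waliedassar",0);
      return 0;
  }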