//When a debugger calls ZwSetContextThread on its debuggee, the request goes through
//nt!PspSetContext, which masks certain EFlags bits out of the supplied _CONTEXT --
//among them the Alignment Check flag (AC, bit 18). A thread can therefore set AC itself
//and later test whether it is still present: if a debugger that single-steps by writing
//the context back (e.g. to set the trap flag) traced through the code in between, AC is
//gone. This makes it an anti-tracing trick, and by extension an anti-debug trick.
//Tested on Windows 7 SP1 (64-bit), necessarily as a 32-bit (WoW64) process: the inline
//asm below is x86-32 MSVC only (__asm, pushfd/popfd, esp).
//Credit: @nickeverdox
//Description: http://everdox.blogspot.com/2013/03/2-anti-tracing-mechanisms-specific-to.html
- #include "stdafx.h"
- #include "windows.h"
- #include "stdio.h"
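//Alignment Check flag, bit 18 of EFlags. nt!PspSetContext strips it from any
//context a debugger writes back via ZwSetContextThread, so a value we set
//ourselves survives only while nobody rewrites our thread context.
enum { EFLAGS_AC = 1 << 18 };

//Sets AC in EFlags, then reads EFlags back a moment later.
//Returns non-zero if AC is still set (no context rewrite in between),
//zero if it was stripped, i.e. the code is most likely being traced.
//x86-32 MSVC only: the __asm blocks use pushfd/popfd and esp directly and
//will not build for x64 (no inline asm) or for other compilers.
//NOTE(review): assumes CR0.AM is clear for this process, so setting AC does
//not turn unaligned accesses into #AC faults -- confirm on the target.
//NOTE(review): other kernel paths that write a thread context (e.g. exception
//dispatch / NtContinue) may also strip AC; that is not verified here, so treat
//a lost flag as an indicator rather than proof of a debugger.
static int ac_flag_survives(void)
{
    unsigned long ac_mask = EFLAGS_AC; //local: __asm operands must be lvalues
    unsigned long eflags = 0;

    //EFlags |= AC
    __asm
    {
        pushfd
        mov ecx, ac_mask
        or dword ptr [esp], ecx
        popfd
    }

    //A single-step between the popfd above and the pushfd below rewrites the
    //context through PspSetContext, which drops AC.

    //eflags = EFlags
    __asm
    {
        pushfd
        pop ecx
        mov eflags, ecx
    }

    return (eflags & EFLAGS_AC) != 0;
}

//Entry point: runs the AC-flag check once and reports the result in a message box.
//argc/argv are unused. Always exits with status 0 via ExitProcess.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    //MessageBoxA explicitly: the captions are narrow literals, so the generic
    //MessageBox macro would fail to compile in a UNICODE build (it maps to MessageBoxW).
    if (ac_flag_survives())
        MessageBoxA(0, "Expected", "waliedassar", 0);
    else
        MessageBoxA(0, "Being traced!!!", "waliedassar", 0);

    //ExitProcess terminates the process directly; the trailing return is never reached.
    ExitProcess(0);
    return 0;
}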