waliedassar

INT 2E / Anti-Tracing Trick

Oct 24th, 2013
// Credit: @angealbertini (for discovering this method of getting the EIP value).
  2.  
  3. //Tested with Windows XP 32Bit
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #include "stdio.h"
  7.  
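/*
 * Structured-exception handler that main_2E()/main_2C() install through the
 * fs:[0] chain around their interrupt probe. It only runs if the probe raises
 * an exception instead of being serviced; the probe is then treated as
 * unsupported on this system, the message below is printed and the process
 * exits with code 0.
 *
 * The four parameters presumably follow the x86 SEH handler shape (exception
 * record, registration frame, context, dispatcher context); none of them is
 * inspected, so they are explicitly marked unused. The trailing return is
 * never reached because ExitProcess() does not return; it only satisfies the
 * handler prototype (C requires the parameters of a definition to be named).
 */
int __cdecl Handler(void *exception_record, void *registration_frame,
                    void *context, void *dispatcher_context)
{
    (void)exception_record;
    (void)registration_frame;
    (void)context;
    (void)dispatcher_context;
    printf("Incompatible System\r\n");
    ExitProcess(0);
    return ExceptionContinueSearch;
}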
  14.  
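/*
 * Anti-tracing probe via the `int 0x2E` system-service interrupt.
 *
 * A temporary SEH frame pointing at Handler() is pushed on the stack and made
 * current through fs:[0]; the interrupt is then issued with EAX = EDX = 0 and
 * EDX is read back afterwards as the "real" program counter (the credit line
 * and the "EIP is" message describe it as the EIP value). A result of all
 * ones is interpreted as the instruction having been traced. The file header
 * says this was only tested on Windows XP 32-bit; why EDX holds the EIP there,
 * and why a tracer turns it into -1, is not established by this code — confirm
 * before relying on it on any other Windows version.
 *
 * The SEH frame is what keeps the probe from crashing on systems where the
 * interrupt is not serviced: Handler() prints "Incompatible System" and calls
 * ExitProcess(0), so this function may not return. From an analysis
 * standpoint, a hand-built fs:[0] frame around a direct `int 0x2E` is the
 * recognisable signature of this anti-tracing trick.
 *
 * No arguments; prints its result to stdout.
 */
void main_2E()
{
    unsigned long realPC = 0;
    __asm
    {
        push offset Handler          ; handler for the new SEH frame
        push dword ptr fs:[0]        ; link to the previous frame
        mov dword ptr fs:[0],esp     ; make the new frame current
        xor eax,eax
        xor edx,edx
        int 0x2E
        nop
        mov realPC,edx               ; capture EDX as left by the interrupt
        pop dword ptr fs:[0]         ; unlink the frame
        pop ebx                      ; discard the pushed handler address
    }
    /* %lx matches an unsigned long argument; the original %x was a
     * format/argument mismatch (harmless on Win32, but still incorrect). */
    printf("EIP is %lx\r\n", realPC);
    if (realPC == (unsigned long)-1) {
        printf("Being Traced\r\n");
    }
}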
  35.  
  36.  
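/*
 * Same probe as main_2E(), but issued through `int 0x2C` instead of 0x2E.
 *
 * A temporary SEH frame pointing at Handler() is installed through fs:[0],
 * the interrupt is issued with EAX = EDX = 0, and EDX is read back as the
 * "EIP" value; all ones is interpreted as being traced. What `int 0x2C` does
 * on a given Windows version is not established by this code (the header only
 * claims testing on Windows XP 32-bit). If it is not serviced as a system
 * call, the exception reaches Handler(), which prints "Incompatible System"
 * and exits the process — so this function may not return, and because main()
 * calls it first, the later probes would never run in that case.
 *
 * No arguments; prints its result to stdout.
 */
void main_2C()
{
    unsigned long realPC = 0;
    __asm
    {
        push offset Handler          ; handler for the new SEH frame
        push dword ptr fs:[0]        ; link to the previous frame
        mov dword ptr fs:[0],esp     ; make the new frame current
        xor eax,eax
        xor edx,edx
        int 0x2C
        nop
        mov realPC,edx               ; capture EDX as left by the interrupt
        pop dword ptr fs:[0]         ; unlink the frame
        pop ebx                      ; discard the pushed handler address
    }
    /* %lx matches an unsigned long argument; the original %x was a
     * format/argument mismatch (harmless on Win32, but still incorrect). */
    printf("EIP is %lx\r\n", realPC);
    if (realPC == (unsigned long)-1) {
        printf("Being Traced\r\n");
    }
}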
  57.  
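/*
 * Third anti-tracing probe: issues `int 0x2E` with EAX = EDX = 0 and then
 * samples EFLAGS with pushfd/pop eax. If the Trap Flag (bit 8, mask 0x100) is
 * set afterwards, the code concludes it is being single-stepped. Why TF is
 * observable here only under a tracer is not established by this code; it is
 * the assumption the check rests on, tested on Windows XP 32-bit per the file
 * header.
 *
 * The original issued the interrupt with no SEH frame, unlike main_2E() and
 * main_2C(), so an unserviced `int 0x2E` would have been an unhandled
 * exception instead of the "Incompatible System" exit. The same Handler()
 * frame is now installed around the probe for consistency; the frame lives on
 * the stack and does not touch EAX/EDX or EFLAGS.
 *
 * No arguments; prints to stdout only when tracing is detected.
 */
void Test_Trace()
{
    unsigned long EFlags = 0;
    __asm
    {
        push offset Handler          ; same SEH frame as main_2E/main_2C
        push dword ptr fs:[0]
        mov dword ptr fs:[0],esp
        xor eax,eax
        xor edx,edx
        int 0x2E
        pushfd                       ; sample EFLAGS right after the int
        pop eax
        mov EFlags,eax
        pop dword ptr fs:[0]         ; unlink the frame
        pop ebx                      ; discard the pushed handler address
    }
    if (EFlags & 0x100 /* TF */) {
        printf("Being Traced\r\n");
    }
}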
  73.  
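/*
 * Entry point: runs the three probes in order. Note that main_2C() and
 * main_2E() may not return — if their interrupt is not serviced, Handler()
 * calls ExitProcess(0) — so Test_Trace() only runs when both earlier probes
 * completed. Declared as the standard `int main(void)` rather than the
 * non-standard `void main()`.
 */
int main(void)
{
    main_2C();
    main_2E();
    Test_Trace();
    return 0;
}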