API tools faq
paste
Advertisement
waliedassar

"REP: PUSHFD" Anti-Tracing Trick

waliedassar
Jan 4th, 2013
621
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 0.63 KB | None | 0 0
raw download clone embed print report
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //An anti-tracing trick that works against OllyDbg v1.10. Prefixing "PUSHFD" with "REP:" can fool
  5. // OllyDbg v1.10 into thinking it is not a PUSHFD instruction.
  6.  
  7.  
  8. #include "stdafx.h"
  9. #include "windows.h"
  10. #include "stdio.h"
  11.  
  12.  
  13. int main(int argc, char* argv[])
  14. {
  15.     unsigned long eflags=0;
  16.     printf("Welcome\r\n");
  17.     __asm
  18.     {
  19.         __emit 0xF3
  20.         __emit 0xF3
  21.         __emit 0xF3
  22.         __emit 0xF3
  23.         __emit 0xF3
  24.         pushfd
  25.         pop eax
  26.         mov eflags,eax
  27.     }
  28.     if(eflags&0x100)    printf("Being traced\r\n");
  29.     else                printf("Expected behavior\r\n");
  30.  
  31.     return 0;
  32. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!