waliedassar

"Prefix+PUSHFD" Anti-Tracing Trick

Jan 4th, 2013
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //Prefixing "PUSHFD" with 0x66 or 0x67 can fool OllyDbg v1.10 and v2.x into thinking the instruction
  5. // is not a PUSHFD (the CPU still executes it as a PUSHFD). This can be used as an anti-tracing trick.
  6.  
  7. #include "stdafx.h"
  8. #include "windows.h"
  9. #include "stdio.h"
  10.  
  11.  
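int main(int argc, char* argv[])
{
    // Bit 8 of EFLAGS is the Trap Flag (TF). The CPU sets it while a
    // debugger single-steps, so a PUSHFD executed under tracing stores
    // an EFLAGS image with TF set; inspecting that image is the whole check.
    enum { EFLAGS_TF = 0x100 };
    unsigned long eflags = 0;
    (void)argc;
    (void)argv;
    printf("Welcome\r\n");
    __asm
    {
        ; Redundant 0x67 (address-size) prefixes ahead of PUSHFD. The CPU
        ; ignores them and runs a plain PUSHFD; the note at the top of the
        ; file says OllyDbg's decoder does not recognise the prefixed form.
        ; Analysts can treat a run of prefixes before PUSHFD as a signature.
        __emit 0x67
        __emit 0x67
        __emit 0x67
        __emit 0x67
        pushfd
        ; Extract the low word of the saved EFLAGS via a 16-bit push and a
        ; 32-bit pop: after "push bx" the dword at ESP is
        ; ((EFLAGS & 0xFFFF) << 16) | BX, so the shift leaves only the
        ; EFLAGS word in EAX. EBX/ECX hold no meaningful value here.
        xor ebx,ecx
        push bx
        pop eax
        shr eax,0x10
        mov eflags,eax
        ; PUSHFD (+4) and PUSH BX (+2) pushed 6 bytes but POP EAX removed
        ; only 4; restore ESP explicitly. The original presumably relied on
        ; the EBP-based epilogue of main to absorb the 2-byte imbalance.
        add esp,2
    }
    if (eflags & EFLAGS_TF) printf("Being traced\r\n");
    else                    printf("Expected behavior\r\n");

    return 0;
}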