PspSetContext Nested Task EFlag Anti-Tracing Trick

1. //http://www.twitter.com/waleedassar
2.  
3. //Trick originally discovered by @nickeverdox
4.  
5. //The following is an anti-tracing trick that depends on the fact that the "nt!PspSetContext" function
6. //filters some bits/flags of the RFlags register. Among filtered Rflags is NT, Nested Task Flag.
7. PAGE:000000014036B4D7                 mov     eax, [r8+44h]   ; EAX is now pContext->EFlags  (64Bit _CONTEXT)
8. PAGE:000000014036B4DB                 cmp     r9b, r13b       ; PreviousMode
9. PAGE:000000014036B4DE                 jz      KernelMode
10. PAGE:000000014036B4E4                 and     eax, 210DD5h    ; Filter RFlags
11. PAGE:000000014036B4E4                                         ; This is one nice anti-debug/anti-trace.
12. PAGE:000000014036B4E9                 bts     eax, 9          ; IF (Interrupt Flag) is only set by Ring0
13. //This means that each time the "SetThreadContext" function is called by the debugger e.g. during tracing,
14. //the flag is cleared.
15.  
16. //Tested With Windows 7 (64Bit) SP1.
17.  
18. void main()
19. {
20.     unsigned long EFL=0;
21.     __asm
22.     {
23.         push offset Handler
24.         push dword ptr fs:[0x0]
25.         mov dword ptr fs:[0x0],esp
26.        
27.         pushfd
28.         pop ecx
29.  
30.        
31.         or ecx,0x4000
32.         push ecx
33.         popfd
34.  
35.         pushfd
36.         pop eax
37.         mov EFL,eax
38. next:
39.         pop dword ptr fs:[0x0]
40.         pop eax
41.     }
42.  
43.     if(EFL & 0x4000)    printf("Normal\r\n");
44.     else printf("Being traced EFlags: %x\r\n",EFL);
45. }