Page_0x00000000 Anti-Tracing Trick

//http://waleedassar.blogspot.com
//@waleedassar

//OllyDbg v1.10 can't handle eip when it is zero as result of executing memory at address 0x00000000.
//Can be used as an effective anti-tracing trick.#include "stdafx.h"
#include "windows.h"
#include "stdio.h"

extern "C"
{
        int __stdcall ZwAllocateVirtualMemory(HANDLE hProcess,unsigned long* BaseAddress,
                          unsigned long ZeroBits,unsigned long* RegionSize,
                          unsigned long AllocType,unsigned long Protect);
}


int Handler(EXCEPTION_RECORD* pRec,void* estFrame,unsigned char* pContext,void* disp)
{
    if(pRec->ExceptionCode==0xC0000005)
    {
        *(unsigned long*)(pContext+0xB8)+=2;
    }
    else if(pRec->ExceptionCode==EXCEPTION_BREAKPOINT)
    {
        *(unsigned long*)(pContext+0xB8)+=1;
    }
    return ExceptionContinueExecution;
}

int main(int argc, char* argv[])
{
        unsigned long Size=0x1000;
        unsigned long Base=0x3;
        int ret=ZwAllocateVirtualMemory(GetCurrentProcess(),&Base,0,
                        &Size,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        if(ret<0)
        {
                printf("Error %x\r\n",ret);
                return 0;
        }
        else
        {
        __asm
        {
            push offset Handler
            push dword ptr fs:[0x0]
            mov dword ptr fs:[0x0],esp
        }
                Base=0;
                *(unsigned long*)(Base)=0x00C30089;
                __asm
                {
            mov eax,0x7ffe0000
                        push ebx
                        mov ebx,Base
                        call ebx
                        pop ebx
                }
        //-----Code here won't be traced
                printf("Okay\r\n");
        }
        return 0;
}