Zeroday 01100100011010010


A sample evasion technique

The following code creates the file c:\donothing.txt when it runs inside the Sandbox Analyzer, but creates the file c:\breakstuff.txt on a real computer running a real copy of Windows. The branch is decided by what the sidt instruction stores: the emulator and real hardware report different values for the interrupt descriptor table register.

#include <stdio.h>

int main(void)
{
    FILE *fp;
    unsigned char idt[6];   /* SIDT stores 6 bytes: 2-byte limit, then 4-byte base */

    /* MSVC x86 inline assembly: store the IDT register into idt[] */
    __asm
    {
        sidt idt
    }

    /* Compare the first two stored bytes (the IDTR limit, little-endian) */
    if ((0x00 == idt[0]) && (0x08 == idt[1]))
    {
        fp = fopen("c:\\donothing.txt", "w");
        if (fp) fclose(fp);
    }
    else
    {
        fp = fopen("c:\\breakstuff.txt", "w");
        if (fp) fclose(fp);
    }
    return 0;
}

CREDIT: /Arne
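From the analyst's side, the interesting question is how to notice code like this before it runs. The snippet below is an added example, not code from this post or from its author: a small static scanner that flags the memory-operand encodings of SIDT and SGDT (opcode 0F 01 /1 and /0), and also the related SLDT and STR (0F 00 /0 and /1), which the post does not mention but which belong to the same family of instructions that leak descriptor-table state to user mode. It also decodes a 6-byte SIDT result into its limit and base fields, which is what the post's check on idt[0] and idt[1] is really comparing. The sample code bytes and the sample IDTR value are constructed for illustration.

```python
"""Static scan for user-mode descriptor-table reads (SIDT/SGDT/SLDT/STR).

Added example: a byte-pattern scan with no disassembler, so a hit can land on
data bytes that merely look like code. Treat results as review candidates.
"""
import struct

# (two-byte opcode, ModRM.reg value) -> mnemonic
DESCRIPTOR_READS = {
    (0x0F, 0x01, 0): "sgdt",
    (0x0F, 0x01, 1): "sidt",
    (0x0F, 0x00, 0): "sldt",
    (0x0F, 0x00, 1): "str",
}


def find_descriptor_table_reads(code: bytes):
    """Return [(offset, mnemonic), ...] for each memory-form encoding found."""
    hits = []
    for i in range(len(code) - 2):
        op1, op2, modrm = code[i], code[i + 1], code[i + 2]
        mod = modrm >> 6
        reg = (modrm >> 3) & 7
        # mod == 3 is the register form (e.g. 0F 01 C8 is MONITOR, not SIDT);
        # SIDT/SGDT only exist with a memory operand, so require mod != 3.
        if mod == 3:
            continue
        mnemonic = DESCRIPTOR_READS.get((op1, op2, reg))
        if mnemonic:
            hits.append((i, mnemonic))
    return hits


def parse_idtr(raw: bytes):
    """Decode the 6 bytes SIDT stores (32-bit mode): (limit, base), little-endian."""
    if len(raw) != 6:
        raise ValueError("SIDT stores exactly 6 bytes in 32-bit mode")
    limit, base = struct.unpack("<HI", raw)
    return limit, base


# Constructed sample: push ebp / mov ebp,esp / sub esp,8 /
# sidt [ebp-6] / cmp byte [ebp-6],0 / monitor / ret
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec 83 ec 08"
    "0f 01 4d fa"        # sidt [ebp-6]  -> should be flagged at offset 6
    "80 7d fa 00"
    "0f 01 c8"           # monitor (mod == 3) -> must NOT be flagged
    "c3"
)

# Constructed sample IDTR image: limit 0x07FF, base 0x803F0400
SAMPLE_IDTR = bytes.fromhex("ff 07 00 04 3f 80")

if __name__ == "__main__":
    for offset, mnemonic in find_descriptor_table_reads(SAMPLE_CODE):
        print(f"offset {offset:#06x}: {mnemonic}")
    limit, base = parse_idtr(SAMPLE_IDTR)
    print(f"IDTR limit={limit:#06x} base={base:#010x}")
```

A scanner like this is cheap to run over every code section before execution, and a hit in an ordinary user-mode program is a strong hint that the sample is probing its environment; the real value is in sandboxes that also randomise or pin the reported IDTR so the probe returns the same answer it would on bare metal.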

This entry was posted on Sunday, March 4th, 2007 at 8:09 AM and filed under Digital Warfare, Interesting Tech.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License Weblogs at Harvard