Zeroday 01100100011010010 » A sample evasion technique

A sample evasion technique

The following code creates the file c:\donothing.txt according to the Sandbox Analyzer, while it creates the file c:\breakstuff.txt on a real computer running a real copy of Windows.

unsigned char idt[6];

__asm
{
sidt idt
}
if ((0×00 == idt[0]) && (0×08 == idt[1]))
{
fp = fopen(”c:\\donothing.txt”, “w”);
fclose(fp);
}
else
{
fp = fopen(”c:\\breakstuff.txt”, “w”);
fclose(fp);
}

CREDIT: /Arne

Creative Commons License

The A sample evasion technique by Zeroday 01100100011010010, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Share Alike 3.0 License.

This entry was posted on Sunday, March 4th, 2007 at 8:09 AM and filed under Digital Warfare, Interesting Tech.
Follow comments here with the RSS 2.0 (XML) feed. Post a comment or leave a trackback.

Post a Comment

You must be logged in to post a comment.