\tif<\/span> (!<\/span>CheckReg("HARDWARE<\/span>\\\\<\/span>DESCRIPTION<\/span>\\\\<\/span>System"<\/span>,"SystemBiosVersion"<\/span>, szBuf, BUF_SIZE)) return<\/span> true<\/span>;\r\n\tif<\/span> (STR::<\/span>Pos("VBOX"<\/span>, szBuf)) return<\/span> true<\/span>;\r\n<\/pre>\n<\/div>\nSeems like it only checks the registry. Good to know , but I wish they went into more depth. Check out the fill file here<\/a> or the whole thing on
\ngithub<\/a>.<\/p>\nI recently discovered the holy grail<\/a> of anti-debugging techniques. 150 pages of awesome and I’m trying to go through it all. <\/p>\nI’ve also figured out how to do the EBFE trick in my C programs:
\n<\/p>\n
\n#define jump2self __asm _emit 0xEB __asm _emit 0xFE<\/span>\r\n<\/pre>\n<\/div>\nThe “emit” pseudo-function lets you insert 1 byte at a time into programs. It’s a bit more graceful than just jumping to a random place in memory and crashing.
\nThis allows me to insert asm instructions which may or may not be recognized by the compiler, but are accepted by the CPU. ICEBP<\/a> comes to mind (0xF1).
\n<\/p>\n\n#define iceBP __asm _emit 0xF1<\/span>\r\n<\/pre>\n<\/div>\nThis of course works best with Pelles C compiler. It’s a bit different when using something like MingW with CodeBlocks as it has to conform to *nix standards. Since there is no ‘__emit’ function \/ keyword on Linux, you have to do the following:
\n<\/p>\n
\n asm<\/span> __volatile__<\/span> (".byte 0xEB"<\/span>);\r\n asm<\/span> __volatile__<\/span> (".byte 0xFE"<\/span>);\r\n<\/pre>\n<\/div>\n<\/p>\n
\n asm<\/span> __volatile__<\/span> (".byte 0xF1"<\/span>);\r\n<\/pre>\n<\/div>\nAside from that, my work continues on my anti-virus program with strides being made in the driver. Expecting an alpha release just in time for blackhat \/ HOPE (which I am presenting at).<\/p>\n
![\"1219376966785\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2014\/05\/1219376966785.jpg\")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"