Zeroday 01100100011010010 » A sample evasion technique

You are viewing a read-only archive of the Blogs.Harvard network. Learn more.

A sample evasion technique

The following code creates the file c:\donothing.txt according to the Sandbox Analyzer, while it creates the file c:\breakstuff.txt on a real computer running a real copy of Windows.

unsigned char idt[6];

__asm
{
sidt idt
}
if ((0x00 == idt[0]) && (0x08 == idt[1]))
{
fp = fopen(“c:\\donothing.txt”, “w”);
fclose(fp);
}
else
{
fp = fopen(“c:\\breakstuff.txt”, “w”);
fclose(fp);
}

CREDIT: /Arne

This entry was posted on Sunday, March 4th, 2007 at 8:09 AM and filed under Digital Warfare, Interesting Tech.
Follow comments here with the RSS 2.0 (XML) feed. Post a comment or leave a trackback.

Post a Comment

You must be logged in to post a comment.