{"id":210,"date":"2007-03-04T08:09:04","date_gmt":"2007-03-04T12:09:04","guid":{"rendered":"http:\/\/blogs.law.harvard.edu\/zeroday\/2007\/03\/04\/a-sample-evasion-technique\/"},"modified":"2007-03-04T08:09:04","modified_gmt":"2007-03-04T12:09:04","slug":"a-sample-evasion-technique","status":"publish","type":"post","link":"https:\/\/archive.blogs.harvard.edu\/zeroday\/2007\/03\/04\/a-sample-evasion-technique\/","title":{"rendered":"A sample evasion technique"},"content":{"rendered":"<p><a href=\"http:\/\/www.ntsecurity.nu\/onmymind\/2007\/2007-02-27.html\">The following code creates the file c:\\donothing.txt according to the Sandbox Analyzer, while it creates the file c:\\breakstuff.txt on a real computer running a real copy of Windows.<\/p>\n<p>unsigned char idt[6];<\/p>\n<p>__asm<br \/>\n{<br \/>\n    sidt idt<br \/>\n}<br \/>\nif ((0x00 == idt[0]) &amp;&amp; (0x08 == idt[1]))<br \/>\n{<br \/>\n    fp = fopen(&#8220;c:\\\\donothing.txt&#8221;, &#8220;w&#8221;);<br \/>\n    fclose(fp);<br \/>\n}<br \/>\nelse<br \/>\n{<br \/>\n    fp = fopen(&#8220;c:\\\\breakstuff.txt&#8221;, &#8220;w&#8221;);<br \/>\n    fclose(fp);<br \/>\n} <\/a><\/p>\n<p>CREDIT: <a href=\"http:\/\/www.ntsecurity.nu\/contact\/\">\/Arne<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The following code creates the file c:\\donothing.txt according to the Sandbox Analyzer, while it creates the file c:\\breakstuff.txt on a real computer running a real copy of Windows. \nunsigned char idt[6]; __asm { sidt idt } if ((0x00 == idt[0]) &amp;&amp; (0x08 == idt[1])) { fp = fopen(&#8220;c:\\\\donothing.txt&#8221;, &#8220;w&#8221;); fclose(fp); } else { fp = [&hellip;]<\/p>\n","protected":false},"author":214,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[272,274],"tags":[],"class_list":["post-210","post","type-post","status-publish","format-standard","hentry","category-digital-warfare","category-interesting-tech"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/users\/214"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/comments?post=210"}],"version-history":[{"count":0,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/210\/revisions"}],"wp:attachment":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/media?parent=210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/categories?post=210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/tags?post=210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}