Windows C++ / Trap Flag
Author | External |
Platform | Windows |
Language | C++ |
Technique | Trap Flag |
Description:
Original source code available here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/TrapFlag.cpp
Code
#include "pch.h"
#include "TrapFlag.h"
/*
This technique is similar to exceptions based debugger detections.
You enable the trap flag in the current process and check whether
the resulting single-step exception reaches your own handler. If it does not,
you can assume that a debugger has "swallowed" the exception for you,
and that the program is being traced. The beauty of this approach
is that it detects every debugger, user mode or kernel mode,
because they all use the trap flag for tracing a program.
Vectored Exception Handling is used here because SEH is an
anti-debug trick in itself.
*/
// Set to TRUE by TrapFlag() before the probe and reset to FALSE by
// VectoredHandler when the exception reaches this process. If it is still
// TRUE after the probe, the exception was consumed before reaching us.
static BOOL SwallowedException = TRUE;
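/*
Vectored exception handler installed by TrapFlag().

Records that the single-step exception raised by setting TF reached this
process, then resumes execution. Only EXCEPTION_SINGLE_STEP clears
SwallowedException: any other exception dispatched while the handler is
registered (VEH handlers are process-wide, so this includes exceptions from
other threads) is passed on untouched and cannot produce a false
"not swallowed" reading.

Returns EXCEPTION_CONTINUE_EXECUTION for the expected single-step,
EXCEPTION_CONTINUE_SEARCH for everything else.
*/
static LONG CALLBACK VectoredHandler(
    _In_ PEXCEPTION_POINTERS ExceptionInfo
)
{
    if (ExceptionInfo->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP) {
        // Not the probe's exception: leave it for the next handler.
        return EXCEPTION_CONTINUE_SEARCH;
    }

    // The trap arrived here instead of being consumed by a tracer.
    SwallowedException = FALSE;
    return EXCEPTION_CONTINUE_EXECUTION;
}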
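/*
Probe for a tracer by raising a single-step exception and checking whether
it reaches this process.

Registers VectoredHandler first in the VEH chain, sets the Trap Flag
(bit 8 of EFLAGS/RFLAGS) so the CPU raises a single-step exception, then
removes the handler again. If the handler never ran, the exception was
consumed before reaching user code.

Returns TRUE when the single-step exception was swallowed (tracer present)
and FALSE when it reached VectoredHandler. Also returns FALSE, without
touching EFLAGS, when the handler could not be registered: setting TF with
no handler in place would leave the exception unhandled and crash the
process.
*/
BOOL TrapFlag()
{
    enum { EFLAGS_TF = 0x100 };   // Trap Flag bit in (E|R)FLAGS

    PVOID Handle = AddVectoredExceptionHandler(1, VectoredHandler);
    if (Handle == NULL) {
        // Nothing would observe the trap; report "not detected" instead of
        // raising an exception nobody catches.
        return FALSE;
    }

    SwallowedException = TRUE;

#ifdef _WIN64
    UINT64 eflags = __readeflags();
#else
    UINT eflags = __readeflags();
#endif
    // Set the trap flag; the single-step exception is delivered (or
    // swallowed by a tracer) before the handler is removed below.
    eflags |= EFLAGS_TF;
    __writeeflags(eflags);

    RemoveVectoredExceptionHandler(Handle);
    return SwallowedException;
}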
Created
June 22, 2022
Last Revised
April 22, 2024