Trap Flag

Created the Wednesday 22 June 2022. Updated 1 year, 9 months ago.

There is a Trap Flag in the Flags register. Bit number 8 of the EFLAGS register is the trap flag. When the Trap Flag is set, a SINGLE_STEP exception is generated.

Technique Identifier

U0131

Technique Tag

trapflag

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

Code Snippets

BOOL IsDebuggerPresent_TrapFlag()
{
    __try
    { 
        __asm
       {
           pushfd
           or word ptr[esp], 0x100
           popfd
           nop
       }
    }
    __except(1) 
    { 
        return FALSE; 
    }
    return TRUE;
}

About Author Open Snippet

Author: External / Target Platform: Windows

Description

Original source code available here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/TrapFlag.cpp

#include "pch.h"

#include "TrapFlag.h"

/*
	This technique is similar to exceptions based debugger detections.
	You enable the trap flag in the current process and check whether
	an exception is raised or not. If an exception is not raised, you
	can assume that a debugger has “swallowed” the exception for us,
	and that the program is being traced. The beauty of this approach
	is that it detects every debugger, user mode or kernel mode,
	because they all use the trap flag for tracing a program.
	Vectored Exception Handling is used here because SEH is an
	anti-debug trick in itself.
*/

static BOOL SwallowedException = TRUE;

static LONG CALLBACK VectoredHandler(
	_In_ PEXCEPTION_POINTERS ExceptionInfo
)
{
	SwallowedException = FALSE;
	
	if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)
		return EXCEPTION_CONTINUE_EXECUTION;
		
	return EXCEPTION_CONTINUE_SEARCH;
}



BOOL TrapFlag()
{
	PVOID Handle = AddVectoredExceptionHandler(1, VectoredHandler);
	SwallowedException = TRUE;

#ifdef _WIN64
	UINT64 eflags = __readeflags();
#else
	UINT eflags = __readeflags();
#endif

	//  Set the trap flag
	eflags |= 0x100;
	__writeeflags(eflags);

	RemoveVectoredExceptionHandler(Handle);
	return SwallowedException;
}