Checks whether a command is suspicious in some way. Returns -1 on error, 0 if the command is not suspicious and 1 if it is suspicious. Use only with a program in memory, do not apply to a file! A command is considered suspicious when:
·this command is erroneous or unknown, or
·it is potentially invalid according to the active analysis options, or
·it sets the single-step trap, or
·it accesses a memory operand in the unused part of the stack (i.e. addr>ESP), or
·it is the command CLI, or
·the memory operand contains an INT3 breakpoint set by OllyDbg.
int Issuspicious(char *cmd,ulong size,ulong ip,ulong threadid,t_reg *preg,char *comment);
Parameters:
cmd - pointer to the binary command code;
size - size of cmd in bytes;
ip - address of the command in the memory of debugged process;
threadid - identifier of the thread in whose context this command will be executed;
preg - pointer to registers at the moment of execution;
comment - buffer, at least TEXTLEN bytes long, that receives an explanation of why this command is suspicious, or NULL.
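The following is an added illustration, not OllyDbg's own code, of how two of the criteria above and the -1/0/1 return convention fit together. It assumes the memory operand has already been decoded into an address and length (the kind of information Disasm supplies), and the breakpoint table and command bytes are constructed here.

```c
/* Added illustration (not OllyDbg code) of two documented criteria: the CLI
 * opcode, and a memory operand that overlaps an INT3 the debugger planted. */
#include <stdio.h>
#include <string.h>

#define TEXTLEN 256                 /* comment buffer size used by the API */
typedef unsigned long ulong;
/* Constructed table of addresses where the debugger planted 0xCC. */
static const ulong g_breakpoints[] = { 0x00401000UL, 0x00401023UL };
#define NBP (sizeof g_breakpoints / sizeof g_breakpoints[0])

/* 1 if the operand range [addr, addr+len) covers any planted INT3, else 0. */
int operand_hits_breakpoint(ulong addr, ulong len)
{
    size_t i;
    for (i = 0; i < NBP; i++)
        if (g_breakpoints[i] >= addr && g_breakpoints[i] - addr < len)
            return 1;
    return 0;
}

/* Same return convention as Issuspicious: -1 error, 0 clean, 1 suspicious.
 * memaddr/memlen are the decoded memory operand (as Disasm would supply);
 * memlen is 0 when the command has no memory operand. */
int classify(const unsigned char *cmd, ulong size,
             ulong memaddr, ulong memlen, char *comment)
{
    if (cmd == NULL || size == 0)
        return -1;
    if (cmd[0] == 0xFA) {                          /* CLI */
        if (comment) strcpy(comment, "Command CLI");
        return 1;
    }
    if (memlen && operand_hits_breakpoint(memaddr, memlen)) {
        if (comment) strcpy(comment, "Memory operand contains INT3 breakpoint");
        return 1;
    }
    if (comment) comment[0] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed: MOV EAX,[00401020] reads 4 bytes, covering 0x401023. */
    static const unsigned char mov[] = { 0x8B, 0x05, 0x20, 0x10, 0x40, 0x00 };
    char why[TEXTLEN];
    int r = classify(mov, sizeof mov, 0x00401020UL, 4, why);
    printf("%d %s\n", r, why);
    return 0;
}
```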
See also: Disasm, Isfilling, Isprefix, Readcommand