[BUGFIX] Fixed Trap Flag simulation (Issue #69)

AntiDebug.cpp

@@ -231,23 +231,34 @@ namespace AntiDbg {
 
 VOID AntiDbg::InstrumentFlagsCheck(INS ins)
 {
-    INS_InsertCall(
-        ins,
-        IPOINT_BEFORE, (AFUNPTR)FlagsCheck,
-        IARG_CONTEXT,
-        IARG_THREAD_ID,
-        IARG_END
-    );
-    if (m_Settings.emulateSingleStep) {
+#ifdef _WIN64
+    const char* POPF_MNEM = "popfq";
+#else
+    const char* POPF_MNEM = "popfd";
+#endif
+
+    if (util::isStrEqualI(INS_Mnemonic(ins), POPF_MNEM))
+    {
         INS_InsertCall(
             ins,
-            IPOINT_AFTER, (AFUNPTR)FlagsCheck_after,
+            IPOINT_BEFORE, (AFUNPTR)FlagsCheck,
             IARG_CONTEXT,
             IARG_THREAD_ID,
-            IARG_INST_PTR,
             IARG_END
         );
     }
+    else {
+        if (m_Settings.emulateSingleStep) {
+            INS_InsertCall(
+                ins,
+                IPOINT_BEFORE, (AFUNPTR)FlagsCheck_after,
+                IARG_CONTEXT,
+                IARG_THREAD_ID,
+                IARG_INST_PTR,
+                IARG_END
+            );
+        }
+    }
 }
 
 VOID AntiDbg::InterruptCheck(const CONTEXT* ctxt)

TinyTracer.cpp

@@ -1193,16 +1193,8 @@ VOID InstrumentInstruction(INS ins, VOID *v)
                 IARG_INST_PTR,        // Instruction address
                 IARG_END);
         }
-
-#ifdef _WIN64
-        const char *POPF_MNEM = "popfq";
-#else
-        const char *POPF_MNEM = "popfd";
-#endif
-        if (util::isStrEqualI(INS_Mnemonic(ins), POPF_MNEM))
-        {
-            AntiDbg::InstrumentFlagsCheck(ins);
-        }
+
+        AntiDbg::InstrumentFlagsCheck(ins);
 
         if (INS_IsInterrupt(ins)) {
             INS_InsertCall(