
kade 04-29-2003 01:52

secdrv question for safedisc v2.8
 
Hi,

I am reversing the debugger detection for safedisc v2.8. It uses a lot of anti-debugging tricks but there are some I cannot figure out.

IsDebuggerPresent, CreateFileA \\.\sice, CreateFileA \\.\NTICE, INT 1h, INT 68h: these are the known ones. But I also found a check for CCh on all the kernel32 functions it uses. So setting a breakpoint on any of these functions generates a debugger found message.

For Windows NT there are also two routines which call CreateFileA secdrv and if it returns 1, they jump to "debugger present". Does anyone know what secdrv does and why it detects SoftICE under NT?

There are 6 more anti-debugging routines I did not figure out yet, but I am trying to understand them :D
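
The CCh check mentioned in the post, as an added example (not part of the original post and not SafeDisc's own code): a debugger's software breakpoint overwrites the first byte of an instruction with the INT3 opcode CCh, so reading the byte at a function's entry point reveals it. The byte arrays are constructed stand-ins for entry-point bytes, `sample_fn` is a hypothetical name, and testing only the first byte is an assumption about the form of the check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INT3_OPCODE 0xCC /* one-byte x86 software breakpoint instruction */
/* Hypothetical record: a label plus the bytes read at that entry point. */
struct entry_sample { const char *name; const uint8_t *bytes; size_t len; };

/* Assumed form of the check: is the first byte at the entry point INT3? */
int entry_has_breakpoint(const uint8_t *bytes, size_t len)
{
    return len > 0 && bytes[0] == INT3_OPCODE;
}

/* Naive variant: any CCh in the first `window` bytes. It misfires when CCh
 * is an operand byte, because it ignores instruction boundaries. */
int naive_scan_has_cc(const uint8_t *bytes, size_t len, size_t window)
{
    size_t n = len < window ? len : window;
    for (size_t i = 0; i < n; i++)
        if (bytes[i] == INT3_OPCODE) return 1;
    return 0;
}

/* Constructed byte strings, not dumps of real kernel32 code. */
static const uint8_t clean_entry[]   = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 }; /* push ebp; mov ebp,esp; sub esp,10h */
static const uint8_t patched_entry[] = { 0xCC, 0x8B, 0xEC, 0x83, 0xEC, 0x10 }; /* first byte replaced by INT3 */
static const uint8_t operand_entry[] = { 0xB8, 0xCC, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,0CCh; ret */
static const struct entry_sample samples[] = {
    { "IsDebuggerPresent (clean)", clean_entry, sizeof clean_entry },
    { "CreateFileA (breakpoint set)", patched_entry, sizeof patched_entry },
    { "sample_fn (CCh as operand)", operand_entry, sizeof operand_entry },
};

/* Number of entries the first-byte check reports as breakpointed. */
size_t count_flagged(const struct entry_sample *s, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (size_t)entry_has_breakpoint(s[i].bytes, s[i].len);
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s first-byte=%d naive=%d\n", samples[i].name,
               entry_has_breakpoint(samples[i].bytes, samples[i].len),
               naive_scan_has_cc(samples[i].bytes, samples[i].len, 5));
    return 0;
}
```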

