well...IMHO exeshield v2.8a downloaded from their server is NOT xprotected.
size of my exeshield.exe: 1111478 bytes (2003/08/18 13:21)
xprotector (v1.05):
- clears interrupt 1 (set offset to 0xFFFFFFFF)
- clears interrupt 3
- hooks interrupt 0e (page fault)
- hooks NT service 0xba (NtReadVirtualMemory)
- hooks NT service 0x101 (NtTerminateProcess)
- creates the file %windir%\system32\drivers\xprotector.sys if it does not exist
(ring0 driver)
- creates a lot of (20+) threads, besides the original ones.
Exeshield.exe has only 1 thread.
To bypass this exeshield.exe's protection, you only have to change
the return value of the kernel32!IsDebuggerPresent API.
See attachment.
I have WinXP and used windbg.
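As an added illustration (not the poster's attachment and not code from exeshield or xprotector), here is a WinDbg session that does what the post describes: it makes kernel32!IsDebuggerPresent report "no debugger" to the target. It assumes the same setup as the post, a 32-bit Windows XP process with kernel32 loaded, and that the target calls the API directly rather than reading the PEB itself. Two variants are shown; either one is enough for a check that only relies on this API.

```windbg
$$ Variant 1: patch the return value on every call.
$$ Break on entry, run up to the caller (gu), then zero eax, which
$$ holds the BOOL result, and resume.
bp kernel32!IsDebuggerPresent "gu; r eax = 0; g"

$$ Variant 2: clear the flag the API reads instead of patching each call.
$$ On XP the function is only: mov eax,fs:[18h]; mov eax,[eax+30h];
$$ movzx eax,byte ptr [eax+2]; ret  -- i.e. it returns PEB->BeingDebugged.
$$ $peb is the pseudo-register for the current process's PEB; offset 2
$$ is BeingDebugged, so one byte write flips the answer for the process.
u kernel32!IsDebuggerPresent L4
eb $peb+2 0

$$ Confirm: the first lines of !peb should now show "BeingDebugged: No".
!peb

$$ Run the target; the IsDebuggerPresent check now passes.
g
```

Variant 2 is the quieter choice when the target calls the API many times, since no breakpoint is hit. Note that it only defeats checks that go through the PEB byte; a check based on NtQueryInformationProcess(ProcessDebugPort) or on the interrupt and syscall hooks the post lists for xprotector is not affected by it, which matches the poster's point that the downloaded exeshield build is not xprotected and only needs this one API patched.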