Old 04-29-2003, 01:52
kade
 
secdrv question for safedisc v2.8

Hi,

I am reversing the debugger detection for safedisc v2.8. It uses a lot of anti-debugging tricks but there are some I cannot figure out.

The isdebuggerpresent, createfileA \\.\sice, createfileA \\.\NTICE, INT 1h, INT 68h are the known ones. But I also found a check for CCh on all the functions it uses from kernel32, so setting a breakpoint on any of these functions generates a "debugger found" message.

For Windows NT there are also two routines which call createfileA on secdrv and, if it returns 1, jump to "debugger present". Does anyone know what secdrv does and why it detects SoftICE under NT?

There are 6 more anti-debugging routines I have not figured out yet, but I am trying to understand them.
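The CCh check kade describes works because a software breakpoint is an INT 3 (opcode 0xCC) written over the first byte of the target, so a byte scan over each imported function's entry point notices it. The following C model of that scan is an added illustration, not code from the post or from SafeDisc; the function names and prologue bytes are constructed stand-ins for real kernel32 entry points, and the third sample shows the false positive a byte-wise scan produces when 0xCC is merely an instruction operand.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 single-byte software breakpoint opcode (INT 3). A debugger sets a
 * software breakpoint by overwriting the first byte of the target with 0xCC,
 * which is what a scan over the function entry bytes is looking for. */
#define INT3_OPCODE 0xCC

/* Return 1 if any of the first `len` bytes of `code` is 0xCC, else 0.
 * The scan is purely byte-wise: it does not decode instructions, so a 0xCC
 * that is part of an immediate or a displacement is reported as well. */
int prologue_has_int3(const unsigned char *code, size_t len)
{
    return memchr(code, INT3_OPCODE, len) != NULL;
}

struct import_entry {
    const char *name;
    const unsigned char *code;   /* bytes at the function's entry point */
    size_t len;                  /* how many entry bytes to scan */
};

/* Scan a table of imported function entry points; return the name of the
 * first one whose prologue contains 0xCC, or NULL if all are clean. */
const char *first_patched_import(const struct import_entry *tbl, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (prologue_has_int3(tbl[i].code, tbl[i].len))
            return tbl[i].name;
    return NULL;
}

/* Constructed sample bytes standing in for real kernel32 prologues. */
static const unsigned char clean_prologue[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC };        /* mov edi,edi; push ebp; mov ebp,esp */
static const unsigned char bp_prologue[] = {
    0xCC, 0xFF, 0x55, 0x8B, 0xEC };        /* first byte replaced by INT 3 */
static const unsigned char immediate_cc[] = {
    0xB8, 0xCC, 0x00, 0x00, 0x00, 0xC3 };  /* mov eax,0xCC; ret -> false positive */

int main(void)
{
    const struct import_entry tbl[] = {
        { "CreateFileA",       clean_prologue, sizeof clean_prologue },
        { "IsDebuggerPresent", bp_prologue,    sizeof bp_prologue    },
    };
    const char *hit = first_patched_import(tbl, 2);
    printf("%s\n", hit ? hit : "no software breakpoints found");
    printf("operand 0xCC flagged: %d\n", prologue_has_int3(immediate_cc, sizeof immediate_cc));
    return 0;
}
```

Because the check never decodes instructions, a protection using it must scan only as many entry bytes as it knows are free of 0xCC operands, or it will misfire on clean code.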