Exetools  

  #1  
Old 04-29-2003, 01:52
kade
 
secdrv question for safedisc v2.8

Hi,

I am reversing the debugger detection for SafeDisc v2.8. It uses a lot of anti-debugging tricks, but there are some I cannot figure out.

IsDebuggerPresent, CreateFileA \\.\sice, CreateFileA \\.\NTICE, INT 1h, INT 68h: these are the known ones. But I also found a check for CCh on all the kernel32 functions it uses. So setting a breakpoint on any of these functions generates a "debugger found" message.

For Windows NT there are also two routines which call CreateFileA on secdrv, and if it returns 1, they jump to "debugger present". Does anyone know what secdrv does and why it detects SoftICE under NT?

There are 6 more anti-debugging routines I have not figured out yet, but I am trying to understand them.
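The CCh check mentioned in the post above, as an added example that is not part of the original post and is not SafeDisc's code: a debugger's software breakpoint overwrites a function's first byte with the x86 INT3 opcode (CCh), so reading that byte reveals the patch. The table, byte values and function names below are constructed for illustration, and checking only the entry byte is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

#define INT3 0xCC  /* x86 one-byte software breakpoint opcode */

/* Constructed stand-in for an imported API: name plus a copy of its first bytes. */
struct api_entry {
    const char *name;
    unsigned char code[8];
};

/* Constructed sample prologues, not real kernel32 bytes. */
static struct api_entry sample_apis[] = {
    { "CreateFileA",       { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56 } },
    { "IsDebuggerPresent", { 0x64, 0xA1, 0x18, 0x00, 0x00, 0x00, 0x8B, 0x40 } },
    /* 0xCC below is an immediate operand (mov eax, 0xCC), not a breakpoint. */
    { "ReadFile",          { 0xB8, 0xCC, 0x00, 0x00, 0x00, 0x55, 0x8B, 0xEC } },
};

/* The check itself: is the entry byte the INT3 opcode? */
int entry_is_patched(const struct api_entry *e) {
    return e->code[0] == INT3;
}

/* What a debugger does when a breakpoint is set at function entry:
 * save the original byte and write INT3 over it. */
unsigned char set_breakpoint(struct api_entry *e) {
    unsigned char saved = e->code[0];
    e->code[0] = INT3;
    return saved;
}

/* Walk every function in the table and count patched entries. */
size_t count_patched(const struct api_entry *t, size_t n) {
    size_t i, hits = 0;
    for (i = 0; i < n; i++)
        if (entry_is_patched(&t[i]))
            hits++;
    return hits;
}

int main(void) {
    size_t n = sizeof sample_apis / sizeof sample_apis[0];
    printf("patched before breakpoint: %zu\n", count_patched(sample_apis, n));
    set_breakpoint(&sample_apis[0]);
    printf("patched after breakpoint:  %zu\n", count_patched(sample_apis, n));
    return 0;
}
```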
All times are GMT +8.

