Anti-Debugging ? ?

[LOUZEW]

Hi, all
I've unpacked an Asprotected App ( advanced registry tracer 2.01)and it work fine but when i run it with Softice active, i have a big problem when shuting down this App.
An art.exe process is active and it's occupying 99% CPU time, I think it's an anti-debugging tip and i've searched for common issues, searched on this board too but i can't find anything.

Note : This prob don't appear when i'm debugging with Olly, the process is killed when i close Olly !

Does anybody have an idea ?

Thank's in advance

Haven't you try IceExt hxxp://stenri.pisem.net

"IceExt v0.67 - Implemented as internal NTIce commands:
memory dumping, SoftICE screen dumping, tetris game,
kernel-mode MP3 player, online help. SoftICE anti-detection
technology: anti-MeltICE, MeltSiwVid, MeltSiwSym,
INT3 BackDoor, INT3 BoundChecker interface, INT1 single
step & EIP+2 detection, anti INT41 (experimental),
NtSystemInformation with SystemModulesInformation NTICE.SYS
check e.t.c. Command parser accepts expressions wherever
possible. Sources are included (use custom setup)."

It is also one of the SI hiders under NT/2K/XP/2K3 like FrogsIce was under 9x...

[TechLord]

My personal experience is that IceExt v0.67 tends to make the system unstable , especially when used on WinXP SP2...
In fact, i tend to do these types of troublesome cases on an old machine with Win 98 on it with the good old sice 3.25 ( Or some other 3.x version...I don't remember...)
This usually solves the prob as the FrogsIce is quite stable and dependably hides the sice.

Anyway I don't think the 99 % CPU usage is an anti-debugging measure...Since the app is a registry tracer, I think it maybe having problems with the way it interacts with ring-0 level drivers etc.

Also...You can do a runtrace in Olly WITHOUT SICE BEING ACTIVE and compare it with what is the sequence and the instructions executed WHEN ONLY SICE IS USED (with the olly not running of course) ,this time using the trace dumper in SICE ( forgot the exact name...) which performs a similar function with SICE as that of RunTrace wit Olly...

This should give you an idea if additional code is excuted when SICE is active, and not when only OLLY is used.

[LOUZEW]

Thank's dMITRO but my prob was finally a bug with DS 3.2 after a Windows update (KB867282)

BTW, unpacked advanced registry tracer v2.01 works and end its work fine under DS 27...

It's packed with old ASPR 1.23, so I didn't think it's some special anti-debug stuff. But seems M$ now adding to their updates anti-debug stuff to overload our CPUs.

I know the kernel has the directive IsDebuggerPresent. Is there a way to disable that even if you're not using olly. I've gotten this message to appear when I didn't have a debugger runnning.
I know this is one of the primary methods of Anti-Debugging, since most convential debuggers set this flag when started. I have IceExt, but I'd rather not have to load softice into memory when I'm not using it.

[MaRKuS-DJM]

you should patch kernel so itself resets the debug bit...