Exetools  

  #7  
08-31-2003, 08:17
Lunar_Dust
 
Posts: n/a
Ugh...


Found SoftICE detector quite easily, just NtQuerySystemInformation with NTice.sys, easy to get around..

I'm still having trouble finding normal debugger detector. I know it called GetProcessTimes() twice, and if the times are zero, or they don't match it says "Debugger detected" - to eliminate tracing no doubt. But even so only called GetProcessTimes() once when I debug with Olly, and then Exit MessageBox.

Thought it was calling ZwQueryInformationProcess, but doesn't look like it now after all (calling with ProcessDebugPort). API only gets called twice, once from GetProcessTimes (argument is 4, which is processtime), and another from windows DLL itself (argument is 26, ProcessWow64Environment, which is always zero). Never called with argument 7 (ProcessDebugPort). And of course I've already "edited" the bytes at fs:[30] away to eliminate PEB debug detection.

Any hints? Maybe a way to detect that I haven't heard of yet?

-Lunar
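
The triage described in the post above (which ProcessInformationClass values were requested and which debugger-related ones never were), as an added example that is not part of the original post. The trace format, the sample lines and the function name are assumptions made for illustration; the class numbers are the documented Windows values.

```python
import re
from collections import Counter

# ProcessInformationClass values (26 is named ProcessWow64Information in the headers).
INFO_CLASS = {
    4: "ProcessTimes",
    7: "ProcessDebugPort",
    26: "ProcessWow64Information",
    30: "ProcessDebugObjectHandle",
    31: "ProcessDebugFlags",
}
DEBUG_CLASSES = {7, 30, 31}  # classes that reveal an attached debugger

# Assumed (constructed) trace format: "<caller> -> <api>(arg, arg, ...)"
LINE = re.compile(r"^(?P<caller>\S+)\s*->\s*(?P<api>\w+)\((?P<args>[^)]*)\)")

# Constructed sample mirroring the calls the post reports seeing.
SAMPLE_TRACE = """\
target.exe -> NtQuerySystemInformation(11, 0x12f000, 0x4000, 0x0)
target.exe -> GetProcessTimes(0xffffffff, 0x12fe00, 0x12fe08, 0x12fe10, 0x12fe18)
kernel32.dll -> ZwQueryInformationProcess(0xffffffff, 4, 0x12fd80, 0x20, 0x0)
kernel32.dll -> ZwQueryInformationProcess(0xffffffff, 26, 0x12fd40, 0x4, 0x0)
"""

def summarize(trace):
    """Count API calls and decode the info class of each process query."""
    calls, queried = Counter(), Counter()
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not call records
        api = m["api"]
        calls[api] += 1
        if api in ("ZwQueryInformationProcess", "NtQueryInformationProcess"):
            args = [a.strip() for a in m["args"].split(",")]
            if len(args) >= 2:
                queried[int(args[1], 0)] += 1  # second argument is the class
    return {
        "calls": dict(calls),
        "classes_seen": {INFO_CLASS.get(c, f"class {c}"): n
                         for c, n in queried.items()},
        "debug_classes_seen": sorted(INFO_CLASS[c] for c in queried
                                     if c in DEBUG_CLASSES),
        "debug_classes_missing": sorted(INFO_CLASS[c]
                                        for c in DEBUG_CLASSES - set(queried)),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```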