
Thread: Solomon's trick

  1. #1
    Risotto
    Guest

    Solomon's trick

    Hello!

    While reading some posts, I came across Solomon's trick: it prevents the registers from being cleared by putting a breakpoint on NtContinue. Actually, I didn't understand what it is done for. Can someone explain it to me?

    Thanks.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Hello,

    NtContinue is used by the kernel of WinNT/2K/XP to process SEHs. If the SEH handler of appz (especially packers/protectors) returns EXCEPTION_CONTINUE_EXECUTION, it will be called. ASProtect uses many SEHs (about 30) to do its anti-tracing tricks.

    NtContinue cannot prevent debug registers from being cleared. It's just a quick way to bypass anti-tracing tricks implemented with SEH.
    Last edited by Solomon; June 17th, 2002 at 02:18.
    :D WARNING: Shareware authors are reading your detailed discussions without paying you! :D

  3. #3
    Dr.Golova
    Guest
    Hello,

    "NtContinue cannot prevent debug registers from being cleared. It's just a quick way to bypass anti-tracing tricks implemented with SEH."
    Yeah, NtContinue is used for context switching; it receives one parameter, a pointer to the CONTEXT. And you can protect the debug registers: create a patch (e.g. in SoftICE) at the start of NtContinue (use a jump to some free place, e.g. in a DLL header) and add this code there:

    mov eax, [esp+4]            ; eax = first argument: pointer to the CONTEXT record
    btr byte ptr [eax], 04      ; clear bit 4 of ContextFlags (CONTEXT_DEBUG_REGISTERS = 0x10)
    mov eax, original_proc_n    ; re-execute the instruction overwritten by the jump (get it from the original code)
    jmp back_to_ntcontinue      ; continue with the rest of NtContinue

    Wow, now the protector can't clear the DRx registers via SEH, because there is no CONTEXT_DEBUG_REGISTERS in the CONTEXT.Flags field any more.

    PS. Sucks, I made a mistake in this code (forgot to add byte ptr [] to the btr command). Sorry.
    Last edited by Dr.Golova; June 17th, 2002 at 23:19.
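The effect of Dr.Golova's patch, as an added illustration that is not code from the thread: a constructed, minimal stand-in for the x86 CONTEXT record (assumed field subset, not the real winnt.h layout) and a simulated NtContinue that copies only the register groups whose ContextFlags bits are set. An SEH-handler-style context that zeroes DR0/DR7 wipes the hardware breakpoint unless bit 4 of ContextFlags is cleared first, exactly what the btr instruction does.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for CONTEXT (assumption: only the fields needed here). */
#define CONTEXT_i386            0x00010000u
#define CONTEXT_CONTROL         (CONTEXT_i386 | 0x01u)
#define CONTEXT_DEBUG_REGISTERS (CONTEXT_i386 | 0x10u)

typedef struct {
    uint32_t ContextFlags;                  /* first DWORD of the record, as in CONTEXT */
    uint32_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;  /* hardware breakpoint registers */
    uint32_t Eip;
} MiniContext;

/* The patch from the post in C: "btr byte ptr [eax], 04" clears bit 4 of the
 * first byte of ContextFlags, i.e. the 0x10 of CONTEXT_DEBUG_REGISTERS. */
void ntcontinue_patch(MiniContext *ctx) {
    ctx->ContextFlags &= ~0x10u;
}

/* Simulated kernel side: apply only the register groups the flags ask for. */
void simulated_ntcontinue(const MiniContext *ctx, MiniContext *thread) {
    if ((ctx->ContextFlags & CONTEXT_CONTROL) == CONTEXT_CONTROL)
        thread->Eip = ctx->Eip;
    if ((ctx->ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS) {
        thread->Dr0 = ctx->Dr0; thread->Dr1 = ctx->Dr1; thread->Dr2 = ctx->Dr2;
        thread->Dr3 = ctx->Dr3; thread->Dr6 = ctx->Dr6; thread->Dr7 = ctx->Dr7;
    }
}

/* Constructed scenario: debugger has DR0 = 0x00401000 armed via DR7.L0; an
 * anti-debug SEH handler resumes execution with the DRx fields zeroed. */
MiniContext run_scenario(int apply_patch) {
    MiniContext thread = {0};
    thread.Dr0 = 0x00401000u; thread.Dr7 = 0x00000001u; thread.Eip = 0x00400000u;

    MiniContext ctx = thread;
    ctx.ContextFlags = CONTEXT_CONTROL | CONTEXT_DEBUG_REGISTERS;
    ctx.Dr0 = 0; ctx.Dr7 = 0; ctx.Eip = 0x00400010u;   /* wipe DRx, resume after fault */

    if (apply_patch) ntcontinue_patch(&ctx);
    simulated_ntcontinue(&ctx, &thread);
    return thread;
}

int main(void) {
    printf("unpatched: Dr0=%08x  patched: Dr0=%08x\n",
           run_scenario(0).Dr0, run_scenario(1).Dr0);
    return 0;
}
```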

  4. #4
    Risotto
    Guest
    Yep, it's clear now, thanks.
    To Dr.Golova: you could have written in Russian, I would have understood :)

  5. #5
    Risotto
    Guest
    G'day,

    And one more question: with the help of which API can SEH instructions be sniffed out, just to speed up the search and not do it manually? And what technique does SuperBMP apply?

    Agur.
