
Thread: Avoiding INT1 detection of SoftICE under WinXP

  1. #1
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127

    Avoiding INT1 detection of SoftICE under WinXP

    Does anybody have a tool or tip to avoid INT1 detection of SoftICE (WinXP)?! As it stands now, SI just treats the INT1 as a NOP.. or if you use I1HERE it breaks but doesn't execute the exception handler.

    Thought I'd ask, before trying to patch SoftICE myself...

  2. #2
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    Yah!

    In general you must NOT DO "F8" (single step) on this instruction & exception handler will work!

    BTW, this is not subject for this forum.

  3. #3
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127
    Originally posted by evaluator
    Yah!

    In general you must NOT DO "F8" (single step) on this instruction & exception handler will work!

    BTW, this is not subject for this forum.
    Really? I thought (plain/unpatched) SI would just skip the instruction.

    I'm almost certain SI handles the INT1 a bit differently than when no SI is present.

  4. #4
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    I know about difference & how to...

  5. #5
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127
    I'll just hook INT1 and check if the exception was caused by an INT1 instruction, if so.. pass it on to the old INT1 handler instead of giving it to SI.

    Shouldn't be too hard to do..

  6. #6
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    so happens without your "help":)

  7. #7
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127
    Originally posted by evaluator
    I know about difference & how to...
    So do I now

    8...4->C...5

  8. #8
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    Not enough!
    Find ^DAEMON^'s home page, download "sice detector" & make a test.

    Bye!

  9. #9
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127
    'SICE_NOT_FOUND' is enough for me

    ^DAEMON^ 's "sice detector" doesn't detect my SoftICE when I use I1HERE ON and then 'X' when SI breaks.

    But my new and improved version does..

  10. #10
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    You do not fully understand the trick,
    but this is because the implementation by ^DAEMON^ is not enough!

    I just upgraded his prog, so it will detect NTICE in 3 ways!!!

    So I need ^DAEMON^'s permission to publish it:(

    ^DAEMON^,^DAEMON^! where are U!?

  11. #11
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127
    I understand it perfectly.. don't worry

    Anyway my original beef was with an SD executable, which uses INT1 as a first SI detection. Changing the exception code resolved the detection.. so problem solved..

    But.. you speak of 3 methods.. I only count 2, so guess there's one more way. Feel free to share it.

    1) eip +2
    2) exception code
    3) ?

  12. #12
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    As I already wrote: single stepping (F8, F10) on INT01.
    This is not implemented in "SiceDetector", so if you trace the program in ntice, it gives "not found".

    Also there is another easy detection for ntice:)

  13. #13
    ^DAEMON^
    Guest
    hi,

    my page is currently down... i don't know when it will go online again...

    u can release it of course

    (btw. i don't know when i'll update my page the next time
    i've other projects running currently)

    ^DAEMON^
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  14. #14
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,479
    Blog Entries
    1
    Hell_to_you DAEMON!

    OK! Here is UPGRADED INT01_SICE DETECTOR.
    1. Detects single step on INT01 instruction
    2. Detects if INT01 is trap (so NTICE is here)

    The 2nd case self-intends error code kind (80000003 or C0000005), so I did not include a test for it.

    BTW, I have only XP, so test it on W2k, nt..
    Attached Files

  15. #15
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127
    Might as well make it complete and add:

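    ..to exception handler
    mov eax,[ebp+8]          ; eax -> EXCEPTION_RECORD (first handler argument, assuming a standard ebp frame)
    mov eax,[eax]            ; ExceptionCode is the first dword of the record
    mov [exception], eax     ; save it for the check in main code
    ...


    Then test in main code:

    cmp dword [exception],0xC0000005   ; hex constant needs the 0x prefix in NASM
    jnz .sice_found                    ; any other exception code takes the detection branch



    section .bss
    exception: resd 1        ; uninitialized dword holding the saved exception code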

    ---
    At least that will even work when *NOT* single stepping the target in SoftICE.
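
For an analyst who has to locate a check like the one in posts #14 and #15 inside a protected target, this added example (not part of the thread and not any poster's code) scans a code section for the two-byte `int 1` encoding and ranks sites that have one of the exception codes quoted in the thread nearby. The function names, the 64-byte window and the sample bytes are assumptions made for illustration.

```python
import struct

INT1 = b"\xCD\x01"  # two-byte encoding of "int 1" (hence the thread's "eip +2")
# Exception codes quoted in the thread, searched as little-endian immediates.
CODES = {0xC0000005: "C0000005", 0x80000003: "80000003"}
WINDOW = 64  # assumed search distance in bytes around each site


def find_int1_checks(code: bytes, base: int = 0, window: int = WINDOW):
    """Return [(int1_address, [(code_name, immediate_address), ...]), ...]."""
    needles = {struct.pack("<I", v): name for v, name in CODES.items()}
    hits = []
    pos = code.find(INT1)
    while pos != -1:
        lo = max(0, pos - window)
        hi = min(len(code), pos + len(INT1) + window)
        region = code[lo:hi]
        nearby = []
        for needle, name in needles.items():
            off = region.find(needle)
            while off != -1:
                nearby.append((name, base + lo + off))
                off = region.find(needle, off + 1)
        hits.append((base + pos, sorted(nearby, key=lambda t: t[1])))
        pos = code.find(INT1, pos + 1)
    return hits


def rank(hits):
    """Put sites with a nearby exception-code immediate first.

    A bare CD 01 is often just data or part of another instruction's
    immediate, so sites without a code comparison nearby sort last.
    """
    return sorted(hits, key=lambda h: (not h[1], h[0]))


# Constructed sample: a false positive (mov eax, 0x1CD), padding, then
# int 1 / cmp dword [0x403000], 0xC0000005 / jnz as in post #15.
SAMPLE = (
    b"\xB8\xCD\x01\x00\x00"
    + b"\x90" * 100
    + b"\xCD\x01"
    + b"\x81\x3D\x00\x30\x40\x00\x05\x00\x00\xC0"
    + b"\x75\x10"
)
```

A plain byte scan cannot tell code from data, so the ranked list is a starting point for manual review in a disassembler rather than a verdict.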
