Thread: Additional process without name...

  1. #1

    Additional process without name...

    Target: Few apps (year 2004)
    Problem: The app has some anti-debugging tricks. When I execute it, it shows me a message box with a "Debugger detected!" error. So I bmsg xxx wm_destroy on it and I land in code that doesn't have a name in SoftICE. I realized that the app has something like an additional process with a protection routine. The code of the additional process is unreachable at start (the app unpacks it, I suppose). I can't dump it.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Kayaker
    Something you might try, I don't know if it would detect the code section or not, is the SoftICE QUERY command to display the virtual address map of the process; specify either the process or the linear address of the code in question. Use ADDR to make sure you're in the correct context. The code might be executing in its own thread, in which case THREAD -x might give useful info. Then there's the HEAP command; if the app allocates memory to run some code, it might pick that up (also shown by QUERY). Also, using the STACK command might be useful when you break into the code.

    I don't know if any of the results would be useful for you, but it might give some info. Especially if you compare with results from a "debugger hidden" run (Iceext?). If not, I think at least some of the information could be obtained from other tools without Sice running.


  3. #3
    ADDR will list out all running processes.
    ADDR processname will switch to the desired process, where you can patch, dump and take a look around your cryptic process.
