Hello!

While readind some posts, i came across Solomon's trick - it prevents registers' clearing by putting break point on NTContinue. Actually i didn't understand what it's done for. Can someone explain me?

Thanks.

Hello,

NTContinue is used by the kernel of WinNT/2K/XP to process SEHs. If the SEH handler of appz(especially packers/protectors) returns EXCEPTION_CONTINUE_EXECUTION, it will be called. ASProtect uses many SEHs(about 30) to do anti-tracing trick.

NTContinue can not prevent debug registers from being cleared. It's just a quick way to bypass anti-tracing tricks implemented with SEH.

Yeah, NtContinue used for context switchin, it's recive one parameter - context pointer. And you can protect debug registers Create patch (e.g. in sofice) in start of NtContinue (use jump to some free place e.g. in dll header) add this code here:

mov eax, [esp+4]
btr byte ptr [eax], 04
mov eax, original_proc_n ; get it from original code
jmp back_to_ntcontinue

Wow, now protector can't clear drx registers by SEH coz here is no CONTEXT_DEBUG_REGISTERS in CONTEXT.Flags structure.

PS. Suxx, tomorrow a make mistake in this code (forget add byte ptr [] to btr command). Sorry.

Yep, it's clear now, thanks.
To Dr.Golova: могбы по-рус., я бы понял)

G'day,

And one more question: with the help of what API can SEH intructions be sniffed out just to fasten the search and not to do it manually? And what technic does SuperBMP apply?

Agur.