Hi!

Is there any way to avoid anti-debug trick such as:



or using lidt/change idt in 32-bit protected mode?

Sure, but it typically takes som manual labor.

With the 16-bit code just jump over the code in question, and then log all calls to int 21h. Looking at the new handler, it should be easy to see when an int 21h would proceed to protection code, and when it'll just jump to the old handler. Then reroute accordingly.

Basically, do the same with 32-bit code.

Fake

Thanx for your quick answer, Fake51!

But is there a way to know when the the real int21 is being used, and when is the 'fake'? Instead of doing it by hand (imagine, if thew guy is paranoid and has fullfilled all around with this stuff)

And in protected mode, is ther an easy way to access IDT?

Hello fjrp2 !

It looks to me like program executes INT 01 instead of INT 21 to prevent single stepping through the code.
So both INT 01 and INT 21 point to the old INT 21 handler. I don't know why you want to know when INT 01 and when INT 21 are executed, since they're equal, and I don't know what you want to do with it. If you plan to single-step through the application, you must redirect the INT 01 handler a bit. However, I don't know how to do this in SoftICE, but Turbo Debugger will handle this fine.

You should redirect the INT 01 to some memory location where you some bytes for your own code. (I use 9F?0:0000 most time)
At this location you place some code likeI didn't care about the flags here, but you can add some code to handle them if you like.

So when you're tracing code, TD's INT 01 will be called, but if you step over an INT 01 call, the original INT 21 will be called, since TD places an INT 03 after the INT 01 call and executes the INT 01 call normally. You can even set breakpoints with this.

Thank you DakienDX!

Just what I need .