Patches updated for Driver Studio 2.7

SoftIce Anti-Detection patches, as per +Splaj's walkthru. ALL Credits go to +Splaj, small credits to myself for creating the patch.

Once again, Int 1 detection NOT patched !

Tested on Win2K vanilla ( No Service packs).


-nt20

Hi Tesla:

Nice work! One quick question though: I did create a 2.6 anti-detect patch based on +SplAj guidelines and it works fine. Only that in the SoftICE Log I always get this "KeExceptionDispatcher.....<blah> <blah> etc" but it works fine. Do you observe the same thing with 2.7 patch.? Maybe I patch the ExceptionHandler part wrong...

I'll try to install 2.7 on some machine here and test the patch

Signed,
-- FoxThree

Yes, I saw the same thing in the 2.6 patches I made.

I didnt see it in these patches now though - mainly because I could not find a reference in the file anywhere to "UnhandledExceptionFilter". It just wasnt there. Which is probably a good thing!

-nt20

Could someone please tell me where to find this +Splaj walkthrough?

lazy "noobie" search the threads ....

I believe the unhandled you are looking for is at offset 4DF95

oooh ahhh interesting,

I just moved from 98 to 2k and have found the softice detection
methods have changed/grown etc, so im working a small .sys
and it all works apart from one check im ahaving trouble with,
after reversing ntice i found softice puts a 0CCh on
UnhandledExceptionFilter, but masks it, put 90 90 on the first
2 bytes and exit and go back to softice and amusingly theres
55 90 there now, anyway, trying to think of a way to fix detection
of this kind in my .sys, or maybe patching ntice.sys, anyway
ideas anyone?

I tried the zip provided above out of curoisity and my softice display seem to stop showing its self , i havent tried it again
since im more interested on working on my own solution and
understanding the bits and pieces atm.

'+Splaj's walkthru' has been mentioned, ive searched for this but
failed, could someone point me in the correct direction thanks,

regards,
yates.

[yAtEs]:

"Softice" on the left side of the search page and "+Splaj" on the right will get you to a thread titled "In Win2K how to defeat the anti-debug trick of Asprotect?". It's from 9-24-2001 and is found at:

http://www.woodmann.net/forum/showthread.php?s=&threadid=1806

Caution: Note for those without experience, (not intending to include [yAtEs] in this category) do not blindlessly patch at the addresses shown because these things can change in different version of Softice than the one being discussed, so "search" your version and don't forget to read the entire thread for one additional thing to patch. Also check out +Spl/\j's "detect" tool to see if you patched the correct things.

Regards.

Hi JMI,
Are you slave of [Yates] ;D.
Some ppl complain about me telling ppl to search the board
well Who CARES :ddddddd

ah ok, after another search engine battle session i managed
to find that. thank you for the link, much appreciated.




yes he is my slave, but its ok i pay him well.


regards,
yates.

[yAtEs]:

If I keep up the good work, any chance I could get a small raise this decade???

Regards.