
View Full Version : Avoid INT1 detection of NTICE under 2k/XP


pasha
March 23rd, 2003, 03:28
greetz

First of all, my apologies for starting another thread under the same heading. As much as I hate to do this, I wanted to know some info on INT 1 detection from the gurus.

As I read from the previous posts under the same heading, there are 3 ways to detect NTICE using INT 1:

1) Check if INT1 is trap gate - if so NTICE installed
2) Check exception code of INT1 - C0000005 if NTICE installed
3) EIP+2 - INT1 DPL=3 then NTICE installed

Okay, now my question is: how do I change the exception code so that method (2) is defeated? Do I need to hook KiUserExceptionDispatcher, or is there an easy way out?

awaiting a reply...

best regards
pasha

the_analyst
March 23rd, 2003, 07:29
Hello,

I may be wrong, I just woke up.
But as far as my sleepy brain can think, I would tend to say that the exception code of INT 1 is pretty much related to the INT 1 descriptor DPL.

It does return C0000005h if SoftICE is NOT here (EXCEPTION_ACCESS_VIOLATION).

Now if SoftICE IS running, you have 80000004h (EXCEPTION_SINGLE_STEP).

So if you have NTICE, the descriptor of INT 1 is set to DPL 3 and it returns EXCEPTION_SINGLE_STEP; else, without SICE, its descriptor is set to DPL 0 and it returns EXCEPTION_ACCESS_VIOLATION.

Basically, detection 2 is related to detection 3.
Hope it makes sense, I'm dragging ass.

Regards,

Analyst
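For an analyst triaging a binary rather than writing the check, the explanation above suggests a simple static signature: an `int 1` instruction whose surrounding code compares the resulting exception code against the two values the thread names (C0000005h and 80000004h). The script below is an added example written for this thread, not code posted by either participant. It assumes the standard two-byte x86 encoding of `int 1` (CD 01, not stated on the page), uses a constructed byte sample that stands in for a handler doing `cmp eax, 80000004h`, and treats the 64-byte lookahead window as a tunable heuristic. A CD 01 pair inside data rather than code is a known false positive, which the benign sample illustrates.

```python
"""Static triage heuristic for the INT 1 / exception-code SoftICE check.

Added example for the thread above; the sample bytes are constructed, and the
opcode encoding and lookahead window are assumptions, not something the thread states.
"""
import struct
from typing import Dict, List, Tuple

# Exception codes quoted in the thread (Windows NTSTATUS values).
EXCEPTION_ACCESS_VIOLATION = 0xC0000005  # no SoftICE: INT 1 gate is DPL 0, ring 3 caller faults
EXCEPTION_SINGLE_STEP = 0x80000004       # SoftICE present: gate raised to DPL 3, INT 1 is delivered

# `int 1` encodes as CD 01 on x86 (standard encoding; assumption relative to the page).
INT1_OPCODE = b"\xCD\x01"

_CODE_NAMES = {
    EXCEPTION_ACCESS_VIOLATION: "EXCEPTION_ACCESS_VIOLATION",
    EXCEPTION_SINGLE_STEP: "EXCEPTION_SINGLE_STEP",
}


def find_int1_sites(code: bytes) -> List[int]:
    """Return every offset at which the two-byte `int 1` encoding appears."""
    sites = []
    pos = code.find(INT1_OPCODE)
    while pos != -1:
        sites.append(pos)
        pos = code.find(INT1_OPCODE, pos + 1)
    return sites


def find_exception_code_checks(code: bytes, window: int = 64) -> List[Tuple[int, int, str]]:
    """For each `int 1` site, scan the following `window` bytes for a 32-bit
    little-endian immediate equal to one of the two exception codes.

    Returns (int1_offset, immediate_offset, code_name) triples. A hit means the
    code nearby is very likely comparing the exception code, which is the
    detection method (2) discussed in the thread.
    """
    hits = []
    for site in find_int1_sites(code):
        region_start = site + len(INT1_OPCODE)
        region = code[region_start:region_start + window]
        for i in range(len(region) - 3):
            value = struct.unpack_from("<I", region, i)[0]
            name = _CODE_NAMES.get(value)
            if name is not None:
                hits.append((site, region_start + i, name))
    return hits


def triage(code: bytes, window: int = 64) -> Dict[str, object]:
    """Summarise the findings with a plain-language verdict for a triage report."""
    sites = find_int1_sites(code)
    checks = find_exception_code_checks(code, window)
    if checks:
        verdict = "likely INT 1 exception-code debugger check"
    elif sites:
        verdict = "int 1 opcode present but no exception-code comparison nearby (possible data false positive)"
    else:
        verdict = "no int 1 opcode found"
    return {"int1_sites": sites, "exception_code_checks": checks, "verdict": verdict}


# Constructed sample: nop; nop; int 1; nop; cmp eax, 80000004h; jne +5; ret
SAMPLE_SUSPECT = (
    b"\x90\x90"
    + INT1_OPCODE
    + b"\x90"
    + b"\x3D" + struct.pack("<I", EXCEPTION_SINGLE_STEP)
    + b"\x75\x05"
    + b"\xC3"
)

# Constructed sample: CD 01 occurring inside a data blob, with no exception-code immediate after it.
SAMPLE_BENIGN = b"\x00\x01\xCD\x01\x02\x03" + b"\x00" * 20


if __name__ == "__main__":
    for label, blob in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        report = triage(blob)
        print(f"{label}: {report['verdict']}")
        for site, imm_off, name in report["exception_code_checks"]:
            print(f"  int 1 at +{site:#x}, compared against {name} at +{imm_off:#x}")
```

The immediate match is deliberately loose (any aligned or unaligned 4-byte value in the window), because the comparison may be done with `cmp`, a table lookup or a `mov` into a register before the branch; narrowing the window or requiring a `3D` (cmp eax, imm32) prefix trades recall for precision.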

pasha
March 23rd, 2003, 15:13
greetz

Thanks a lot, Analyst.

best regards
pasha