Elnino
June 12th, 2004, 08:52
I'm looking at Starforce 3 and have some questions, especially about anti-debugging tricks:
1) I've debugged at boot prohlp.sys / prodrv.sys and found something like that:
D29B9A93 mov eax,01
D29B9A98 xor edi,edi
D29B9A9A call [Get_DDB]
D29B9AA0 mov [ebp-54],ecx
D29B9AA3 mov eax,[ebp-54]
D29B9AA6 test ecx,ecx
D29B9AA8 mov [ebp-0A4], ecx
D29B9AAE mov eax,ecx
D29B9AB0 je D29B9AC3
D29B9AB2 mov edx,2A
D29B9AB7 cmp [eax+06],dx
D29B9ABB je D29B9AC3
D29B9ABD mov eax,[eax]
D29B9ABF test eax,eax
D29B9AC1 jne D29B9AB7
...
After execution of the Vxd Call at D29B9A9A, I get ecx=C0011360 (address in VMM).
First time at D29B9ABD, eax=C0011360 with [eax]=C00334C4 (address in VMM).
Second time at D29B9ABD, eax=C00334C4 with [eax]=C002F3A4 (start offset of Winice).
So I replace, the second time, just after D29B9ABD, eax by the corresponding value without Sice.
But it doesn't avoid anti-debugging tricks. And putting ecx=0 just after the Vxd Call causes an error code C0000001, and after the loading of window$ the message:
"You must reboot your computer to finalize installation of drivers".
What does this routine really do?
2) How can I detect access to IDT? I can't put a bpr in IDT and that's logical because softice uses some interruptions. And there're some SIDT instructions in the code, which are not used.
How can I proceed to detect access to IDT without tracing the whole code?
3) Are anti-debugging tricks only in prodrv.sys or in the two drivers?
If someone could help me or give me a clue, that'll be great.
Best regards,
Elnino
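To make the loop at D29B9AAE..D29B9AC1 easier to read, here is an added emulation of it in Python (not code from the post or from the drivers). It models each DDB as the listing reads it: a dword link to the next block at offset 0 and a word at offset 6 that is compared against 0x2A. The memory image and device-number values are constructed, using only the three addresses the post reports; which VxD the value 0x2A designates is not stated in the post and is not assumed here.

```python
import struct

WANTED_ID = 0x2A  # the immediate loaded into edx at D29B9AB2


def build_memory(chain):
    """Build a tiny memory image from (address, next_ptr, device_id) tuples.

    Each entry stands in for the first 8 bytes of a DDB: a dword link at
    offset 0 (read at D29B9ABD) and a word at offset 6 (compared at D29B9AB7).
    Constructed test data, not a real dump."""
    mem = {}
    for addr, nxt, dev_id in chain:
        block = struct.pack("<IHH", nxt, 0, dev_id)  # offsets 0, 4, 6
        for i, b in enumerate(block):
            mem[addr + i] = b
    return mem


def read_dword(mem, addr):
    return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]


def read_word(mem, addr):
    return struct.unpack("<H", bytes(mem[addr + i] for i in range(2)))[0]


def walk_ddb_chain(mem, head, wanted=WANTED_ID):
    """Emulate D29B9AAE..D29B9AC1. Returns (eax at D29B9AC3, visited blocks)."""
    visited = []
    eax = head                                 # mov eax,ecx
    if eax == 0:                               # test ecx,ecx / je D29B9AC3
        return 0, visited
    dx = wanted                                # mov edx,2A
    while True:                                # D29B9AB7:
        visited.append(eax)
        if read_word(mem, eax + 6) == dx:      # cmp [eax+06],dx / je D29B9AC3
            return eax, visited                # exit with the matching block
        eax = read_dword(mem, eax)             # mov eax,[eax]
        if eax == 0:                           # test eax,eax / jne D29B9AB7
            return 0, visited                  # chain exhausted, eax = 0


# Constructed chain using the three addresses from the post; the device-number
# words are illustrative, except that the last block carries the wanted value.
CHAIN = [
    (0xC0011360, 0xC00334C4, 0x0001),
    (0xC00334C4, 0xC002F3A4, 0x0010),
    (0xC002F3A4, 0x00000000, WANTED_ID),
]

if __name__ == "__main__":
    hit, path = walk_ddb_chain(build_memory(CHAIN), 0xC0011360)
    print(f"exit eax={hit:08X}, visited={[f'{a:08X}' for a in path]}")
```

The emulation makes the two exits explicit: D29B9AC3 is reached either with eax pointing at the first block whose word at +6 equals 0x2A, or with eax=0 once the link chain ends.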