
ARTeam: xADT eXtensible Anti-Debug Tester V 1.2


Shub-nigurrath
August 24th, 2006, 10:44
Hi all,
version 1.2 is ready to go out.

You can find it at http://releases.accessroot.com/

I tried to improve the tool even more, fixing all the bugs and adding several options; see the detailed history in the readme inside, or here too, for further details.

A detailed history follows, but mainly I fixed some bugs, added internal tests, improved the user and plugin interfaces, added some more free examples with sources, and added several interesting new plugins.

version 1.2
main program:
-fixed initial working directory bug which prevented the xADT.ini file from loading correctly (e.g. from OllyDbg Bar)
-fixed several selection bugs in the list of available tests. Now works in all cases
-fixed a bug in the export browsing routine for plugins with more than one test inside, which prevented multiple plugins from working
+improved stability of the program for plugins not correctly exporting all functions as foreseen
-fixed tooltips, now it displays the string returned by _about export, when mouse is over the line of a test
+added tooltips with result of the test: now the tooltip of the result column contains the string returned by the test to xADT.
+added keyboard interface: see readme for details
+added horizontal scroll for panels for longer descriptions
plugins:
+improved previous plugins and added an example plugin with several tests inside
+added support for optional _about exports for plugins, now it can be used to specify credits, the string is shown as tooltip
-fixed driver unloading problems in SIDT plugin
new-plugins:
+added RDTSC and INT3 plugin (inside FindWindow_and_Time.dll)
+added GetSystemTime and INT3 plugin (inside FindWindow_and_Time.dll)
+added some anti-SICE plugin (inside FindWindow_and_Time.dll)
+added Find Complex test (inside FindWindow_and_Time.dll), a very complex plugin which performs a lot of interesting tests. It's also a POC on how plugins might have their own interface
+added SICETricks (SICETricks.dll) plugin which performs several SoftICE-specific tests
+added 3 tests by ap0x: EnumWindows, GetProcessHeaps and PageGuard (into xADT_ap0x.dll)

Contributions and comments are welcome!!

dELTA
August 24th, 2006, 16:09
Nice, really good work from you guys as usual, keep it up.

JMI
August 24th, 2006, 19:24
And, as usual, thanks for sharing it here.

Regards,

Apakekdah
August 30th, 2006, 02:09
http://accessroot.com/ <= what happened with this forum?
Why are they down...?
That's a nice forum, nice people...

Silkut
August 30th, 2006, 04:24
Quote:
[Originally Posted by Apakekdah] http://accessroot.com/ <= what happened with this forum?
Why are they down...?
That's a nice forum, nice people...


This problem was already discussed here: http://woodmann.net/forum/showthread.php?t=9442

Shub-nigurrath
November 5th, 2007, 12:46
Hi everybody,
the new version of xADT, version 1.3, is out.

The client is the same as version 1.2, but I added several tests other people sent me and some examples for developing new plugins. Thanks a lot to the guys who sent them to me; greetings are in the readme!

Code:
version 1.3
-xADTplugin_delphi_source sources of IsDebuggerPresent dll test in Delphi (10x 2 rudikkin), use them as sample to write Delphi plugins
-sources of DBG_PRINTEXCEPTION_C a novel detection method developed by MOID/TSRh
-several plugins developed by ChuPaChu. The same tests are also available into the testbed_chupachu.exe program I included too


h!!p://arteam.accessroot.com
RCE Releated > Tools > ARTeam Tools

upb
November 6th, 2007, 00:35
hmm, run from explorer on win2003 enterprise SP2 ENG
Code:

Will display WARNING, POSITIVE Results
------------------------
Test: ChupaChu debugger test v0.3 *final public-plugin edition*
Message from test function: Nothing
Result: Debugger detected
------------------------
Test: ChupaChu_TICK_TIME_TRICK
Message from test function: Nothing
Result: Debugger detected
------------------------
Test: int_hooks
Message from test function: Nothing
Result: Debugger detected
------------------------
Test: ZwQueryObject DebugObject Testing
Message from test function: I cannot access to the DebugObject, this makes me thinking something is going wrong
Result: It's possible that I'm debugged

Shub-nigurrath
November 6th, 2007, 03:22
Actually, the "ZwQueryObject DebugObject Test" is indeed not stable and from time to time gives false results.

dELTA
November 6th, 2007, 03:28
Thanks as usual, Shub (even though some of the tests seem to be a little over-paranoid according to upb's report).

Upb, are you running as admin when you perform those tests? Especially the last reported message makes me suspect that something related to user rights may be a cause of this...