Modifying SoftICE to escape detection under 2000/XP

xiaoxiao, 2021-03-06

Modifying SoftICE to escape the detection methods used under 2000/XP. The source is http://www.woodmann.com/upload/showthread.php?s=&threadid=1806. Here I want to describe my own modification experience; the basic content is the same as that post, with just a little of my own added.

To let SoftICE escape detection under 2000/XP we need to modify three files. ntice.sys and siwvid.sys are in the %Windir%\System32\Drivers directory; NMTRANS.DLL is in the SoftICE installation directory.

First we must understand which methods are used to detect SoftICE under 2000/XP. The most important one is to detect the Ntice and SiwvidStart device names by opening them, the way 2000/XP opens a device driver. There is also the use of INT 1 and INT 3, and the GFU*F ... MJ check. Here we only cover how to escape monitoring by these methods; as for defeating single-step tracing, that needs your own debugging skills and is outside the scope of this article.

Here is how to modify the three files so that our SoftICE has an Anti Detect feature.

Reminder!! After the two driver files ntice.sys and siwvid.sys have been modified, their PE header checksum must be fixed, which can be done with LordPE. Otherwise the system will fail to boot!

NTICE.SYS modifications:
1. Find the string GFU*F and change it to XFU*f; change the MJ that follows it to XJ.
2. Find all Unicode strings \Ntice and change them to \XTice.
3. Find the Unicode string bchkd and change it to XCHKD.
4. Find the string \driver\ntice and change it to \driver\Xtice.
5. Find Kernel32!UnhandledExceptionFilter and change it to user32!MessageBoxExW.

Siwvid.sys modifications:
1. Find all Unicode strings \SiwvidStart and change them to \xiwvidstart.

NMTRANS.DLL modifications:
1. Find the string \\.\ntice and change it to \\.\xtice.

With this we are done. Once more: fix the checksums of ntice.sys and siwvid.sys! After the above treatment your SoftICE's Anti Detect is greatly strengthened, but it still cannot hide from the INT 1 detection method.
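The checksum fix that the reminder above insists on can be verified without LordPE. The following C program is an added example for this article, not code from the original post or from the woodmann thread; it implements the documented PE header checksum (the value LordPE writes and ImageHlp's CheckSumMappedFile computes), locates the CheckSum field from the MZ and PE headers, and recomputes or repairs it. The 256-byte demo_image is a constructed stand-in for a driver file that carries only the MZ and PE signatures, so the numbers it produces are illustrative; reading the real ntice.sys into a buffer and calling pe_checksum_ok() on it before rebooting is the check the article asks for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PE header checksum as Windows computes it: ones'-complement sum of the
 * image's 32-bit words (the CheckSum dword itself excluded), folded to
 * 16 bits, plus the file length. cksum_off is assumed 4-byte aligned,
 * which holds for any normally laid out PE header. */
uint32_t pe_checksum(const uint8_t *img, size_t len, size_t cksum_off)
{
    uint64_t sum = 0;
    size_t i = 0;

    for (; i + 4 <= len; i += 4) {
        uint32_t dw;
        if (i == cksum_off)                 /* skip the CheckSum field */
            continue;
        dw = (uint32_t)img[i] | ((uint32_t)img[i + 1] << 8) |
             ((uint32_t)img[i + 2] << 16) | ((uint32_t)img[i + 3] << 24);
        sum += dw;
        sum = (sum & 0xFFFFFFFFu) + (sum >> 32);   /* end-around carry */
    }
    if (i < len) {                          /* trailing bytes, len % 4 != 0 */
        uint32_t dw = 0;
        int shift = 0;
        for (; i < len; i++, shift += 8)
            dw |= (uint32_t)img[i] << shift;
        sum += dw;
        sum = (sum & 0xFFFFFFFFu) + (sum >> 32);
    }
    sum = (sum & 0xFFFF) + (sum >> 16);     /* fold to 16 bits */
    sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint32_t)(sum + len);
}

/* Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 ("PE\0\0")
 * + 20 (IMAGE_FILE_HEADER) + 64. Returns 0 if the signatures are missing. */
size_t pe_checksum_offset(const uint8_t *img, size_t len)
{
    uint32_t e_lfanew;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return 0;
    e_lfanew = (uint32_t)img[0x3C] | ((uint32_t)img[0x3D] << 8) |
               ((uint32_t)img[0x3E] << 16) | ((uint32_t)img[0x3F] << 24);
    if ((size_t)e_lfanew + 88 + 4 > len || img[e_lfanew] != 'P' ||
        img[e_lfanew + 1] != 'E' || img[e_lfanew + 2] != 0 ||
        img[e_lfanew + 3] != 0)
        return 0;
    return (size_t)e_lfanew + 88;
}

/* 1 if the stored CheckSum matches the image, 0 if the header needs
 * fixing, -1 if the buffer is not a PE image. */
int pe_checksum_ok(const uint8_t *img, size_t len)
{
    size_t off = pe_checksum_offset(img, len);
    uint32_t stored;
    if (off == 0)
        return -1;
    stored = (uint32_t)img[off] | ((uint32_t)img[off + 1] << 8) |
             ((uint32_t)img[off + 2] << 16) | ((uint32_t)img[off + 3] << 24);
    return pe_checksum(img, len, off) == stored;
}

/* Write the correct CheckSum into the header (what LordPE's fix does).
 * Returns the value written, or 0 if the buffer is not a PE image. */
uint32_t pe_fix_checksum(uint8_t *img, size_t len)
{
    size_t off = pe_checksum_offset(img, len);
    uint32_t ck;
    if (off == 0)
        return 0;
    ck = pe_checksum(img, len, off);
    img[off] = (uint8_t)ck;
    img[off + 1] = (uint8_t)(ck >> 8);
    img[off + 2] = (uint8_t)(ck >> 16);
    img[off + 3] = (uint8_t)(ck >> 24);
    return ck;
}

/* Constructed sample: only the MZ signature, e_lfanew = 0x40 and the
 * PE signature are set; everything else (including CheckSum) is zero. */
uint8_t demo_image[256] = { [0] = 'M', [1] = 'Z', [0x3C] = 0x40,
                            [0x40] = 'P', [0x41] = 'E' };

int main(void)
{
    printf("CheckSum field at 0x%zx, stored ok=%d\n",
           pe_checksum_offset(demo_image, sizeof demo_image),
           pe_checksum_ok(demo_image, sizeof demo_image));
    printf("fixed to 0x%08x, ok=%d\n",
           pe_fix_checksum(demo_image, sizeof demo_image),
           pe_checksum_ok(demo_image, sizeof demo_image));
    return 0;
}
```

For a real file, read ntice.sys fully into memory, call pe_checksum_ok() on it after the string edits, and only write the file back with pe_fix_checksum() applied; the function leaves everything but the four CheckSum bytes untouched.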
The method for escaping the INT 1 detection of SoftICE is as follows. Type the IDT command in SoftICE and you get the value of the IDT base; under my XP it is always 8003F400. Then D idtbase: you can see that the byte at 0Dh is EE, and we change it to 8E to escape INT 1 detection. The command EB 8003F40D 8E can be added to the commands SoftICE runs at startup, so that every SoftICE start has the Anti INT 1 detection function. Before doing this, confirm that the IDT base is fixed on your machine; if it is not, you can only make the change manually.
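Why EE versus 8E matters: the IDT is an array of 8-byte gate descriptors, so offset 0Dh is byte 5 of vector 1's descriptor, the attribute byte that holds the Present bit, the DPL and the gate type. EE is a present 32-bit interrupt gate with DPL 3, which is what lets an INT 1 issued from user mode reach the debugger and is what the INT 1 check looks for; 8E is the same gate with DPL 0. The C program below is an added example, not code from the original post: it decodes that byte, runs the DPL check over a constructed 32-byte IDT fragment (demo_idt, which imitates vectors 0 to 3 with ring-3 gates on 1 and 3), and applies the same bit change as the EB command while leaving the Present bit and gate type intact.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IDT_GATE_SIZE  8   /* 32-bit x86 gate descriptor */
#define IDT_ACCESS_OFF 5   /* byte 5 of the descriptor: P, DPL, S, type */

typedef struct {
    int present;   /* bit 7 */
    int dpl;       /* bits 6:5, highest ring allowed to raise the vector with INT n */
    int type;      /* bits 3:0, 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate */
} gate_access;

gate_access decode_gate_access(uint8_t b)
{
    gate_access g;
    g.present = (b >> 7) & 1;
    g.dpl = (b >> 5) & 3;
    g.type = b & 0xF;
    return g;
}

/* Offset of a vector's attribute byte inside a raw IDT image;
 * vector 1 gives 0x0D, the offset the article patches. */
size_t idt_access_offset(int vector)
{
    return (size_t)vector * IDT_GATE_SIZE + IDT_ACCESS_OFF;
}

/* Attribute byte of vector n, or -1 if the buffer is too short. */
int idt_access_byte(const uint8_t *idt, size_t len, int vector)
{
    size_t off = idt_access_offset(vector);
    if (vector < 0 || off >= len)
        return -1;
    return idt[off];
}

/* The detection logic: a present INT 1 gate reachable from ring 3 (DPL 3)
 * is not what a plain 2000/XP kernel installs. 1 = debugger gate visible. */
int int1_ring3_reachable(const uint8_t *idt, size_t len)
{
    int b = idt_access_byte(idt, len, 1);
    gate_access g;
    if (b < 0)
        return -1;
    g = decode_gate_access((uint8_t)b);
    return g.present && g.dpl == 3;
}

/* The article's patch (EB idtbase+0D 8E): clear the DPL bits of the
 * INT 1 gate, keeping Present and the gate type. Returns the new byte. */
int hide_int1_gate(uint8_t *idt, size_t len)
{
    size_t off = idt_access_offset(1);
    if (off >= len)
        return -1;
    idt[off] &= (uint8_t)~0x60;
    return idt[off];
}

/* Constructed sample: the first four gates of an IDT. Vectors 0 and 2 are
 * ordinary DPL 0 interrupt gates; vectors 1 and 3 carry DPL 3 gates as a
 * resident debugger would install them. Selector/offset fields are zero. */
uint8_t demo_idt[4 * IDT_GATE_SIZE] = { [5] = 0x8E, [13] = 0xEE,
                                        [21] = 0x8E, [29] = 0xEE };

int main(void)
{
    gate_access g = decode_gate_access((uint8_t)idt_access_byte(demo_idt, sizeof demo_idt, 1));
    printf("INT 1 gate: P=%d DPL=%d type=0x%X, ring3 reachable=%d\n",
           g.present, g.dpl, g.type, int1_ring3_reachable(demo_idt, sizeof demo_idt));
    printf("after patch: byte=0x%02X, ring3 reachable=%d\n",
           hide_int1_gate(demo_idt, sizeof demo_idt),
           int1_ring3_reachable(demo_idt, sizeof demo_idt));
    return 0;
}
```

Note that the patch only changes the two DPL bits; a check that inspects the INT 3 gate (offset 1Dh in the same layout) or that tests for the gate's handler address would not be affected by it, which is why the article treats INT 1 separately from the string changes.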

Please credit the original source when reposting: https://www.9cbs.com/read-66193.html
