                Anti-SecuROM single step detection plugin
                                        deroko of ARTeam
                                        

SecuROM uses a write to SS to suppress interrupts for one instruction.
At that point the debugger can neither clear TF nor emulate pushfd.
This is an IA-32 feature: interrupts (including the single-step trap) are
held off after SS is loaded so that the next instruction can load ESP with
the new stack address without an interrupt landing on a half-switched stack.

SecuROM code:

        push    ss
        pop     ss      <---- disables interrupts for one instruction
        pushfd          <---- executed as if there were no TF
        mov     eax, [esp] <---- eax gets EFLAGS with TF still set, and execution
                                 stops here (the single-step interrupt fires)
                                 
This plugin is very simple: when this sequence occurs it patches the EFLAGS
value that pushfd left on the stack, clearing TF before the code can read it.
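The following is an added example, not part of deroko's plugin or of
SecuROM: a small static scanner that finds the "push ss / pop ss / pushfd /
mov r32, [esp]" probe described above in a code buffer, plus the fix-up the
plugin applies to the saved EFLAGS. It generalises the page's eax case to any
32-bit general-purpose register as the destination of the mov. The byte
encodings are standard IA-32 (push ss = 16h, pop ss = 17h, pushfd = 9Ch,
mov r32,[esp] = 8B /r 24h); the sample code and stack bytes are constructed
for the example.

```python
"""Scanner and EFLAGS fix-up for the SS-shadow trap-flag probe (added example)."""
from typing import List, Tuple

EFLAGS_TF = 0x100  # trap flag, bit 8 of EFLAGS

# 32-bit GPR names indexed by the ModRM reg field
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_ss_tf_probes(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, disassembly) for every
    push ss; pop ss; pushfd; mov r32, [esp] sequence found in `code`.

    mov r32,[esp] is 8B, ModRM with mod=00 rm=100 (SIB follows), SIB=24h
    (base=esp, no index). The reg field of the ModRM selects the register.
    """
    hits = []
    i = 0
    while i + 6 <= len(code):
        if (code[i] == 0x16 and code[i + 1] == 0x17 and code[i + 2] == 0x9C
                and code[i + 3] == 0x8B and (code[i + 4] & 0xC7) == 0x04
                and code[i + 5] == 0x24):
            reg = REGS[(code[i + 4] >> 3) & 7]
            hits.append((i, f"push ss; pop ss; pushfd; mov {reg}, [esp]"))
            i += 6
        else:
            i += 1
    return hits


def patch_saved_eflags(stack: bytearray, esp: int) -> int:
    """Clear TF in the EFLAGS dword that pushfd left at [esp].

    This mirrors what the plugin does from its single-step handler once the
    sequence has completed: the debuggee then reads a clean EFLAGS value.
    Returns the patched value.
    """
    val = int.from_bytes(stack[esp:esp + 4], "little")
    val &= ~EFLAGS_TF
    stack[esp:esp + 4] = val.to_bytes(4, "little")
    return val


# Constructed sample: two nops, the probe reading into eax, a ret, then the
# probe reading into ecx.
SAMPLE_CODE = bytes.fromhex("9090" "16179c8b0424" "c3" "16179c8b0c24")

# Constructed sample stack: pushfd left EFLAGS 0x346 (TF set) at esp=4.
SAMPLE_STACK = bytearray(b"\x00" * 4 + (0x346).to_bytes(4, "little") + b"\x00" * 8)
SAMPLE_ESP = 4


def demo() -> Tuple[List[Tuple[int, str]], int]:
    """Run the scanner over the sample code and patch the sample stack."""
    hits = find_ss_tf_probes(SAMPLE_CODE)
    patched = patch_saved_eflags(bytearray(SAMPLE_STACK), SAMPLE_ESP)
    return hits, patched


if __name__ == "__main__":
    hits, patched = demo()
    for off, text in hits:
        print(f"probe at offset {off:#x}: {text}")
    print(f"saved EFLAGS after patch: {patched:#x}")
```

The scanner is a signature match, so it only flags the literal sequence;
the plugin itself does not need to scan anything because it reacts at the
single-step interrupt when the mov has just executed.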

Syntax:

!srom on
!srom off

The engine is not MP safe. It could be made MP safe by using an inline hook
instead of IDT patching, since each processor has its own IDT but all of them
point to the same handler addresses in ntkrnlmp.exe.


To load it, copy extension.sys to C:\windows\system32\drivers\

and add these 3 values to the NTICE registry key:

"KDExtensions" = REG_EXPAND_SZ extension.sys;
"KDStackSize"  = DWORD:0x00008000
"KDHeapSize"   = DWORD:0x00008000

Now fire up loader1 and the plugin will be loaded.
              
For more info, see Kayaker's guide to creating SoftICE extensions at
http://www.woodmann.com/forum/showthread.php?t=7097


                                                deroko of ARTeam  