
upcoming icedump features



hello everyone,

i normally spare you from having to read potentially off-topic
announcements, but this time i think at least some of you
will get interested. namely, i added an automated tracer
engine to icedump. i won't go into too many technical details
here, you will get the source code at the release anyway and
can examine it, but i can tell you that the following PE
protectors can be happily traced (i tried it on the protectors
themselves ;-): pelocknt (2.04), pecrypt (1.02 rc1, which was
publicly released and i had access to), peshield (0.25).
obviously less enhanced compressors/protectors should present
no problems either but i personally didn't try too many (petite
and upx come to mind).

the tracer engine is a multithread-aware state machine that
emulates 'sensitive' instructions; it is able to trace into
structured exception handlers, and can automatically detect
and trace all threads in a process as they're created. code
that executes in ring-0 is not traced, and i don't plan to
add support for that either.

now, my request: if you know of and are willing to share info
on win32 specific anti-debugger/tracer tricks (instructions)
that need emulation for a successful trace, please let me know.
the current list includes pushfd/popfd/iretd/sidt.

regards,
         the owl

ps: this will probably start yet another cat&mouse game which
i don't mind as long as it is kept at a friendly level. please
bear that in mind when you comment/bitch on/about stuff (this
being my first attempt at such a creature means that it's
probably less than perfect/decent ;-).
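Added example, not code from the post or from icedump: a small C model of the trap-flag handling the message describes, contrasting a plain single-step tracer with one that emulates pushfd/popfd so the traced code never observes TF. The instruction set, the vcpu struct and the CHECK_TF stub are constructed for illustration and assume a classic pushfd / test [esp],TF / popfd check.

```c
#include <stddef.h>
#include <stdint.h>

#define TF 0x100u  /* EFLAGS.TF: the trap flag a single-step tracer keeps set */

/* Constructed mini instruction set: just enough to express the pushfd trick. */
enum op { PUSHFD, TEST_TOS_TF, POPFD, HALT };

typedef struct {
    uint32_t eflags;     /* flags as the traced thread really has them */
    uint32_t stack[8];   /* sp indexes the top; the stack grows downward */
    int sp;
    int tf_seen;         /* 1 once traced code has observed TF in memory */
} vcpu;

/* Plain single-step: every instruction behaves exactly as the CPU would. */
static void step_raw(vcpu *c, enum op o) {
    switch (o) {
    case PUSHFD:      c->stack[--c->sp] = c->eflags; break;
    case TEST_TOS_TF: if (c->stack[c->sp] & TF) c->tf_seen = 1; break;
    case POPFD:       c->eflags = c->stack[c->sp++]; break;
    case HALT:        break;
    }
}

/* Emulated single-step: the tracer executes the sensitive instructions itself.
 * pushfd stores a copy with TF cleared, so the protector cannot read it back;
 * popfd honours the program's flags but re-asserts TF so stepping continues. */
static void step_emulated(vcpu *c, enum op o) {
    switch (o) {
    case PUSHFD: c->stack[--c->sp] = c->eflags & ~TF; break;
    case POPFD:  c->eflags = c->stack[c->sp++] | TF;  break;
    default:     step_raw(c, o);                      break;
    }
}

/* Run a program under the chosen stepper and return the final CPU state. */
static vcpu run(const enum op *prog, size_t n, void (*step)(vcpu *, enum op)) {
    vcpu c = { 0x202u | TF, {0}, 8, 0 };  /* tracer attached: TF already set */
    for (size_t i = 0; i < n; i++)
        step(&c, prog[i]);
    return c;
}

/* Constructed protector stub: pushfd / test [esp],TF / popfd. */
static const enum op CHECK_TF[] = { PUSHFD, TEST_TOS_TF, POPFD, HALT };
static const size_t CHECK_TF_LEN = sizeof CHECK_TF / sizeof CHECK_TF[0];
```

Under step_raw the stub sees TF on the stack; under step_emulated it sees nothing, yet TF is still set afterwards so the tracer keeps stepping.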