
Title: About anti-SoftICE tricks [Print this page]

Author: hbhdgpyz    Time: 2008-9-28 16:34
Title: About anti-SoftICE tricks
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.




Welcome to 汶上信息港 (http://m.junkejituan.com/) Powered by Discuz! X3.5