

            About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (interrupt vector table segment)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler: copy AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE (Win9x) driver accepts an open request. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Explicit ANSI variant: the device name is a narrow string. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
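Example added here, not part of the original post: a small YARA-style byte scanner that flags the instruction sequences and strings quoted in the methods above, so an analyst triaging a packed sample can see which anti-SoftICE tricks it carries. The byte encodings (16-bit forms; a 32-bit build only adds a 66h prefix), the signature names and the sample blob are this example's own assumptions.

```python
"""Signature scan for the anti-SoftICE tricks listed above.

Example code added to this page, not part of the original post.  Each
pattern is the byte encoding of an instruction sequence or string quoted
in the methods above; names, offsets and the sample are this example's own.
"""
import re
from typing import Dict, List, Tuple

# 16-bit encodings.  A 32-bit build of the same instructions only adds a
# 66h operand-size prefix in front, so substring matching still hits.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,04243484Bh ('BCHK' BoundsChecker marker)
    "M01 BoundsChecker marker (mov ebp,'BCHK')": rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic values (adjacent,
    # as in the Haspinst.exe listing)
    "M02 back-door magic values (mov si,4647h; mov di,4A4Dh)":
        rb"\xBE\x47\x46\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    "M03 int 2Fh/1684h, VxD ID 0202h (SICE)": rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)": rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "M05 int 41h function 4Fh": rb"\xB8\x4F\x00\xCD\x41",
    # Methods 05/07/12: cmp ax,0F386h (system-debugger magic number)
    "M05/M07/M12 cmp ax,0F386h": rb"\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h function 43h": rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): driver device names opened with CreateFileA/_lopen
    "M11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 2A002Ah before the VxDCall
    "M12 VWIN32_Int41Dispatch via VxDCall": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry key #2
    "M13 NuMega registry key": rb"Software\\NuMega\\SoftICE",
}


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, ordered by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(data: bytes) -> List[str]:
    """Distinct method tags (the leading 'Mnn' token of each hit), sorted."""
    return sorted({name.split()[0] for _, name in scan(data)})


# Constructed sample: a fake image carrying the Method 02 back-door call,
# the Method 05 int 41h check and two MeltICE device names.  Not a real file.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"       # mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"    # "\\.\SICE", "\\.\NTICE"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
    print("methods:", ", ".join(methods_found(SAMPLE)))
```

Hits on real samples only prove the bytes are present; a packer may build the magic values at run time, so treat a clean scan as a hint, not as proof of absence.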