            About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES is assumed to be 0 (IVT segment)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
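To make the DR7 values quoted above concrete, here is an added example that is not part of the original post: it decodes a DR7 value bit by bit, following the documented x86 layout, so that 0x400 reads as "only the always-set reserved bit 10" and 0x700 as "reserved bit plus the LE/GE exact-breakpoint flags", and it lists which DR0-DR3 slots are armed as a memory breakpoint would arm them. The helper names (decode_dr7, debugger_indicators, build_dr7) and the sample register values are this example's own.

```python
# Added example, not part of the original post: decode a DR7 value the way a
# Method 10 check would read it, so the 0x400 / 0x700 values quoted above can
# be interpreted bit by bit. Bit positions follow the documented x86 DR7 layout.

DR7_LE = 1 << 8          # local exact breakpoint enable (legacy flag)
DR7_GE = 1 << 9          # global exact breakpoint enable (legacy flag)
DR7_RESERVED = 1 << 10   # always reads as 1, hence the "0x400" baseline
DR7_GD = 1 << 13         # general detect: #DB on any access to a debug register

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding (10b = 8 bytes, 64-bit only)


def decode_dr7(dr7: int) -> dict:
    """Return the armed hardware breakpoint slots and the global DR7 flags."""
    slots = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))       # Ln bit
        glob = bool(dr7 & (1 << (2 * n + 1)))    # Gn bit
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 0b11    # R/Wn field
            ln = (dr7 >> (18 + 4 * n)) & 0b11    # LENn field
            slots.append({"slot": n, "local": local, "global": glob,
                          "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": slots,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "reserved_bit10": bool(dr7 & DR7_RESERVED),
    }


def debugger_indicators(dr7: int, dr0_3) -> list:
    """What a protector reading DR0-DR7 (ring 0) would notice; dr0_3 is the
    list of the four address registers DR0..DR3."""
    info = decode_dr7(dr7)
    findings = []
    if info["le"] or info["ge"]:
        findings.append("LE/GE set: DR7 looks like the 0x700 state described above")
    for bp in info["breakpoints"]:
        findings.append("DR%d armed: %s, len=%d, at 0x%08X"
                        % (bp["slot"], bp["type"], bp["length"], dr0_3[bp["slot"]]))
    return findings


def build_dr7(slot: int, rw: int, length_code: int, local: bool = True) -> int:
    """Assemble a DR7 value arming one slot, e.g. a BPM-style data breakpoint."""
    dr7 = DR7_RESERVED
    dr7 |= 1 << (2 * slot if local else 2 * slot + 1)
    dr7 |= (rw & 0b11) << (16 + 4 * slot)
    dr7 |= (length_code & 0b11) << (18 + 4 * slot)
    return dr7


if __name__ == "__main__":
    # 0x400: nothing armed; 0x700: LE/GE; constructed: DR0 read/write, 4 bytes
    for value in (0x400, 0x700, build_dr7(0, 3, 3)):
        print(hex(value), decode_dr7(value))
```

The reading matters for the defender side of this trick: a single 4-byte memory breakpoint is enough to leave DR7 visibly different from the 0x400 baseline, so the "disable or clear breakpoints" warning above is exactly what the decoder shows.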

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
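The breakpoint conditions listed for methods 11 and 12, like the ones given for the earlier methods, only work once the sample is already running under SoftICE. The same constants can also be searched for statically when triaging a packed file. The following added example (not from the original post, and not any tool the post mentions) does that: it encodes the instruction sequences of methods 01-07 and 12 and the device-name strings of method 11 as byte patterns, using the standard x86 opcode encodings (mov r16,imm16 = B8+r, mov ebp,imm32 = BD, mov ah,imm8 = B4, int 3 = CC, int n = CD n, cmp ax,imm16 = 3D, push imm32 = 68), and scans a buffer for them. The signature names, the scan/methods_found helpers and the SAMPLE buffer are constructed for this example; an optional 66h prefix is accepted so 16-bit and 32-bit code both match.

```python
import re

# Added example, not part of the original post: an analyst-side static scanner
# for the instruction sequences and strings used by the SoftICE checks above
# (methods 01-07, 11 and 12). Opcode encodings are standard x86:
#   B8+r iw = mov r16,imm16   BD id = mov ebp,imm32   B4 ib = mov ah,imm8
#   CC = int 3   CD ib = int imm8   3D iw = cmp ax,imm16   68 id = push imm32
# An optional 66h operand-size prefix is accepted so that both 16-bit and 32-bit
# code match. The sample blob at the end is constructed for this example.

SIGNATURES = [
    ("01 BoundsChecker marker: mov ebp,4243484Bh ('BCHK')",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02 int 3 back door: mov si,4647h ... mov di,4A4Dh",
     rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A"),
    ("03 int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\x66?\xB8\x84\x16\x66?\xBB\x02\x02\xCD\x2F"),
    ("04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\x66?\xB8\x84\x16\x66?\xBB\x5F\x7A\xCD\x2F"),
    ("05 int 41h/4Fh followed by cmp ax,0F386h",
     rb"\x66?\xB8\x4F\x00\xCD\x41.{0,24}?\x66?\x3D\x86\xF3"),
    ("07 int 68h/43h",
     rb"\xB4\x43\xCD\x68"),
    ("11 MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("12 VxDCall VWIN32_Int41Dispatch: push 4Fh ; push 2A002Ah",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
]

COMPILED = [(desc, re.compile(pat, re.DOTALL)) for desc, pat in SIGNATURES]


def scan(blob: bytes) -> list:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for desc, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), desc))
    return sorted(hits)


def methods_found(blob: bytes) -> list:
    """The method numbers (as numbered in the text above) whose signature appears."""
    return sorted({desc[:2] for _, desc in scan(blob)})


# Constructed sample: fragments modelled on the listings above, with NOP filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"             # method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"         # method 02, AX=0911h
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                 # method 05
    + b"\x00\\\\.\\SICE\x00"                              # method 11 string
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"         # method 12
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print("%#06x  %s" % (offset, desc))
```

Byte patterns this short can occur by chance in data sections, so a hit is a triage pointer to disassemble at that offset, not proof of an anti-debug check; the registry-key method (13) and the ring-0 VMM calls (09, 14) leave no fixed byte sequence and are not covered.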

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
            </PRE></TD></TR></TBODY></TABLE>