
            About anti-SoftICE tricks

1#
Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered the open: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>