About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

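A static scanner for the byte sequences and strings that Methods 01-05, 07, 11, 12 and 13 above rely on, added here as an illustration and not part of the original post or of any tool it mentions. The opcode bytes are hand-assembled from the listings, the sample blob is constructed, and the tice_offset helper shows where the 0x13 and 0x37 offsets in the _regopenkey breakpoint come from.

```python
"""Static scanner for the anti-SoftICE checks catalogued in this write-up.
Added example, not part of the original post.  It flags the x86 byte
sequences and the driver/registry strings the methods rely on, so a binary
can be triaged before it is run under a debugger.  Opcode bytes are
hand-assembled from the listings; the scanner assumes the instructions are
not obfuscated or split apart (short wildcard gaps are tolerated)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    offset: int     # byte offset of the match in the scanned blob
    method: str     # which method of the write-up the match corresponds to


# Opcode-level signatures.  '.{0,n}?' tolerates the odd instruction between
# the characteristic ones, as in the Haspinst dump of Method 02.
_OPCODE_SIGS = [
    ("M01 mov ebp,'BCHK' / int 3", rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("M02 backdoor magic si=4647h di=4A4Dh",
     rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46"),
    ("M03/M04 int 2Fh/1684h with SICE or SIWVID VxD ID",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("M05 int 41h/4Fh debugger check", rb"\xB8\x4F\x00.{0,4}?\xCD\x41"),
    ("M07 int 68h/43h WinICE handler check", rb"\xB4\x43.{0,4}?\xCD\x68"),
    ("M12 VxDCall VWIN32_Int41Dispatch fn 4Fh", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("cmp ax,0F386h (system-debugger magic)", rb"\x66?\x3D\x86\xF3"),
]

# String-level signatures (Methods 11 and 13), matched as ANSI and UTF-16LE
# since the wide CreateFileW/RegOpenKeyW variants are just as common.
_STRING_SIGS = [("M11 MeltICE device name", s)
                for s in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")]
_STRING_SIGS += [("M13 SoftICE registry key", s)
                 for s in (r"Software\NuMega\SoftICE", r"\Uninstall\SoftICE",
                           r"\App Paths\Loader32.Exe")]

_COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in _OPCODE_SIGS]
for _name, _text in _STRING_SIGS:
    for _enc in ("latin-1", "utf-16-le"):
        _COMPILED.append((_name, re.compile(re.escape(_text.encode(_enc)),
                                            re.IGNORECASE)))


def scan(blob: bytes) -> List[Finding]:
    """Return every signature hit in blob, deduplicated and ordered by offset."""
    hits = {Finding(m.start(), name)
            for name, rx in _COMPILED for m in rx.finditer(blob)}
    return sorted(hits)


def tice_offset(subkey: str) -> int:
    """Offset of 'tICE' inside a RegOpenKey subkey string: this is where the
    0x13 and 0x37 in the 'BPX _regopenkey' condition of Method 13 come from."""
    return subkey.find("tICE")


# Constructed sample: a Method 01 stub, a Method 03 stub, a MeltICE device
# name and a wide registry path, padded with filler that must stay silent.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + b"\x00" * 8
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # Method 03
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                            # Method 11
    + "Software\\NuMega\\SoftICE\x00".encode("utf-16-le")            # Method 13
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  {hit.method}")
```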
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
          </PRE></TD></TR></TBODY></TABLE>