          About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
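As an added example (not part of the original text), here is a small static triage script an analyst can run over a packed executable before loading it in a debugger: it scans the raw bytes for the instruction sequences and driver names of Methods 01, 02, 03/04, 05, 07, 11 and 12 above and reports which anti-SoftICE checks are present and where. The byte patterns use the standard x86 encodings of the quoted instructions, and the sample blob is constructed for the demonstration, not taken from any of the files named above.

```python
import re
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    method: str     # method number as used in the text above
    desc: str
    pattern: bytes  # regex over raw bytes


# Byte patterns for the detection sequences quoted above, using the standard
# x86 encodings (an optional 66h operand-size prefix covers the 32-bit forms).
# The lazy ".{0,n}?" gaps tolerate a few interleaved instructions.
RULES = [
    # mov ebp,4243484Bh ('BCHK') ... mov ax,4 ... int 3
    Rule("01", "BoundsChecker 'BCHK' signature check via int 3",
         rb"\xbd\x4b\x48\x43\x42.{0,8}?\xb8\x04\x00.{0,4}?\xcc"),
    # mov si,4647h ... mov di,4A4Dh ... int 3  (SoftICE back door magic values)
    Rule("02", "SoftICE back door call (SI=4647h, DI=4A4Dh)",
         rb"(?:\x66)?\xbe\x47\x46.{0,8}?(?:\x66)?\xbf\x4d\x4a.{0,8}?\xcc"),
    # mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID) ... int 2Fh
    Rule("03/04", "int 2Fh/1684h VxD entry point lookup for SICE or SIWVID",
         rb"(?:\x66)?\xbb(?:\x02\x02|\x5f\x7a).{0,6}?\xcd\x2f"),
    # mov ax,4Fh ... int 41h
    Rule("05", "int 41h function 4Fh debugger check",
         rb"(?:\x66)?\xb8\x4f\x00.{0,4}?\xcd\x41"),
    # mov ah,43h ... int 68h
    Rule("07", "int 68h/43h WinICE V86 handler check",
         rb"\xb4\x43.{0,4}?\xcd\x68"),
    # the driver names opened by MeltICE ("\\.\SICE" etc.)
    Rule("11", "MeltICE driver name (CreateFileA/_lopen)",
         rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # push 4Fh ; push 002A002Ah  (VWIN32_Int41Dispatch through VxDCall)
    Rule("12", "VxDCall VWIN32_Int41Dispatch function 4Fh",
         rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
COMPILED = [(rule, re.compile(rule.pattern, re.DOTALL)) for rule in RULES]


def scan(blob: bytes) -> List[Tuple[str, int, str]]:
    """Return (method, offset, description) for every hit, in file order."""
    hits = [(rule.method, m.start(), rule.desc)
            for rule, rx in COMPILED for m in rx.finditer(blob)]
    return sorted(hits, key=lambda h: h[1])


def methods_found(blob: bytes) -> List[str]:
    """Distinct method numbers that fired, sorted, for a one-line verdict."""
    return sorted({h[0] for h in scan(blob)})


# Constructed sample "binary": NOP/zero filler with the Method 01, 02, 05 and
# 11 sequences spliced in. It is not taken from any real file.
SAMPLE = (
    b"\x90" * 16
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # Method 01
    + b"\x00" * 8
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"          # Method 02
    + b"\x00" * 8
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"                  # Method 05
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # Method 11
    + b"\x90" * 16
)

if __name__ == "__main__":
    for method, offset, desc in scan(SAMPLE):
        print(f"offset 0x{offset:04x}: Method {method}: {desc}")
    print("methods found:", ", ".join(methods_found(SAMPLE)))
```

Run it against a real file with `scan(open(path, "rb").read())`; a hit only tells you where to set the corresponding BPX from the text, it does not prove the code is reached.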