

      汶上信息港

Title: About anti-SoftICE tricks

Author: hbhdgpyz    Time: 2008-9-28 16:34
Title: About anti-SoftICE tricks
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
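Most of the tricks in the post leave fixed byte sequences in the protected binary (the 'BCHK' constant of method 01, the 4647h/4A4Dh magic of method 02, int 41h/4Fh, the 002A002Ah VxDCall word of method 12, the `\\.\SICE` device names and the NuMega registry path). The scanner below turns those into signatures and runs them over a buffer. It is an added example written for this page; it is not code from the original post nor from any of the packers, protectors or tools the post names. The byte encodings are the standard x86 ones for the quoted instructions; the tolerated gap between key instructions (`.{0,N}?`) and the sample buffer are constructed assumptions for the demonstration.

```python
"""Static scanner for the anti-SoftICE byte patterns quoted in the post above.

Added example, not code from the original post or from any tool it names.
Each signature encodes an instruction sequence the post shows; the gap widths
(.{0,N}?) between key instructions are an assumption that tolerates a few
unrelated bytes in between.
"""
import re
import sys
from typing import List, Tuple

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3 ; cmp al,4
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC.{0,4}?\x3C\x04", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (SoftICE back door magic)
    ("02 SoftICE back door (SI=4647h, DI=4A4Dh, int 3)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F", re.S)),
    # Methods 05/06: mov ax,4Fh ; int 41h  (reply 0F386h means a system debugger)
    ("05/06 int 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("07 int 68h/43h WinICE V86 handler check",
     re.compile(rb"\xB4\x43.{0,6}?\xCD\x68.{0,6}?\x3D\x86\xF3", re.S)),
    # Method 11: device names opened with CreateFileA / _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh ; push 002A002Ah  (VxDCall VWIN32_Int41Dispatch)
    ("12 VxDCall VWIN32_Int41Dispatch(4Fh)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key under HKLM
    ("13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature label, offset) for every hit, sorted by offset."""
    hits = [(label, m.start()) for label, rx in SIGNATURES for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h[1])


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Scan a file on disk (a DOS .exe, a Win9x PE, a raw dump) with the same signatures."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample (not a real binary): filler bytes, then methods 01, 05,
# 12, 11 and 13 laid out back to back. Offsets: 01 at 3, 05 at 23, 12 at 39,
# the two device names at 56 and 65, the registry key at 75.
SAMPLE = (
    b"\x55\x8B\xEC"                                                        # push ebp / mov ebp,esp
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"          # Method 01
    + b"\x90" * 6
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                          # Method 05
    + b"\x90" * 6
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"  # Method 12
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"                              # Method 11 strings
    + b"Software\\NuMega\\SoftICE\x00"                                     # Method 13 string
)


if __name__ == "__main__":
    # Usage: python scanner.py [file]; with no argument the constructed sample is scanned.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for label, off in results:
        print(f"{off:08x}  {label}")
```

The signatures for methods 03/04 and 05/06 only anchor on the `mov`/`int` pair and not on the `cmp`, because the post itself shows the comparison written several ways (with and without the `h` suffix, via a replaced handler in method 06). Method 10 (reading DR0-DR7) and method 14 (Test_Debug_Installed) have no useful fixed byte pattern from the text and are deliberately not in the list; a hit is a reason to look at the code, not proof of protection.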




Welcome to 汶上信息港 (http://yh18.cn/) Powered by Discuz! X3.5