Using IceExt 0.70 [help wanted]
Posted: 2007-1-1 23:49

Using IceExt 0.70
In 7.0,
how do you hide it..?

//////////////////////////////////////////////////////////////////////
eXTreme tRaCer engine is an additional set of commands for the IceExt plugin under
SoftIce. These are "!trace", "!trcinit" and "!trccode", with which you can execute
step-by-step code tracing while checking for the conditions you need.

So, how to use this stuff:

!TRCINIT

First, initialize the tracer with the "!trcinit" command. As its parameter, the
command takes the condition at which the tracer will stop. Currently, a
condition can use:
- all register names (eax, bx, dl, etc.);
- comparison operators (<, >, >=, etc.);
- the logical operators || and &&;
- brackets, which set the evaluation order;
- pointer dereferences *(dword *), *(word *), *(byte *);
- strings on the right-hand side of a condition, 'some_string';
- symbol names loaded in SoftIce.

For example,
!trcinit (eax == 5 && (ebx >= 0x6 || ecx != edx)) || al < ah && ecx == 7

The condition parser is case-insensitive. You can also save room on SoftIce's
short command line by leaving out the spaces.

For example,
!trcinit
(EaX==5&&(eBx>=0x6||
ECX!=edx))||
al<AH&&ecx==7

Although you can use brackets to set the evaluation order, remember that without
brackets the operator precedence is the same as in C, i.e. the "&&" operation has
higher priority than the "||" operation.

For example,
!trcinit eax != ebx && *ecx == 'MZ' || dl == 5 && esi >= MessageBoxA
condition will be equivalent to
!trcinit (eax != ebx && *ecx == 'MZ') || (dl == 5 && esi >= MessageBoxA)

The condition parser treats all numbers as hexadecimal.

Pointers work much as they do in the C language. Some possible examples:

*eax == 'some_string'
*esi == 0CD,2E
*eax == 1,2,'some_string',0D,0A,'some_other_string',0,20,20
*eax == *eax
**(byte **)eax == al
**(word **)eax != *(word *)ebx
dl != ***ecx
*00401000 == *edx
*00402000 == MessageBoxA

In the condition !trcinit *eax == dl the right-hand side of the expression is
extended to type dword. If you want to compare directly with the dl register,
you need to cast the types, as in

*(byte *)eax == dl

!TRACE

Now start the tracing with the "!trace count [eip_when_P]" command. The first
parameter of this command is the number of instructions to trace. The second
parameter (optional) is the address above which (or at which) the tracer will
execute the SoftIce "P" command. If no second parameter is given, the tracer
keeps tracing into any address it meets.

For example,
!trace 10000 0x77000000
or
!trace 10000 MessageBoxA

When a stop happens, the tracer shows the number of traced commands in decimal
format.

The checks are made in the following order:
- the condition you set is checked (on "yes" the stop happens);
- likewise, the number of traced commands is checked;
- the current value of eip is checked to decide whether to execute "P".

!TRCCODE

This command exists purely for debugging. The "!trcinit" command compiles the
condition you enter directly into executable code, which is called at the
beginning of the int1 handler. With the "!trccode" command you can see that
compiled code.

If you write a condition which you are sure must be met by the tracer, and the
tracer does not stop at it at all, it means the condition you entered was
compiled incorrectly. In this case please let me know about it at godness@omen.ru

Some general points should be noted:

- Even if you write a wrong tracing condition, the minimal code needed for the
   tracer to function normally is still compiled. Therefore you can start the
   tracer UNDER ANY CONDITION.

- At present, "P" commands are executed by SoftIce, not by the tracer, so for
   the traced procedure the corresponding records are added to SoftIce's log.
   As a simple experiment revealed, executing the "P" command slows the overall
   trace down by 30 times.

- In general, using the "P" command is not recommended (it is kept only as a
   special feature), since if the function does not return, SoftIce loses
   control of the code, and accordingly so does the tracer.

- The tracer counts a "P" command execution as one traced instruction.

- If you do not want to wait while the tracer finishes its job, you can stop it
   as follows. Press Ctrl-D, SoftIce will pop up on the screen, and to stop
   trace mode simply type "!trace 1".
////////////////////////////////////////////////////////////////////
I've read the help text but don't really understand it!!

Could someone explain it in detail?
1.
C:\>iceext -s
IceExt has been successfuly started.
2.
Ctrl+D
!trcinit (eax == 5 && (ebx >= 0x6 || ecx != edx)) || al < ah && ecx == 7
Is this how it's done?

Why can't I hide it?
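The condition grammar the quoted readme describes (register names and their 8/16-bit parts, hex numbers, loaded symbol names, comparisons, "&&" binding tighter than "||", bracketed sub-expressions and C-style pointer casts where an uncast pointer is read as a dword) as a small Python evaluator, added here as an illustration; it is not IceExt's code nor part of this post. The register values, the memory image at 0x401000 and the MessageBoxA address are constructed, and string and byte-list comparisons are left out.

```python
import re, operator as op

# Constructed sample state (not from the page): registers, a memory image at 0x401000, one symbol.
REGS = {"eax": 0x0105, "ebx": 0x6, "ecx": 0x7, "edx": 0x1200, "esi": 0x401000}
SYMBOLS = {"messageboxa": 0x77D5058A}                       # symbol names resolve case-insensitively
IMG_BASE = 0x401000                                         # *00401000 -> 00402000, *00402000 -> MessageBoxA
IMG = (0x402000).to_bytes(4, "little") + bytes(0xFFC) + SYMBOLS["messageboxa"].to_bytes(4, "little")
PARTS = {r[1:]: (r, 0, 0xFFFF) for r in REGS}              # ax..si as (parent register, shift, mask)
PARTS.update({r[1] + h: (r, 8 * i, 0xFF) for r in list(REGS)[:4] for i, h in enumerate("lh")})  # al..dh
MASKS = {"byte": 0xFF, "word": 0xFFFF, "dword": 0xFFFFFFFF}
CMP = {"==": op.eq, "!=": op.ne, "<": op.lt, ">": op.gt, "<=": op.le, ">=": op.ge}
TOKEN = re.compile(r"\s*(\(\s*(byte|word|dword)\s*\*+\s*\)|[<>=!]=|&&|\|\||[()*<>]|\w+)")

def tokenize(src):                                          # case-insensitive; spaces are optional
    src, ms = src.strip(), list(TOKEN.finditer(src.strip()))
    if sum(len(m[0]) for m in ms) != len(src): raise SyntaxError("bad token in condition")
    return ["cast:" + m[2] if m[2] else m[1].lower() for m in ms]

def read(addr, mask):                                       # little-endian 1/2/4-byte memory read
    off, size = addr - IMG_BASE, mask.bit_length() // 8
    if not 0 <= off <= len(IMG) - size: raise ValueError(f"unmapped address {addr:#x}")
    return int.from_bytes(IMG[off:off + size], "little")

class Cond:                                                 # recursive descent with C precedence
    def __init__(self, src): self.t, self.i = tokenize(src), 0
    def peek(self): return self.t[self.i] if self.i < len(self.t) else None
    def take(self): tok = self.peek(); self.i += 1; return tok
    def evaluate(self): v = self.expr(); assert self.peek() is None, "trailing tokens"; return v  # 1 = stop
    def expr(self, lvl=0):                                  # lvl 0: '||' chain, 1: '&&' chain, 2: compare
        v = self.expr(lvl + 1) if lvl < 2 else self.term()
        if lvl == 2:
            return int(CMP[self.take()](v, self.term())) if self.peek() in CMP else v
        while self.peek() == ("||", "&&")[lvl]:             # '&&' binds tighter than '||', as in C
            self.take(); r = self.expr(lvl + 1); v = int(bool(v or r) if lvl == 0 else bool(v and r))
        return v
    def term(self):
        if self.peek() == "(": self.take(); v = self.expr(); assert self.take() == ")"; return v
        stars, mask = 0, MASKS["dword"]                     # an uncast pointer is read as a dword
        while self.peek() == "*": self.take(); stars += 1
        if stars and str(self.peek()).startswith("cast:"): mask = MASKS[self.take()[5:]]
        v = self.operand(self.take())
        for n in range(stars):                              # only the innermost read uses the cast size
            v = read(v, mask if n == stars - 1 else MASKS["dword"])
        return v
    def operand(self, tok):
        if tok in PARTS: reg, shift, mask = PARTS[tok]; return (REGS[reg] >> shift) & mask
        if tok in REGS or tok in SYMBOLS: return {**REGS, **SYMBOLS}[tok]
        if re.fullmatch(r"(0x)?[0-9a-f]+", str(tok)): return int(tok, 16)   # every number is hex
        raise SyntaxError(f"unknown operand {tok!r}")
```

Cond("...").evaluate() returns 1 where the tracer would stop on the sample state and 0 where it would keep going; the two readme spellings of the same condition, spaced and compact, tokenize identically.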

Latest replies (2)
!PROTECT                hides SoftICE

For more, use the !HELP command.
2007-1-2 09:43
Brother KanXue,
it works after all
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
!PROTECT ON
reports
unable to patch UnhandleExceptionFilter
UnhandleExceptionFilter protection is OFF
The other ones are all  ON
But it still gets detected,
is there any new method?

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
2007-1-2 14:43