About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; SoftICE's BoundsChecker interface alters al
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)


The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; es must address the IVT (segment 0) for the vector swap
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; point int 41h at the dummy handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                 ; with no system debugger this just hits the iret: ax stays 4fh
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC           ; dummy handler: records al so we can tell it ran
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install the dummy handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; an arbitrary, varying value (timer port)
    xor     cx,cx
    int     41h             ; reaches the dummy handler only if nobody intercepts int 41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al: the handler never ran, a debugger answered instead
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                       ; DOS set interrupt vector
    mov     al, Int_Number                ; 01h or 03h
    mov     dx, offset New_Int_Routine    ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* MeltICE-style check: try to open the SoftICE Win9x driver by name. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
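As an added example (not part of the original article, and not a NuMega or SoftICE tool): a small Python triage scanner an analyst can run over a raw code image to flag the byte sequences quoted in methods 01 to 13 above. The opcode encodings and the constructed sample image are my own assumptions, hand-assembled from the listings; they cover only the plain immediate forms shown in the text.

```python
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    method: str   # which method of the article the signature corresponds to
    offset: int   # byte offset of the match in the scanned image
    detail: str


# Byte signatures for the sequences quoted in the article, using the plain
# immediate encodings (assumed): BD imm32 = mov ebp, BE/BF imm16 = mov si/di,
# B8/BB imm16 = mov ax/bx, B4 imm8 = mov ah, CD xx = int xx, 3D imm16 = cmp ax,
# 6A/68 = push. Variants that load the values through registers or memory
# are not covered, so treat a hit as a triage lead, not as proof.
SIGNATURES = [
    ("Method 01", "mov ebp,4243484Bh ('BCHK') before int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("Method 02", "SI=4647h / DI=4A4Dh magic values before int 3 (back door)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    ("Method 03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    ("Method 04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    ("Method 05", "mov ax,4Fh / int 41h debugger installation check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("Method 05/07", "int 41h or int 68h followed by cmp ax,0F386h",
     re.compile(rb"\xCD[\x41\x68].{0,12}?\x3D\x86\xF3", re.DOTALL)),
    ("Method 07", "mov ah,43h / int 68h (WinICE V86 handler)",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("Method 11", "MeltICE driver name passed to CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    ("Method 12", "push 4Fh / push 002A002Ah before VxDCall",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("Method 13", "SoftICE registry key string",
     re.compile(rb"Software\\NuMega\\SoftICE")),
]


def scan(image: bytes) -> List[Hit]:
    """Return every signature hit in the image, ordered by offset."""
    hits = [Hit(method, m.start(), detail)
            for method, detail, pattern in SIGNATURES
            for m in pattern.finditer(image)]
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample image: hand-assembled fragments of the article's
# listings padded with NOPs; not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00\xCC"              # mov ax,4 / int 3
    + b"\x3C\x04\x75\x10"                  # cmp al,4 / jnz
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17"              # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xB8\x4F\x00\xCD\x41"              # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x05"              # cmp ax,0F386h / jz
    + b"\\\\.\\SICE\x00"                   # "\\.\SICE",0
    + b"Software\\NuMega\\SoftICE\x00"     # registry key #2
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:04x}  {hit.method:<12} {hit.detail}")
```

The registry and driver-name strings also live in data sections, so scan the whole file, not just the code section; the 0F386h compare is only reported when an int 41h/68h precedes it, to keep the weak 3-byte pattern from firing on its own.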