About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap our own handler into the IVT
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
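As an added example (not part of the original post), here is a small static scanner an analyst can run over a file image to flag the byte patterns of the tricks catalogued above, so a protected binary's anti-SoftICE checks can be located before tracing it. The opcode encodings are assumed to be standard x86 (16-bit code for the DOS interrupt tricks, 32-bit for the Win32 ones), and the SAMPLE blob is constructed for the demo, not taken from a real program.

```python
import re

# Byte-level signatures for the SoftICE checks described in this post.
# Encodings are standard x86: 16-bit code for the DOS-era interrupt tricks
# (methods 02-07), 32-bit for the Win32 ones (methods 01, 12). The small
# ".{0,n}" gaps tolerate a few instructions between the tell-tale operands.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' check: mov ebp,4243484Bh ... int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}(?:\xCC|\xCD\x03)"),
    ("02", "back door magic values: mov si,4647h / mov di,4A4Dh ... int 3",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}(?:\xCC|\xCD\x03)"),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,4}\xBB(?:\x02\x02|\x5F\x7A).{0,4}\xCD\x2F"),
    ("05/06", "int 41h function 4Fh debugger-installed check",
     rb"\xB8\x4F\x00.{0,4}\xCD\x41"),
    ("07", "int 68h function 43h (V86 WinICE handler)",
     rb"\xB4\x43.{0,4}\xCD\x68"),
    ("11", "MeltICE driver handle names",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh; push 002A002Ah",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry keys",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(mid, desc, re.compile(pat, re.DOTALL)) for mid, desc, pat in SIGNATURES]


def scan(blob: bytes):
    """Return (offset, method_id, description) for every signature hit, by offset."""
    hits = []
    for mid, desc, pattern in COMPILED:
        for m in pattern.finditer(blob):
            hits.append((m.start(), mid, desc))
    return sorted(hits)


def methods_found(blob: bytes):
    """Sorted, de-duplicated method ids whose signature appears in the blob."""
    return sorted({mid for _, mid, _ in scan(blob)})


# Constructed sample (not a real binary): several of the tricks above glued
# together with NOP/zero filler, so the offsets are known in advance.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"       # 01: mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"   # 02: mov ax,0911h; si/di magic; int 3
    + b"\x00" * 5
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"               # 03: mov ax,1684h; mov bx,0202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"               # 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"               # 11: MeltICE device names
    + b"Software\\NuMega\\SoftICE\x00"                  # 13: registry key
)

if __name__ == "__main__":
    for offset, mid, desc in scan(SAMPLE):
        print(f"0x{offset:04X}  method {mid:5}  {desc}")
```

To scan a real file, pass `open(path, "rb").read()` to `scan()`; a hit only marks a candidate site, so confirm it in a disassembler before setting breakpoints there.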