About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es must point to segment 0 (the IVT), as set up in method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
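Seen from the analyst's side, most of the tricks above boil down to fixed byte patterns in the protected file: the 'BCHK' constant of method 01, the 4647h/4A4Dh magic values of method 02, the int 2Fh/1684h sequences of methods 03 and 04, the 0F386h comparison shared by methods 05, 07 and 12, the VxDCall arguments of method 12, the device names of method 11 and the registry path of method 13. The following scanner is an added example of my own (it is not code from the original post, from Stone's stn-wid.zip or from any NuMega tool) that flags those patterns in a raw binary image so a sample's anti-SoftICE checks can be spotted statically before it is run under a debugger. The opcode encodings are the standard x86 ones; the test image, the method labels and the function names are constructed for this example.

```python
import struct
from typing import List, Tuple

# Signature table for the anti-SoftICE tricks listed above (added example,
# not part of the original text). Each entry: (method, description, bytes).
# Standard x86 encodings: B8+r iw/id = mov reg,imm; 3D iw = cmp ax,imm16;
# CD ib = int imm8; 68 id = push imm32. Immediates are little-endian, which is
# why the 'BCHK' constant 4243484Bh of method 01 appears as 4B 48 43 42.
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "mov ebp,4243484Bh ('BCHK' BoundsChecker signature)",
     b"\xBD" + struct.pack("<I", 0x4243484B)),
    ("02", "mov si,4647h (SoftICE back-door magic value)",
     b"\xBE" + struct.pack("<H", 0x4647)),
    ("02", "mov di,4A4Dh (SoftICE back-door magic value)",
     b"\xBF" + struct.pack("<H", 0x4A4D)),
    ("03", "mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD entry point)",
     b"\xB8" + struct.pack("<H", 0x1684) + b"\xBB" + struct.pack("<H", 0x0202) + b"\xCD\x2F"),
    ("04", "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD entry point)",
     b"\xB8" + struct.pack("<H", 0x1684) + b"\xBB" + struct.pack("<H", 0x7A5F) + b"\xCD\x2F"),
    ("05", "cmp ax,0F386h (debugger magic number; also methods 07 and 12)",
     b"\x3D" + struct.pack("<H", 0xF386)),
    ("12", "push 4Fh / push 002A002Ah (VxDCall VWIN32_Int41Dispatch)",
     b"\x68" + struct.pack("<I", 0x4F) + b"\x68" + struct.pack("<I", 0x002A002A)),
    ("11", "device name \\\\.\\SICE (MeltICE / _lopen variant)", b"\\\\.\\SICE"),
    ("11", "device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    ("11", "device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
    ("13", "registry path Software\\NuMega\\SoftICE", b"Software\\NuMega\\SoftICE"),
]
# Note: the 3-byte patterns (methods 02 and 05) are short enough to hit by
# chance in large images; treat a lone hit on them as a lead, not a verdict.
# In 32-bit code "cmp ax,imm16" carries a 66h prefix, which the pattern does
# not anchor on, so both 16-bit and 32-bit encodings are found.


def scan(image: bytes) -> List[Tuple[int, str, str]]:
    """Return every (offset, method, description) hit, sorted by offset."""
    hits: List[Tuple[int, str, str]] = []
    for method, description, pattern in SIGNATURES:
        pos = image.find(pattern)
        while pos >= 0:
            hits.append((pos, method, description))
            pos = image.find(pattern, pos + 1)
    return sorted(hits)


def detected_methods(image: bytes) -> List[str]:
    """Distinct method numbers whose signature appears in the image."""
    return sorted({method for _, method, _ in scan(image)})


def build_constructed_sample() -> bytes:
    """Constructed test image (not taken from any real file): NOP filler around
    a hand-assembled method 01 stub and the strings of methods 11 and 13."""
    # mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4 ; jnz $+2
    method01 = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7500")
    meltice = b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
    registry = b"Software\\NuMega\\SoftICE\x00"
    filler = b"\x90" * 16
    return filler + method01 + filler + meltice + filler + registry + filler


if __name__ == "__main__":
    image = build_constructed_sample()
    for offset, method, description in scan(image):
        print(f"{offset:08x}  method {method}  {description}")
    print("methods present:", ", ".join(detected_methods(image)))
```

To use it on a real sample, read the file as bytes and pass it to `scan`; for PE files the offsets are file offsets, so map them to RVAs with the section table before setting a breakpoint on them.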