About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: an int 3
issued with 'BCHK' in EBP and AX=4 is answered by SoftICE, and AL no
longer holds 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one).  It uses the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It asks for the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI is set to its
API entry point, otherwise ES:DI stays 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers when int 41h, function 4Fh (debugger installation check)
is called.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net).  Here the int 41h vector is first
swapped with a plain iret handler (and swapped back afterwards), so that
without a debugger the call returns with AX unchanged:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method, similar to the preceding one but more difficult to detect.
The replacement handler copies AL into CL; AL is seeded from timer port
40h and CX is cleared before the int 41h, so afterwards CL equals AL only
if the program's own handler ran.  If a debugger services int 41h itself
and never chains to the vector, the handler never runs and the compare
fails.  Note that neither function 4Fh nor the value 0F386h appears
anywhere:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the open succeeded, so the driver is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 ( 鲁ICP备19052200号-1 )

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.