About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to already hold 0 (IVT segment),
    lea     dx, int41handler2       ; as set up explicitly in Method 06
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
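
As an added illustration of the register reads Method 10 describes, here is a Python decoder of DR7's documented x86 bit layout (editor-added code, not part of the original post); it shows why 0x400 is the idle baseline, what 0x700 (LE and GE set) means, and which of dr0-dr3 a BPM would arm. The sample values and the `describe` helper are constructed for the example.

```python
# Added example: decode DR7 so the values quoted in Method 10 become explicit.
# Bit positions follow the documented x86 DR7 layout; sample values are constructed.

LE, GE, RESERVED_BIT10, GD = 1 << 8, 1 << 9, 1 << 10, 1 << 13
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}

def decode_dr7(dr7):
    """Return the global flags plus one entry per enabled debug address register."""
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3 live at bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3 live at bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11     # R/W0..3 at bits 16,20,24,28
        ln = (dr7 >> (18 + 4 * i)) & 0b11     # LEN0..3 at bits 18,22,26,30
        armed.append({"reg": "dr%d" % i, "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"le": bool(dr7 & LE), "ge": bool(dr7 & GE), "gd": bool(dr7 & GD),
            "armed": armed}

def describe(dr7, dr0_3=(0, 0, 0, 0)):
    """Human-readable lines mirroring the two things Method 10 looks at."""
    info = decode_dr7(dr7)
    lines = []
    if info["le"] and info["ge"]:
        lines.append("LE|GE set: the 0x700 value the text attributes to the SoftICE loader")
    elif dr7 == RESERVED_BIT10:
        lines.append("only the always-set bit 10 (0x400): no exact-breakpoint flags, no BPMs")
    for bp in info["armed"]:
        idx = int(bp["reg"][2])
        lines.append("%s %s %s breakpoint, %d byte(s) at 0x%08X" % (
            bp["reg"], bp["scope"], bp["kind"], bp["len"], dr0_3[idx]))
    return lines

if __name__ == "__main__":
    # Constructed values: idle, loader-style, a local 4-byte read/write BPM in dr0,
    # and a global 2-byte write BPM in dr2.
    for value in (0x400, 0x700, 0xF0401, 0x05000420):
        print("dr7=0x%08X" % value)
        for line in describe(value, (0x00401000, 0, 0x00403000, 0)):
            print("  " + line)
```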

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
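Added example, not from the original post: a static signature scanner, written here in Python, for the byte sequences and strings the methods above rely on (Methods 01-05, 07, 11, 12 and 13), the kind of check an analyst runs over a sample before stepping through it. The patterns are encoded from the listings above using standard x86 opcode encodings; `SAMPLE` is a constructed buffer, not an excerpt from any real program.

```python
import re

# Byte signatures taken from the listings above. Encodings: mov r16,imm16 = B8+r iw;
# mov ebp,imm32 = BD id (a 66h prefix in 16-bit code precedes and still matches);
# int N = CD ib; push imm8 = 6A ib; push imm32 = 68 id; cmp ax,imm16 = 3D iw.
BYTE_SIGS = [
    ("Method 01: mov ebp,4243484Bh ('BCHK') before int 3", rb"\xBD\x4B\x48\x43\x42"),
    ("Method 02: mov si,4647h ... mov di,4A4Dh (int 3 backdoor)",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("Method 03: mov bx,0202h ; int 2Fh (SICE VxD ID)", rb"\xBB\x02\x02\xCD\x2F"),
    ("Method 04: mov bx,7A5Fh ; int 2Fh (SIWVID VxD ID)", rb"\xBB\x5F\x7A\xCD\x2F"),
    ("Method 05: mov ax,4Fh ; int 41h", rb"\xB8\x4F\x00\xCD\x41"),
    ("Method 05/07/12: cmp ax,0F386h (debugger magic number)", rb"\x3D\x86\xF3"),
    ("Method 07: mov ah,43h ; int 68h", rb"\xB4\x43\xCD\x68"),
    ("Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
# String signatures: device names from Method 11, registry paths from Method 13.
STRING_SIGS = [
    ("Method 11: device name", [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"]),
    ("Method 13: registry key", [rb"Software\NuMega\SoftICE", rb"Uninstall\SoftICE",
                                 rb"App Paths\Loader32.Exe"]),
]

def compile_sigs():
    """Compile byte patterns; each string pattern is added in ASCII and UTF-16LE."""
    sigs = [(label, re.compile(pat, re.DOTALL)) for label, pat in BYTE_SIGS]
    for label, names in STRING_SIGS:
        for name in names:
            text = name.decode("ascii")
            sigs.append(("%s %s (ascii)" % (label, text), re.compile(re.escape(name))))
            sigs.append(("%s %s (utf-16le)" % (label, text),
                         re.compile(re.escape(text.encode("utf-16-le")))))
    return sigs

def scan(data):
    """Return (offset, label) for every signature hit in data, sorted by offset."""
    hits = []
    for label, rx in compile_sigs():
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)

# Constructed sample image: Method 01 sequence, Method 02 with a two-byte gap,
# an ASCII and a UTF-16LE device name, then Method 12's two pushes.
SAMPLE = (b"\x90" * 4
          + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"
          + b"\x90" * 3
          + b"\xBE\x47\x46\x90\x90\xBF\x4D\x4A\xCC"
          + rb"\\.\SICE" + b"\x00"
          + "\\\\.\\NTICE".encode("utf-16-le")
          + b"\x6A\x4F\x68\x2A\x00\x2A\x00")

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print("0x%04X  %s" % (offset, label))
```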