About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - ds:dx points to the command)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes es = 0 so that es:[41h*4] addresses the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the SoftICE Win9x driver */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
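As an added example, not part of the original post: a small Python scanner that searches a raw code dump for the byte patterns of the checks described above (Methods 01 to 07, 11 and 12), the kind of triage an analyst runs on a sample to flag anti-debugging code before stepping through it. The encodings are assumed from the exact instruction forms shown in the listings (standard x86 encodings, not the author's data), and the sample buffer is constructed here.

```python
import re

# Byte signatures for the SoftICE checks listed above, assuming the exact
# instruction forms shown in the listings (standard x86 encodings; 16-bit
# code for the DOS ones, 32-bit for Methods 01 and 12).  ".{0,8}?" allows a
# few unrelated bytes between the key instructions.
SIGNATURES = {
    "Method 01 (BCHK signature, int 3)":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\x66\xB8\x04\x00.{0,8}?\xCC",
    "Method 02 (back door int 3, SI=4647h DI=4A4Dh)":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    "Method 03 (int 2Fh/1684h, VxD ID 0202h)":
        rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F",
    "Method 04 (int 2Fh/1684h, VxD ID 7A5Fh)":
        rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F",
    "Method 05 (int 41h/4Fh, magic F386h)":
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3",
    "Method 07 (int 68h/43h, magic F386h)":
        rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?(?:\x66)?\x3D\x86\xF3",
    "Method 12 (VxDCall VWIN32_Int41Dispatch, 4Fh)":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}

# Device names opened by MeltICE (Method 11) and by the _lopen variant.
DEVICE_NAMES = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"]


def scan(data: bytes) -> list:
    """Return sorted (offset, description) pairs for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    for dev in DEVICE_NAMES:
        pos = data.find(dev)
        while pos != -1:
            hits.append((pos, "Method 11 (MeltICE, opens %s)" % dev.decode()))
            pos = data.find(dev, pos + 1)
    return sorted(hits)


# Constructed sample buffer (not a real binary): NOP padding, a Method 01
# check, the Haspinst-style Method 02 sequence, then a MeltICE device name.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                                             # Method 11
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print("0x%04X  %s" % (offset, desc))
```

A hit only shows that the sequence is present; whether it is reached, and under which OS, still has to be confirmed by reading the surrounding code.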