找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>9 H: ]$ c' R5 q& h4 [$ O
<TBODY>  r; [( p: t5 y2 z
<TR>
: x! S0 v; J; |3 Y/ i<TD><PRE>Method 01
1 _) E7 n9 g: n8 n=========6 \4 @7 i( q0 Y9 w; `0 `5 I) P
. Z- k$ C4 y6 l% w% o- g
This method of detection of SoftICE (as well as the following one) is
) u+ c3 E7 c9 B* \% o* bused by the majority of packers/encryptors found on Internet.
3 w8 Q# \1 R$ t8 t" e# uIt seeks the signature of BoundsChecker in SoftICE% A# }7 e: l5 q
) F% {: R7 z6 P1 ~6 Z7 B/ ~
    mov     ebp, 04243484Bh        ; 'BCHK'
# E1 U3 c: h0 Y, R4 Z! W% s$ Z5 a    mov     ax, 04h( L) m  Q8 h" U) t- ~
    int     3      
  w9 T7 t- O, `( J" e, ]) U& u    cmp     al,4" I4 ^' ~- m' R
    jnz     SoftICE_Detected4 U  s' [* q3 F5 V4 o
; n  E) p) T: J) V: S( Z. V
___________________________________________________________________________
! o( M' h+ q4 ]/ Q
! H4 a( E/ R3 [* z1 d$ W# p! G2 sMethod 02
* a/ m1 x0 w* m=========% b3 Z9 t  N0 [- ?2 u# y6 e) h; O6 P1 g
. v2 G" |+ T7 v. P, P: ^
Still a method very much used (perhaps the most frequent one).  It is used, {% m  O1 R; g5 l5 w2 R1 P
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
4 x& j! `7 o. \  ]/ l; G5 y: hor execute SoftICE commands...6 K1 [$ U7 J' ?' \
It is also used to crash SoftICE and to force it to execute any commands
0 `) n) a6 i6 D: L& Z  @(HBOOT...) :-((  
4 C! N0 {  P, g9 U: ^1 \) J2 f3 s0 z) X5 m$ p
Here is a quick description:( \6 \! Q: e3 F8 R
-AX = 0910h   (Display string in SIce windows)1 r+ S, s  Q/ \5 d
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
3 |. s: ~+ f% K$ ^1 K-AX = 0912h   (Get breakpoint infos)5 X4 a. x# I/ j! F2 _
-AX = 0913h   (Set Sice breakpoints)
) o+ F$ E8 I" h( e; U-AX = 0914h   (Remove SIce breakoints)
. Z  f4 u: `9 o. f" f/ Q5 G1 R0 R9 g& o( g# K; `  h  \
Each time you'll meet this trick, you'll see:/ n; R' U& c, v& _1 r
-SI = 4647h
3 a4 V8 ?5 X# D5 v-DI = 4A4Dh
. n5 p2 N5 J* B! RWhich are the 'magic values' used by SoftIce.9 F% v) J' z# O  W; r
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
) b  Y, x. v) F( K+ s9 x% T
6 V& `7 o! [+ A, V: nHere is one example from the file "Haspinst.exe" which is the dongle HASP
. w0 V. W1 m7 GEnvelope utility use to protect DOS applications:% ~3 [  o! y0 ^

( |7 \2 m5 R9 l& Y7 Q$ @
7 ^7 W1 P- `5 C) L1 D4C19:0095   MOV    AX,0911  ; execute command.
* ~: E  g" H9 k# o7 S! O4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
; o1 i* Q9 h8 }0 p, K9 X4C19:009A   MOV    SI,4647  ; 1st magic value.
. C" f( f: F( o9 `2 X5 a7 ]4C19:009D   MOV    DI,4A4D  ; 2nd magic value.9 q5 I) _# m) n9 |5 E1 f. M
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
6 ?; G( S/ |% b" A4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
6 `" s4 G, m( D3 y2 E3 ]7 ]4C19:00A4   INC    CX
+ I, d0 g2 v7 I9 k& C. w" s4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
' N: U) ^8 [. D* O4 o  _! i4C19:00A8   JB     0095     ; 6 different commands.( y9 c3 V) B, d$ I+ q0 i
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
  B+ R! [; O* e0 x4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)5 n) x; _0 Y" Y, d$ j) b

9 H8 [6 U9 e5 d9 P" R" qThe program will execute 6 different SIce commands located at ds:dx, which
, c0 L0 g0 z. V; o/ Pare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
. C* F# i+ s9 g+ T4 U: |' [
% n% p- Y' u; N) k# Z2 e9 q* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
& W  c' o; \/ c5 |3 b___________________________________________________________________________
0 H! m' j6 Y( b  T- Q
5 X. I- S- o% g/ k
+ m  ~' W/ n/ S4 y9 ^- iMethod 03
; Y$ Z, `1 j- |* X- a% i9 J=========5 [+ W! p! v$ z" g

" \: J& }# V: x% }4 \: ?8 ?% uLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
/ Y" y' L+ |2 H  Z" u6 S3 ]3 u9 j* m(API Get entry point)3 J8 H: I+ f) }- |
        
2 ~; q8 h' U" s6 t" [: J0 @
! U! b( e0 r" Y) e+ f( z    xor     di,di% x* Q# h. j8 k$ ?. _
    mov     es,di
% W/ H: g; A& a    mov     ax, 1684h       ! L; s2 E0 k% G. Z# J4 ~! U9 k5 b
    mov     bx, 0202h       ; VxD ID of winice
3 k6 J" c* |1 H1 ]    int     2Fh
! ^0 {# q' X5 G; ^5 m    mov     ax, es          ; ES:DI -&gt; VxD API entry point7 t. {$ Y% E2 I9 R( j4 A$ [. W
    add     ax, di
" q& M1 r) G3 L" c; c1 Y    test    ax,ax" ]& f, X; v# Z2 Q* W+ H6 n
    jnz     SoftICE_Detected
7 e( d4 A+ ?" w4 e: Q3 ~% {5 U6 W; t6 x: v5 W
___________________________________________________________________________. ^7 `6 F' F! \' i3 l
9 M  `* `/ [8 ?+ @( v1 S. a
Method 04
+ B+ I: y5 d3 X- {5 k( Y2 s5 G$ }$ F=========; V) l. m4 G4 x' E# i, ?* x) i

4 ]. O" w+ _0 G9 jMethod identical to the preceding one except that it seeks the ID of SoftICE/ B! I1 Y" C( O+ V  j* U) A5 H
GFX VxD.
7 k( Z. {4 Z) }7 K3 D2 A" n  ]0 F" Z& ]
    xor     di,di
2 B& V; u! K: F3 |2 R  n    mov     es,di* b' o: R  H/ [2 Y1 Y7 v
    mov     ax, 1684h      
7 J* i- w7 I& _% u$ z  t  q    mov     bx, 7a5Fh       ; VxD ID of SIWVID& _8 O3 s4 `; _) S
    int     2fh
" P- [. Y$ P3 G! m6 m+ Q    mov     ax, es          ; ES:DI -&gt; VxD API entry point
3 @$ Y* C6 @$ R5 e* f    add     ax, di
3 x/ D8 g* f( a/ E3 ?! d' ^. l% o    test    ax,ax0 E2 A$ s/ r: U- Z
    jnz     SoftICE_Detected
/ s3 G1 |6 n" s0 c- z) H: ?# A1 o4 ?
__________________________________________________________________________# t" k4 Y$ O+ g6 i# s
4 c& y( ?& B  J7 B9 q
: g4 `% L3 r, z; i% X
Method 05
1 F* K" X) b* |5 Y7 x4 E4 a9 I=========$ h8 W: a+ u& H' o' K6 I
% S& [) J) v5 {. M
Method seeking the 'magic number' 0F386h returned (in ax) by all system- |# I: N+ W$ \4 {4 A
debugger. It calls the int 41h, function 4Fh.( t: O, J! o6 I2 T8 f/ V
There are several alternatives.  
+ G1 M4 j" i; ?' l* t2 Z) J/ H% _" ~2 Q% ]; ~$ E: d, C* D* t
The following one is the simplest:
1 G" Q9 D  u. K  y
& n6 E9 d8 J$ w; K7 f2 t    mov     ax,4fh
; B" X: g% W$ D  ?* _    int     41h- }8 ], V3 e& ^1 i1 K9 l- Z2 p
    cmp     ax, 0F386
. c  c) {' Y0 P9 i2 W3 p    jz      SoftICE_detected
& B6 D+ m4 N) E! V8 s* e/ b4 o! h7 k8 Y, @. ?( w

/ T6 h' [7 m6 q+ vNext method as well as the following one are 2 examples from Stone's
4 r! s# ~8 c0 y$ N8 }- p"stn-wid.zip" (www.cracking.net):8 D5 h" T" B9 O3 P7 v
  b% u; u6 O0 ?) F  G
    mov     bx, cs" g$ a2 s: x7 z$ c
    lea     dx, int41handler2: |$ u# f1 [/ M5 j
    xchg    dx, es:[41h*4]  i0 `8 c# o! W* k
    xchg    bx, es:[41h*4+2]0 @4 w4 L8 l$ b5 T# n( x! I9 ~, i
    mov     ax,4fh; Z: g! R- Y+ A' \% T, o9 ~6 I( G
    int     41h
4 {. X: E6 a; U" O5 p/ u1 a' ?    xchg    dx, es:[41h*4]( k. \1 N5 D4 T5 l' B( b  L2 B
    xchg    bx, es:[41h*4+2]
) r$ |  r5 ^* O9 P    cmp     ax, 0f386h
# g2 B: G7 r. I8 }+ b    jz      SoftICE_detected# ?7 _  ~; O! A+ V* ]! h5 \
. U6 d, s! H2 x% G( m
int41handler2 PROC
( p6 F; o% ^# S  Q" |' D0 @    iret  s# e6 I" v7 L5 H2 F) \
int41handler2 ENDP
6 {  t- v- h& Q7 ^1 [& O4 X( ?% i
/ ~2 u* l2 n4 A6 Y( i3 Q
_________________________________________________________________________6 k- j' i3 `8 \; f

9 N, `( ?+ t7 z0 V2 \$ J; @4 Y4 c# f; t1 Y
Method 069 Z. g9 k) y+ h  P1 ]; g$ X2 n
=========
1 h/ L3 g& @) w4 e+ k" `7 U
4 K' n# e1 N; }  M
4 ~5 I( U! z( m. w  B" e* o% U2nd method similar to the preceding one but more difficult to detect:9 l# N* \! l. @& A0 a) B0 c& ^
) i" d6 X$ M0 e% [$ l
2 k" R( Q4 D- e6 j" {
int41handler PROC
! Y4 Q. ?5 j0 O" ~    mov     cl,al
8 |' X& \" s+ A$ s5 i$ A7 V. w    iret
* C/ k3 k8 W4 H# d" Iint41handler ENDP& T0 ?/ V& l. ]5 `' M8 s1 |) n

5 m; {, o, R) W& b6 |6 E; ~
3 d$ z" n/ V* }" R' k. e6 v    xor     ax,ax
7 }# \0 |- q9 z3 m    mov     es,ax
  g. u' _* y$ D- Z" q    mov     bx, cs
+ S$ Z' P7 S0 t0 d    lea     dx, int41handler+ E) m: @! K+ a0 _; c
    xchg    dx, es:[41h*4]
8 x% J! y. o' ~8 L) L! D    xchg    bx, es:[41h*4+2]# Z0 b& C( l& L! Z
    in      al, 40h6 T5 J5 k1 E' l
    xor     cx,cx. ~( k5 U$ S. e  ]# T: _' _) Z
    int     41h
% `$ ]0 ~- M9 H4 \' I    xchg    dx, es:[41h*4]$ k; H, k. |5 C7 P( M8 v
    xchg    bx, es:[41h*4+2]
0 s( a  e/ Q" y! o, H' o    cmp     cl,al
' @& i! i0 Z  O, v' y" |( g    jnz     SoftICE_detected0 F; [2 F; Y4 ^- v' q
1 v" D5 J- B. x4 E
_________________________________________________________________________
+ \7 n5 o* x& y7 P& O0 _
* x3 S( u- o. N( z! v1 ?- ?Method 07
2 A9 A, P4 o9 q2 Q=========! P  F% S+ O0 Q4 w! K. z5 Z. ~
! x/ e2 X, I0 e6 s# J! {, g
Method of detection of the WinICE handler in the int68h (V86)0 I* D* Q8 G, z8 d& ]- }6 ~

0 }2 g. e. Q" c5 h/ g  L; v    mov     ah,43h9 n) S+ |1 w: W+ Y- f1 d
    int     68h
( c) o' V, Q  {    cmp     ax,0F386h3 o9 V8 o3 n% s( d) T
    jz      SoftICE_Detected
) C/ r" f5 c2 @6 N+ B* J
' h8 t  b: ]5 Z' |1 c* p$ Z0 l+ Q: `4 Z  i2 Q- `$ h
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
! r- [$ F" ~$ P4 O" D3 _' S   app like this:
8 s+ a' q& x  M" C/ X" U0 A5 w# ]. K( z+ Q
   BPX exec_int if ax==68
' n1 V6 I: |/ ]  t6 R# t8 v7 q5 ~   (function called is located at byte ptr [ebp+1Dh] and client eip is# r5 K/ A4 ?6 j7 |0 G$ N: t% e* d% R
   located at [ebp+48h] for 32Bit apps)
! A- ~+ Y1 k/ k" W! r2 A: v5 x+ ?__________________________________________________________________________3 I. [8 E0 a0 O% |/ y
6 Q; k8 ~4 z1 H+ D
. @: V! u; K0 a& n" \
Method 08- V( T9 x/ p4 W  U0 P+ h' y, ?0 g: a
=========
, c4 x* A5 b- {: Y+ H; z4 o" @3 |3 Z- c4 B+ I
It is not a method of detection of SoftICE but a possibility to crash the1 O7 Y; ~& w9 D. C: E6 N
system by intercepting int 01h and int 03h and redirecting them to another
1 o  [7 n! F4 L0 A6 ]0 U0 aroutine.
3 v1 c2 |( Q' xIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
% f5 i* b; X. ]to the new routine to execute (hangs computer...)9 [8 _! B$ e- n0 J/ k6 U
! m" f/ f5 j7 m& A3 I! q( T
    mov     ah, 25h
# E: C$ V: f6 R2 n9 s    mov     al, Int_Number (01h or 03h)
8 b, @/ X/ C5 A    mov     dx, offset New_Int_Routine
0 K4 B* I9 n% \3 ^- P    int     21h
9 b7 o% V2 g! I4 h$ ~' [: K/ J4 S4 i4 Q' a% [0 a5 r
__________________________________________________________________________7 v$ m# _( o; [0 o4 P) ?+ o

' x$ z( T, m; R  JMethod 099 m( e4 H. ?2 x. H+ V$ |
=========
. S7 }: O* b3 y' F( d0 \1 r7 ~- c
( v2 u1 @+ L$ @* X- t" XThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
) n" `! p7 D, v' z+ H: Cperformed in ring0 (VxD or a ring3 app using the VxdCall).
$ q( D0 o# ~. @9 A$ n7 q* {9 ^The Get_DDB service is used to determine whether or not a VxD is installed
  g* M" D0 g1 |! pfor the specified device and returns a Device Description Block (in ecx) for
, u* ]0 s0 ?0 U! p  z! \that device if it is installed.
7 o/ [: z8 Z4 z  e, c
: q; r+ |$ G: c$ u& i   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID+ \# g, T" A7 t' c0 X! e* `0 h
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
5 `4 U: C+ {0 N. z9 @   VMMCall Get_DDB. F% l/ m; ~0 b
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
7 \5 r+ B8 o8 h+ n  ~1 I7 C2 d' U$ z- a1 g4 T1 }
Note as well that you can easily detect this method with SoftICE:7 Q6 Y' {+ m: i
   bpx Get_DDB if ax==0202 || ax==7a5fh) f6 `8 }+ d7 G; K- X
6 r% I# v% K3 {" O1 ]! V
__________________________________________________________________________
7 P- s7 M' r" A# t+ a1 s+ t9 {3 i$ P, t
Method 10- a5 @) Z! i# q8 w+ i  Z# @1 e/ r* q
=========, v' ^$ i$ e3 w, u  @0 Z% S% N# Y
# ^: I. v" V- E" _- j
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
5 m( `5 H5 f, w9 Y8 L  SoftICE while the option is enable!!
5 y- [5 w1 A# [. y* |% ?7 _% }' x7 ~8 U1 h# K/ y2 N& v' {
This trick is very efficient:% o- T, [% A6 M7 T
by checking the Debug Registers, you can detect if SoftICE is loaded' Q, `9 N5 H! y% U" D% B9 j! _" `. v
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if; L; g/ T$ G" O. a* `
there are some memory breakpoints set (dr0 to dr3) simply by reading their
8 v0 J! D& C- s9 U- ]/ ^- @value (in ring0 only). Values can be manipulated and or changed as well# [7 E' V- s  _( a% W( X
(clearing BPMs for instance)
. l6 u% o. M6 s# C- Y
5 t, W; T* X, F8 B+ ___________________________________________________________________________% {3 s  Q& o+ X5 f1 j
8 V$ Y! Y) y: k4 o& L# z
Method 11
6 R/ |( T9 S9 p; }=========
: |. O, M7 P$ p# r: ^( L) z; L8 F5 p
$ `3 m" L1 [' c- V- \1 }1 rThis method is most known as 'MeltICE' because it has been freely distributed
7 }* B, c, P! v: k+ ivia www.winfiles.com. However it was first used by NuMega people to allow
3 h) I# B- }4 Q; x+ ]6 b% m. gSymbol Loader to check if SoftICE was active or not (the code is located5 h: c4 d/ f+ H" {
inside nmtrans.dll)./ a2 I) {, U- Q7 z

' q2 B3 U( O& j& X& oThe way it works is very simple:
1 ?3 _. |4 s9 ?! q" _7 EIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for" }+ }0 D& i% B) w
WinNT) with the CreateFileA API.
6 L7 [7 {3 c  _& T8 L% x# R8 q9 J
  }8 Z. E2 @+ y- a6 Q- p: WHere is a sample (checking for 'SICE'):9 @2 x! [, X" H  |; m1 V" X4 D

8 B1 K4 |1 l( V% X4 D  ^+ }3 gBOOL IsSoftIce95Loaded()
# L0 o; A1 S# b1 s/ w, s, w{
4 @+ r2 @  S0 U' j# s# V% Y1 G   HANDLE hFile;  
0 E7 G' n+ {  t; r- O   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
5 m+ d" [6 q: |                      FILE_SHARE_READ | FILE_SHARE_WRITE,
0 s$ c8 f% w6 Z3 h; W- Q' i' \                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
9 `7 h% R! U  Z. a3 j1 F   if( hFile != INVALID_HANDLE_VALUE )
: O+ e6 V  n- E5 x: U( j1 H! z   {3 S+ g2 y0 m* F4 N+ @# L
      CloseHandle(hFile);
8 M( C( k- w# a8 O      return TRUE;
( m: K* z: K! ~) c   }
  Q5 f' _/ U1 {   return FALSE;
/ _0 q( h( t0 s- W& U( I}% E1 N+ e# G& d4 f8 I
8 n* r. C$ ^+ g2 [- @9 {
Although this trick calls the CreateFileA function, don't even expect to be7 G% t* e: L& z7 r( W# x( O
able to intercept it by installing a IFS hook: it will not work, no way!8 g" X2 k- r+ u9 X& h# C; u
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
, {% q# g" W$ T& P7 ]service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)- {5 O0 @6 I' ]  F# Z/ z3 i
and then browse the DDB list until it find the VxD and its DDB_Control_Proc& y0 |  y0 i1 B6 ?9 }4 G1 C! G1 Z1 T6 e
field.( q# Y* ]0 h' i0 G! ]  ]) h4 c
In fact, its purpose is not to load/unload VxDs but only to send a
; P( C6 {! s* h& H8 G3 rW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
  u) \) z" c, eto the VxD Control_Dispatch proc (how the hell a shareware soft could try% @1 B) R: }' r$ i
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
. @4 f6 |3 ]8 Z9 G0 w% K; [If the VxD is loaded, it will always clear eax and the Carry flag to allow1 N! ^7 P/ ^5 a$ `
its handle to be opened and then, will be detected.8 L+ R- H( C0 R* E6 [1 T7 k
You can check that simply by hooking Winice.exe control proc entry point- o4 `  Y9 n1 n' P& O
while running MeltICE.1 A8 ^1 Y  X: L/ {- e2 u! {$ k
, B: A4 h" u  J% S

* ?4 b; U% M5 z. [' M$ C: V  00401067:  push      00402025    ; \\.\SICE
* g5 x' s" D& I6 N) R  0040106C:  call      CreateFileA
5 z" {7 q* T2 ~5 ~  00401071:  cmp       eax,-001
* q# Q# D9 k+ h$ j9 u6 c( y. i  00401074:  je        00401091
" \5 c1 e! X: k! D
1 K3 |8 J7 d: X: J) S/ R- E( L' |1 `, }
There could be hundreds of BPX you could use to detect this trick.
6 C' W' D/ i3 ]$ _+ e-The most classical one is:' I1 }1 x4 [+ y$ y7 v
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
3 o- [: I( f# L! K7 f8 v0 _2 R    *(esp-&gt;4+4)=='NTIC'
6 {. a. [; x; O! ~& F4 z& p; O2 a. Z9 u6 c
-The most exotic ones (could be very slooooow :-(
1 F+ z9 P# n. j/ a5 V# T4 R   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  $ C  @, P! }+ }8 I$ p
     ;will break 3 times :-(
9 B  N5 `5 ^% |9 o+ W" b! v0 `; N# z* ?$ T! M
-or (a bit) faster:
& S: S! P  I: e   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')" F5 r$ e' a+ A2 N( z. F
% e1 S8 Q, W& H5 u- t
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
3 J% P" ^# K  ?5 @     ;will break 3 times :-(* B: F% A7 W' N( ?

- m; ^6 l8 o! ^4 ]* N" G-Much faster:7 t- n$ K" t& u6 @1 `/ }4 _
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV', f9 x) ]  U& t' }
! z! _  s2 \% ]) w% ~
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
1 {( }6 _/ F# ^, yfunction to do the same job:' W/ a# B3 o; d* D, g. s/ A2 h

: @5 U0 X6 V5 A! e3 k, Q   push    00                        ; OF_READ
0 w$ e$ F/ v' _8 u7 ^8 W7 z: |3 C, w   mov     eax,[00656634]            ; '\\.\SICE',0' Z6 n5 l/ w0 S6 {! l# _2 O
   push    eax
* R4 K$ e2 e# t& A" ^* b   call    KERNEL32!_lopen. c) G6 \. Y0 `4 f  y% i  i
   inc     eax5 d# \8 Z* d3 ~. [6 z  r
   jnz     00650589                  ; detected( d7 X" E2 G2 G7 r% k- \+ e
   push    00                        ; OF_READ
  h8 Z1 {# [( r; a( F  @1 t   mov     eax,[00656638]            ; '\\.\SICE'
" g/ i5 N! H! o' P  T& o   push    eax/ w* ^) K8 _% B
   call    KERNEL32!_lopen
) T, F) _$ v. H1 a* c! A0 }. C* w   inc     eax
  v9 k( q3 A) o' ?9 F1 ~   jz      006505ae                  ; not detected/ a: v6 l( F$ `" `/ V, h- q
7 z1 p; y9 g2 Y+ @# O

- a1 [) j' N8 U0 r+ y  C__________________________________________________________________________
! g: c$ p: D+ Q$ h" a6 M( Q$ }0 r" w7 X% y9 d
Method 12
$ q. u  @6 V% \8 |6 Q3 h+ v=========
$ @& m) }! i+ S/ w
- Q3 v* ?, u/ R! l! l- G7 y: y2 {This trick is similar to int41h/4fh Debugger installation check (code 05
5 A! a3 F1 y- U&amp; 06) but very limited because it's only available for Win95/98 (not NT): x3 b9 D# M1 W+ `8 U
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.2 J7 p4 u: d* M0 |; j. x! G' X

+ F- `$ d4 t; c7 @# y   push  0000004fh         ; function 4fh
" ^; B% V% p+ H2 X   push  002a002ah         ; high word specifies which VxD (VWIN32)" h- J) h5 B0 A' D" o/ ~7 x2 A
                           ; low word specifies which service
5 G$ B8 {* a; j8 H/ J                             (VWIN32_Int41Dispatch)! C. N% [/ S9 I! {+ Q" g
   call  Kernel32!ORD_001  ; VxdCall8 {& q1 u& K/ @' T* z( U! ?. [+ [
   cmp   ax, 0f386h        ; magic number returned by system debuggers
" k% Y: r" m% b6 h' t) M; i   jz    SoftICE_detected
3 c  z+ r' B) T# ?6 _* o* d
: A; a! [8 }6 I" N9 V  f8 T& @Here again, several ways to detect it:0 M2 N: Q5 p" `

9 R0 C7 n0 r8 w3 i9 ]' F    BPINT 41 if ax==4f; S: a: [2 x$ [% L) @* J/ o) t" a

; e+ d/ o' P3 x0 T: s" m    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
# Q$ ~5 K2 z" b2 P- p9 B. }% \& w; u( ?# F
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
' J8 Y- i6 ~& }9 a
% w5 S& t2 g* R( P5 t' ^    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
6 L" \6 w' D- A* V  o5 N9 o! Q% A1 ?3 I0 c4 J( k
__________________________________________________________________________3 ~, H, `1 Y$ T7 Q( |8 C) \
8 d5 R% C  h, ?9 V4 C9 J
Method 13
4 b& D, b: S9 L' ~: {5 C$ g=========
! k6 I1 L: t3 P% f; f5 d5 z
3 I9 T# Z: z( ~- ZNot a real method of detection, but a good way to know if SoftICE is# m, b; `$ e$ u, ?6 a
installed on a computer and to locate its installation directory.
' _- C0 {1 c$ X( EIt is used by few softs which access the following registry keys (usually #2) :- Q8 ^0 L' {. `& i( A  |6 t+ K& X
- p; o4 v4 R- ?0 T* q
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion  `0 [% g3 J1 L- c& g) z8 x* |# L* W$ G
\Uninstall\SoftICE; X8 r6 r" D" M. i. G  a
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
2 F/ `) w! p. B! @/ F3 d-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# \" o/ W0 P5 L( h! W8 s/ |1 a\App Paths\Loader32.Exe
& W$ v# J( P" z' i6 v
! q+ j; w9 B8 g# X0 a
! W" f  r" D# ?& O' H) U3 Q; eNote that some nasty apps could then erase all files from SoftICE directory
  t- @$ [& U: I/ x(I faced that once :-(# y  y5 o6 Z9 v" F( O  e

6 K; R- b6 S# D7 C- hUseful breakpoint to detect it:# O; ]" e4 d. V  i0 |* Y: |

% {- z  N; e1 {6 S+ ]/ t     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
8 D2 B7 \8 W6 @0 k" Z4 n
! a( {0 C6 ~8 C, `8 e1 V% S6 G* A9 U__________________________________________________________________________/ E" |3 n# v3 y. Q: l; n! X$ L" \
) Z. g1 H# m( f9 W( D. N
* t5 X( e" j" g
Method 14 : p9 M, l! B- F& P$ s0 Z
=========
1 J: L5 G; f& H3 G/ v- H( j! C7 ?5 E5 U3 O0 e, {. n
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
% v* T9 g6 T: }1 i3 X8 e! ?  P+ Xis to determines whether a debugger is running on your system (ring0 only).5 f" _+ ^& z0 q/ F  ?9 Z# Q
7 f; i3 q$ ^. @/ p6 X/ b- \0 Z
   VMMCall Test_Debug_Installed
& F# ^$ d" ]# c   je      not_installed
# Z' d" `& c* \0 ]
0 f9 M7 e$ [' b& lThis service just checks a flag.) X3 @6 p! M' k- N6 W: q( g' J# h
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-6 08:18

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表