About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK' BoundsChecker signature
    mov     ax, 04h
    int     3                      ; BoundsChecker interface of SoftICE
    cmp     al,4                   ; al is changed only if SoftICE answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).


    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax                   ; still 0:0 => no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax                   ; still 0:0 => no such VxD
    jnz     SoftICE_Detected


__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; debugger installation check
    int     41h
    cmp     ax, 0F386h              ; magic number returned by system debuggers
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; a debugger sitting below the IVT still answers
    xchg    dx, es:[41h*4]          ; restore the previous vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install int41handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer counter: an unpredictable byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the previous vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler really ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h                  ; installation check
    int     68h
    cmp     ax,0F386h               ; magic number returned by system debuggers
    jz      SoftICE_Detected



=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

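Added example (not from the original text): a Python decoder for the DR7 values this trick reads, showing that 0x700 and 0x400 differ only in the LE and GE bits (bit 10 is reserved and always reads as 1) and how an enabled BPM slot shows up in the register. The bit layout is the documented x86 one; the sample values are constructed.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"); bit 10 is reserved and
# always reads as 1, which is why an idle DR7 reads 0x400 rather than 0.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Split a DR7 value into its global flags and the enabled DR0..DR3 slots."""
    info = {
        "LE": bool(dr7 & (1 << 8)),    # local exact breakpoint match
        "GE": bool(dr7 & (1 << 9)),    # global exact breakpoint match
        "GD": bool(dr7 & (1 << 13)),   # general detect: fault on any DRx access
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                  # slot n disabled
        rw = (dr7 >> (16 + 4 * n)) & 3   # R/Wn: break condition
        ln = (dr7 >> (18 + 4 * n)) & 3   # LENn: watched length
        info["breakpoints"].append({
            "reg": f"DR{n}", "local": local, "global": glob,
            "kind": RW_KIND[rw], "length": LEN_BYTES[ln],
        })
    return info


def bpm_active(dr7):
    """True if any hardware breakpoint (a SoftICE BPM) is enabled."""
    return bool(decode_dr7(dr7)["breakpoints"])


def loader_flags(dr7):
    """The bits that separate the 0x700 reading from 0x400: LE and GE."""
    d = decode_dr7(dr7)
    return [name for name in ("LE", "GE") if d[name]]


if __name__ == "__main__":
    # Constructed values: idle, loaded via SoftICE Loader, one 4-byte write BPM on DR0.
    for value in (0x400, 0x700, 0x000D0001):
        print(f"DR7={value:#010x}: {decode_dr7(value)}")
```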
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;   /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed    ; ZF set if no debugger
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>