About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

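As an added example (not part of the original post), here is a small C scanner that a malware analyst could run over a dumped code or data buffer to flag the static signatures of Methods 01, 02 and 11: the 'BCHK' constant, the SI/DI magic values and the MeltICE device names. The sample buffer and the function names scan_anti_softice/scan_sample are constructed for this illustration; the opcode encodings used are the standard mov reg,imm forms of the listings above.

```c
/* Static scan of a code/data buffer for the anti-SoftICE indicators described
 * in Methods 01, 02 and 11.  Added example; the sample buffer is constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

enum {
    HIT_BCHK     = 1,  /* mov ebp, 4243484Bh ('BCHK'), Method 01 */
    HIT_BACKDOOR = 2,  /* mov si,4647h ; mov di,4A4Dh, Method 02 */
    HIT_MELTICE  = 4   /* \\.\SICE, \\.\SIWVID or \\.\NTICE string, Method 11 */
};

/* Plain byte-pattern search; returns 1 if pat occurs anywhere in buf. */
static int has_bytes(const unsigned char *buf, size_t len,
                     const unsigned char *pat, size_t plen)
{
    size_t i;
    if (plen == 0 || len < plen) return 0;
    for (i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* Returns a bitmask of HIT_* flags for the indicators present in buf. */
int scan_anti_softice(const unsigned char *buf, size_t len)
{
    /* mov ebp, imm32 encodes as BD + little-endian imm32: 4B 48 43 42 */
    static const unsigned char bchk[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
    /* 16-bit code: mov si,4647h = BE 47 46 ; mov di,4A4Dh = BF 4D 4A */
    static const unsigned char backdoor[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
    static const char *devices[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE" };
    int hits = 0;
    size_t d;

    if (has_bytes(buf, len, bchk, sizeof bchk))         hits |= HIT_BCHK;
    if (has_bytes(buf, len, backdoor, sizeof backdoor)) hits |= HIT_BACKDOOR;
    for (d = 0; d < sizeof devices / sizeof devices[0]; d++)
        if (has_bytes(buf, len, (const unsigned char *)devices[d],
                      strlen(devices[d])))
            hits |= HIT_MELTICE;
    return hits;
}

/* Constructed sample: the Method 02 magic values and an int 3, followed by
 * the MeltICE device name, as they would appear in a dumped code section. */
static const unsigned char sample[] = {
    0xBE, 0x47, 0x46,                               /* mov si,4647h */
    0xBF, 0x4D, 0x4A,                               /* mov di,4A4Dh */
    0xCC,                                           /* int 3        */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,   /* "\\.\SICE"   */
    0x90, 0x90
};

int scan_sample(void) { return scan_anti_softice(sample, sizeof sample); }

int main(void)
{
    int hits = scan_sample();
    printf("hits=%#x bchk=%d backdoor=%d meltice=%d\n", hits,
           !!(hits & HIT_BCHK), !!(hits & HIT_BACKDOOR), !!(hits & HIT_MELTICE));
    return 0;
}
```

A hit is only an indicator: the same constants appear in legitimate BoundsChecker-aware code and in NuMega's own tools, so treat the result as a triage flag to confirm with the breakpoints listed above rather than as proof of an anti-debugging trick.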
__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>