找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
0 }" O8 c" b, G6 v( J: `1 r  ]<TBODY>
/ l) [: r% `% w" A! B; H8 b<TR>- c: K' F! x$ U& B7 v
<TD><PRE>Method 01 % o9 `& g; L" t/ _1 I2 J% ]
=========
1 q+ {, }; y% e' ?7 l0 k  }' d: q$ k! \
This method of detection of SoftICE (as well as the following one) is9 t1 Z: T% ]: l- {
used by the majority of packers/encryptors found on Internet.4 o6 Q) N& H: t* N1 h; J3 e- \
It seeks the signature of BoundsChecker in SoftICE; G# O9 `. P' z' R3 ^/ d
) `( u" f; F" {! f) Q' U; m
    mov     ebp, 04243484Bh        ; 'BCHK'
2 J6 @- }% {- t0 T. w& R    mov     ax, 04h
: J7 \4 y/ a4 O+ G5 V    int     3      
; ^  Q. ]/ c1 F! V3 M. R3 V    cmp     al,4
, X5 ?: {/ _$ H6 a  N. I    jnz     SoftICE_Detected& e0 W# Q" X% y6 Y

2 ?% b9 `+ C8 M___________________________________________________________________________( B+ D8 k5 `& g) ?$ T5 _6 ~
8 K+ i' M; ], O
Method 02
$ J7 l; u  [4 b, ]: `=========; N( R( u9 ?7 n+ `4 E( x
4 w- F( I( @$ r7 K8 i* [
Still a method very much used (perhaps the most frequent one).  It is used% p$ ^/ x) g0 z2 E) W, O( r
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
% P/ }6 s4 i; V0 for execute SoftICE commands...
- a/ X+ \) a# [8 u( D' _It is also used to crash SoftICE and to force it to execute any commands, S# S0 ?$ B1 m* d( B
(HBOOT...) :-((  5 q3 c6 Y% M  @3 f% G; V
4 K# y, T8 m3 p
Here is a quick description:! E5 s+ `$ l! B% x; H0 b; c
-AX = 0910h   (Display string in SIce windows)
" d, f! o7 c, e9 @1 X: Z8 t3 B-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)5 y1 B% U& B: y
-AX = 0912h   (Get breakpoint infos)  c4 E- [/ R- y- I# ?$ ^1 F+ m
-AX = 0913h   (Set Sice breakpoints)
0 i& b+ B# q  e8 `9 a; K-AX = 0914h   (Remove SIce breakoints)2 U" d, q2 A8 P2 X. W  ]
& \+ z2 r: U6 W$ i
Each time you'll meet this trick, you'll see:
& o  {3 Y7 i2 W  d$ n-SI = 4647h& Q0 y, x8 _' c+ t- Y
-DI = 4A4Dh
1 L3 M  U6 Z9 m# P: j3 K) a" lWhich are the 'magic values' used by SoftIce.7 q( h+ D* u5 t& m- d: ^, `
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
5 r& ?) Z7 s3 m" F. M8 Q# N2 g; q7 m1 i4 D
Here is one example from the file "Haspinst.exe" which is the dongle HASP* m6 R3 |  Z4 Y1 k/ L& K* {6 O' V
Envelope utility use to protect DOS applications:
0 y0 R6 X" c" G. E4 N) @, ^8 _. m" D* q
; N) d! m) G3 N$ w+ h; o
4C19:0095   MOV    AX,0911  ; execute command., z" `' R' r5 o( i
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).# V% B  \* |' i- H) K, u7 m, J
4C19:009A   MOV    SI,4647  ; 1st magic value.2 i. ~) q2 R6 t) `
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.! a; r6 x, Z- V! u( t: h2 c  {+ p
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)1 X- \  u4 l; R" d4 M
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
$ F$ }. y9 }3 P: n4C19:00A4   INC    CX
# ~7 [* l: V7 V+ I2 B4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
" k% A6 ~9 G: \* Y4C19:00A8   JB     0095     ; 6 different commands.. ?: u7 t: S* Y& v7 T1 `' q% u
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
5 h2 c2 ~6 Z; A: X0 W  a4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
! X% t; v2 [9 r7 i! H% u6 E( K& g1 q. w2 r! v5 ~) N
The program will execute 6 different SIce commands located at ds:dx, which
0 a8 W& T) W" z) ]3 H; c1 |are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.  m. S, j7 q& D$ j( N* t

) G0 [0 E7 Q) N. ~2 W; @1 O* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
/ _  J; k$ S' V) |( c9 A4 u" n___________________________________________________________________________
- K$ h4 r5 x& F0 e% W" C  E( P! y$ |+ j4 f0 @

/ [) O' d4 t5 C; _, \Method 03
% A0 `3 y  D) C2 T7 q$ s' F5 K=========7 n2 g/ |0 p8 f" k

$ d7 E8 L, @- O1 [5 L8 LLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
- n  [2 C# {6 ?! e  o(API Get entry point)
) y# M+ {# o- ~9 B6 z+ F        - ~+ W" G  N/ p; H2 t' v9 U4 X$ u9 Y

3 B" F/ g  o7 R6 d8 S* @: m4 o    xor     di,di5 y3 b* q; r" `; I) ^  m, c# R
    mov     es,di
% n! c; X) j* k% j    mov     ax, 1684h      
% ]& n( l* @/ G" |/ a  b    mov     bx, 0202h       ; VxD ID of winice
' w, `9 b% b2 A8 V& [( C    int     2Fh
' w, p2 j- n, l  T; J4 M5 ^( q    mov     ax, es          ; ES:DI -&gt; VxD API entry point0 O1 K7 G8 e' C1 C7 f6 ~
    add     ax, di
" X, u" h; j/ l/ ~% _/ j0 U( S    test    ax,ax
$ \. s9 V; _* I, m3 J) v  L    jnz     SoftICE_Detected
: R% H1 a- g7 `. |% m
% N* [1 F- X, E8 W___________________________________________________________________________
2 d, G! V0 e, o8 X
* e+ Q7 I; ~: s7 RMethod 04
! f% \/ a) R8 }5 o=========
0 J" O3 ~& Y. {5 \* [6 x  p7 @$ B- _  m# |( O* a, {* t
Method identical to the preceding one except that it seeks the ID of SoftICE
% Y7 a. I  E3 }% {! ?5 uGFX VxD.
, _# r! r! |2 t+ }$ v2 W7 f+ k, [; R$ p) C9 J* _
    xor     di,di
1 m+ B' f0 w- Y' O& l) R    mov     es,di
+ E: D2 r; t+ E. ~' ~1 a0 x    mov     ax, 1684h      
8 M! Y" _" `+ C# `# O) f, j    mov     bx, 7a5Fh       ; VxD ID of SIWVID
; Z4 s4 q( u2 b    int     2fh
! B3 L$ C. }5 D$ o    mov     ax, es          ; ES:DI -&gt; VxD API entry point
; c1 ?& I8 _8 l+ g9 ~0 z    add     ax, di
! X, C: h5 C# A2 P- Z5 i/ U    test    ax,ax
$ p' G7 v3 u' \0 h7 N1 n9 w    jnz     SoftICE_Detected
- f- K! z9 w# B0 x4 e* |* R* t3 u5 L9 @8 W
__________________________________________________________________________  p) p9 ~& Z, h1 m1 Q. r4 S% w* x8 ^. N
& r4 h5 H; F$ `& p) e4 f

4 |# W( D6 V/ {, y8 s/ GMethod 05; k& J- S, P: p, Y% q
=========( R' R5 O) V* t7 I# p0 w

! y; f( x0 D; b/ c# xMethod seeking the 'magic number' 0F386h returned (in ax) by all system" V; U( W! C# ~7 _) o) W
debugger. It calls the int 41h, function 4Fh.- V' T% ~' M1 A
There are several alternatives.  
% n+ k% V  Y- |4 U. m5 w2 a$ ?
- z9 ~. ]$ W- {% j* x% a3 qThe following one is the simplest:
7 v9 F7 @2 G9 Y2 M6 P) l* n. H7 n& z; l. o8 h6 ]
    mov     ax,4fh( D2 k4 B* M' e) C4 X
    int     41h5 G$ l* T/ _, m7 Z& J7 H$ d3 J
    cmp     ax, 0F386
9 m' A& v6 C3 q    jz      SoftICE_detected
- I( U) ?  j& g5 s& L* ?' F; N2 F2 Q0 \+ D5 {! u6 E* N

" P1 A# X9 K5 d' O8 D( rNext method as well as the following one are 2 examples from Stone's
! m5 B" ?% @6 D6 J3 X0 n"stn-wid.zip" (www.cracking.net):
, p% z8 k1 p; ?; v7 |
+ m; L; o, h" G8 V    mov     bx, cs# v- O. M. H% ?& ^: N, n2 G% C
    lea     dx, int41handler29 q3 d' |3 C$ r* U
    xchg    dx, es:[41h*4]' l9 ^3 k) f0 k  n) t
    xchg    bx, es:[41h*4+2]
: P1 b; K3 L7 T7 q; N    mov     ax,4fh$ m9 m7 r) i2 i2 Z& j# J5 Y6 f+ N. T9 u
    int     41h
! V' V+ P3 t* S, C7 e    xchg    dx, es:[41h*4]
1 L- L! T/ f; Z! ]: u' O    xchg    bx, es:[41h*4+2], ]  s  Q5 Z! j& }
    cmp     ax, 0f386h. E2 @# ^( R+ `" O+ C& h4 p# v) A
    jz      SoftICE_detected
# n: L2 d; R) a( i  T# o2 Q! n- P8 H+ \$ r) B
int41handler2 PROC
9 u% R; X+ b+ N9 _    iret$ y( m% k* v* @3 g) I
int41handler2 ENDP4 h; r6 F% U3 g& o
; {, z- G4 U$ t( q) K
) P3 }* J$ x" j6 n
_________________________________________________________________________: k" l$ [# z3 k* r; Q8 g

3 ~7 L5 S! [: C; k$ `$ x  j3 R
3 t3 _% S1 r5 V! _- h$ N& G3 bMethod 06% K* h: ~# q3 J1 x$ C, a
=========
& h+ c4 z" n4 O
$ S7 W6 K1 Y% o' m
$ H( r+ {8 D& L5 L2nd method similar to the preceding one but more difficult to detect:
$ _# w% G2 |  b. Q0 z1 k+ `+ n" ^9 q# R# U9 m$ c
4 T4 l8 A% }. M) R0 K; ^9 I
int41handler PROC& d, v( t3 i* \! L/ F
    mov     cl,al
/ Y" K( X/ `4 x: `    iret  Z- q( Q4 c: ?, a
int41handler ENDP4 u# [  _3 ^* B4 H$ @6 \8 a

& o/ W# t0 N) S8 v! p) e2 Q1 e, e2 E3 {# V! o; D! `
    xor     ax,ax) Z+ O- [+ o+ M
    mov     es,ax
2 t8 K6 K5 d2 ?, Z( @2 l    mov     bx, cs) L) U( d' |; V4 C+ ]% g  [
    lea     dx, int41handler
8 m% X3 w. e: X    xchg    dx, es:[41h*4]
0 K3 d6 D! E" g5 E3 w6 ]' a, a    xchg    bx, es:[41h*4+2]% M2 n! ^4 [+ U5 x9 n8 R( j
    in      al, 40h
; Z, Y" t; v/ ?/ m3 {    xor     cx,cx* z: v. _6 |$ N: w# s8 I
    int     41h
' a  C( J0 {! _    xchg    dx, es:[41h*4]
$ y" m2 I% F7 p    xchg    bx, es:[41h*4+2]
; d' c/ A' x0 r' ^: m    cmp     cl,al# c0 Q3 s9 k9 `" S$ j) k% J, O
    jnz     SoftICE_detected/ f  x' ^; z. ^0 k
! q+ p. K8 J4 L$ O. \$ C& t
_________________________________________________________________________4 g6 s1 p& n/ R9 p% P
  I4 }3 W5 B9 b" T# x$ u
Method 07
4 x- `! c4 {' Z=========
% c9 E6 q7 T2 i, M. Y  X2 X5 y- D: W! k2 l$ ?9 B7 P, f/ @) Z+ R, `6 r- J
Method of detection of the WinICE handler in the int68h (V86)& V+ `1 ^; ~1 S$ i& ?

+ t6 J1 Q3 m4 k* n+ Y    mov     ah,43h
$ ]2 a4 A2 j+ y8 J2 S& l7 ^    int     68h5 u7 }/ L2 z/ T/ q0 S- {4 A
    cmp     ax,0F386h4 E3 j# ?* V& K$ }
    jz      SoftICE_Detected* j4 y5 H1 ~# @
" \& X" ~! b3 R8 B. R9 R- O* T+ x

  C2 L) H+ D( U! K) E5 Y  \9 X- F2 R=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit8 s* `1 A7 b4 i5 x1 r! z" U
   app like this:
8 f* ~5 L2 F: ^+ ^$ j5 g9 F( i8 ]4 n3 w* ^" \) x  ]
   BPX exec_int if ax==685 w% F! Z. T; c  l7 S
   (function called is located at byte ptr [ebp+1Dh] and client eip is/ B$ q% s, F/ ?
   located at [ebp+48h] for 32Bit apps)
1 j% S- I$ a% Q- \* z: _8 m9 l__________________________________________________________________________
( x# j2 |# u$ C- y
0 \) b* a6 s& j: x9 o
) t5 @% _4 k3 \1 |Method 08
2 [. N: O2 z7 [7 h( d! r  o, m* t=========2 F: U0 s' a0 s' h  v2 U( j/ t
' @. `' P6 |) @8 [
It is not a method of detection of SoftICE but a possibility to crash the& V  A- k$ X7 G$ U
system by intercepting int 01h and int 03h and redirecting them to another) m4 a6 ~: b9 T" c' Q' s7 |
routine.
6 f* @/ A$ |( z; U( jIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
) w! i( n3 G5 l5 \to the new routine to execute (hangs computer...)
, V' A. j# Z+ p. K3 J% ]
6 h2 B7 E  F5 @- w3 h! g; w    mov     ah, 25h
  R& ~: i- \  |7 _4 |( ?) q    mov     al, Int_Number (01h or 03h)
: e- e/ J! J+ c4 e2 y% O    mov     dx, offset New_Int_Routine- C, _6 ^* T. I7 ?1 S# e
    int     21h6 a8 `5 k9 ~6 h0 Y- X2 [

6 ^; [# c# n5 a8 V__________________________________________________________________________  ^6 d6 _) q& M$ O( _3 ?: g3 }
* {/ v. f& R4 S! D& ?. {5 }
Method 09
/ h9 X; o4 X: q# n% R! e  f# {) D9 h=========- L, N6 c4 a7 X' c  \3 T
) \. V: a% u2 a
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
/ T+ L* r$ |+ s+ s  w1 Sperformed in ring0 (VxD or a ring3 app using the VxdCall).
+ \: N  G, S, ~  k' I- VThe Get_DDB service is used to determine whether or not a VxD is installed
! g$ _! j: n) a- k; {' }for the specified device and returns a Device Description Block (in ecx) for
9 Y& ~, i: ?7 @* I9 H+ B7 H. qthat device if it is installed.
9 `) u$ a2 D5 c& r
0 b$ X* o# T0 ]  v! L   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID  H& ~9 N+ j# C5 S
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
4 a& A9 ]7 }' Y   VMMCall Get_DDB- O$ F5 A  A6 T: C/ ]' ~
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
' x3 W$ Q) K. A& Q
2 [! z: C" ~5 U1 i7 s0 wNote as well that you can easily detect this method with SoftICE:
5 i0 i# i- D+ n: a! i$ U; Y   bpx Get_DDB if ax==0202 || ax==7a5fh7 d, X; P: p/ G
6 Q; V4 B5 u9 v9 ?5 G7 P
__________________________________________________________________________+ n3 ?1 ~: K, l
4 g; `5 g, t8 }3 x$ x
Method 10* N7 b, `6 F( @" U/ h4 y
=========3 d& E! E" M& Q. E) m' ~) h7 I- Y
4 {. g3 D) i$ |$ E5 I+ _7 I/ @
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
. h8 H9 b% j# S/ y  SoftICE while the option is enable!!) x1 I8 P( t6 R* M3 ]* D1 Z

- o7 X3 O2 m3 j& [: [# R. LThis trick is very efficient:& z8 H5 V3 h5 W# \6 @' X
by checking the Debug Registers, you can detect if SoftICE is loaded
2 ^' @2 x$ U+ ?/ d% J- _8 E4 r& q8 D(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
3 @1 W; @# G9 G$ i- j5 c/ B) m. Ethere are some memory breakpoints set (dr0 to dr3) simply by reading their, i6 U$ h2 ^8 W, c
value (in ring0 only). Values can be manipulated and or changed as well' G, }7 x( Q! m
(clearing BPMs for instance)
0 K9 j  {+ V* D: @' |3 F' e* T4 Q2 u4 d7 n1 R( k% T) _5 c
__________________________________________________________________________
  a( \* `. R% i# P
  `- s9 g9 y9 ]+ D9 u" D- \Method 113 _+ C1 e7 H' B& s7 z2 a
=========: r+ @' i- R, b  A' ?
6 e& x4 S( X1 A9 V
This method is most known as 'MeltICE' because it has been freely distributed
, h5 e5 D2 x, Yvia www.winfiles.com. However it was first used by NuMega people to allow
" p9 @8 y! _  A: e) ?$ K" MSymbol Loader to check if SoftICE was active or not (the code is located
4 K+ J8 ?$ F+ ^  B7 t( ]% Ninside nmtrans.dll).% T1 S; U/ ~* k2 P- `. ~' x$ c

5 A4 j0 [* H* j$ Q& Y+ |2 OThe way it works is very simple:
" g. Q! w7 s4 \  sIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for# ~. |1 {" D" _6 ^/ @0 S
WinNT) with the CreateFileA API.
- z5 O6 c: [  g; m# B( V. X8 H  Z  z
Here is a sample (checking for 'SICE'):$ g2 Z/ V" d1 d, s2 s. X
' G  _# B& C5 W' ]6 e) @6 Y& S
BOOL IsSoftIce95Loaded()
  y) ]6 m/ K! v! B* o% m{8 U8 a4 D% ?+ U8 r* P+ X  i
   HANDLE hFile;  
# L3 ^7 w0 `$ ^  ^, ~7 i, F4 {   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
; O* J) `; y+ F* `2 h1 N' S                      FILE_SHARE_READ | FILE_SHARE_WRITE,
8 S  a+ x1 h" C+ V. O                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
! w5 H: Y! k- P  F- ?   if( hFile != INVALID_HANDLE_VALUE )
8 G8 @" Z2 h9 ~1 F8 U. _; N   {; {+ k0 m: [% {
      CloseHandle(hFile);. ?9 j& X* H* h, g1 W4 p! p1 [
      return TRUE;
# E3 i; `/ E1 h   }9 s5 Q8 K3 _$ s; K: i/ r
   return FALSE;- |" z  i0 n# b/ z# ]1 ?1 a
}
. v( p+ h; i2 k2 l: u2 F6 ]: p" w: u
/ {$ Y/ F' i6 n* }; ^7 YAlthough this trick calls the CreateFileA function, don't even expect to be
! j+ Y. q* n+ |able to intercept it by installing a IFS hook: it will not work, no way!
- d; Y; a& o9 |In fact, after the call to CreateFileA it will get through VWIN32 0x001F
  d* v2 U$ H/ w/ |service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
4 @# }/ `! L3 p6 ?1 tand then browse the DDB list until it find the VxD and its DDB_Control_Proc8 A3 b8 u# h0 _
field.& U9 n2 \7 H+ O# W, A
In fact, its purpose is not to load/unload VxDs but only to send a
3 J6 T6 d9 v# l- y% Z- u( IW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)( c: Q5 b- N) K  b
to the VxD Control_Dispatch proc (how the hell a shareware soft could try) p4 V% S8 K7 |- y, Y9 M4 ?
to load/unload a non-dynamically loadable driver such as SoftICE ;-).- e+ j6 f8 F6 j" e, {6 C& }4 ^' C
If the VxD is loaded, it will always clear eax and the Carry flag to allow
: b4 U5 D3 t2 u  L+ h5 K7 Bits handle to be opened and then, will be detected.
3 K, i6 h9 w: TYou can check that simply by hooking Winice.exe control proc entry point
2 q& Z5 {- q; k, u& |7 n% Awhile running MeltICE./ o8 I" z: i% G2 U9 O! ~

/ f9 F0 q% R  P" T/ ?) q, o# d  @; M+ P' S  y
  00401067:  push      00402025    ; \\.\SICE
& S# H" @. T4 V$ K; ^9 m  0040106C:  call      CreateFileA/ C: J9 o4 @' D1 t6 U( v
  00401071:  cmp       eax,-001
$ W4 l5 `5 R. r* r" a  00401074:  je        00401091
1 k& c, N& s! K: y4 {4 b0 d+ S5 a( t, h$ X0 s+ O* g
4 a# h' w3 @" D+ u. ]  m
There could be hundreds of BPX you could use to detect this trick.
0 X0 ~- f! B6 P1 E% n. c( [  x  V9 X-The most classical one is:7 s+ ~. D6 p. s) D: p3 W
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
, i( B# }9 k7 T    *(esp-&gt;4+4)=='NTIC'
! O7 b- X- y- f( j' \8 c4 _. H1 h7 [, t$ ^* _  d+ F0 \' }
-The most exotic ones (could be very slooooow :-(
& \  H3 f' n/ @   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ; U3 B3 {  E8 N, f
     ;will break 3 times :-(
- n% \' ^& I* P7 k
8 F* H7 q% E1 C8 K-or (a bit) faster: % F/ \: v- f% `  w6 Q: q
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
6 v' J4 H+ Q' b3 m  ~
6 Q5 ~2 o; o+ S: ~   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
  {( N" R2 k7 v7 H5 E6 r     ;will break 3 times :-(
* K: u7 y% g8 y; ]  r
8 i: R* _8 H/ t+ p, a# r; k-Much faster:
- q: ?8 ^  s" m: |- b: P   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'4 A6 S- n( ^/ ^$ |5 ~, N1 d3 o
; L( w5 r; h* J% g. U- D
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen6 A0 ^4 h% [& M6 x
function to do the same job:
: h5 F, S" Z" u# |# i$ v5 S& ?' C, b+ B: ^& o3 w
   push    00                        ; OF_READ( i% n% d' m! b( n7 `
   mov     eax,[00656634]            ; '\\.\SICE',0
' C& e+ a. V! |   push    eax7 r" j/ _0 \! _6 R5 R  b+ ?1 L
   call    KERNEL32!_lopen, n0 M# Y4 R% i  v3 Q/ q$ E% ^* u* V( m
   inc     eax! \( \! B2 s8 g) H4 a: b2 p
   jnz     00650589                  ; detected
8 \3 q3 T! d% C. w   push    00                        ; OF_READ
* l% L) a3 B) `( _+ e9 m! `   mov     eax,[00656638]            ; '\\.\SICE'- p% ], I+ ^6 U9 {- x
   push    eax/ \- ]5 _* x9 j+ u) Y
   call    KERNEL32!_lopen% E/ T* e) `4 B9 Y5 P
   inc     eax- B1 f9 d9 a1 ^( D
   jz      006505ae                  ; not detected$ d! A3 p3 m9 ~3 x" L# j' o
! Z$ [0 e9 F0 ]% X

! E* ^' E9 f3 C  H__________________________________________________________________________% O1 l% g% a/ r8 a7 k, J
( U! ]1 i5 t) ~7 E" ^8 Z2 `" F4 j: M" R
Method 12
8 ]- W: U7 r1 |8 n+ Z=========3 q* [2 [+ m7 p. M% `

$ {% @! e' a& D' W. \( EThis trick is similar to int41h/4fh Debugger installation check (code 05) O6 M* x3 h5 r) L+ A
&amp; 06) but very limited because it's only available for Win95/98 (not NT)- X/ u& ~( v. F/ n+ q" n
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.6 C; U% f# x; b6 E+ [7 {

  y* _; o7 b2 `   push  0000004fh         ; function 4fh
* L3 t+ k5 B- X9 {( w   push  002a002ah         ; high word specifies which VxD (VWIN32)) h  a# R3 o" ^! z
                           ; low word specifies which service7 t! f! }$ T4 b0 h( a8 ^5 h
                             (VWIN32_Int41Dispatch)
( {+ c4 e; [: G+ [+ A   call  Kernel32!ORD_001  ; VxdCall
  x4 K/ v' i, X3 r: I* ?/ l   cmp   ax, 0f386h        ; magic number returned by system debuggers) p0 w/ s1 K: [! ^: u) ]
   jz    SoftICE_detected
+ W7 u, o6 |( X+ E) E6 e) I: Y& `
Here again, several ways to detect it:% l6 E# \. J% E  F/ V  H0 ]& @* ?
' n6 x+ @( m& u" e( g
    BPINT 41 if ax==4f
. o5 u/ l. q) f  l7 u3 y
9 r: Z3 Q' V' m& p    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
* K" o  i. y+ \5 n7 p* w& W  l5 B4 F& p) g3 N8 k( Q; q
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
6 n2 @2 D  |* U5 M( i) h+ n8 I/ O- G$ x- F  _- s
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
! ]  i* j8 }, [+ w4 T% m% ~1 u6 C6 Z' W) l4 j$ L  ]$ x1 }
__________________________________________________________________________. G0 x( m, c+ F1 D, `
: j$ T/ a3 @$ A! s3 a1 _& F: f' h8 }1 ]
Method 139 d4 u1 U! }  Q+ X
=========8 A9 r# t" r  I- _0 c; m/ [, K

7 S) |: @' y* Z7 [# yNot a real method of detection, but a good way to know if SoftICE is
+ K0 n* g8 o- V& ?) Ninstalled on a computer and to locate its installation directory.
: z; g* @6 w; V: `( e3 w4 w# r1 wIt is used by few softs which access the following registry keys (usually #2) :
, H$ A0 d/ ?8 W+ W4 o& Y" B9 A1 c
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
8 s5 I5 L; f! N4 _) u$ X: _\Uninstall\SoftICE. {: g& I4 T9 `5 E8 t; ]
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE1 L- \5 j$ \3 ~
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, E2 v. v0 d+ a' _6 F9 s* S) d
\App Paths\Loader32.Exe! s; U1 H9 o! O, k+ M0 t

* }% @' ~9 p* g. z5 u
; {0 }- \% L1 \* u0 fNote that some nasty apps could then erase all files from SoftICE directory6 j) @- X+ q, ~, j" C5 S2 G
(I faced that once :-(
+ R7 X8 h9 q0 J) c# h. l
$ b) Q- H) P9 T% y$ AUseful breakpoint to detect it:
4 s9 [- R9 [. w
' U6 R' |$ V8 g( G% g9 S$ K1 t     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
' B* B+ ^+ h1 O% V# o( t& X; G5 l& d8 t+ E" `" i, s
__________________________________________________________________________
9 D7 q6 u+ P! i, L: q. l4 u3 g$ f# ], Y' M

' }4 P$ V4 P8 C2 j1 ZMethod 14
3 A- j! g' K. a1 K, c& c  m=========' ^1 M7 s# E! }; W; @. B
( c! a- i& Q- `8 ^+ l9 C, s6 O
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose2 u3 u; O2 O, Y6 c2 Q6 x+ e* p  b
is to determines whether a debugger is running on your system (ring0 only).
/ `. F% V( A* r8 K9 w' w
6 M/ h" `- x1 e5 o) V/ S7 X5 O# @   VMMCall Test_Debug_Installed; r& `( ^8 u. i  Z
   je      not_installed& }0 i4 s! R4 j5 j0 b; E

3 l/ Y( {( y! L, dThis service just checks a flag.
( a( L: i. O' {1 \+ O4 Q</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-16 01:21

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表