About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must be 0 (the IVT segment) here
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


__________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al               ; only runs if our handler really got the int 41h
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; unpredictable value (timer port), no 0F386h constant needed
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; equal only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
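The two DR7 values quoted above (0x700 and 0x400) are easier to reason about once DR7 is decoded field by field, which is also what an analyst needs when deciding whether a ring-0 read of the debug registers can see a BPM. The following Python is an added example, not part of the original text or of any tool it names: it decodes DR7's L/G enable bits, the LE/GE/GD flags and the per-breakpoint R/W and LEN fields from the Intel debug-register layout, lists which of DR0..DR3 are armed, and labels the two values the text mentions. The register snapshots and the 0x401000 address are constructed; the label strings are my own wording.

```python
from dataclasses import dataclass
from typing import Dict, List

# DR7 field encodings (Intel debug-register layout).
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}
DR7_LE, DR7_GE, DR7_GD = 1 << 8, 1 << 9, 1 << 13
DR7_RESERVED_ONE = 1 << 10   # bit 10 always reads as 1, hence the 0x400 baseline


@dataclass
class HwBreakpoint:
    index: int      # 0..3: which of DR0..DR3 holds the address
    address: int
    kind: str       # execute / write / io / read-write
    length: int     # bytes covered
    scope: str      # "local", "global" or "local+global"


def decode_dr7(dr7: int, dr0_3: List[int]) -> Dict[str, object]:
    """Decode DR7 (plus the DR0..DR3 addresses) into the breakpoints it arms."""
    armed: List[HwBreakpoint] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # Ln bit
        glob = (dr7 >> (2 * i + 1)) & 1     # Gn bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11   # R/Wn field
        ln = (dr7 >> (18 + 4 * i)) & 0b11   # LENn field
        scope = "+".join(n for n, on in (("local", local), ("global", glob)) if on)
        armed.append(HwBreakpoint(i, dr0_3[i], RW_NAMES[rw], LEN_BYTES[ln], scope))
    return {
        "LE": bool(dr7 & DR7_LE),
        "GE": bool(dr7 & DR7_GE),
        "GD": bool(dr7 & DR7_GD),
        "breakpoints": armed,
    }


def classify_dr7(dr7: int, dr0_3: List[int]) -> str:
    """Label a DR7 value the way the ring-0 check in Method 10 would see it."""
    info = decode_dr7(dr7, dr0_3)
    if info["breakpoints"]:
        return "hardware breakpoints armed (BPM-style)"
    if info["LE"] and info["GE"]:
        return "LE+GE set: matches the 0x700 value the text attributes to the SoftICE loader"
    return "baseline (only reserved bit 10 set, i.e. 0x400)"


if __name__ == "__main__":
    # Constructed register snapshots, not real captures.
    samples = ((0x400, [0, 0, 0, 0]),
               (0x700, [0, 0, 0, 0]),
               (0xF0401, [0x401000, 0, 0, 0]))   # L0 on, R/W0=11, LEN0=11 (4-byte read/write)
    for dr7, regs in samples:
        print(f"DR7={dr7:#x}: {classify_dr7(dr7, regs)}")
        for bp in decode_dr7(dr7, regs)["breakpoints"]:
            print(f"  DR{bp.index}={bp.address:#x} {bp.kind} len={bp.length} ({bp.scope})")
```

Note that 0x700 is nothing more than 0x400 with the LE and GE bits added, so a check hard-coded to that constant says nothing about breakpoints; the DR0..DR3 enable bits are what actually reveal a BPM.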

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========


This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.


   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>