About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker query by changing al
    cmp     al,4                   ; al still 4 -> nobody answered, no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table (as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; swap our own dummy handler into the int 41h vector...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h             ; ...so a 0F386h reply can only come from a debugger
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                    ; dummy handler: leaves ax untouched
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler in the int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; al = timer counter byte (hard to predict)
    xor     cx,cx
    int     41h             ; if our handler ran, cl == al
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected ; somebody else (a debugger) handled int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, 01h                     ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

5 y9 p' ]$ Y3 Q+ I' FMethod 10
! v% e! W3 G% u. j0 v=========
# H" _/ J  N) j" j" z4 x6 A& _4 Y. d0 a5 b& z- F  j
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with% C! n% P- M1 L. y) |; v& S
  SoftICE while the option is enable!!
4 _' s+ g8 {: M/ h( Y3 e7 C: \, Y# r
This trick is very efficient:! [" H( Z1 I( F- N& q5 U
by checking the Debug Registers, you can detect if SoftICE is loaded+ v% m) A; o( O  U
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if  v( z6 u8 c7 N1 }. Y
there are some memory breakpoints set (dr0 to dr3) simply by reading their# ~7 l- B: Q; n! {
value (in ring0 only). Values can be manipulated and or changed as well) ^/ q/ y/ t& A0 n, w
(clearing BPMs for instance)% w- w  Q5 n6 n" t
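Added example, not from the original post: a DR7 decoder showing what the two values quoted above (0x700 and 0x400) actually encode (LE/GE enable bits plus the always-set reserved bit 10), with the post's heuristic applied to a constructed DR7/DR0-DR3 snapshot. The field layout is the standard x86 one; the register values are made up for the demo.

```python
# Added example, not from the original post: decode the x86 DR7 layout to see
# what the two values quoted above (0x700 and 0x400) encode, and apply the
# post's heuristic to a DR7/DR0-DR3 snapshot. Reading the debug registers
# needs ring 0; the snapshot values used here are constructed inputs.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                             # LENn field


def decode_dr7(dr7):
    """Split DR7 into its control flags and the enabled DR0-DR3 entries."""
    info = {
        "LE": bool(dr7 & 0x100),     # bit 8: local exact breakpoint enable
        "GE": bool(dr7 & 0x200),     # bit 9: global exact breakpoint enable
        "bit10": bool(dr7 & 0x400),  # reserved, always reads as 1 (hence 0x400)
        "GD": bool(dr7 & 0x2000),    # bit 13: general detect (traps MOV DRn)
        "breakpoints": [],
    }
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)      # Ln: bit 2n
        glob = bool((dr7 >> (2 * n + 1)) & 1)   # Gn: bit 2n+1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3      # R/Wn: bits 16+4n, 17+4n
            ln = (dr7 >> (18 + 4 * n)) & 3      # LENn: bits 18+4n, 19+4n
            info["breakpoints"].append(
                {"reg": n, "global": glob, "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return info


def softice_status(dr7, dr0_3=(0, 0, 0, 0)):
    """Post's heuristic: LE+GE set (0x700) -> started via the SoftICE loader;
    only bit 10 set (0x400) -> not. Any enabled DR0-DR3 entry is a BPM."""
    info = decode_dr7(dr7)
    return {
        "loaded_by_softice_loader": info["LE"] and info["GE"],
        "memory_breakpoints": [(bp["reg"], dr0_3[bp["reg"]], bp["kind"], bp["len"])
                               for bp in info["breakpoints"]],
    }


if __name__ == "__main__":
    # Constructed snapshot: the 0x700 case plus one 4-byte read/write BPM in DR0.
    print(decode_dr7(0x700))
    print(softice_status(0xF0702, (0x401000, 0, 0, 0)))
```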

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* MeltICE check for the Win9x driver: \\.\SICE can only be opened
   when the SICE VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
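Added example, not from the original post: a small static scanner that looks for the byte patterns of the code shown for methods 01, 02, 03/04, 05, 07 and 12, the driver names of method 11, and the 0F386h magic compare shared by 05/07/12, in a raw binary. The opcode encodings are assumed from the instruction forms listed above (16-bit code for the DOS methods, 32-bit for method 12) and the sample buffer is constructed from fragments of those listings.

```python
import re

# Added example (not part of the original post): byte signatures for the
# anti-SoftICE tricks described above, as regexes over raw bytes.
# Encodings assume the instruction forms shown in the post: 16-bit DOS code for
# methods 01-07 (the 66h prefix before mov ebp is left out of the pattern) and
# 32-bit Win32 code for method 12.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') -> BD 4B 48 43 42
    "01 BoundsChecker 'BCHK' int 3": rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h ; mov di,4A4Dh (int 3 back-door magic values)
    "02 int 3 back door (SI=4647h, DI=4A4Dh)": rb"\xBE\x47\x46\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "05 int 41h/4Fh debugger check": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h/43h debugger check": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch) ; call VxDCall
    "12 VxDCall VWIN32_Int41Dispatch/4Fh": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11 (MeltICE): driver names passed to CreateFileA / _lopen
    "11 MeltICE driver name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Weak corroborating pattern: cmp ax,0F386h (methods 05, 07 and 12 all
    # compare against this 'magic number')
    "F386h magic compare (weak, corroborates 05/07/12)": rb"\x3D\x86\xF3",
}


def scan(blob):
    """Return [(offset, signature name)] for every match in blob, by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample buffer (not a real file): fragments of the code listings
# from the post, separated by NOPs and filler text.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"MZ header text filler"
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"          # method 04
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"                  # method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # method 12
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"                        # method 11
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

The patterns are exact-byte signatures, so a protector that reorders the moves or builds the immediates at run time will slip past them; they are meant as a first triage pass before looking at the code by hand.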

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>