About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install temporary int 41h handler
    xchg    bx, es:[41h*4+2]        ; (old vector now in bx:dx)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; plain return: ax stays 4fh if no debugger answered
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; remember what al was on entry
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: an unpredictable value instead of 4fh
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler ran untouched -> cl == al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if a handle to the SoftICE (Win9x) driver "SICE" can be opened. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* driver answered: release the handle */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
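As an added example (not part of the original text), here is a Python triage scanner that flags the tricks catalogued above by byte and string signature, the kind of check an analyst runs over a sample before stepping into it. The byte patterns are my own encodings of the page's snippets (16-bit code for the int-based methods, 32-bit for the VxDCall push sequence), and the sample buffer is constructed:

```python
"""Flag anti-SoftICE tricks in a raw code/data buffer by signature.

Added example, not from the original text. The byte patterns encode the
literal instruction sequences shown above and will miss register-swapped
or re-ordered variants; the strings cover the MeltICE and registry checks."""
import re

# (name, regex over raw bytes, re flags). The `.{0,8}` gaps tolerate a few
# unrelated instructions between the halves of a trick, as in the
# Haspinst.exe listing where MOV DX,[BX] sits between MOV AX and MOV SI.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("m01_boundschecker_bchk", rb"\xBD\x4B\x48\x43\x42.{0,8}(?:\xCC|\xCD\x03)", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values ... int 3
    ("m02_backdoor_magic_si_di", rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}(?:\xCC|\xCD\x03)", re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("m03_m04_int2f_vxd_id", rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", 0),
    # Method 05: mov ax,4Fh / int 41h
    ("m05_int41_4f", rb"\xB8\x4F\x00\xCD\x41", 0),
    # Method 07: mov ah,43h / int 68h
    ("m07_int68_43", rb"\xB4\x43\xCD\x68", 0),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("m12_vxdcall_int41dispatch", rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00", 0),
    # Method 11 (MeltICE): \\.\SICE, \\.\SIWVID or \\.\NTICE device name
    ("m11_meltice_device_name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", re.IGNORECASE),
    # Method 13: the three registry paths listed above
    ("m13_softice_registry_key",
     rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
     rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))", re.IGNORECASE),
]


def scan(buf):
    """Return a sorted list of (offset, signature_name) for every hit in buf."""
    hits = []
    for name, pattern, flags in SIGNATURES:
        for m in re.finditer(pattern, buf, flags):
            hits.append((m.start(), name))
    return sorted(hits)


def tricks_found(buf):
    """Distinct trick names present in buf, in order of first occurrence."""
    seen = []
    for _, name in scan(buf):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample: a Haspinst-style backdoor call, an int 41h/4Fh check,
# an int 2Fh/1684h probe for VxD 0202h and two MeltICE device-name strings.
SAMPLE = (
    b"\xB8\x11\x09\x8B\x17"               # mov ax,0911h / mov dx,[bx]
    b"\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"   # mov si,4647h / mov di,4A4Dh / int 3
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # mov ax,4fh / int 41h / cmp ax,0F386h
    b"\x31\xFF\x8E\xC7"                   # xor di,di / mov es,di
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # mov ax,1684h / mov bx,0202h / int 2Fh
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"    # MeltICE device names
    b"\x90\x90\x90\x90"                   # filler
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```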