About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es is assumed to be 0 (IVT segment)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected



=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
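The interrupt-based checks in methods 01 to 07 all come down to a handful of fixed immediates (the 'BCHK' constant, the 4647h/4A4Dh magic values, the 1684h service with the 0202h/7A5Fh VxD IDs, 4Fh with 0F386h, 43h with int 68h), which makes them easy to spot statically when triaging a sample. The scanner below is an added example and not part of the original text: it matches the 16-bit encodings of those instruction sequences with a regex over raw bytes and reports the offset of every hit. The signature names, the gap size and the sample buffer are constructed for the example; the sample hand-assembles the Haspinst.exe loop from method 02 and the BCHK check from method 01.

```python
import re

# Byte patterns for the checks in methods 01-07. These are the 16-bit
# encodings of the instructions quoted in the text (mov r16,imm16 = B8+r imm16,
# int n = CD n, cmp ax,imm16 = 3D imm16). The BCHK pattern makes the 66h
# operand-size prefix optional so the same check is found in 32-bit code; the
# other patterns match their immediates whether or not a 66h prefix precedes
# them. Up to 16 unrelated bytes may sit between the instructions of one check
# (a constructed limit, large enough for the Haspinst.exe loop above).
GAP = rb".{0,16}?"

SIGNATURES = {
    # mov ebp,'BCHK' ... int 3
    "method01_bchk": rb"\x66?\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC",
    # mov si,4647h ... mov di,4A4Dh ... int 3
    "method02_backdoor": rb"\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A" + GAP + rb"\xCC",
    # mov ax,1684h ... mov bx,0202h ... int 2Fh
    "method03_int2f_sice": rb"\xB8\x84\x16" + GAP + rb"\xBB\x02\x02" + GAP + rb"\xCD\x2F",
    # mov ax,1684h ... mov bx,7A5Fh ... int 2Fh
    "method04_int2f_siwvid": rb"\xB8\x84\x16" + GAP + rb"\xBB\x5F\x7A" + GAP + rb"\xCD\x2F",
    # mov ax,4Fh ... int 41h ... cmp ax,0F386h
    "method05_int41_4f": rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41" + GAP + rb"\x3D\x86\xF3",
    # xchg dx,es:[41h*4] ... int 41h  (vector swapped around the call, methods 05/06)
    "method05_06_int41_hook": rb"\x26\x87\x16\x04\x01" + GAP + rb"\xCD\x41",
    # mov ah,43h ... int 68h
    "method07_int68": rb"\xB4\x43" + GAP + rb"\xCD\x68",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(code: bytes) -> list:
    """Return (offset, signature name) for every anti-SoftICE check found."""
    hits = []
    for name, pat in COMPILED.items():
        for m in pat.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample, not taken from any real file: the Haspinst.exe loop from
# method 02 (4C19:0095..00AD) hand-assembled, then the BCHK check from
# method 01, with NOP filler around them.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"              # mov ax,0911h
    + b"\x8B\x17"                  # mov dx,[bx]
    + b"\xBE\x47\x46"              # mov si,4647h
    + b"\xBF\x4D\x4A"              # mov di,4A4Dh
    + b"\xCC"                      # int 3
    + b"\x83\xC3\x02"              # add bx,2
    + b"\x41"                      # inc cx
    + b"\x83\xF9\x06"              # cmp cx,6
    + b"\x72\xEB"                  # jb 0095
    + b"\xE9\x55\xFF"              # jmp 0002
    + b"\x8B\xDC"                  # mov bx,sp
    + b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"  # mov ebp,4243484Bh ('BCHK')
    + b"\xB8\x04\x00"              # mov ax,4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al,4
    + b"\x75\x00"                  # jnz SoftICE_Detected (target not encoded)
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Feed `scan()` the code section of a DOS or Win9x executable (or the whole file) and every hit gives an offset to set a breakpoint on; a hit only says the constants are present, so confirm by tracing, since data or an unrelated instruction stream can contain the same bytes by chance.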
__________________________________________________________________________

Method 08
=========


It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
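The dr7 values quoted above (0x700 and 0x400) are easier to reason about once DR7 is split into its fields. The decoder below is an added example, not from the original text: it breaks a DR7 value into the LE/GE/GD flags and the enabled DR0-DR3 slots with their condition and length, applies the heuristic the text describes, and shows the "clearing BPMs" manipulation as a mask. The function names and the sample values are constructed for the example; the bit layout is the standard x86 one (Intel SDM vol. 3A, "Debug Registers").

```python
# DR7 bit layout (Intel SDM vol. 3A): L0/G0..L3/G3 are bits 0-7, LE is bit 8,
# GE is bit 9, bit 10 is reserved and always reads 1, GD is bit 13, and
# R/Wn / LENn are 2-bit fields starting at bit 16 + 4n and 18 + 4n.
# With that layout the values from method 10 decode as:
#   0x400 = only the always-set bit 10 (nothing armed, LE/GE clear)
#   0x700 = bit 10 plus LE and GE (what the SoftICE loader leaves behind)
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7: int) -> dict:
    """Break a DR7 value into its control flags and the armed DR0-DR3 slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # Ln
        glob = (dr7 >> (2 * i + 1)) & 1     # Gn
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 0b11   # R/Wn
            ln = (dr7 >> (18 + 4 * i)) & 0b11   # LENn
            slots.append({
                "slot": i, "local": bool(local), "global": bool(glob),
                "kind": RW_KIND[rw], "length": LEN_BYTES[ln],
            })
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "breakpoints": slots,
    }


def classify_dr7(dr7: int) -> str:
    """Apply the heuristic from method 10 to a DR7 value read in ring 0."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoints armed (BPM-style)"
    if info["LE"] and info["GE"]:
        return "dr7=0x700 pattern: loaded through the SoftICE loader"
    return "no debugger indicators in DR7"


def clear_breakpoints(dr7: int) -> int:
    """Return DR7 with every L/G enable bit and every R/W and LEN field
    cleared (the 'clearing BPMs' manipulation the text mentions); bits 8-15,
    including LE/GE and the reserved bit 10, are preserved."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    # Constructed sample values: the two quoted in the text plus one with a
    # 1-byte read/write breakpoint armed in slot 0 (L0 set, R/W0 = 11).
    for value in (0x400, 0x700, 0x30401):
        print(f"dr7={value:#x}: {classify_dr7(value)}  {decode_dr7(value)['breakpoints']}")
    print(f"after clearing: {clear_breakpoints(0x30401):#x}")
```

Reading DR7 is a privileged operation, so this decoder is meant for values captured from a ring 0 component or from a debugger's register view; the heuristic is exactly as weak as the text implies, since any other kernel debugger or a user-mode BPM leaves the same fingerprints.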

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):


#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

0 _$ t5 ?  }& S$ u, w' z   push  0000004fh         ; function 4fh  B! k" Y( T8 P$ l
   push  002a002ah         ; high word specifies which VxD (VWIN32)
, K5 E# E) N; T5 ~8 l                           ; low word specifies which service
1 N/ p! k) {8 _9 j8 e: R                             (VWIN32_Int41Dispatch)( ?1 B* H0 w2 p! x& P+ j
   call  Kernel32!ORD_001  ; VxdCall
: u2 y; T' b8 G5 k! Z) w+ e2 f# M: D   cmp   ax, 0f386h        ; magic number returned by system debuggers" b! \: [: O4 B5 Z% b! O1 X7 p
   jz    SoftICE_detected* ~! z& |* q3 j+ G& ?# N& W

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
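Methods 11 and 13 both leave string artifacts in the binary: the `\\.\SICE`-style device names handed to CreateFileA or _lopen, and the registry paths probed for an installation. Those strings are what a string search or a YARA rule keys on before any breakpoint is set. The scanner below is an added example and not part of the original text: it searches a byte blob for the device names and registry keys listed above in both ANSI and UTF-16LE form (the A and W flavours of the APIs), case-insensitively, and reports which of the two methods the hits indicate. The function names and the sample blob are constructed for the example.

```python
import re

# Strings from methods 11 and 13: device names opened by MeltICE-style checks
# and the registry keys (without the HKEY_LOCAL_MACHINE prefix) probed to
# locate an installation.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def _needles(text: str):
    # Both the ANSI form (CreateFileA, _lopen, RegOpenKeyA) and the UTF-16LE
    # form (the W variants) are searched. Matching is case-insensitive because
    # device names and registry paths are case-insensitive on Windows; with a
    # bytes pattern IGNORECASE folds ASCII letters only, which is all these
    # strings contain.
    yield "ascii", re.compile(re.escape(text.encode("ascii")), re.IGNORECASE)
    yield "utf-16le", re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE)


def find_artifacts(blob: bytes) -> list:
    """Return every device-name or registry-key hit, sorted by offset."""
    hits = []
    for kind, names in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for name in names:
            for enc, pat in _needles(name):
                for m in pat.finditer(blob):
                    hits.append({"offset": m.start(), "kind": kind,
                                 "name": name, "encoding": enc})
    return sorted(hits, key=lambda h: h["offset"])


def methods_indicated(blob: bytes) -> set:
    """Map the artifact kinds found to the methods of the text they belong to."""
    kinds = {h["kind"] for h in find_artifacts(blob)}
    tags = set()
    if "device" in kinds:
        tags.add("method11_meltice")
    if "registry" in kinds:
        tags.add("method13_registry")
    return tags


# Constructed sample blob, not a real executable: an MZ header stub, the ANSI
# '\\.\SICE' string as in the _lopen snippet, a wide '\\.\NTICE' string and
# registry key #2 from method 13.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 4
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
    + b"trailing data"
)

if __name__ == "__main__":
    for h in find_artifacts(SAMPLE):
        print(f"{h['offset']:#06x}  {h['kind']:8}  {h['encoding']:8}  {h['name']}")
    print(sorted(methods_indicated(SAMPLE)))
```

The offsets are the place to look for the code that references the string (the `mov eax,[00656634]` in the AZPR snippet above loads exactly such a pointer), and the encoding tells you whether to set the breakpoint on the A or the W variant of the API.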

__________________________________________________________________________

Method 14
=========


A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>