About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h                  ; DOS set interrupt vector
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.