About anti-SoftICE tricks

Posted 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE handles: with
'BCHK' in EBP and AX=4, SoftICE's int 3 handler returns AL=0, while a
plain int 3 leaves AL unchanged.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers by zeroing AL
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'Back Door commands': an int 3 interface that gives info on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own int 03h handler
  (an SEH of sorts) when the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): ES:DI is left at 0:0 when the VxD is not
loaded, and points to its API entry otherwise.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The program first puts its own IRET
handler into the int 41h vector, so that without a debugger the call
returns with AX untouched (and cannot crash on an unset vector); a system
debugger sitting in front of the vector table still answers 0F386h:

    xor     ax,ax
    mov     es,ax            ; ES = 0, the real-mode IVT (the original
                             ; listing assumes ES is already 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]   ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]   ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect,
since it never puts 4Fh in AX nor looks for 0F386h: it reads a changing
byte from the timer (port 40h), raises int 41h, and checks whether its
own handler ran (CL==AL).  If a system debugger intercepts int 41h and
does not pass it down to the V86 vector, the handler is never reached and
CL stays 0.  (If the timer byte happens to be 0, the check misses.)


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random byte from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system: it intercepts int 01h and int 03h and redirects them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number  ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h             ; DS:DX = new handler

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the Debug Registers (ring0 only), you can detect whether SoftICE
is loaded (dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints (BPM) are set (dr0 to dr3).
The values can be manipulated or changed as well (clearing BPMs, for
instance).
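
The two checks above (the dr7 value and the BPM state) decoded in C, as an
added example that is not part of the original write-up. Reading DR7 itself
needs ring 0 (mov eax,dr7); this code only decodes a value obtained that
way. Bit positions follow the Intel SDM; that 0x700 (LE and GE set on top
of the always-set reserved bit 10) means "started from the SoftICE loader"
and 0x400 means "not" is the page's claim. The sample values and the
function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

#define DR7_LE       (1u << 8)    /* local exact breakpoint enable        */
#define DR7_GE       (1u << 9)    /* global exact breakpoint enable       */
#define DR7_RESERVED (1u << 10)   /* architecturally reserved, reads as 1 */

struct dr7_bp {
    int      enabled;  /* L<n> or G<n> set                         */
    int      global;   /* G<n> set                                 */
    unsigned rw;       /* 0 exec, 1 write, 3 read/write (2 = I/O)  */
    unsigned len;      /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes     */
};

struct dr7_info {
    int           le_ge_set;  /* LE and GE both set: the 0x700 case   */
    int           armed;      /* number of DR0..DR3 breakpoints enabled */
    struct dr7_bp bp[4];
};

/* Decode a DR7 value (bit layout per Intel SDM vol. 3, "Debug Registers"). */
struct dr7_info dr7_decode(uint32_t dr7)
{
    struct dr7_info info = {0};
    for (int n = 0; n < 4; n++) {
        int local  = (dr7 >> (2 * n))     & 1;
        int global = (dr7 >> (2 * n + 1)) & 1;
        info.bp[n].enabled = local || global;
        info.bp[n].global  = global;
        info.bp[n].rw      = (dr7 >> (16 + 4 * n)) & 3;
        info.bp[n].len     = (dr7 >> (18 + 4 * n)) & 3;
        if (info.bp[n].enabled)
            info.armed++;
    }
    info.le_ge_set = (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
    return info;
}

/* Method 10, first test: 0x700 = reserved|GE|LE versus 0x400 = reserved only. */
int softice_loader_signature(uint32_t dr7)
{
    return dr7_decode(dr7).le_ge_set;
}

/* Method 10, second test: how many BPMs are armed in DR0..DR3. */
int bpm_count(uint32_t dr7)
{
    return dr7_decode(dr7).armed;
}

/* R/W field of breakpoint n (3 = read/write, i.e. what a BPM RW needs). */
unsigned bpm_rw(uint32_t dr7, int n)
{
    struct dr7_info i = dr7_decode(dr7);
    return i.bp[n & 3].rw;
}

/* What a protector that "clears BPMs" writes back: drop every L/G enable
 * and every R/W-LEN field, keep bits 8..15 (LE, GE, GD, reserved). */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return (dr7 & 0x0000FF00u) | DR7_RESERVED;
}

static void dump(uint32_t dr7)
{
    struct dr7_info i = dr7_decode(dr7);
    printf("dr7=%08x loader-signature=%d armed=%d\n",
           (unsigned)dr7, i.le_ge_set, i.armed);
    for (int n = 0; n < 4; n++)
        if (i.bp[n].enabled)
            printf("  DR%d: %s rw=%u len=%u\n", n,
                   i.bp[n].global ? "global" : "local", i.bp[n].rw, i.bp[n].len);
}

int main(void)
{
    /* Constructed sample values: the two from the page, plus one with a
     * global 4-byte read/write breakpoint on DR0 (the encoding a BPM RW
     * of dword size needs). */
    uint32_t samples[] = { 0x700u, 0x400u, 0x000F0703u };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        dump(samples[k]);
    printf("after clearing BPMs: %08x\n", (unsigned)dr7_clear_bpm(0x000F0703u));
    return 0;
}
```

The decoder also makes the page's warning concrete: a protector that
writes dr7_clear_bpm() back to DR7 silently disarms every BPM you had set,
which is why you should clear them yourself before stepping through such
code.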

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name the SICE VxD answers to; the open
      only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" in
     keys #2 and #1 respectively; key #3 is not caught by this one)
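
The breakpoint conditions of Method 11 (BPX CreateFileA) and Method 13
(BPX _regopenkey) re-implemented in plain C over constructed inputs, as an
added example that is not part of the original write-up. It shows what
*(esp->4+4)=='SICE' and *(esp->8+0x13)=='tICE' actually compare, and how
the offsets 4, 0x13 and 0x37 follow from the strings given above; the
function names are mine, and lpFileName/lpSubKey stand for the first and
second stack arguments the BPX expressions dereference.

```c
#include <stdio.h>
#include <string.h>

/* SoftICE's *(p)=='SICE' reads the dword at p and compares its four bytes,
 * in memory order, with the characters of the literal.  The strlen guard is
 * added so this never reads past a C string; SoftICE itself just reads. */
static int dword_at_is(const char *s, size_t off, const char tag[4])
{
    return strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is the first argument (lpFileName); +4 skips the "\\.\" prefix. */
int meltice_createfile_cond(const char *lpFileName)
{
    return dword_at_is(lpFileName, 4, "SICE")
        || dword_at_is(lpFileName, 4, "SIWV")
        || dword_at_is(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is the second argument (lpSubKey, the path below the hive). */
int registry_probe_cond(const char *lpSubKey)
{
    return dword_at_is(lpSubKey, 0x13, "tICE")
        || dword_at_is(lpSubKey, 0x37, "tICE");
}

/* Offset of a 4-byte tag inside s, or -1: this is how +0x13 and +0x37 fall
 * out of the two registry paths, and how to derive the offset for any other
 * string a protector passes (to add a clause to the BPX). */
long tag_offset(const char *s, const char tag[4])
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(s + i, tag, 4) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    /* Constructed inputs: the three device names from Method 11, a harmless
     * one, and the three registry keys from Method 13. */
    const char *devices[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\COM1" };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++)
        printf("CreateFileA(\"%s\") breaks: %d\n",
               devices[i], meltice_createfile_cond(devices[i]));
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") breaks: %d  ('tICE' at %ld)\n",
               keys[i], registry_probe_cond(keys[i]), tag_offset(keys[i], "tICE"));
    return 0;
}
```

Two things worth noticing when you run it: comparing 'tICE' rather than
'Soft' is what keeps the breakpoint from firing on every other "Soft..."
key a program opens, and key #3 (App Paths\Loader32.Exe) contains no
"tICE" at all, so a program that only reads that key slips past this BPX
unless you add a clause derived with tag_offset().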

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed      ; ZF set when no debugger is installed

This service just checks a flag.