找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
0 @. |7 e8 r' G<TBODY>+ K+ \6 o! |: x
<TR>! z4 a) u+ K: K7 ^$ R
<TD><PRE>Method 01 ) B; k$ W- S2 b" c) c: `
=========
& y3 m1 s/ I0 T" J, c8 |! K
2 q$ X6 E9 F+ ?& r3 PThis method of detection of SoftICE (as well as the following one) is  F: c( B7 x7 @; z" M8 ^' Z8 u5 ^
used by the majority of packers/encryptors found on Internet.
2 Y1 P0 G) ~, uIt seeks the signature of BoundsChecker in SoftICE
1 }0 J1 i" w' t# @# |5 N; ^, k2 Q. b) u& ]3 V
    mov     ebp, 04243484Bh        ; 'BCHK'
$ f* A6 L4 Y, L" J2 m  K& F) f    mov     ax, 04h0 f0 S# I. I7 F& d7 M  d$ j
    int     3      
7 J) Y, V3 W3 C" ^    cmp     al,42 t; v: q- u9 f9 f$ w3 c' _
    jnz     SoftICE_Detected7 u+ y5 r4 k/ b* h$ k6 b/ R  j7 ^/ [

7 f3 o  ^: x" q9 M___________________________________________________________________________
1 ^6 }" R' @( j4 p/ |6 L' M2 f: r* e$ u+ [( b* r! |/ q0 [4 U
Method 02
0 I* f( r# q* C3 _7 N% C4 f  v8 h=========
. V) t, a0 `+ V( m5 ^$ T" z0 f% R1 t% m) i" ]; l
Still a method very much used (perhaps the most frequent one).  It is used5 N" F$ _: g0 T+ j& s8 o
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,# N, R- I5 g* q4 i9 G' x) H
or execute SoftICE commands...
3 ]$ ^. k0 ?+ U, _2 AIt is also used to crash SoftICE and to force it to execute any commands
1 ?  d+ `6 G1 G6 C8 T4 e. a  u& t(HBOOT...) :-((  ! Z1 y- Y. d+ b

6 Q; C0 N2 m6 N! q: [Here is a quick description:2 F  o9 w9 G! W$ t: P7 d2 g
-AX = 0910h   (Display string in SIce windows)5 I: n- C( }  w$ D1 N# S- \  b9 B
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
9 i0 |/ C/ T. S-AX = 0912h   (Get breakpoint infos)
# f3 e4 z9 y, G; w, w2 _- j-AX = 0913h   (Set Sice breakpoints)
+ k! Q  f& q$ C-AX = 0914h   (Remove SIce breakoints)
# {( f$ W$ t/ o! @* M6 F' ~3 q% e% |* {+ F! J
Each time you'll meet this trick, you'll see:
/ u7 d6 x3 V  I. s-SI = 4647h  C- Z3 V1 E8 d0 _5 f- i  C
-DI = 4A4Dh8 v1 `( ^. s& V# M
Which are the 'magic values' used by SoftIce./ c7 X9 Y' p2 ^  I
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.9 R2 E* h- l; @! @* m$ Q  y

( v; L# i  E! e5 h/ b# fHere is one example from the file "Haspinst.exe" which is the dongle HASP
# \: t' H# `- k' aEnvelope utility use to protect DOS applications:$ t* r* E/ a( ~' |! D$ g
3 n9 _. \" Z. W0 S* @$ I
! H" L3 @5 `/ z0 d( i5 t& z
4C19:0095   MOV    AX,0911  ; execute command./ F4 ]; @7 S2 _1 n1 X2 t; f1 X
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below)., T- Z# l3 U" D( [3 d5 a9 S& }
4C19:009A   MOV    SI,4647  ; 1st magic value.
' v3 U; \  h9 c+ h1 y) B( q4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
8 |+ R6 B5 O3 q  @2 {4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
* U( [( [& A* t4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
3 H. i/ }* o% }4 d7 v5 G4C19:00A4   INC    CX
: S, W9 e, n, a. F6 n6 C$ q4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
9 ?1 B9 ]' x0 u0 x) ~4C19:00A8   JB     0095     ; 6 different commands.' r9 A0 @, K; \3 l$ p
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
$ d* [5 F3 V) m2 G0 y( k+ W+ h4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
/ q: `7 t; g) F
! R% @% V- `1 |- wThe program will execute 6 different SIce commands located at ds:dx, which
5 T; G+ g3 D) U3 U+ W! lare: LDT, IDT, GDT, TSS, RS, and ...HBOOT., B/ T9 G- O4 E: I9 ^
; Z7 j0 k2 y) ~) V1 U7 ~
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
5 C5 r. ]7 `. |, [1 L8 w& ?___________________________________________________________________________* T5 m1 ?7 T" m0 ]
6 J: p; m' T- Z; K

$ j" d' d. s9 p  S9 i7 lMethod 03
( ?) G* s& a0 f+ H=========! o  i# h6 z$ a: r: T/ {
1 C, y  ?! ?1 j
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
) }( F7 l, z- V" o) A, x- n& X! B4 f(API Get entry point)9 i: ?0 a6 H: C- F
        
# N" @6 L& S5 ]) j; X) K0 V# N1 f5 z- Q7 q2 C1 A% z8 v
    xor     di,di/ d. x" d& M% |7 y* c
    mov     es,di
  U/ f; K8 d/ Q5 x    mov     ax, 1684h       1 J% B6 {6 d# Q2 ]
    mov     bx, 0202h       ; VxD ID of winice1 o9 H( c7 ?1 d1 v3 z
    int     2Fh8 j$ |4 T- r9 v  ]* a7 H
    mov     ax, es          ; ES:DI -&gt; VxD API entry point# r1 [" g# M* P9 J8 G7 v" I+ \
    add     ax, di! P( x' [3 V/ M5 B( ^' u' t2 k* ?/ e5 m
    test    ax,ax
) N$ [! r9 u4 Q, a' k    jnz     SoftICE_Detected. Z7 A6 {* u7 X* N( G) D* ~

3 g& H* l# W  {___________________________________________________________________________
- w$ F, [' t/ T5 U
! q4 k$ V7 P) w3 Z0 p- `  A  kMethod 04
5 W/ V1 b6 l/ f$ v9 a, `- W/ h=========
& l( P2 j! d) [5 L1 p- \# F
: q& A7 ?" v2 oMethod identical to the preceding one except that it seeks the ID of SoftICE6 c2 ?" `$ N1 G0 \
GFX VxD.
- d8 U- Z4 K% @+ k( u1 Y  ~5 [6 i
5 i) _' K3 h9 m; p# I# @    xor     di,di
4 F/ q" r+ Q. ]2 M# b( L. ^    mov     es,di
% @7 s- I* q# p3 q. z! H    mov     ax, 1684h      
( ^0 k6 @$ i( E. `6 N  w    mov     bx, 7a5Fh       ; VxD ID of SIWVID
3 W8 z/ W! x: X7 S- ^    int     2fh
7 t! A$ k2 d2 E, H    mov     ax, es          ; ES:DI -&gt; VxD API entry point
9 _/ P# y1 o' {) `    add     ax, di
4 q5 E; \/ w  v5 b! R+ R' c. F& }    test    ax,ax3 u* T: |0 x% z+ Q& J- [0 r
    jnz     SoftICE_Detected
9 G6 U/ Y! ^/ E+ B: c% V' e" c0 P1 T2 O0 b/ G  T& L
__________________________________________________________________________
9 y- K2 ?5 d& F3 Q8 R4 m  W8 v; N9 `+ e5 I( F1 M
9 ^- N$ t5 N+ H7 l& B
Method 058 E1 D- x5 u) _8 Q* t
=========+ c: H1 k: A4 \% }1 q' U! Y( x
+ P# I) h8 Y$ n( [
Method seeking the 'magic number' 0F386h returned (in ax) by all system
$ W4 [) L8 k+ S4 {# e3 n' Wdebugger. It calls the int 41h, function 4Fh.
( m% c" v; C- E& w! zThere are several alternatives.  % E/ a/ S" u" ]

1 Z' G) K* K4 ^4 f# ], WThe following one is the simplest:
' b* [; g7 v" P' n6 K
+ }/ f7 }7 j3 M% }/ t% L5 B    mov     ax,4fh9 f. D  b. |/ a0 W9 I# |
    int     41h
& Y6 C9 ~! [- O" t$ D! S$ j    cmp     ax, 0F386
( h% q' L# F& o$ I9 P& m8 E8 D  q    jz      SoftICE_detected
# ]: i1 y# D7 I# z, @4 p
" h! `- L3 k( g/ [/ H
% h  N: j0 \- ^; c7 Z% J2 S+ R& ANext method as well as the following one are 2 examples from Stone's
% t  k$ T/ |& T"stn-wid.zip" (www.cracking.net):
5 n& i" B% r" W0 t/ G
% P4 {) N/ D1 P9 ^2 S6 b' I    mov     bx, cs
5 p, H4 ]& n  K8 e# ^    lea     dx, int41handler2  G, i% w# ?3 V  C. o! m
    xchg    dx, es:[41h*4]' S; m; S+ P/ g' v; q/ [; Q6 c
    xchg    bx, es:[41h*4+2]8 l, K( V. x! \- S
    mov     ax,4fh( _6 J- h  ~/ Y) S
    int     41h
, Z/ p3 y$ |6 r: v    xchg    dx, es:[41h*4]0 P( G7 Y# x9 Y1 {3 w0 ]
    xchg    bx, es:[41h*4+2]
3 X0 Z3 y' o+ g! I4 h    cmp     ax, 0f386h
  e$ V7 W5 S7 V$ F/ U: K5 x& C    jz      SoftICE_detected
2 V" \8 o7 h% T! ]1 u2 |4 ?1 a! @5 _: y1 j3 J
int41handler2 PROC8 g# w. l; Z2 a) B  @1 f) s
    iret
; }1 o  ?% O  j0 nint41handler2 ENDP
7 U. u5 a5 T: n' {8 q% v
/ B0 l" K! b5 s: Z/ q+ {4 Q7 o" m  F1 S' ^+ n; k) D/ A* M
_________________________________________________________________________5 K3 A2 c% w% u

# S" [3 |; r- ]( H3 |) U
# ~* ^- W6 y$ p0 x* jMethod 06/ S* {% F: G5 G/ x& w2 B
=========
  T; F: W! b' }, Y. h: S
2 N9 g0 g, e2 V7 h( q# @' X! W( A# R. D6 H' {* K- `
2nd method similar to the preceding one but more difficult to detect:  m, S4 t# n  e9 ], ^
1 n% N6 @* ~( ?: Q$ G" F! u  m

' P3 M5 S1 m0 x. I2 Lint41handler PROC! r( c- D; G9 `$ x0 b
    mov     cl,al; s" @  o: {* `. E8 ~+ e
    iret5 |$ R8 \0 R& ]; i- S7 X
int41handler ENDP
7 L! u+ n1 t5 E/ Q+ C% q$ T( f
0 M! R* ]! o: h- O4 D# g) J2 P+ a! }+ \$ q5 a3 Q7 F5 q/ W; |
    xor     ax,ax7 g; A4 ?7 M# w8 S
    mov     es,ax
4 e; V& t$ N- Z3 h% G    mov     bx, cs
) i$ Z- {. y' J( G' \    lea     dx, int41handler
7 m- R$ T6 v3 W* m" S    xchg    dx, es:[41h*4]
) @- p0 P( l* N2 Z8 V0 W    xchg    bx, es:[41h*4+2]
, K% G1 u& Z9 O1 m9 x+ o( m    in      al, 40h
$ c+ Z  x7 W8 N% e& @. t( Q2 B" K    xor     cx,cx
( \1 n$ \1 }$ _" F/ Q/ m    int     41h$ T  }( |# i0 X
    xchg    dx, es:[41h*4]8 T% v4 Z% d% _- ~
    xchg    bx, es:[41h*4+2]2 p3 q; i& m% [7 E  r; F+ X$ o1 g
    cmp     cl,al
) i' O+ X; |1 k# k5 _' J    jnz     SoftICE_detected! ~& z* a. w' _* r2 Z9 X
; l+ G- A% a7 ^5 I/ W
_________________________________________________________________________
0 x' J  r  _& c/ ~* [
0 E* j1 H' h; t+ H. ~6 K$ J9 S/ sMethod 07
' K0 N9 q) ]0 Y* |9 Q4 v$ x/ I, M" s=========1 B+ [8 a) j3 \" }% _+ B

5 |: P7 K  ?1 @- T$ @3 q+ D% Q7 bMethod of detection of the WinICE handler in the int68h (V86)
" s! o* F9 r+ g8 \7 P. t* m
- S) [. R7 X" G9 k& {4 m" O    mov     ah,43h% R& x# R4 H4 y; H9 U
    int     68h8 X2 E* Q2 U4 m
    cmp     ax,0F386h
7 h5 q6 w! H8 I0 W    jz      SoftICE_Detected8 p: x4 d. U, u; g3 N

. h& Z9 Y) z1 u) _6 p$ _
5 D$ @" d% O% I/ ?# o=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit4 g' O5 a4 W' ]) m
   app like this:- B; C4 n2 r4 k5 \6 F6 V
3 e4 L& ^% M8 V0 F
   BPX exec_int if ax==68
: z. u6 t5 z, E: e( W. {5 W, o! m   (function called is located at byte ptr [ebp+1Dh] and client eip is
& s" N, a) z/ O8 T, Q8 d   located at [ebp+48h] for 32Bit apps)
0 U; d1 {! \2 @6 ]# K, [__________________________________________________________________________
+ R; j8 v1 q7 g9 y" U
' n0 _. S  R9 p4 s9 l1 I/ B( H0 P9 P$ l+ Z+ ], L& K& X  @3 J
Method 08
9 J/ o5 R5 @$ n9 _. j& f=========
: J* O: B, o/ G) Z# M' I+ d. t1 d; m+ J) u- w* f" F8 k. _
It is not a method of detection of SoftICE but a possibility to crash the! I1 d2 ?% j* C' G1 R
system by intercepting int 01h and int 03h and redirecting them to another
5 f/ P6 X( W5 }; iroutine." Z/ B  z" o: _* a# p, N7 x
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
: O- U% k& n2 a7 `- Vto the new routine to execute (hangs computer...), [/ r7 y1 r7 x% r9 M) l+ z1 d

9 ?" k8 ]6 r( m% X, [    mov     ah, 25h7 \; O' d) P4 s; `$ j9 a
    mov     al, Int_Number (01h or 03h)
4 M: `1 w  P5 Z% O9 i    mov     dx, offset New_Int_Routine( v! C( d. @0 @' _
    int     21h
" z1 J) q% a0 I" O0 f& _  q1 b% Z* M. }9 u. u
__________________________________________________________________________
; o2 _: X: r$ g* u& p/ V, I1 h2 Y+ f$ e' S7 p8 F
Method 09
* o5 f8 ]7 s3 c% q1 l4 H, V=========
( E* n- n$ ^% b2 L1 q3 M
3 j/ N: Q8 D" _+ \5 [This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
# {$ U: v, T, {& i' i( {' @; vperformed in ring0 (VxD or a ring3 app using the VxdCall).6 ?0 e! x* K. ^
The Get_DDB service is used to determine whether or not a VxD is installed
+ x2 s& e  M+ d5 p: t3 l$ W0 B5 Y; rfor the specified device and returns a Device Description Block (in ecx) for
) h- Q& R, s4 Z8 ?* z, q% v* G: Cthat device if it is installed.5 s$ _8 W% x. n" I
' _' N. x) U" u- m% k. Q( r
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID/ Z" w/ N0 L& L+ e$ M% M
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)) o9 f% o3 B5 g3 F0 j& B6 s! Z) }2 n9 d
   VMMCall Get_DDB
8 V8 t0 j9 {/ x( u* _$ r: g' o   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed$ @4 V* _  k0 s1 c/ H
4 ?: c3 S: {% k
Note as well that you can easily detect this method with SoftICE:
9 @6 }) B% O$ J9 b! m4 x( _' G   bpx Get_DDB if ax==0202 || ax==7a5fh& o1 o$ a: W, F0 o
) r9 [3 m, Q* @7 I& P- {
__________________________________________________________________________8 ]. i! W. ]' `) v. g2 v+ ?  m/ K

; H1 d1 w4 T2 [$ s% w  U# PMethod 102 T; B: e  ?- U& M, z1 ]3 x
=========
8 @% F  a, C/ u9 a$ q0 E
; \3 e# P; [  N  J=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with& g$ I3 C) a$ n* l6 }
  SoftICE while the option is enable!!, e  m$ `3 {; G! i

6 A/ K( G  t! A- v3 p- o5 AThis trick is very efficient:9 R' j0 I, W7 |# A: U- E4 e. |
by checking the Debug Registers, you can detect if SoftICE is loaded& B, b( x9 k0 v2 n/ X
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
; _% W9 x$ ~  t0 Xthere are some memory breakpoints set (dr0 to dr3) simply by reading their
* w$ l0 E" m1 V) Q& q" m: nvalue (in ring0 only). Values can be manipulated and or changed as well6 t- e( V0 N: Y' R
(clearing BPMs for instance)
. x) F, a! ?% c4 M8 D; a. H- o
__________________________________________________________________________
* j6 ^- N; e- ?: s/ t4 S
% h  N- {2 a# n1 r7 b+ U+ F1 fMethod 11
$ k6 B( S! L1 s! d: S$ b=========1 U! V5 u& C- y

' n0 P# g9 p8 ^% LThis method is most known as 'MeltICE' because it has been freely distributed
: s! W' Q# f: F* X  d4 Hvia www.winfiles.com. However it was first used by NuMega people to allow
9 Z- e# ^! x6 ESymbol Loader to check if SoftICE was active or not (the code is located. d0 b# \4 h- B2 y& ?  q- C
inside nmtrans.dll).
4 {$ j  k5 s$ \
% M- J' ?  s; {3 x9 O3 h6 lThe way it works is very simple:
* j' g1 P  o/ J6 y" rIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
, v' E! `- L6 n: {! ~) X5 ~$ GWinNT) with the CreateFileA API.1 A9 N* B) h, R9 l# G0 N3 g! N

1 e/ {* S/ h$ ]; b0 m& G+ m! S# f5 _Here is a sample (checking for 'SICE'):
2 }) Q: u+ H* i; @/ Z( d8 N: x, Y. M4 ~8 O/ D
BOOL IsSoftIce95Loaded()! C( X+ {3 p# U2 E
{
4 @0 A5 T+ p$ G/ V0 H5 {   HANDLE hFile;  
* P1 Z' o* F0 q# \   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,7 ^. J0 c4 h+ L9 n1 F# s) P- \
                      FILE_SHARE_READ | FILE_SHARE_WRITE,9 M3 A  O( a: v1 a* c& e
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; h& D/ ~5 P0 u) u& Y
   if( hFile != INVALID_HANDLE_VALUE ): |# C. }6 ^) p( H% _% r
   {0 u7 O, R) A1 I  J0 F
      CloseHandle(hFile);
- Y; m; X4 |' S      return TRUE;. s0 d2 w/ K3 o9 \" e& |
   }0 P! L/ N/ z. ^+ d
   return FALSE;" b& d9 [" ?- y
}8 U* L4 ^! z* d3 r+ a
9 W6 s. ]$ K; B
Although this trick calls the CreateFileA function, don't even expect to be
7 p) h  i+ I* K% k0 ^0 eable to intercept it by installing a IFS hook: it will not work, no way!6 R( Y! n& ~" b& O. @  Y0 c; ?" M
In fact, after the call to CreateFileA it will get through VWIN32 0x001F3 _% g' v8 I! ~
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
, X! ~9 F. S; e1 S0 Y8 v- P2 [; zand then browse the DDB list until it find the VxD and its DDB_Control_Proc
5 n% S; k6 i. Mfield.' b- ?' O+ m* k: G- M$ g9 I7 g; n
In fact, its purpose is not to load/unload VxDs but only to send a 3 `; \; v5 i1 p1 }! o0 u
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
9 T- Z: T2 |  y% _0 P8 m& jto the VxD Control_Dispatch proc (how the hell a shareware soft could try
: {& I4 v  I# [, h" Ito load/unload a non-dynamically loadable driver such as SoftICE ;-).
! ^$ }5 q  K" V9 P! O! B( U  y( W: w# ZIf the VxD is loaded, it will always clear eax and the Carry flag to allow) v4 m' w& ?3 m" X" x* o+ c
its handle to be opened and then, will be detected.
4 K4 ~1 {* T2 [6 `You can check that simply by hooking Winice.exe control proc entry point
* B/ u5 I1 L8 s; Fwhile running MeltICE., a- Q# M0 i5 E. Z
, w7 u! a  f/ t3 {' Y+ J

/ Z5 t0 \/ P* r  c  00401067:  push      00402025    ; \\.\SICE( t  d: B% s+ ?
  0040106C:  call      CreateFileA
$ F/ _% A  Y" S9 H7 L" I  00401071:  cmp       eax,-0019 C" C, F( o0 l9 a5 b
  00401074:  je        00401091/ @1 I+ T0 E* o2 w

4 r2 J& L3 k3 D/ z# d
: r3 T2 l5 y0 Q0 XThere could be hundreds of BPX you could use to detect this trick.- H+ J& m# I& y/ A" h
-The most classical one is:, N' H/ L! }; r  q" U& O
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
( C3 u0 R3 ]# `    *(esp-&gt;4+4)=='NTIC'* v2 o7 @6 i/ s4 h

( N6 J+ U+ D8 m, O2 ~# ]-The most exotic ones (could be very slooooow :-(
1 D4 [# ]- ]9 U0 n+ w/ e   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  " `# p% U$ T3 E; K6 s  a
     ;will break 3 times :-(  C2 D8 L" ^+ z# J) K" T! W
; f/ Q0 p& ]" D- b, O
-or (a bit) faster: 1 R" r' z8 k9 q1 W) e
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
* Z8 H+ N2 t8 v. O1 g9 Z
1 g  T; Y5 [! B% C. H* \0 X  Z   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
# z9 H4 |9 R3 J, N1 k# h     ;will break 3 times :-(2 q/ C' C2 K2 z3 O" b" v1 ]7 H5 N
( D* ]. [1 ]4 w
-Much faster:
3 Q/ R$ p6 P, s; m   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'4 A3 \2 u& f7 c# ^/ W
2 ?1 H" m8 Z: F9 P0 b& x! Q
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
$ L( l) i# k. N3 Y, n6 R3 W2 Gfunction to do the same job:
& y4 h) q6 d3 v1 c9 m  w
* }6 n! ^( \7 U; `& D7 U+ p   push    00                        ; OF_READ8 O3 M5 s% q  I. g. ]) F3 C
   mov     eax,[00656634]            ; '\\.\SICE',0
* z8 i  o- S4 ?+ z1 A4 g8 v3 K   push    eax& ?- m: R1 Q, v7 A- N4 D
   call    KERNEL32!_lopen
- [; {5 w5 A) N# M% u   inc     eax* N  I" g0 Q+ E2 L! z8 i. T0 c, ]3 x
   jnz     00650589                  ; detected& j. A; [6 W1 I8 r
   push    00                        ; OF_READ  Y8 `7 d& x! {8 X' e8 a
   mov     eax,[00656638]            ; '\\.\SICE'
9 X  c3 J! y) e4 @. U4 p   push    eax
3 Q/ u( \# s: T   call    KERNEL32!_lopen
6 ~. Q% H! l3 \& m  E, ~& @/ {# ?   inc     eax6 [9 n  R3 H5 L, B
   jz      006505ae                  ; not detected
9 T- B' q" w6 U* d# O/ c3 q5 s. Q+ w5 ^% r5 {+ |: X0 g
) D( m; n& T" x! w
__________________________________________________________________________
% d7 t+ X) l, c5 l% x" i$ N: J5 n# ]
Method 12
6 _* x& B/ k& u& ^7 L. _/ |=========0 l$ w3 \; _$ n% O8 z: ]& l
% a1 Q' d' h# K2 G
This trick is similar to int41h/4fh Debugger installation check (code 050 f8 K  a! N1 s+ x: F0 ^8 Z( r
&amp; 06) but very limited because it's only available for Win95/98 (not NT)5 D7 u$ _+ c# V* ^
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
7 |3 u& K  G$ ]; w- |
# p* F- w& h& e+ r' W3 z2 B   push  0000004fh         ; function 4fh
) o7 r, B- ]" W   push  002a002ah         ; high word specifies which VxD (VWIN32)
- ]2 F" O0 Z- P6 o' d                           ; low word specifies which service; {" [* l. c- f6 s4 R* l
                             (VWIN32_Int41Dispatch)1 U) R- h& y- j5 T8 M
   call  Kernel32!ORD_001  ; VxdCall3 ~8 T& N2 |' W5 K+ B7 l
   cmp   ax, 0f386h        ; magic number returned by system debuggers( X4 L( m( d. ^; h3 a) z/ f* P5 \
   jz    SoftICE_detected
5 D8 ?! C. j/ w
% \. g0 s- h2 k/ E7 A4 Q5 [Here again, several ways to detect it:! x0 e2 \: F6 c! Q: q" Y; B
( f1 s3 X+ T& s: Y+ P
    BPINT 41 if ax==4f* ~1 j$ S$ Z4 z2 r5 S
# g9 O1 [/ r* Y& l+ a& M
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one; ]3 w" Y5 k" _
3 n2 R1 W1 z! |4 a" u# L
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A. p+ N3 D1 z+ S2 N% f' F' F# m

9 |" B5 [! t; _/ J8 D; B9 Y3 V    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
) r. v0 _3 I$ v" s# C5 Q# E7 z3 T. g$ F: F7 M' Z
__________________________________________________________________________; L+ n" q) @! M6 l5 |4 X" n! V1 h
- |! D6 s! M* C
Method 134 [! t% B% d" _! h1 s! X. K
=========1 O* Q- t9 t6 I& `! m7 W8 `

8 K. h# l$ c7 rNot a real method of detection, but a good way to know if SoftICE is' M6 O3 m- h# o6 E$ o2 `
installed on a computer and to locate its installation directory.
4 t+ U. ]& q  \2 g/ p$ ^+ E/ ?It is used by few softs which access the following registry keys (usually #2) :
, c2 z4 j! A1 E9 q# }5 e4 i9 }' A. D  O6 H- Q
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 v$ \) X# J/ q* f\Uninstall\SoftICE0 |! j/ n) n: ^+ z  i
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE/ `" Q! e* w, ]9 s5 n" {
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* b' t+ ]. T" B! b\App Paths\Loader32.Exe
# d4 Z! O: i" J, o* n  z# ]' h7 w) F$ c6 N0 o" S

1 h8 [0 e. [' z4 o* ?" N$ O+ t7 `5 jNote that some nasty apps could then erase all files from SoftICE directory/ Y) R& W) @4 f6 Z2 k1 h& i4 G1 e$ e
(I faced that once :-(# \/ d0 K! @6 ~6 {

$ n2 g( |! R! L- ]) o; hUseful breakpoint to detect it:
: V+ k; j) k6 k0 s. f* \, l. J" z8 g, F% t: v' y4 A
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'; X# r. {6 |5 A% u; Z! g+ {

0 A8 L0 L+ Y6 n6 D$ A# S. k__________________________________________________________________________7 ^, O. {+ S0 n! w% M9 H  }; C3 _

  A* R4 N3 O0 ?- r! t& }, q6 `- {" [# _* N2 W$ f( U
Method 14 " O- F4 i( N- }5 \9 Z
=========( J/ V+ ~& S2 f( F

8 t- B) X1 p" l- H3 F6 v. wA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
4 i' t9 Z% x5 y# H; U+ ^$ ^is to determines whether a debugger is running on your system (ring0 only).! A  T$ }" y* w/ Y6 l3 o; I
1 k( H7 l+ N; v$ j& u3 ~- \) I
   VMMCall Test_Debug_Installed
6 G4 q+ W  M/ e: z( ~/ n3 D   je      not_installed0 `) N+ ~' Q7 S4 R
$ O5 E8 m+ \8 T" ~8 N
This service just checks a flag.
, f! ], W: S; Z+ T- u6 Z( d6 I</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-12 22:16

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表