About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES=0 so es:[41h*4] is the IVT
    xchg    bx, es:[41h*4+2]        ; entry of int 41h (see Method 06)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

4 a. Y: `% g4 H5 S6 q! z% o- l" hMethod 07
" y2 \  L, ?+ D! h/ x! v) A' q=========! J# b! H  }8 b) e7 U  M1 z7 i. ^

" h% B, @; s* I5 FMethod of detection of the WinICE handler in the int68h (V86)
# O7 ^: T3 {) N4 `5 w+ b  C4 x, u: X$ y) {( o" x
    mov     ah,43h" ~* o9 l) t  V7 s- M4 a  t# C
    int     68h! T$ Q5 m1 m; d/ Z
    cmp     ax,0F386h* l" {8 T- O6 _# ~
    jz      SoftICE_Detected: [  E& v3 b- Q+ o7 j9 M6 ?8 n

0 Q" C6 q: F' U
1 v7 Q6 Q+ O# y5 I( x! f=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit6 a$ V* {- C  Y6 ]
   app like this:
4 L5 S! o% T. m3 V/ M! j) ]7 o
/ A1 U0 {- ]5 o   BPX exec_int if ax==68
+ p5 q, H3 O! Q" j8 H" r$ r   (function called is located at byte ptr [ebp+1Dh] and client eip is
% Y/ l7 J5 x3 h$ v# l1 ?& A   located at [ebp+48h] for 32Bit apps): j* V: [( I7 \/ A
__________________________________________________________________________
$ A( s8 W1 o8 [% j2 n" v
" _6 f; f) W) j- F8 M/ h' l2 Q' j
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
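As an added example (not code from the original post), the signatures catalogued in the methods above turned into a static scanner an analyst can run over a suspect binary to see which of these tricks it carries; the byte patterns are the x86 encodings of the instructions quoted in the text, and the sample buffer is constructed, not taken from a real file:

```python
"""Signature scanner for the anti-SoftICE tricks catalogued above.

Added example, not code from the original post.  Each signature is the x86
encoding of the instructions the method quotes (mov ebp,4243484Bh = BD 4B 48
43 42, mov si,4647h = BE 47 46, int 3 = CC ...); SAMPLE is a constructed buffer.
"""

WINDOW = 16  # companion instructions must sit within this many bytes of the anchor

# method -> (anchor bytes, companions that must also appear near it).  The 16-bit
# forms also match 32-bit code, where a 66h prefix merely precedes the opcode.
CODE_SIGS = {
    "01": (b"\xbd\x4b\x48\x43\x42", [b"\xcc"]),               # mov ebp,'BCHK' ; int 3
    "02": (b"\xbe\x47\x46", [b"\xbf\x4d\x4a", b"\xcc"]),      # mov si,4647h ; mov di,4A4Dh ; int 3
    "03": (b"\xbb\x02\x02", [b"\xb8\x84\x16", b"\xcd\x2f"]),  # mov bx,0202h ; mov ax,1684h ; int 2Fh
    "04": (b"\xbb\x5f\x7a", [b"\xb8\x84\x16", b"\xcd\x2f"]),  # mov bx,7A5Fh (SIWVID) ; int 2Fh
    "05": (b"\xcd\x41", [b"\xb8\x4f\x00"]),                    # int 41h with ax=4Fh
    "07": (b"\xcd\x68", [b"\xb4\x43"]),                        # int 68h with ah=43h
    "12": (b"\x68\x2a\x00\x2a\x00", [b"\x6a\x4f"]),           # push 002A002Ah ; push 4Fh ; VxDCall
}

# method -> literal strings the trick needs (device names, registry paths)
STRING_SIGS = {
    "11": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "13": [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe"],
}


def _near(buf, pos, needle):
    """True if needle occurs within WINDOW bytes on either side of pos."""
    return buf.find(needle, max(0, pos - WINDOW), pos + WINDOW + len(needle)) != -1


def scan(buf):
    """Return {method: [offsets]} for every trick whose signature is present in buf."""
    hits = {}
    for method, (anchor, companions) in CODE_SIGS.items():
        pos = buf.find(anchor)
        while pos != -1:
            if all(_near(buf, pos, c) for c in companions):
                hits.setdefault(method, []).append(pos)
            pos = buf.find(anchor, pos + 1)
    for method, names in STRING_SIGS.items():
        for name in names:
            # ASCII form as in the C sample, plus the UTF-16LE form a W-variant API would use
            for needle in (name, name.decode("ascii").encode("utf-16-le")):
                pos = buf.find(needle)
                if pos != -1:
                    hits.setdefault(method, []).append(pos)
    return hits


# Constructed sample: Method 01 and 02 sequences, NOP padding, then Method 11/13 strings.
SAMPLE = b"".join([
    b"\xbd\x4b\x48\x43\x42",  # mov ebp,4243484Bh ('BCHK')
    b"\xb8\x04\x00",          # mov ax,4
    b"\xcc",                  # int 3
    b"\x3c\x04\x75\x10",      # cmp al,4 ; jnz SoftICE_Detected
    b"\x90" * 8,
    b"\xb8\x11\x09",          # mov ax,0911h (execute command)
    b"\x8b\x17",              # mov dx,[bx]
    b"\xbe\x47\x46",          # mov si,4647h
    b"\xbf\x4d\x4a",          # mov di,4A4Dh
    b"\xcc",                  # int 3
    b"\x90" * 8,
    b"\\\\.\\SICE\x00",
    b"Software\\NuMega\\SoftICE\x00",
])
```

Running scan(SAMPLE) reports Methods 01, 02, 11 and 13 with their offsets; a clean buffer yields an empty dict.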