About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es must be 0 here (IVT segment), as in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name only resolves when the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
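As an added example (not part of the original post), the Python scanner below turns the constants named in Methods 01, 02, 03, 04, 05, 11, 12 and 13 into a static triage check over a binary blob, so an analyst can tell which of these SoftICE checks a sample carries before tracing it. The indicator labels, the 32-byte pairing window and the hand-encoded sample bytes are this example's own assumptions.

```python
"""Static triage for the SoftICE anti-debug indicators catalogued above.
Added example, not code from the original post: it flags a binary that
carries the constants the text names, before an analyst starts tracing it."""

import re
import struct

# Strong indicators: device names opened by MeltICE (Method 11) and the
# registry key probed by Method 13.  Case-insensitive, like CreateFileA.
STRING_INDICATORS = {
    "SoftICE device name (Method 11)": re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\b", re.I),
    "NuMega registry key (Method 13)": re.compile(rb"Software\\NuMega\\SoftICE", re.I),
}

# Strong 32-bit immediates, stored little-endian in the instruction stream.
DWORD_INDICATORS = {
    "BCHK tag 4243484Bh (Method 01)": struct.pack("<I", 0x4243484B),
    "VWIN32_Int41Dispatch 002A002Ah (Method 12)": struct.pack("<I", 0x002A002A),
}

# Weak 16-bit immediates: two bytes alone match by chance, so a pair is only
# reported when both values sit within WINDOW bytes, as in the listings above.
WINDOW = 32
WORD_PAIRS = {
    "int 3 back door SI=4647h/DI=4A4Dh (Method 02)": (0x4647, 0x4A4D),
    "int 2Fh/1684h with SICE VxD ID 0202h (Method 03)": (0x1684, 0x0202),
    "int 2Fh/1684h with SIWVID VxD ID 7A5Fh (Method 04)": (0x1684, 0x7A5F),
    "int 41h/4Fh debugger magic 0F386h (Methods 05, 12)": (0x004F, 0xF386),
}


def find_all(blob: bytes, needle: bytes) -> list[int]:
    """All (possibly overlapping) offsets of needle in blob."""
    offsets, i = [], blob.find(needle)
    while i != -1:
        offsets.append(i)
        i = blob.find(needle, i + 1)
    return offsets


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (indicator, offset) pairs found in blob, lowest offset first."""
    hits = []
    for label, pattern in STRING_INDICATORS.items():
        hits += [(label, m.start()) for m in pattern.finditer(blob)]
    for label, needle in DWORD_INDICATORS.items():
        hits += [(label, off) for off in find_all(blob, needle)]
    for label, (first, second) in WORD_PAIRS.items():
        firsts = find_all(blob, struct.pack("<H", first))
        seconds = find_all(blob, struct.pack("<H", second))
        hits += [(label, a) for a in firsts if any(abs(a - b) <= WINDOW for b in seconds)]
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample, not a real binary: Method 01 and Method 02 hand-encoded
# (BD imm32 = mov ebp,imm32; 66 B8 imm16 = mov ax,imm16; CC = int 3; 3C ib =
# cmp al,imm8; 75 rel8 = jnz; B8/BE/BF imm16 = 16-bit mov ax/si/di), then '\\.\SICE'.
METHOD01 = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7510")
METHOD02 = bytes.fromhex("B81109" "BE4746" "BF4D4A" "CC")
SAMPLE = b"MZ" + b"\x00" * 30 + METHOD01 + b"\x90" * 8 + METHOD02 + b"\\\\.\\SICE\x00"

if __name__ == "__main__":
    for label, offset in scan(SAMPLE):
        print(f"0x{offset:04x}  {label}")
```

Run it against a real sample by replacing SAMPLE with the file's bytes; a hit tells you which method's breakpoint condition from the text to set before tracing.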