About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.