About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' magic
    mov     ax, 04h
    int     3                      ; SoftICE handles this int 3 itself
    cmp     al,4                   ; al untouched -> nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h             ; our handler leaves ax alone; a system debugger
                            ; that hooks int 41h returns 0F386h instead
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; only runs if nothing intercepts int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; unpredictable value read from the timer port
    xor     cx,cx
    int     41h             ; a debugger that handles int 41h itself never
                            ; reaches our handler, so cl stays 0
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl == al only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* only the loaded VxD answers to this device name; otherwise the
      call fails with INVALID_HANDLE_VALUE */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>