About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es must be 0 (IVT segment) here, as in Method 06
    xchg    bx, es:[41h*4+2]    ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our handler only runs if nobody else owns int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl != al means our handler was never reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 API (windows.h): opening the device name only succeeds if the
   SICE VxD is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
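As an added example that is not part of the original text, the following Python script turns the tricks listed above into static byte signatures, so an analyst can flag a sample that carries them without running it under a debugger. The instruction encodings are standard x86; the sample blob at the bottom is constructed here and is not taken from any real program.

```python
import re

# Byte signatures for the SoftICE detection tricks above, as regular
# expressions over raw bytes. An optional 0x66 operand-size prefix is allowed
# so 16-bit immediates assembled in a 32-bit segment match too. Encodings:
# B8/BB/BE/BF imm16 = mov ax/bx/si/di,imm; BD imm32 = mov ebp,imm; B4 ib =
# mov ah,ib; CC = int 3; CD ib = int ib; 6A ib / 68 id = push imm8 / imm32.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' int 3":
        rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00.{0,8}?\xCC",
    "M02 SoftICE back door int 3 (SI=4647h, DI=4A4Dh)":
        rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,16}?\xCC",
    "M03/04 int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID":
        rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "M05/06 int 41h function 4Fh":
        rb"\x66?\xB8\x4F\x00.{0,24}?\xCD\x41",
    "M07 int 68h function 43h":
        rb"\xB4\x43.{0,8}?\xCD\x68",
    "M11 MeltICE device name (SICE/SIWVID/NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 002A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    "M13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list:
    """Return a sorted list of (offset, signature name) for every hit in data."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str) -> list:
    """Scan a file on disk (e.g. a sample under analysis) with scan()."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: NOP padding around hand-assembled fragments of Method 01,
# Method 02 and a MeltICE device-name string. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"            # mov ax, 4  (32-bit segment, 66 prefix)
    + b"\xCC"                        # int 3
    + b"\x3C\x04\x75\x10"            # cmp al, 4 ; jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"        # mov ax, 0911h ; mov dx, [bx]  (16-bit)
    + b"\xBE\x47\x46\xBF\x4D\x4A"    # mov si, 4647h ; mov di, 4A4Dh
    + b"\xCC"                        # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"             # "\\.\SICE" as passed to CreateFileA
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The gaps (`.{0,n}?`) tolerate a few interleaved instructions between the marker bytes, so the patterns also hit mildly rearranged copies of the sequences, at the cost of occasional false positives on unrelated code.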