About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number         ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 API: CreateFile, CloseHandle and HANDLE come from windows.h */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device opened: the VxD is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>