About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
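As an added example that is not part of the original post, the following Python scanner searches a code blob for the byte sequences that methods 01, 02, 03/04, 05, 07, 11 and 12 above leave in a binary (the 'BCHK' probe, the 4647h/4A4Dh back-door magic, the int 2Fh/1684h VxD IDs, the int 41h/4Fh and int 68h/43h calls, the \\.\SICE device names and the VxDCall VWIN32_Int41Dispatch sequence), which is how an analyst spots these tricks in a sample before running it. The opcode encodings and the NOP-padded sample blob are constructed here, not taken from the post.

```python
"""Static scanner for the anti-SoftICE byte sequences described in the post.

Constructed example: the opcode encodings below are derived from the x86
opcode tables for the instructions quoted above; the sample blob is made up.
"""
import re

# Method number from the post -> regex over raw bytes.  Short wildcard runs
# ("[\x00-\xFF]{0,n}?") allow an instruction or two between the mov and the
# int, as in the Haspinst listing of method 02.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' int 3":
        rb"\xBD\x4B\x48\x43\x42"         # mov ebp, 4243484Bh ('BCHK')
        rb"\x66\xB8\x04\x00"             # mov ax, 4
        rb"\xCC",                        # int 3
    "02 back door magic SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46"                 # mov si, 4647h
        rb"\xBF\x4D\x4A"                 # mov di, 4A4Dh
        rb"[\x00-\xFF]{0,8}?\xCC",       # ... int 3
    "03/04 int 2Fh/1684h VxD ID probe":
        rb"\xB8\x84\x16"                 # mov ax, 1684h
        rb"\xBB(?:\x02\x02|\x5F\x7A)"    # mov bx, 0202h (SICE) / 7A5Fh (SIWVID)
        rb"[\x00-\xFF]{0,8}?\xCD\x2F",   # ... int 2Fh
    "05 int 41h/4Fh magic F386h":
        rb"\xB8\x4F\x00"                 # mov ax, 4Fh
        rb"[\x00-\xFF]{0,8}?\xCD\x41",   # ... int 41h
    "07 int 68h/43h (V86 WinICE handler)":
        rb"\xB4\x43"                     # mov ah, 43h
        rb"[\x00-\xFF]{0,8}?\xCD\x68",   # ... int 68h
    "11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",  # "\\.\SICE" etc. as stored in the binary
    "12 VxDCall VWIN32_Int41Dispatch 4Fh":
        rb"\x6A\x4F"                     # push 4Fh
        rb"\x68\x2A\x00\x2A\x00",        # push 002A002Ah
}


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (method, offset) for every signature hit, ordered by offset."""
    hits = []
    for name, sig in SIGNATURES.items():
        for m in re.finditer(sig, blob, re.DOTALL):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: four of the post's sequences separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # method 01 (+ cmp al,4)
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # method 02, as in Haspinst
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # method 12
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                                    # method 11
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"offset {off:#06x}: method {name}")
```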
</PRE></TD></TR></TBODY></TABLE>