About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
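Since Methods 01 and 02 both end in an int 3 issued with fixed register values, their instruction sequences can be recognised statically in a binary, which is how an analyst would triage a sample for these checks. The C program below is an added example and is not part of the original text: it searches a buffer for the byte encodings of mov si,4647h / mov di,4A4Dh / int 3 (Method 02, 16-bit code) and of mov ebp,4243484Bh ('BCHK') / int 3 (Method 01, 32-bit code), allowing the int 3 to sit a few bytes after the first marker. The sample it scans is constructed here by hand-encoding the Haspinst.exe listing above followed by the Method 01 sequence; it is not bytes copied from any real file. The 16-byte window (MAX_WINDOW) is an arbitrary choice, and a hit on arbitrary data can be a false positive, so treat matches as leads to inspect rather than proof.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte patterns of the instructions that mark each trick (standard x86
   encodings; Method 02 assumed 16-bit code, Method 01 assumed 32-bit code). */
static const uint8_t MOV_SI_4647[]  = { 0xBE, 0x47, 0x46 };             /* mov si,4647h       */
static const uint8_t MOV_DI_4A4D[]  = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh       */
static const uint8_t MOV_EBP_BCHK[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh  */
static const uint8_t INT3 = 0xCC;                                       /* int 3              */

#define MAX_WINDOW 16   /* assumption: the int 3 follows within this many bytes */

typedef struct {
    size_t offset;       /* offset of the first marker instruction */
    const char *method;  /* which trick was matched */
} finding_t;

/* Returns 1 if needle occurs in buf[pos .. pos+window), bounded by len. */
static int found_within(const uint8_t *buf, size_t len, size_t pos, size_t window,
                        const uint8_t *needle, size_t nlen)
{
    size_t end = (pos + window < len) ? pos + window : len;
    for (size_t i = pos; i + nlen <= end; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Scans buf and records up to max_out findings; returns the number recorded. */
size_t scan_softice_int3_checks(const uint8_t *buf, size_t len,
                                finding_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_out; i++) {
        /* Method 02: mov si,4647h, then mov di,4A4Dh and int 3 close behind */
        if (i + sizeof MOV_SI_4647 <= len &&
            memcmp(buf + i, MOV_SI_4647, sizeof MOV_SI_4647) == 0 &&
            found_within(buf, len, i, MAX_WINDOW, MOV_DI_4A4D, sizeof MOV_DI_4A4D) &&
            found_within(buf, len, i, MAX_WINDOW, &INT3, 1)) {
            out[n].offset = i;
            out[n].method = "Method 02: int 3 back door (SI=4647h, DI=4A4Dh)";
            n++;
        }
        /* Method 01: mov ebp,'BCHK' with an int 3 close behind */
        else if (i + sizeof MOV_EBP_BCHK <= len &&
                 memcmp(buf + i, MOV_EBP_BCHK, sizeof MOV_EBP_BCHK) == 0 &&
                 found_within(buf, len, i, MAX_WINDOW, &INT3, 1)) {
            out[n].offset = i;
            out[n].method = "Method 01: BoundsChecker 'BCHK' int 3 check";
            n++;
        }
    }
    return n;
}

/* Count-only helper for callers that do not need the offsets. */
size_t scan_bytes_count(const uint8_t *buf, size_t len)
{
    finding_t f[64];
    return scan_softice_int3_checks(buf, len, f, 64);
}

/* Constructed sample: the Haspinst.exe loop from the text re-encoded by hand,
   padded with NOPs, followed by the Method 01 sequence. Not from a real file. */
static const uint8_t SAMPLE[] = {
    0xB8, 0x11, 0x09,             /* mov ax,0911h                         */
    0x8B, 0x17,                   /* mov dx,[bx]                          */
    0xBE, 0x47, 0x46,             /* mov si,4647h   (offset 5)            */
    0xBF, 0x4D, 0x4A,             /* mov di,4A4Dh                         */
    0xCC,                         /* int 3                                */
    0x83, 0xC3, 0x02,             /* add bx,2                             */
    0x41,                         /* inc cx                               */
    0x83, 0xF9, 0x06,             /* cmp cx,6                             */
    0x72, 0xE9,                   /* jb back to the top of the loop       */
    0x90, 0x90, 0x90, 0x90,       /* nop padding                          */
    0xBD, 0x4B, 0x48, 0x43, 0x42, /* mov ebp,4243484Bh (offset 25)        */
    0x66, 0xB8, 0x04, 0x00,       /* mov ax,4 (operand-size prefix)       */
    0xCC,                         /* int 3                                */
    0x3C, 0x04,                   /* cmp al,4                             */
    0x75, 0x00                    /* jnz (placeholder displacement)       */
};

size_t sample_finding_count(void)
{
    finding_t f[8];
    return scan_softice_int3_checks(SAMPLE, sizeof SAMPLE, f, 8);
}

/* Offset of the idx-th finding in SAMPLE, or (size_t)-1 if there is none. */
size_t sample_finding_offset(size_t idx)
{
    finding_t f[8];
    size_t n = scan_softice_int3_checks(SAMPLE, sizeof SAMPLE, f, 8);
    return idx < n ? f[idx].offset : (size_t)-1;
}

int main(void)
{
    finding_t f[8];
    size_t n = scan_softice_int3_checks(SAMPLE, sizeof SAMPLE, f, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: %s\n", f[i].offset, f[i].method);
    return 0;
}
```

Run on the constructed sample it reports the Method 02 sequence at offset 5 and the Method 01 sequence at offset 25; a buffer that carries the mov si/mov di pair without an int 3 nearby produces no finding.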
Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (interrupt vector table segment), as set up in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; only runs if nobody else took int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; unpredictable value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl == al only if our handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
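To make sense of the two DR7 values quoted above, the C snippet below (an added example, not part of the original text) decodes a DR7 value into its architectural fields as documented in the Intel SDM: 0x400 is only bit 10, the reserved bit that always reads as 1, while 0x700 additionally has LE and GE (bits 8 and 9, exact breakpoint matching) set; in neither value is any of the DR0-DR3 breakpoints armed, which is exactly what the text says is used to tell the two situations apart. Reading DR7 needs ring 0, as the text notes, and is not done here; the values are passed in as constants, and the third sample value (DR0 armed as a 4-byte read/write breakpoint) is constructed to show an armed BPM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of the x86 DR7 debug-control register (Intel SDM vol. 3). */
typedef struct {
    bool local_enable[4];   /* L0..L3, bits 0,2,4,6: breakpoint n armed for this task */
    bool global_enable[4];  /* G0..G3, bits 1,3,5,7: breakpoint n armed for all tasks */
    bool le;                /* bit 8:  local exact breakpoint match */
    bool ge;                /* bit 9:  global exact breakpoint match */
    bool reserved_set;      /* bit 10: reserved, architecturally reads as 1 */
    bool gd;                /* bit 13: general detect, traps any MOV to/from DRx */
    uint8_t rw[4];          /* R/Wn, bits 16-17,20-21,24-25,28-29: 0=exec 1=write 2=I/O 3=read/write */
    uint8_t len[4];         /* LENn, bits 18-19,22-23,26-27,30-31: 0=1 byte 1=2 bytes 2=8 bytes 3=4 bytes */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d = {0};
    for (int n = 0; n < 4; n++) {
        d.local_enable[n]  = (dr7 >> (2 * n))     & 1;
        d.global_enable[n] = (dr7 >> (2 * n + 1)) & 1;
        d.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n] = (dr7 >> (18 + 4 * n)) & 3;
    }
    d.le           = (dr7 >> 8)  & 1;
    d.ge           = (dr7 >> 9)  & 1;
    d.reserved_set = (dr7 >> 10) & 1;
    d.gd           = (dr7 >> 13) & 1;
    return d;
}

/* Number of DR0..DR3 breakpoints that are armed, locally or globally. */
int dr7_armed_count(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        if (d.local_enable[n] || d.global_enable[n])
            count++;
    return count;
}

/* One-line classification, matching the two values quoted in the text. */
const char *dr7_describe(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    if (dr7_armed_count(dr7) > 0)
        return "hardware breakpoint(s) armed";
    if (d.gd)
        return "general detect set";
    if (d.le && d.ge)
        return "no DR0-DR3 breakpoint armed, LE/GE set (the 0x700 pattern)";
    if (dr7 == 0x400)
        return "no DR0-DR3 breakpoint armed, reset value (the 0x400 pattern)";
    return "no DR0-DR3 breakpoint armed";
}

static const char *rw_name(uint8_t rw)
{
    static const char *names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

static int len_bytes(uint8_t len)
{
    static const int bytes[] = { 1, 2, 8, 4 };
    return bytes[len & 3];
}

void dr7_print(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    printf("DR7=0x%08X: %s\n", dr7, dr7_describe(dr7));
    for (int n = 0; n < 4; n++)
        if (d.local_enable[n] || d.global_enable[n])
            printf("  DR%d: %s%s %s, %d byte(s)\n", n,
                   d.local_enable[n] ? "L" : "", d.global_enable[n] ? "G" : "",
                   rw_name(d.rw[n]), len_bytes(d.len[n]));
}

int main(void)
{
    /* Constructed sample values: the two from the text, plus DR0 armed as a
       local 4-byte read/write breakpoint (bit 0, R/W0=3, LEN0=3). */
    uint32_t samples[] = { 0x400, 0x700, 0x400 | 0x1 | (3u << 16) | (3u << 18) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        dr7_print(samples[i]);
    return 0;
}
```

The third sample value is 0xF0401; the decoder reports it as one armed breakpoint (DR0, read/write, 4 bytes), which is the BPM case the text says can be spotted and cleared from ring 0.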
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name the SoftICE VxD answers to under Win9x */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;       /* the driver accepted the open: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>