About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: if the debugger is
loaded it modifies AL, so AL no longer equals 4 after the INT 3.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point"): if the VxD is loaded, ES:DI is non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the int 41h
vector at a dummy handler (so a bare "iret" is all that runs when no system
debugger intercepts the interrupt) and restores the vector afterwards:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the byte read from timer port 40h is handed to the dummy int 41h handler,
which copies it into cl. If a system debugger intercepted the int 41h, the
dummy handler never ran and cl (still 0) differs from al.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

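As an added illustration of what the Debug Register check above actually reads (this is not part of the original text), the following Python decoder takes a DR7 value such as the 0x700 / 0x400 values quoted above and reports which of DR0-DR3 are armed, on what kind of access and with what length. The bit layout is the documented x86 DR7 format; the loader-signature check simply encodes the observation made in the text (LE and GE set when the program was started through the SoftICE loader), and the third value fed to it is constructed here to show an armed memory breakpoint.

```python
# Decoder for the x86 DR7 debug-control register: which of DR0..DR3 are armed,
# what they break on, and whether the LE/GE "exact" bits seen with the SoftICE
# loader (dr7 == 0x700) are set. Added example, not part of the original text.

# Bit layout of DR7 (Intel SDM vol. 3, "Debug Registers"):
#   bits 0..7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable per slot
#   bit  8      LE  local exact breakpoint enable
#   bit  9      GE  global exact breakpoint enable
#   bit 10      reserved, always reads as 1 (hence the 0x400 floor)
#   bit 13      GD  general detect (traps MOV to/from DRx)
#   bits 16..31 R/Wn (2 bits) and LENn (2 bits) for each slot n
LOCAL_EXACT = 1 << 8
GLOBAL_EXACT = 1 << 9
RESERVED_BIT10 = 1 << 10
GENERAL_DETECT = 1 << 13

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7: int) -> dict:
    """Return the armed hardware breakpoints and control flags encoded in DR7."""
    armed = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 0b11
        length = (dr7 >> (18 + 4 * slot)) & 0b11
        armed.append({
            "slot": slot,
            "scope": "global" if glob else "local",
            "kind": RW_NAMES[rw],
            "length": LEN_BYTES[length],
        })
    return {
        "breakpoints": armed,
        "exact": bool(dr7 & (LOCAL_EXACT | GLOBAL_EXACT)),
        "general_detect": bool(dr7 & GENERAL_DETECT),
    }


def matches_loader_signature(dr7: int) -> bool:
    """The text's heuristic: the SoftICE loader leaves LE and GE set (dr7 == 0x700),
    while a normally started program sees only the reserved bit (0x400)."""
    return (dr7 & (LOCAL_EXACT | GLOBAL_EXACT)) == (LOCAL_EXACT | GLOBAL_EXACT)


def describe(dr7: int) -> str:
    """Human-readable one-liner for a DR7 value, e.g. one read from a ring0 dump."""
    info = decode_dr7(dr7)
    parts = [f"dr7={dr7:#x}",
             "loader-signature" if matches_loader_signature(dr7) else "no-loader-signature"]
    for bp in info["breakpoints"]:
        parts.append(f"dr{bp['slot']}:{bp['scope']}:{bp['kind']}:{bp['length']}B")
    if info["general_detect"]:
        parts.append("GD")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed values: the two quoted in the text, plus one with a global
    # 4-byte read/write breakpoint armed in slot 0 (what a BPMD looks like in DR7).
    bpm_dword_slot0 = RESERVED_BIT10 | (1 << 1) | (0b11 << 16) | (0b11 << 18)
    for value in (0x700, 0x400, bpm_dword_slot0):
        print(describe(value))
```

The decoder deliberately reports rather than modifies: reading DR7 from a kernel debugger or a VM snapshot and decoding it this way is how you confirm what a protector would have seen, without touching the registers yourself.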
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. the SoftICE VxD
   answered the open request (see the explanation below). */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

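Several of the tricks above (methods 01, 02, 05, 07, 11 and 12) leave fixed byte sequences or device-name strings in the protected binary, which is what an analyst greps a sample for before ever running it under a debugger. The following Python scanner is an added example, not code from the original text nor from any tool it mentions: the opcode bytes are the standard 16-bit/32-bit x86 encodings of the instructions quoted in those methods, and the sample buffer it scans is constructed here purely for demonstration.

```python
import re

# Byte-level signatures for the anti-SoftICE tricks quoted in methods 01, 02,
# 05, 07 and 12. Encodings are the standard x86 ones for the listed
# instructions; ".{0,n}" (with DOTALL) tolerates a few instructions in between.
SIGNATURES = {
    # Method 01 (32-bit): mov ebp,4243484Bh ('BCHK') ... int 3
    "M01 BoundsChecker 'BCHK' int 3 probe":
        rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC",
    # Method 02 (16-bit): mov si,4647h ... mov di,4A4Dh  (SoftICE back door magic)
    "M02 SoftICE back door magic SI=4647h/DI=4A4Dh":
        rb"\xBE\x47\x46.{0,16}\xBF\x4D\x4A",
    # Method 05 (16-bit): mov ax,4Fh / int 41h
    "M05 int 41h function 4Fh debugger check":
        rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h AH=43h check":
        rb"\xB4\x43\xCD\x68",
    # Method 12 (32-bit): push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall VWIN32_Int41Dispatch 4Fh":
        rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00",
}

# Method 11 / MeltICE: device names opened with CreateFileA or _lopen.
DEVICE_NAMES = (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")

COMPILED = {label: re.compile(pat, re.DOTALL) for label, pat in SIGNATURES.items()}


def scan_for_softice_tricks(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) pairs for every signature found in blob, sorted by offset."""
    hits = []
    for label, pattern in COMPILED.items():
        for match in pattern.finditer(blob):
            hits.append((match.start(), label))
    for name in DEVICE_NAMES:
        start = 0
        while (pos := blob.find(name, start)) != -1:
            hits.append((pos, "M11 device name " + name.decode("ascii")))
            start = pos + 1
    return sorted(hits)


# Constructed sample buffer (not a real file): a few of the sequences above
# separated by padding, in the order M01, M02, M11 strings, M12.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # M01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # M02: mov ax,911h; mov dx,[bx]; mov si; mov di; int 3
    + b"\x00" * 5
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                     # M11: device names
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00\xFF\x15"   # M12: push 4Fh; push 2A002Ah; call [..]
)


if __name__ == "__main__":
    for offset, label in scan_for_softice_tricks(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Hits are leads, not verdicts: a short sequence such as the M05 or M07 one can occur by chance in data, so each offset still has to be confirmed in a disassembler. The scanner only covers the ASCII form of the device names; a sample that builds them at run time or stores them as UTF-16 needs the dynamic breakpoints listed in the text instead.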
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>