About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
3 e% x9 W! C- t, B- S. q1 o; t5 o% G7 R
5 b) y, O0 P. q- r9 D* S# T+ h
Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
( F( G& D# Y9 D/ M6 {5 |, }. ~' U9 T- g! v. s+ c) A
Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
# C6 m7 S% O  _/ G. i! w* x  [* c2 E3 u% `% g5 L

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES must point to the IVT (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________
1 T3 |2 X. Y! N. L, J9 \* t6 @
, l! S% m" E. c$ Z" h* E  j, v9 J
Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our own handler just echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable byte from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; a debugger's handler will not have copied it
    jnz     SoftICE_detected

_________________________________________________________________________
* e: `& T) x3 r' z6 ]  R) Q7 w9 j5 _& H* ?" f
Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
3 H. {& A& @( E( Z7 @6 }
+ T, R% S- K: F$ k7 J4 {
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
3 Y3 E$ Z' x# x& m$ w+ H: G+ v: Z& W! @
Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Open the SICE VxD by its device name; this only succeeds if it is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}
2 a% i  D7 }0 w. l: o- B
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________
7 y' c" f  f& l) d$ n+ G/ u+ |
Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________
2 v/ s* m3 n3 r0 }( o* T1 {
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
6 t: F' D& E5 j- n$ x: D% |7 i7 q% c2 K8 g
# V9 M6 w4 }" i3 B
Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
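As an added example (not part of the original post, nor of any tool it mentions), here is a Python scanner a malware analyst could run over a DOS/Win9x-era sample to flag the byte patterns of the tricks listed above; the opcode encodings and the sample bytes are hand-assembled for this example from the immediates the post gives.

```python
import re
from typing import List, Tuple

# Byte-level signatures for the tricks described above. Encodings are hand-assembled
# from the page's immediates (e.g. mov ebp,4243484Bh = BD 4B 48 43 42), not from samples.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (optional 66h prefix in 16-bit code)
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3 (back-door command interface)
    ("02 back-door magic SI=4647h/DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,16}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ... int 41h (the cmp ax,0F386h usually follows)
    ("05 int 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00.{0,24}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11 (MeltICE): device names passed to CreateFileA or _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh ; push 002A002Ah (VxDCall VWIN32_Int41Dispatch)
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key probed to locate the installation directory
    ("13 registry key Software\\NuMega\\SoftICE",
     re.compile(rb"Software\\NuMega\\SoftICE")),
]

def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (method label, offset) for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((label, m.start()))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample (not from any real binary): fragments of Methods 01, 12, 11 and 05
# separated by NOP padding, roughly as they would sit in a packer's stub.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"              # mov ax, 04h
    + b"\xCC"                          # int 3
    + b"\x3C\x04\x75\x10"              # cmp al,4 ; jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh ; push 002A002Ah
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"               # '\\.\SICE',0
    + b"\x90" * 6
    + b"\xB8\x4F\x00\xCD\x41"          # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3\x74\x05"          # cmp ax,0F386h ; jz SoftICE_detected
)

if __name__ == "__main__":
    for label, off in scan(SAMPLE):
        print(f"offset {off:#06x}: Method {label}")
```

The lazy `.{0,N}?` gaps tolerate a few instructions between the magic load and the `int`, as in the Haspinst.exe listing above; tighten or widen them per family of packers you triage.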