About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)


The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It looks for the ID of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must point to the IVT (segment 0)
    xchg    bx, es:[41h*4+2]        ; swap in our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


A 2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from the timer
    xor     cx,cx
    int     41h                     ; without a debugger our handler runs, so CL==AL
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). The values can be manipulated and/or changed as
well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the open only succeeds if the SICE driver accepts the DIOC_OPEN */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
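As an added example (not part of the original post, and not code from any of the programs it quotes), here is a small static scanner in Python that turns the constants listed in methods 01 to 12 into byte signatures and reports where they occur in a file. This is the analyst's side of the same knowledge: knowing which of these checks a sample contains before stepping into it. The opcode encodings are my own assumption of how the quoted instructions assemble (16-bit DOS code for methods 01 to 07), the sample buffer is constructed for the demo, and a packer that builds the magic values at run time will not match, so an empty result is not proof of absence.

```python
"""Static triage scanner for the anti-SoftICE checks catalogued above.

Added example, not part of the original post.  Opcode encodings are an
assumption about how the listed instructions assemble (16-bit code for the
DOS methods); code that computes the constants at run time will not match.
"""
import re

# (method label, pattern over raw bytes, what a hit means)
SIGNATURES = [
    ("Method 01",
     # 66 BD 4B 48 43 42 = mov ebp, 4243484Bh ('BCHK'); the 66h operand-size
     # prefix is only present in 16-bit code
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42"),
     "BoundsChecker 'BCHK' signature loaded in EBP before int 3"),
    ("Method 02",
     # mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), either order
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.S),
     "int 3 back door magic values SI=4647h / DI=4A4Dh"),
    ("Method 03",
     # mov ax,1684h / mov bx,0202h / int 2Fh
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02.{0,4}?\xCD\x2F", re.S),
     "int 2Fh/1684h lookup of the SICE VxD (ID 0202h)"),
    ("Method 04",
     # same with the SIWVID VxD ID 7A5Fh
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A.{0,4}?\xCD\x2F", re.S),
     "int 2Fh/1684h lookup of the SIWVID VxD (ID 7A5Fh)"),
    ("Method 05",
     # mov ax,4Fh / int 41h (the 0F386h reply is compared afterwards)
     re.compile(rb"\xB8\x4F\x00.{0,6}?\xCD\x41", re.S),
     "int 41h function 4Fh debugger installation check"),
    ("Method 07",
     # mov ah,43h / int 68h
     re.compile(rb"\xB4\x43.{0,6}?\xCD\x68", re.S),
     "int 68h function 43h debugger installation check"),
    ("Method 11",
     # NUL-terminated device names opened by MeltICE-style code
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
     "SoftICE driver name for CreateFileA/_lopen (MeltICE)"),
    ("Method 12",
     # push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch) before VxdCall
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
     "VxdCall VWIN32_Int41Dispatch(4Fh) debugger installation check"),
]


def scan(data):
    """Return hits as (offset, method, description), ordered by offset."""
    hits = []
    for method, pattern, desc in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def detected_methods(data):
    """Distinct method labels present in the buffer, in catalogue order."""
    return sorted({method for _, method, _ in scan(data)})


def report(data):
    """Human-readable listing, one hit per line."""
    return "\n".join(f"{off:#06x}  {method}: {desc}"
                     for off, method, desc in scan(data))


# Constructed sample: several of the checks above assembled back to back,
# padded with NOPs.  Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                           # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                           # Method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                               # Method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # Method 11
)

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it directly to list the hits in the constructed sample; to triage a real file, pass the bytes read from it to report(). The short `.{0,n}?` gaps between the instructions of one check tolerate a few interleaved bytes, which is what a mildly reordered compiler or hand-written packer stub produces, while keeping the patterns specific enough that ordinary code does not trip them.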