找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
! P9 e8 M- Z/ A<TBODY>
6 ~# M/ p9 a# p  m/ l<TR>8 p/ p* m0 L: ]8 U7 e( N
<TD><PRE>Method 01
2 j( E; t4 \1 L# `( V8 ^# U=========
" e- H  `; G0 P, _% D! [) j6 _" c, K6 g' n
This method of detection of SoftICE (as well as the following one) is
9 k( N3 D3 D7 E7 t4 mused by the majority of packers/encryptors found on Internet.
1 q7 o  T- b  }! VIt seeks the signature of BoundsChecker in SoftICE
# B1 L  l! D* t/ K1 h; k
5 p7 S/ C& }% {- H1 S% b1 j    mov     ebp, 04243484Bh        ; 'BCHK'7 Q, ]6 }7 C' p  M# w6 z6 I4 G! z
    mov     ax, 04h
2 p7 a4 Q% p, j6 d7 W- B/ c    int     3      
: v* _4 f! F1 h. t    cmp     al,4
$ q% H4 I& c1 u    jnz     SoftICE_Detected$ y* k3 b; K3 ~* O! \
7 \5 k2 [+ {% |- h, f, e& r7 Q# S* j
___________________________________________________________________________% s* j  \" Y8 |" {
- [9 h$ D& B/ y) o$ d- E/ I$ P; @
Method 021 l; [( Q6 X) i5 E
=========" u# F4 Q4 W( x+ p6 K
0 d0 ]5 t: c. P% K
Still a method very much used (perhaps the most frequent one).  It is used9 S5 X& |7 j8 k5 E
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
) [6 D1 B4 m  y/ L6 w- F# X0 w! zor execute SoftICE commands...
0 E. X1 l6 p  ]It is also used to crash SoftICE and to force it to execute any commands
& _  F* K2 |! e5 u4 \3 x(HBOOT...) :-((  # t' u( y0 b! A. Q, F0 i6 v5 ?& k
4 Q% k9 ?7 U9 e; a. K$ e# N. @
Here is a quick description:& n9 y; i9 G. @) I, B  a& t
-AX = 0910h   (Display string in SIce windows)4 x& L1 @4 o) P! U  D
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
) ]- f4 ]: d+ s2 Z6 z-AX = 0912h   (Get breakpoint infos)
/ h/ h  x  v9 P( N2 {-AX = 0913h   (Set Sice breakpoints)& W  V3 A. M9 x1 O* S0 c. p
-AX = 0914h   (Remove SIce breakoints)
4 o4 n+ a; G* K- ~. k, Z
; d1 F8 g& Y9 `' N8 ~* dEach time you'll meet this trick, you'll see:
9 z$ W( X% \( k! _& B+ i# g-SI = 4647h
0 h' _6 ^& W4 m) E) [! p: r-DI = 4A4Dh$ {, V, `" j+ n0 @0 E7 c; [
Which are the 'magic values' used by SoftIce.5 G* y. F, Y  H) ^' B) h
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
6 c6 b5 z5 ]& s5 G% k( P* {
8 d! _3 q, }/ _# s! z9 FHere is one example from the file "Haspinst.exe" which is the dongle HASP7 A8 z' z8 r5 ?# m+ S: V
Envelope utility use to protect DOS applications:
  B& d9 w/ x3 S( T% w
$ {) D/ D# N, a! m. ]) \% `# v0 g) p2 `( Y2 w1 M3 I+ ?
4C19:0095   MOV    AX,0911  ; execute command.
. u, R$ ~/ `4 c4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below)., k) D: s$ T1 g# |! {* k& t
4C19:009A   MOV    SI,4647  ; 1st magic value.
8 ~; p$ H) t* p0 _4C19:009D   MOV    DI,4A4D  ; 2nd magic value./ i; h7 G& K& C7 n, N# J
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)1 \( Y5 Q1 A  z% b7 Q: X
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
5 t. p1 ~- E4 x9 ?; V4C19:00A4   INC    CX9 G' E. C3 i- f/ [) D/ \
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
2 v9 C4 C( S4 o4C19:00A8   JB     0095     ; 6 different commands.
) Q& `- J7 [! a1 H! u4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
& i! z- \; [' b% Q5 ?, V! W( K4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :): X5 r6 M5 b" m' U3 b

+ i6 C% J$ q" S# T* A0 kThe program will execute 6 different SIce commands located at ds:dx, which
. `. z4 _, H9 a, B3 j# ~are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.) i4 {5 k# J$ W* Z$ Z# y2 E

; r! M4 n7 U5 ]4 O7 E" Y* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
& i- N' z. e" z# `___________________________________________________________________________
. G* E! [  G9 g7 `/ l
3 e7 p) Q* {- r: v$ E8 `
" F7 |9 R1 H5 D8 I( CMethod 03
! m$ C6 S% w* a+ ?6 q=========
$ M3 I. r; ~. Q
# ~0 W0 e3 @' N. n/ c1 }Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h# s$ d# X- X- Y' o
(API Get entry point)" f' L1 x9 t7 I+ W! r1 b2 u
        
8 M8 l6 x8 Q2 V: [; _  ]+ \8 W: u" Z$ ]% O! w' n/ P# g
    xor     di,di
- w) t, K& X6 q! H' N" g" e+ p    mov     es,di
9 X$ W' }4 B+ G2 E9 R1 H( _    mov     ax, 1684h       / ], B; M3 F. X
    mov     bx, 0202h       ; VxD ID of winice
* z- W  U1 Y& g8 `- P3 V2 c    int     2Fh, ]  Y) {/ o1 d7 O
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
+ E+ s$ l; ~% U; l0 c" c    add     ax, di
$ q* z( Z# r% s) K4 x4 j    test    ax,ax
7 L( `, R! P  E    jnz     SoftICE_Detected8 C+ l* c0 w8 O% r/ S3 Y
2 g5 a4 d4 W8 V( q/ r9 ?& a
___________________________________________________________________________
2 ?$ E, ^$ F% X/ s, c" c
- E. h7 X4 E1 i& o( h3 {Method 04
% f. r6 q; N) M6 q2 P  C+ h1 |=========
2 Q# Q4 O3 c, w3 _6 h1 c2 h
1 r/ g4 O' L+ |' \Method identical to the preceding one except that it seeks the ID of SoftICE# d6 r7 g" |/ b. e- M
GFX VxD.
$ v, l# N; ]  W- t6 U* h- w/ X% i5 ~, ?0 n9 p% q# J
    xor     di,di
7 Z- j4 a; D7 a2 m2 W1 H+ q2 L+ k; Z- M    mov     es,di0 ]5 K; k% a. R; H
    mov     ax, 1684h      
( g; P5 a& T8 Y, D: S0 Z% U' j    mov     bx, 7a5Fh       ; VxD ID of SIWVID5 j- q* u7 j) ~
    int     2fh6 w& ]$ H1 `8 i* ~
    mov     ax, es          ; ES:DI -&gt; VxD API entry point3 I" _- K+ `# O
    add     ax, di4 f5 I9 Q2 _& ?" a2 N
    test    ax,ax
- I: ]7 _) t  k4 J$ ~    jnz     SoftICE_Detected( z4 S1 A: C9 h, x! t( t
- g4 m1 X/ T. ~! }
__________________________________________________________________________: b. |, }7 ~% r  k9 u% }" s

, a# ?; T9 h9 {& b4 q- l, Q0 j
3 ]' k9 Y4 L' e  W1 `Method 05
4 |2 A4 V+ O2 @% G6 l5 L3 x4 m3 b=========
3 c5 f; K+ Y+ X, t0 K- }5 J4 C% A/ X- z: M5 |
Method seeking the 'magic number' 0F386h returned (in ax) by all system# g2 Q2 I+ A/ k6 c2 U
debugger. It calls the int 41h, function 4Fh.
0 a! W: b1 @8 O1 ]There are several alternatives.  
9 @' d/ N' Y# J5 X+ y7 s& E* O4 F: `6 ?% [" L& s2 g6 ^
The following one is the simplest:" d; d8 _6 W; X$ y
( i* J: y5 j4 A1 Z0 o
    mov     ax,4fh
  w5 C5 \9 \" X( }* m3 O. m" F    int     41h3 {4 o9 `9 G8 ?$ {
    cmp     ax, 0F386" r: m/ W1 M( G& P, h
    jz      SoftICE_detected
1 Y% T4 x; `$ p! V" K8 k* Q$ S1 a: G9 Q& ^$ ~

3 R. m0 K4 U# F! t; f2 sNext method as well as the following one are 2 examples from Stone's
( w, a# |1 P9 k3 G6 r"stn-wid.zip" (www.cracking.net):; Q! h8 R! `9 P% a* C; G
' Q, b) G% S2 E
    mov     bx, cs
$ T/ P6 c' I; D% d$ J- ]3 A: Q    lea     dx, int41handler2; U0 B9 |. r( v8 V
    xchg    dx, es:[41h*4]
3 E7 r+ P8 }) e, a) A* B    xchg    bx, es:[41h*4+2]
+ ^) c. n1 g9 G- |" Q8 H- F" Q    mov     ax,4fh
( a4 \- L: g% c3 T: ]    int     41h
  E$ f/ a( N$ `  |; H3 s: ^- `    xchg    dx, es:[41h*4]2 |( a% m. }8 x5 z& n
    xchg    bx, es:[41h*4+2]
: Y, v- y, s3 G" G9 ~    cmp     ax, 0f386h
$ t- C- t( ?1 y( c/ I- @    jz      SoftICE_detected! v; Y9 ]( e: M
2 Z) u, [, d$ o9 N! J8 |/ v
int41handler2 PROC
* c4 B+ ?8 C* h! n    iret. s7 w- _. B! g, e
int41handler2 ENDP
4 u& R& K) p# ?% N  U7 F
. v7 g" b6 N( M& ^4 D7 V8 ?; Z6 O6 `, s
_________________________________________________________________________
% X% V' ^% w( e) w0 O1 R. o* W6 J0 W1 g- v/ Y$ A9 L
6 r% p+ p7 Z" L; a0 N" i, o/ T
Method 06  }+ P. i2 z  W/ O* B
=========& R& J* ~1 l/ ]- L/ X
: w  A3 Q# J& f- \$ j2 m9 z+ u# N
' l4 f# Q  {- P5 G. N+ m: ?9 a$ Z
2nd method similar to the preceding one but more difficult to detect:2 ~) u6 j) v" L8 Q5 {
! U7 O, A! X7 g& A% X

2 t  }/ u; c' r. I3 J" f. U2 D/ |int41handler PROC
! t. c; j  e4 R" r& H# P6 @5 x    mov     cl,al
- Z* x4 ]& {& [( n- Z8 _  F1 A% w: K    iret
  M$ Y+ K9 z" Uint41handler ENDP
, _) G; \' R1 ^3 n3 I
* }) r9 w: B: J' S( N2 v/ p
: j3 \# O1 e% @- K& X    xor     ax,ax
" F3 T" G  O4 L/ v" J1 f3 W    mov     es,ax' f% N: e, i/ L$ L3 ?  p
    mov     bx, cs
9 N: x! c  O. y" |    lea     dx, int41handler! D! w) @8 q' C. e" C& W
    xchg    dx, es:[41h*4]
. r, X9 {3 z' Z2 ~0 ^; u  u& Y    xchg    bx, es:[41h*4+2]+ _6 }8 @3 r$ _/ ~- ~
    in      al, 40h
% D4 P, \# t" `* M9 ?1 W    xor     cx,cx
8 g; D% N& d4 F' ^+ J5 K    int     41h
& r% }/ |, ]3 Q2 F% |! d* f8 F% m7 y    xchg    dx, es:[41h*4]9 L) l8 l1 {/ ?3 Y$ y! X
    xchg    bx, es:[41h*4+2]
3 Z( V' e' l4 ~: x    cmp     cl,al; r& j8 t% }( q1 j) |2 e% ^
    jnz     SoftICE_detected5 T" G8 Q2 J( n5 Z8 h/ K3 }

+ k  w2 m  {9 Y* X_________________________________________________________________________
& R7 }9 o: ]: z6 S+ V" p; Y5 O) o% ^# x# v6 ~  E! \1 a
Method 077 ~' a4 m2 I1 P/ V  p5 W& T
=========  b/ n  Q# T' H
( B% {; D5 W* [
Method of detection of the WinICE handler in the int68h (V86)+ F) [+ m) N' T$ z- a  D5 S

/ @% r; Z5 \# W) y1 F    mov     ah,43h5 n6 M" N7 ^% q* c$ e& Z* m
    int     68h( x  ]* f' G9 s+ i1 |
    cmp     ax,0F386h) U9 t- |' k- \8 Y* }5 a! g
    jz      SoftICE_Detected( n- {! j( x7 m+ V6 r! T
) i0 @- B' y1 A$ w8 @

( X/ b" j0 [0 I* C8 ~, h=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit9 o! B4 n1 H! F- |. b7 `
   app like this:
; W1 B' x4 v, y' _% c% z& z+ f6 I+ V) c5 A: W( T
   BPX exec_int if ax==68/ o+ c" P, @. D4 O8 ]7 ?
   (function called is located at byte ptr [ebp+1Dh] and client eip is
! a# z' B, Z1 [/ {: j   located at [ebp+48h] for 32Bit apps)
% Q. J$ h+ c- }( v' p__________________________________________________________________________  M% G* O& @, W0 P, `, ?
& {4 @. `' ~4 I2 [; L% ?: Q& v% P# Y9 E

% u2 a! T1 f' ~1 PMethod 087 E3 X" |) S$ b, R  Y8 s5 t
=========  w( k9 y5 V; L; G% x! e  \

4 I% j; m5 ^& {& ^: @6 hIt is not a method of detection of SoftICE but a possibility to crash the
4 t, c/ ~3 D) z% f8 rsystem by intercepting int 01h and int 03h and redirecting them to another1 ]8 [& f# ]8 \" w9 E; M
routine.
7 l6 \+ _; b9 _. a1 p' T& NIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
: m0 R3 N3 c6 v, ?- l1 pto the new routine to execute (hangs computer...)% {$ A+ Z& F4 Z4 S( b1 s, k

, N4 f0 b' |' n  g* ?    mov     ah, 25h- @' Z$ Y9 p" k# J8 V- p0 `
    mov     al, Int_Number (01h or 03h)
1 `; O, {* n* e    mov     dx, offset New_Int_Routine
9 x% t5 T) g& H% w8 Q0 E    int     21h* G: e% T' T+ J3 c4 D6 O
0 b9 b& ^, v) V. K) a9 v
__________________________________________________________________________
! k! w& z# l! W7 j: ~2 q/ p
& ^  Z' r$ H. TMethod 09
9 a- _+ T( ~7 m2 ?6 n=========; l- C9 W+ l2 m

7 S# Y7 B% f+ A9 RThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only8 |- ]1 h% q& Q5 B( p4 Y
performed in ring0 (VxD or a ring3 app using the VxdCall).
! C2 n& d, k9 e7 r* XThe Get_DDB service is used to determine whether or not a VxD is installed. t1 y& L4 c- m6 Q4 A7 Q) m
for the specified device and returns a Device Description Block (in ecx) for
0 r2 x4 b* p$ o) @  lthat device if it is installed.
2 R6 h% K% O) @5 p1 l+ W. |- D/ W: @& ?0 p, J9 W7 ]
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
+ J* X  s2 e8 Z   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
$ e; l, \; s, H/ f   VMMCall Get_DDB) w) f# c8 V; r- K. X' E# B5 u
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
. J1 u4 w  z8 S5 M) Z* X
3 }2 Y% w0 v3 @- v3 WNote as well that you can easily detect this method with SoftICE:
; t/ }7 V& e) E6 R- o   bpx Get_DDB if ax==0202 || ax==7a5fh
( e$ c7 S7 _8 w. S  i2 g( P# u
7 B. U. p, p; ?# ^% m__________________________________________________________________________- l, M% `6 q- ~' R/ y
2 t9 e' p  \7 L3 c: N' s% r
Method 10
5 s+ u, X7 m  B=========' c6 S$ A7 N6 ~: G4 w4 V/ l+ f

& o$ c2 R4 y9 a4 Z8 @6 X=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with5 x. x: L# o/ v) A( c- C
  SoftICE while the option is enable!!; e1 n' M$ j* z; \+ b- ?6 T

7 X: D( _; M- Z( W* aThis trick is very efficient:
9 z: `. n/ M' \by checking the Debug Registers, you can detect if SoftICE is loaded
( o+ H9 I; g. H! I! I7 g& E5 X* K(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if7 w6 G+ A# t5 E! e$ J
there are some memory breakpoints set (dr0 to dr3) simply by reading their. W2 a) j7 R4 P! o; K' |3 |* Z
value (in ring0 only). Values can be manipulated and or changed as well
% _) O1 e5 n& d. e/ F. X(clearing BPMs for instance)  }2 p' v& V  s- c5 a: Z2 D* O
# `8 w$ u0 E0 d! O; C* |
__________________________________________________________________________* O8 b& R& G2 I
8 W* Q6 Z3 t& ]3 }6 t
Method 11- J. S) E3 p" O: H% _. t
=========
' r, Q2 T6 X3 q; p% v  o8 V7 P8 d) c0 c: n; G1 S- r7 y: g
This method is most known as 'MeltICE' because it has been freely distributed
% v! f" J; k2 f5 G& @8 z5 E% e" t7 Yvia www.winfiles.com. However it was first used by NuMega people to allow
! Z* a" _! P# V5 g8 {) WSymbol Loader to check if SoftICE was active or not (the code is located' M/ w0 X# N) u! n1 S
inside nmtrans.dll).1 M- s7 ~( Z* @, _

+ l! R! j, S; bThe way it works is very simple:
0 p3 i  x  i. k/ o. S0 A7 JIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for3 n6 _. v7 ~  b5 t
WinNT) with the CreateFileA API.* a! Z& e5 @, D0 q
5 U9 d3 w# _; G5 i
Here is a sample (checking for 'SICE'):
/ z5 k9 @: Y+ d. B3 v- X# S+ y& }( ^' N4 j, q
BOOL IsSoftIce95Loaded()
3 d5 E; R8 G. X{5 T7 z/ g$ ]: |' v% h* c1 ^% ?
   HANDLE hFile;  
2 e0 p/ Y7 E: V3 M6 y: T! x7 t2 v   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,/ e; A) O8 w3 R! k+ ]
                      FILE_SHARE_READ | FILE_SHARE_WRITE,6 C: ?) Y# a: x5 T- a
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
2 s  J) N  L7 o; ?7 c5 h' n+ }   if( hFile != INVALID_HANDLE_VALUE )" W. m% l1 }7 g: N: Q
   {5 B) M, W; k2 U* m  S* y$ |+ Z
      CloseHandle(hFile);
; k; U. I. O. Q" Z& B7 Y- @      return TRUE;' a: ^: l+ w* N& Y2 n
   }, `4 v$ e% V* d- [1 o1 e
   return FALSE;
, ^. F5 u- n, G- F, `}
( L! g- {. H, D, a7 U' G, [5 i/ Z. a. N
Although this trick calls the CreateFileA function, don't even expect to be
% i3 P9 v+ K( J6 jable to intercept it by installing a IFS hook: it will not work, no way!
; C7 u6 j' _# {! `( F/ O' a4 wIn fact, after the call to CreateFileA it will get through VWIN32 0x001F# n% f  L8 C3 @% |2 a2 Y
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)1 c# j7 Z! Z; H% G. A  @; p# z
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
5 p4 K/ v# a4 A" Wfield." B0 C4 Y  V/ o4 N- |
In fact, its purpose is not to load/unload VxDs but only to send a
* y1 A' R& j# P- G7 m; AW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)7 B' J$ j/ k: J5 A" S
to the VxD Control_Dispatch proc (how the hell a shareware soft could try* a+ p" S  T- a2 z' P$ M) t6 q
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
, j+ m2 _  N  |, p* O/ P3 P3 r. bIf the VxD is loaded, it will always clear eax and the Carry flag to allow# E% C* h  M" @8 D/ c3 L
its handle to be opened and then, will be detected.
: c$ x; d) |4 h" _8 L/ eYou can check that simply by hooking Winice.exe control proc entry point
4 y5 ^: {. S& k+ c8 B" ywhile running MeltICE.: T* }3 L* x! L
+ j, w2 r" X6 C/ E  [
. H- X) x9 k9 m2 O; p$ N6 E8 N
  00401067:  push      00402025    ; \\.\SICE1 R7 F1 u3 L. S) ~1 z6 i' F( r; O
  0040106C:  call      CreateFileA
- o: T5 T5 T8 P; @2 v5 z  00401071:  cmp       eax,-0015 C/ w2 g8 \5 p8 U; r
  00401074:  je        004010916 t  @" h8 ]4 A# S
8 |$ s/ ~/ m- b& l+ q+ Y
3 B# n% {( n: s6 P+ y0 g
There could be hundreds of BPX you could use to detect this trick.8 I4 I* P  e9 M: g1 X
-The most classical one is:0 B$ M, W$ Y/ T& W) j) F$ H
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
2 |) F4 |- G) [    *(esp-&gt;4+4)=='NTIC'
1 y( W8 N/ e' [5 b2 c
6 `& k. t7 |) `% [-The most exotic ones (could be very slooooow :-(
* f% p5 w0 J2 ^) t% B: _   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
9 L0 j+ M: C9 v, m% v) d- D     ;will break 3 times :-(' ?7 K: L+ @6 h! L+ k, W4 b! T

$ f: [/ g1 K! P1 z, R, }7 {-or (a bit) faster: . W5 U8 r0 y/ e; N  r4 W
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
5 b* q2 E+ x; g( e, G% b/ g# ]* C: B; |8 w6 s2 e- t
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
# F( c% H$ Q* G4 P. q/ D2 R     ;will break 3 times :-(0 a4 x) v" T; {7 K5 Q8 V0 O. `
8 ~$ U3 A, K9 M' z9 X6 \
-Much faster:& w3 _* q5 ?8 e: [/ f1 m# x
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
$ m/ g: v7 c. H6 @3 _% z
& m& C) Q, v) d, A0 A. WNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
( K5 M- G8 y4 d; j9 ofunction to do the same job:
! Q. L, H  L3 V2 {
+ ^6 g. ^1 V3 V  G2 g   push    00                        ; OF_READ) H7 M7 D+ t' Y" Y. [
   mov     eax,[00656634]            ; '\\.\SICE',0
4 P: Q! o0 E0 d% P, U   push    eax
& {  u1 K! b5 h# c   call    KERNEL32!_lopen* t! n  f+ x# {+ r, W, ^( j5 r1 D8 X( X
   inc     eax' y: B7 N( n; Q; W: f
   jnz     00650589                  ; detected2 Q, |) B' k0 h8 R0 g% ]
   push    00                        ; OF_READ2 d6 D# Z$ V- C. ^9 G+ o
   mov     eax,[00656638]            ; '\\.\SICE'1 u) R* H/ p$ ~  X9 `
   push    eax
6 r1 A* [7 Z/ J2 x   call    KERNEL32!_lopen6 N$ g0 a9 `6 ^6 ~  ?. S
   inc     eax
5 T5 w* J( P( Y  ~5 B1 j   jz      006505ae                  ; not detected
* I: K/ G. Q: ?+ m
) s* h  M! E9 i/ \
3 W1 v& \/ j& Q' Z5 R7 E8 U__________________________________________________________________________. i7 Z# Z# k( T8 d* b0 f4 R

% T* O6 \& {( e8 i- o' s& c4 Q4 iMethod 12
& ~+ |# ?$ c+ T: ^! q=========& P5 C& j" z& M. E) \

! j* ]+ C* ?: \0 hThis trick is similar to int41h/4fh Debugger installation check (code 05
: H9 t% s. N& s% I6 }+ y&amp; 06) but very limited because it's only available for Win95/98 (not NT)( z- t  i  ]' d- d
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.: Y2 h& t5 S9 k

& ]) |' O2 x8 C4 s   push  0000004fh         ; function 4fh6 y+ ]; `- N, O+ F% J0 U- i
   push  002a002ah         ; high word specifies which VxD (VWIN32)8 \( r2 Q# R+ x1 w3 P/ g& w0 s
                           ; low word specifies which service! u* u  u$ q/ x1 H5 W( J
                             (VWIN32_Int41Dispatch)  {, u! J2 P' x9 M2 }
   call  Kernel32!ORD_001  ; VxdCall: I; `3 U5 n' \1 R! i6 x
   cmp   ax, 0f386h        ; magic number returned by system debuggers
7 L$ \/ u# e9 n) k   jz    SoftICE_detected! L. g1 y) y. [9 R

, ^- z5 U2 p: X! X, x# FHere again, several ways to detect it:
$ z4 v  }/ |. s: d. P9 f+ Y6 {: B
5 ~: T* W0 z% E6 C- i3 B    BPINT 41 if ax==4f
! m' `, _( P( Q3 M% j+ H' o. {! A" Y
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one9 {; V3 ~% R0 N3 E

0 B  L' M; Y4 N! G9 J% Q) J( f    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A/ I; R1 F, e& H- x

4 m' o( h9 ]8 ^- O    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
4 f, c% R9 j( s+ a" u  W# @# T2 f4 G- \- @% I+ O
__________________________________________________________________________6 W. K' C  Y. f( @  h! Y% ?

  p# p- L. C# L  Y4 gMethod 130 Q/ I- `9 \# X1 C& B! [1 U
=========: W+ D, D6 @6 b1 L
* \/ A, o$ ?1 s$ ?" B7 ]0 H
Not a real method of detection, but a good way to know if SoftICE is  w! n9 Y9 Y7 \7 q) |( b+ k
installed on a computer and to locate its installation directory.9 y; `# C9 {/ P, _
It is used by few softs which access the following registry keys (usually #2) :
( Y+ X  ?2 F* X
$ E2 k- o7 N8 v( K' p1 K-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion# o; D' `% }% V$ H
\Uninstall\SoftICE
* a: r$ D, s& `9 _$ l-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE# ]$ z; t, Y8 z8 {
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 S, S0 a5 I5 p7 U8 [- p" H- Q\App Paths\Loader32.Exe" q9 u# Z' u% O. j

9 K6 k. o9 }0 _& ~5 V
5 q# j9 ?; G; A+ F9 W' u4 ~Note that some nasty apps could then erase all files from SoftICE directory* k0 p0 V  N" i: `3 D/ c% Y
(I faced that once :-(
7 H0 B, N' u2 O, l/ u0 V5 F& z4 x( I, J1 N7 Y) g3 T
Useful breakpoint to detect it:* w* C5 c+ {$ z6 }7 T* U

$ D9 V; h. `) b$ t* I7 g4 S$ R8 y     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'4 }/ q0 w7 O" F0 N8 Q: V& q# O1 e
3 n/ d  Y' b5 E2 R
__________________________________________________________________________6 K0 t7 G, q# v  H+ W, ~) r+ ?( N

4 J4 f) E" k/ x. {3 d6 p: N0 {% w, Q
Method 14
. n! Z1 N' _5 x. G6 t6 }. _) F9 u. P=========
2 ^! ?. K. e7 P. T. B; |8 A6 R9 ^* J
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose% M& Y( I+ V7 k1 `0 T$ C/ Q/ P0 e' ~# _
is to determines whether a debugger is running on your system (ring0 only).$ s, W1 x$ W7 }1 j3 c& N/ }
# b8 m# k: p$ {3 W* Y& ^* j% V$ V
   VMMCall Test_Debug_Installed
8 R. R1 u1 i; v6 O* V0 P1 N* f   je      not_installed
  E+ j3 b2 J1 t. g& ?+ [" {; ~% r; |) |! ?' F* S
This service just checks a flag.
* ^7 }, [/ M4 Q# G1 g. Q</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-11 11:52

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表