About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

7 P* Y$ D3 k% m9 B7 o) KMethod 04
) A; O! y( w; F/ M# q& }% [=========  T. a7 l9 w5 o3 g8 Y9 g& s

- S) {8 m% n* l* x$ A: L/ zMethod identical to the preceding one except that it seeks the ID of SoftICE5 Y! k7 _  E9 Y$ S% x% M$ w' t
GFX VxD./ L" u1 c4 y' H7 o( R* i8 n

/ S$ v0 N! Z. x( Z- G! d  m    xor     di,di
. T( S9 V5 L6 h6 b+ p/ N    mov     es,di
. d! a  ~  u2 J& e; \2 w    mov     ax, 1684h      
/ Z5 {* V% Y! D: q) \    mov     bx, 7a5Fh       ; VxD ID of SIWVID2 y' `2 H0 t1 _5 V2 O4 w) f
    int     2fh) n( z: Z5 N- C+ B  g
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
. w- {/ b% J$ K, M8 L& U% m    add     ax, di, K' ^3 s. B. h5 i' c; U
    test    ax,ax
! J3 K( N7 o8 e9 u/ M    jnz     SoftICE_Detected
- m( C1 {: p3 D8 H% y3 j# }7 @; U6 j, T, I: m
__________________________________________________________________________7 O+ ?3 i( B0 m: F

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the SICE device succeeds only when the SoftICE VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
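From the analyst's side, the tricks catalogued above (methods 01, 02, 03/04, 05, 07, 11 and 12) leave recognisable byte sequences in a sample, so a static triage pass can flag them before the code ever runs. The scanner below is an added example, not part of the original post; it assumes 16-bit encodings for the DOS-era tricks and 32-bit encodings for Method 01 and the Method 12 VxDCall arguments, the signature names are mine, and SAMPLE is a constructed buffer rather than a real binary.

```python
"""Analyst-side triage: flag the SoftICE-detection byte patterns described
in the methods above inside a raw code blob.  Added example, not part of
the original post.  Assumptions: DOS-era tricks (02, 03/04, 05, 07) are
encoded as 16-bit code, Method 01 and the Method 12 VxDCall arguments as
32-bit code; signature names are mine; SAMPLE is a constructed buffer."""
import re

# Each value is a bytes regex; '.' (with DOTALL) wildcards the few
# instructions the text leaves open between the characteristic ones.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "m01_boundschecker": rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    "m02_int3_backdoor": (rb"(?:\xBE\x47\x46.{0,6}\xBF\x4D\x4A"
                          rb"|\xBF\x4D\x4A.{0,6}\xBE\x47\x46).{0,8}\xCC"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ... int 2Fh
    "m03_m04_int2f_vxd": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
    # Method 05: mov ax,4Fh ... int 41h
    "m05_int41_4f": rb"\xB8\x4F\x00.{0,16}\xCD\x41",
    # Methods 05/07/12: cmp ax,0F386h (optional 66h prefix in 32-bit code)
    "magic_f386_compare": rb"\x66?\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "m07_int68_43": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh ; push 2A002Ah before the VxDCall
    "m12_vxdcall_int41": rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00",
    # Method 11 (MeltICE): driver device names handed to CreateFileA/_lopen
    "m11_meltice_device": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
}


def scan(blob):
    """Return (offset, signature_name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, blob, re.DOTALL):
            hits.append((match.start(), name))
    return sorted(hits)


def methods_hit(blob):
    """Deduplicated signature names found in blob, in order of first hit."""
    return list(dict.fromkeys(name for _, name in scan(blob)))


# Constructed buffer: hand-assembled fragments of the tricks, not a real file.
SAMPLE = (
    b"\x55\x8B\xEC"                                         # push ebp ; mov ebp,esp
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02 (Haspinst loop)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # Method 05
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # Method 01
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"           # Method 12 arguments
    + b"\\\\.\\SICE\x00"                                    # Method 11 device name
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # Method 03
    + b"\x90\xC3"                                           # nop ; ret
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Hits are reported per signature, so one routine that chains several tricks (as Haspinst.exe does with the int 3 back door followed by the F386h compare) shows up as several lines at nearby offsets.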