About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (interrupt vector table)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...and save the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a debugger answered instead of our handler
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only reached if no debugger took int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = unpredictable value (timer port)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -&gt; new handler
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE device can be opened, i.e. the SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
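Added example (not code from the original post, nor from MeltICE, Haspinst or any other tool it names): a Python scanner that searches the raw bytes of a DOS/Win9x binary for the instruction encodings and strings the methods above rely on, so an analyst can locate the checks before stepping through them. The byte patterns are the standard x86 immediate encodings of the quoted instructions; the sample image is constructed by hand.

```python
import re
from dataclasses import dataclass

# Byte-level signatures for the anti-SoftICE checks described in this post.
# Each value is a bytes regex; '.{0,N}?' allows a few unrelated bytes between
# the tell-tale instructions (re.DOTALL makes '.' match any byte).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  ->  BD 4B 48 43 42 ... CC
    "01 BoundsChecker 'BCHK' + int 3": rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc",
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), either order
    "02 int 3 back door SI=4647h/DI=4A4Dh":
        rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,16}?\xbe\x47\x46",
    # Methods 03/04: mov bx,<VxD id> (BB id) followed by int 2Fh (CD 2F)
    "03 int 2Fh/1684h SICE id 0202h": rb"\xbb\x02\x02.{0,8}?\xcd\x2f",
    "04 int 2Fh/1684h SIWVID id 7A5Fh": rb"\xbb\x5f\x7a.{0,8}?\xcd\x2f",
    # Methods 05/06: int 41h (CD 41) followed by cmp ax,0F386h (3D 86 F3)
    "05 int 41h/4Fh magic 0F386h": rb"\xcd\x41.{0,12}?\x3d\x86\xf3",
    # Method 07: mov ah,43h ; int 68h  ->  B4 43 CD 68
    "07 int 68h/43h magic": rb"\xb4\x43\xcd\x68",
    # Method 11: MeltICE device names handed to CreateFileA/_lopen
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: registry key probed for the install directory
    "13 NuMega registry key": rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


@dataclass(frozen=True)
class Hit:
    method: str   # key from SIGNATURES
    offset: int   # file offset of the first matched byte


def scan(image: bytes) -> list:
    """Return all signature hits in a raw image, sorted by offset."""
    hits = [Hit(name, m.start())
            for name, rx in COMPILED.items() for m in rx.finditer(image)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(image: bytes) -> set:
    """Set of method labels whose signature appears at least once."""
    return {h.method for h in scan(image)}


# Constructed sample image (hand-assembled, not a real binary): the Haspinst-style
# int 3 loop from Method 02, the int 2Fh probe from Method 03 and a MeltICE name.
SAMPLE = bytes.fromhex(
    "b81109"   # mov ax,0911h
    "8b17"     # mov dx,[bx]
    "be4746"   # mov si,4647h
    "bf4d4a"   # mov di,4a4dh
    "cd03"     # int 3
    "83c302"   # add bx,2
    "41"       # inc cx
    "83f906"   # cmp cx,6
    "72ee"     # jb 0095
    "31ff"     # xor di,di
    "8ec7"     # mov es,di
    "b88416"   # mov ax,1684h
    "bb0202"   # mov bx,0202h
    "cd2f"     # int 2fh
) + b"\x00\\\\.\\SICE\x00" + b"padding without any signature"

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  {hit.method}")
```

Run it over a whole file image (`scan(open(path, "rb").read())`); a hit only says where to look, since the same bytes can occur by chance in data.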