找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>7 x2 K4 O1 q% z) X& s
<TBODY>. u! l5 ], ]4 t  L  Q# u2 m
<TR>0 J2 Y  F1 |5 t$ C5 \
<TD><PRE>Method 01 3 _6 M. E; {$ J5 c" i
=========. b+ [' K% d5 L; t1 U
8 E, e- J/ `* e% Q5 S
This method of detection of SoftICE (as well as the following one) is' T4 g7 |9 i; X4 Y
used by the majority of packers/encryptors found on Internet.5 Y! l- T/ I8 j6 y5 u# u1 `& a
It seeks the signature of BoundsChecker in SoftICE
6 l# m, a, l* w0 e
% Q: E* l6 t+ u* |    mov     ebp, 04243484Bh        ; 'BCHK': Q) a3 G5 v% w7 }- |
    mov     ax, 04h
  j( N: a2 L* I! J8 \    int     3       5 f1 ?1 n: S. V0 J) M" \
    cmp     al,4; Q& a: ?( o) }+ d% H: w1 v- u
    jnz     SoftICE_Detected
. }2 n5 S$ R' ?$ i; R
& A/ G' t5 j$ M1 m___________________________________________________________________________
9 i2 T! h1 B7 t  |3 J
' j# u9 N+ z' E- I! ~2 @! j. m% FMethod 02# x+ \8 ^9 y: d/ t. z
=========9 s7 k# S: Q1 u5 f

1 f! m' T5 i, S6 W3 o& M) fStill a method very much used (perhaps the most frequent one).  It is used* \0 T! L$ S# t& z
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
4 i+ b/ o3 b. _  t7 Zor execute SoftICE commands...
! Q1 o9 _) E: Z0 c  M, M( w7 XIt is also used to crash SoftICE and to force it to execute any commands
$ u+ P' ]/ W- c1 @/ |(HBOOT...) :-((  5 L# w8 c' _( u6 U

6 ^, e  @9 U& }Here is a quick description:4 {! v. J! G; b* d
-AX = 0910h   (Display string in SIce windows)
, u3 \0 u9 V" \2 b# e-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)! ]1 a0 y5 j  ]7 ?: A7 {7 ?9 f
-AX = 0912h   (Get breakpoint infos)9 |; ~: S6 i/ o  |4 s0 H
-AX = 0913h   (Set Sice breakpoints); ?8 g8 G& u0 c( M
-AX = 0914h   (Remove SIce breakoints)
; l: k) U  j$ ?+ q9 h( o
9 _- r0 `* y$ g& C2 A" ^Each time you'll meet this trick, you'll see:; p7 Z4 P. l8 C
-SI = 4647h3 `! T8 O' d. W9 F0 R
-DI = 4A4Dh
( t& E3 N: S* ?( Q% t, TWhich are the 'magic values' used by SoftIce.; |" `5 S9 j- k0 h' T! K7 s
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.7 R4 ?* c( i: s- ^/ f# g* {

. T% P% l5 W2 A. L+ {Here is one example from the file "Haspinst.exe" which is the dongle HASP3 o0 d# J. Y; `) F! C1 r  f! c5 x
Envelope utility use to protect DOS applications:; @2 E  [9 x& {; |) f
+ S" y- Q' u, |/ Q: c" h2 X
2 {) T& N, j+ `! I2 l2 ^7 S
4C19:0095   MOV    AX,0911  ; execute command.
+ T1 p+ |9 ~$ m4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).: b$ x0 h4 m! L, m4 F9 E/ Q
4C19:009A   MOV    SI,4647  ; 1st magic value.
4 V% b6 D; Q$ v4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
5 i* X1 M; `/ j$ n' H( i5 K. r# R4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)  O! J+ [# ~5 s
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute9 t) R5 u. g8 }7 E
4C19:00A4   INC    CX; X5 I) _0 b: ~9 a
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute# f# C. W5 h; r
4C19:00A8   JB     0095     ; 6 different commands.
1 n+ R' Q7 u& }% `! |0 d9 @4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4 G! Q# s& c/ a+ r+ s4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)! Z" Q7 v6 m, `7 U& x

& E7 l! g+ W6 g- o. L% ?/ aThe program will execute 6 different SIce commands located at ds:dx, which% A' `- R6 m, Q$ l: e8 H0 C
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT." W# ?& }+ p9 O: |# j
7 e5 n; F9 f% _4 N& B5 u% r1 E/ E
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.2 ]" ]: g$ m0 q* X5 N0 ^
___________________________________________________________________________  j% P$ d, h3 ], ~

* T# X; h- T' q7 o
" a5 G# ^$ a0 [  }5 s4 y4 SMethod 03. n" z0 W. ]" }% W9 Q( B
=========) J& _$ U, H$ T) \3 O( b

( X6 e% ]: Y0 r" G* h5 L! u1 f) @Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h4 g/ l: ~0 w3 R5 V4 }: c2 d3 V. V3 y
(API Get entry point), {1 O4 }0 [/ l: e% F& h- }; J/ i# n
        
1 E9 X, i' m- ]5 @1 R/ }( T% v9 Q8 S. k) ?
    xor     di,di1 r2 |3 L; o  ]4 \
    mov     es,di
' e2 F# K% F3 Q% ]# J# d    mov     ax, 1684h       ; [6 b( o7 l# {1 _
    mov     bx, 0202h       ; VxD ID of winice2 J: V# q5 I) B7 `! `6 g
    int     2Fh4 v- L0 u3 Y6 O# \3 @% P
    mov     ax, es          ; ES:DI -&gt; VxD API entry point5 X6 c- b7 f& x( ?* f9 m
    add     ax, di
8 ~3 F2 Z5 \3 h& n& e: T    test    ax,ax6 Y  d# k& ~- Y9 Z; y: L
    jnz     SoftICE_Detected& X! T1 I5 F( Y4 e( z0 a* }+ }9 }
7 \9 k+ ~; c; g( m5 v
___________________________________________________________________________
  Q( Y! ^6 g6 s, x9 g
1 ~, k7 ~7 f5 v% l/ RMethod 04
' ?' k) ]  g- }3 D0 X  o8 z=========
4 a; l: C7 W7 B7 v- N4 A, I9 ^: L  x. a" s
Method identical to the preceding one except that it seeks the ID of SoftICE7 w+ D5 s$ u: P. C
GFX VxD.. v: n* Z5 t; f5 v2 ]. Q
$ e! f0 n. d: F! N+ o: x. p
    xor     di,di- U. p* D! k/ v% m- L* V
    mov     es,di1 v. n0 t! h; Z6 _2 X
    mov     ax, 1684h      
8 Q* u9 X7 T4 t& a' `% s3 c    mov     bx, 7a5Fh       ; VxD ID of SIWVID
) c' O& O- K" ^    int     2fh
9 Y0 ~) K3 {% T: K: j    mov     ax, es          ; ES:DI -&gt; VxD API entry point3 H& S6 L' {8 U( \, v" C
    add     ax, di
3 I/ {3 _! r" y2 p/ ?# B    test    ax,ax
% o/ |4 I- k. t2 m- q    jnz     SoftICE_Detected) ?- |9 H6 O* _8 z. Y) f9 L( s

& K; ~; V9 r9 X1 R: V__________________________________________________________________________2 X( }  V7 c, i( F+ f4 X
: x8 c, n; S6 L; c1 ?8 P3 l

! N) |, @6 t9 ]0 v! |Method 05
. h+ V! S6 _2 y=========
/ N# C& ?: x9 H! ]
: z! \$ S8 K& rMethod seeking the 'magic number' 0F386h returned (in ax) by all system
) a( P( k9 l8 Q2 W& _0 W1 s$ _debugger. It calls the int 41h, function 4Fh.2 Q4 v+ K& \- O/ K+ P8 O/ F$ U
There are several alternatives.  . k- @1 l4 V  R/ f

1 |" z! |3 c. _5 nThe following one is the simplest:
+ P/ R; p, T- [+ L0 \: Y
/ _5 e4 R' E: w5 }% T    mov     ax,4fh( R; _4 N# m+ k: A
    int     41h
/ \- {) V" Z9 d2 f6 R& \    cmp     ax, 0F386% R" _# E: t$ W/ |
    jz      SoftICE_detected; i% @, T' T! n: z2 _/ X% O
1 G5 {6 e" X7 C1 _  }) D: R

3 I. b) o) p( I8 [, FNext method as well as the following one are 2 examples from Stone's * U; O3 `; M# T& p* C3 g6 W1 h
"stn-wid.zip" (www.cracking.net):
9 E! M0 m! K0 ~( R  }5 T' }* O% A0 B0 S5 w
    mov     bx, cs
( S6 I8 l/ A) K    lea     dx, int41handler2
$ k3 @7 f5 A4 O6 _8 |    xchg    dx, es:[41h*4]
* z/ l( Z/ G6 R* Y    xchg    bx, es:[41h*4+2]
- X5 }) u( n: |, q    mov     ax,4fh
. h$ f( j7 R5 |    int     41h
9 g% Z/ E8 \( \& H    xchg    dx, es:[41h*4]
% @: M- a0 z: S4 H2 D$ F    xchg    bx, es:[41h*4+2]# F# K1 T4 O$ B5 V8 {8 x9 w& k
    cmp     ax, 0f386h
9 Z- h, k4 S  [9 \    jz      SoftICE_detected5 W! V7 n3 m& o* z  i, W4 g9 X
; D3 _2 J. `$ a% f* u5 o( V
int41handler2 PROC
  Q- V9 w  E0 d8 r9 h! Z0 c    iret. m7 ?* T: N* h, e: R
int41handler2 ENDP
' T) P: M3 z% N) W% j
  r# P5 ^# L6 D+ e% q- ?. o6 J
9 h3 O' t: h4 K2 F+ U_________________________________________________________________________
% j$ L$ }9 @8 x2 ]6 @! B. _! h6 K. U- w- `- o- G7 m$ o
# D. O. K" C0 n' X
Method 06
4 W% k' p( C8 X4 D- t* @=========
% a4 e+ P- m3 P9 f' m" p6 J0 G: C+ x- v* d1 D& Q8 C8 z% H" f1 s* Z

+ c! ~, _0 G, d# w2nd method similar to the preceding one but more difficult to detect:
& N: P; f0 ?; N2 h4 D+ G+ ^
0 Z5 i* Y9 a# F# J0 W( Q. |
9 W2 W" ^( L8 D- E/ ?' cint41handler PROC
* U0 }: Y8 n+ {% c4 \& V  {    mov     cl,al
0 Q: S2 b' `) Q1 r- S5 Y    iret
: x* I5 X+ X  |. n/ w! V4 Jint41handler ENDP
7 b; J7 G7 J  k, u' W4 I7 k5 b& u8 k7 I. c

9 s! E$ `' P/ I# p6 j8 ~( v    xor     ax,ax& A" u  q& R. [& y2 Y
    mov     es,ax
: V3 u( k$ z( f  ?8 b* I    mov     bx, cs
# e! U) C3 A3 r$ v0 t    lea     dx, int41handler; M: ?; f/ Q. T! F" N
    xchg    dx, es:[41h*4]
; [4 @5 s( v. U% F  U    xchg    bx, es:[41h*4+2]
! v! R' `& {8 O% c! u( o    in      al, 40h2 V+ ^- b1 T: r: l" z
    xor     cx,cx9 c1 t. D( k" n# X0 m. F$ P
    int     41h
+ `  V8 X) T% r- r  e( r( u* {7 U    xchg    dx, es:[41h*4]# `$ I) r0 h4 U8 t0 H0 e/ w* _+ C
    xchg    bx, es:[41h*4+2]! J  \1 E9 b1 u% D
    cmp     cl,al* s! Q; [2 o) U0 b2 Q* C2 ~0 l
    jnz     SoftICE_detected2 r2 g# E8 S( M5 z+ @' ~

0 `+ p8 b8 C" V7 S8 _0 z_________________________________________________________________________
; g% r4 M, L$ B1 G* c4 `
" Z1 g8 e4 r; O2 k2 A& xMethod 070 K" e1 a: ~& h/ h
=========
  Y; Y% ]( {3 C# h5 S
; ^2 ~9 W6 B& M7 ]Method of detection of the WinICE handler in the int68h (V86)1 _4 t7 f; m& n6 |3 E4 c% K

: P) ?0 F5 B' D. t! Z    mov     ah,43h5 ~" u1 c" S( k8 L
    int     68h& p* `) L4 Q' Q+ O
    cmp     ax,0F386h
: J9 B9 o" l3 ~$ j& f    jz      SoftICE_Detected
" W1 ~! |6 N+ z& z; v. E
1 ^# H1 \* r6 `. U: h- ^8 x5 ?
- u2 H, N* C% b9 c9 v/ I3 P=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit' ]( }1 c: q. ^2 ~; M/ ]% J9 a
   app like this:- ]& R7 ]$ t; ?! x
2 s9 \1 L: r/ Y3 r3 Z* b
   BPX exec_int if ax==68
2 K/ ~. j5 p. n% E4 }# a   (function called is located at byte ptr [ebp+1Dh] and client eip is
! ]/ T) D$ }% ~- q! G1 a   located at [ebp+48h] for 32Bit apps)6 ]% |- j7 u9 w* Y' ]
__________________________________________________________________________
# X, w5 B/ S- F5 O: |9 v
; X" T3 A& d% g& P
& J6 Q4 N' j1 m# O; Y" N* lMethod 08( K/ N- y& w. Y) v! Q
=========$ `4 U5 ^! _, |
& c5 f# V+ ~/ P
It is not a method of detection of SoftICE but a possibility to crash the
8 m$ K1 |  ]) y+ b8 Z. gsystem by intercepting int 01h and int 03h and redirecting them to another
6 g: [+ B3 K7 }! n/ Droutine.
7 b; c$ y# u0 \& ?3 JIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points$ J0 G2 F8 t8 Q& M+ P  R
to the new routine to execute (hangs computer...)- c8 ~! }5 q. z, k! p: m, k5 M

1 F0 e, a+ H  x. \! _' T  N+ X/ u    mov     ah, 25h4 W/ W+ D9 r3 v1 a, |
    mov     al, Int_Number (01h or 03h)! K2 I8 K+ J4 n% `  H
    mov     dx, offset New_Int_Routine
! t2 B+ @& R. r, H    int     21h
" d& C1 E- L- D8 ~  V0 g  |7 n$ A2 n# w4 y' B6 Z9 K, u5 p
__________________________________________________________________________
8 I7 P' Z9 t7 p: K3 e1 d) l6 I
1 t" p" N# m- U5 }Method 09
  J2 E4 r' u. D  a4 E4 Q) f% N9 e=========! D3 }: V$ A" p; Z: j

1 ~0 z( W1 [! z" v& {, WThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
0 W, z+ Q% O! [# ^; Fperformed in ring0 (VxD or a ring3 app using the VxdCall).3 K1 }) b; N( g3 b5 ?9 Z- v+ ?4 b9 e) P& E
The Get_DDB service is used to determine whether or not a VxD is installed
/ a& a' ~' N) W/ l; M1 ffor the specified device and returns a Device Description Block (in ecx) for6 s5 P3 J8 \7 r1 a7 d% f# j. G
that device if it is installed.
" y  i* Q* g% A6 r3 Z: f0 p- a
) b& b' l- ^% w. N; z4 o) R, c" L   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID7 N% g& D" P. m% o+ u3 l7 L
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
& @6 j) C8 E( p3 {, N4 X$ Q   VMMCall Get_DDB
# \1 w% ?$ r/ x   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed$ Q2 {6 {: x, P, M

9 r! F2 h# Y! f. |' b( eNote as well that you can easily detect this method with SoftICE:
1 J4 B4 u- H" Y' T+ C# o- ~" f   bpx Get_DDB if ax==0202 || ax==7a5fh+ c& w1 l9 t! P; q; Z

" @, \( L+ O, z8 x) P7 b2 r__________________________________________________________________________
3 {$ U2 ~7 v3 c1 j
" j! M7 U, x  a+ I0 b0 S& g5 }+ IMethod 100 t/ u/ F- f/ i: ]- C% j& D
=========5 S% k6 T' n% r9 \/ M$ I# G) E

7 |, U- b  ~# u9 W( ?' L  I8 s=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with$ g1 ~9 r; Z) L$ K$ J
  SoftICE while the option is enable!!8 j, E3 r/ X8 E' p

3 b! A- K5 ^7 _- ]3 C8 _. y9 uThis trick is very efficient:
, x" S( [* F# b  K* H+ Qby checking the Debug Registers, you can detect if SoftICE is loaded
+ u9 m" _- x3 Z/ E% |. _(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if8 }. D; k2 c& w: w! _
there are some memory breakpoints set (dr0 to dr3) simply by reading their) S' O. q8 m7 l8 e5 M. I
value (in ring0 only). Values can be manipulated and or changed as well
$ C; M+ h- D/ v. \, w(clearing BPMs for instance)
- w1 t% n9 _/ p9 v  \& e7 s3 g* `2 J( l
__________________________________________________________________________
* M% T6 B/ C8 p! d4 [: @9 `, Y# l& c$ z, r6 G
Method 113 k; c7 s0 O, N! z2 B
=========
1 g) t- d+ s% @
: {/ Q1 S& w, u: }. J/ G. kThis method is most known as 'MeltICE' because it has been freely distributed
" Z% k4 V; C. L- h9 ]8 C1 b; svia www.winfiles.com. However it was first used by NuMega people to allow
' D  N4 y( \$ hSymbol Loader to check if SoftICE was active or not (the code is located, @; g& ^# N- L0 R2 `! t. n0 f
inside nmtrans.dll).
" J. V$ z$ i, W  i: U
# v* g1 }  S0 {: AThe way it works is very simple:
& e0 l& ?1 ]& T( eIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
& Z( G: u0 c& ~- g, WWinNT) with the CreateFileA API.
# P/ o5 r; U$ d) Y% P/ R' Y8 C% d) w5 v: w/ Z
Here is a sample (checking for 'SICE'):
+ R3 {) w7 j' @* i: J" ^1 T( ]  O8 I/ f" |; A" Q
BOOL IsSoftIce95Loaded()
, J0 O' ~, |+ K& t3 `, U- i" h0 G( M, g{/ [4 A; P* M7 n0 R% O
   HANDLE hFile;  * L0 ]6 m" Q% W- A
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,4 x! l. B1 `% |% o: I3 ~
                      FILE_SHARE_READ | FILE_SHARE_WRITE,. b) S" \# U3 s  O$ \4 Z+ Y2 J- ]" E
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);+ n7 {" p6 G8 V7 H' X
   if( hFile != INVALID_HANDLE_VALUE )$ Q0 R2 w, e, |( B7 c" _1 o1 X7 z
   {0 |4 O5 u. F: _3 Y
      CloseHandle(hFile);
" d/ U% {+ c9 J/ w# M9 Z5 \! \      return TRUE;2 ]/ s$ U: g8 o  m5 D  X
   }. F1 V3 d4 s1 [- l
   return FALSE;
/ ~. _' d- V4 {8 r}
( l6 }& E9 Q; M! @0 z6 Z- P
: m% ?" V7 j' i1 QAlthough this trick calls the CreateFileA function, don't even expect to be$ c4 k, B- F" W* w
able to intercept it by installing a IFS hook: it will not work, no way!
# o2 o6 }0 G% q: s. Y& {# CIn fact, after the call to CreateFileA it will get through VWIN32 0x001F# a. ?7 |: y! m# P" a. j
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)2 d7 k1 e, v6 i4 W% P3 f
and then browse the DDB list until it find the VxD and its DDB_Control_Proc1 v( U7 f( m; `! w
field.
* R4 ?0 S/ g  A, {In fact, its purpose is not to load/unload VxDs but only to send a
* z0 @8 B# Z* qW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
; a  B' Z& }1 j! vto the VxD Control_Dispatch proc (how the hell a shareware soft could try
/ [- M3 W+ I6 }) \to load/unload a non-dynamically loadable driver such as SoftICE ;-).. e7 T, ~- K" V: Q) w& L/ y% {
If the VxD is loaded, it will always clear eax and the Carry flag to allow
) M$ q" M0 X; d9 wits handle to be opened and then, will be detected.
$ n% G+ T) A+ D" Q% s$ }6 D, Z- J# pYou can check that simply by hooking Winice.exe control proc entry point3 f8 E( ?: N& c8 @9 n* w7 R
while running MeltICE.
+ p$ s8 T( D9 w! m! ]6 o% M+ h4 H8 J% F  _. p6 E
  j8 a6 S! }  Q; Y2 U: z& L7 v6 v' e
  00401067:  push      00402025    ; \\.\SICE
" _5 M1 B% {4 h* e4 U* P  0040106C:  call      CreateFileA) B" h& O+ F, }  [
  00401071:  cmp       eax,-0014 S6 Q8 U0 O5 T2 }$ S; n
  00401074:  je        00401091
! A( t  n( \! W6 Y0 h- T
+ V8 ]! Z( t8 p1 ?6 J! x' r5 ]0 g
% L5 B- ~* ^9 g0 a1 ?4 `  @There could be hundreds of BPX you could use to detect this trick.
% M! @( X. t) Z0 [8 f3 C9 v0 A-The most classical one is:
% E% [& A  I' P" z7 x  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||4 v: Y2 z( u5 f* U2 W
    *(esp-&gt;4+4)=='NTIC'" ^6 [) t# `& g, D1 K5 G4 q0 z! p
* O- H2 T8 |* }. A+ x; M8 o+ g
-The most exotic ones (could be very slooooow :-(3 {8 e$ r" X/ d0 N# e& e3 f
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  0 |  M/ f: s1 v% A, X
     ;will break 3 times :-(! _) A2 E7 Z$ A
8 ~: _% u4 E2 Y
-or (a bit) faster:
- k9 {" h  G& a$ e6 d9 E% \   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
9 J* r( v! q5 \" i. T% ]
- C+ f3 {7 P* O. e# J4 h! ]   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
* x, C# V* V& Q* |     ;will break 3 times :-(
  e0 V5 ]) x6 ?2 ]" e- ~
/ G& q2 P, h9 d. R" W-Much faster:4 \: r/ H% }* N& |4 h- i4 L; Z% b
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'9 K9 `! b5 b) K2 ?
' A2 O* N9 |/ c" K  W0 l
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
. u2 S* x8 `! y0 Ofunction to do the same job:
. i2 ^! }) ?* {" K9 o0 p. T$ O7 P6 p
   push    00                        ; OF_READ
% R4 s( f+ k  c8 u" o  P% A- t   mov     eax,[00656634]            ; '\\.\SICE',0
3 o0 a1 ^) o) d* m* H   push    eax# I# y7 ~; z4 s  }7 q
   call    KERNEL32!_lopen
: K& j8 y9 F1 ?. H, ]& |) \   inc     eax2 K- I6 O$ z. Y4 f# P7 Q+ i
   jnz     00650589                  ; detected$ J, U& K* @6 [, o! I, S
   push    00                        ; OF_READ
& U# j& D# F( d4 h, k) r# R, h0 M   mov     eax,[00656638]            ; '\\.\SICE'/ C" U; a0 g1 U1 X4 v
   push    eax
4 P% z' @+ b" v6 N) R: s   call    KERNEL32!_lopen
! f$ A4 z3 k) ?& y, \7 N) G% `   inc     eax: n7 l( u, d. a' `' i; V
   jz      006505ae                  ; not detected
* w( l2 D' V3 l6 R% e- q
: g9 C# n% T+ V. r8 Z7 J
5 o3 P. d1 m' r4 W) m7 B4 |/ Y__________________________________________________________________________5 P! C8 e! }' ?/ {/ [
- ?# [. H3 E" {0 p4 A0 t
Method 12( G  J: ^8 n1 L$ }  G1 ^
=========# R5 }( q5 k; D; @% e+ }
* v! \+ Q3 t0 I/ [
This trick is similar to int41h/4fh Debugger installation check (code 052 d% j: `: C, z5 Q
&amp; 06) but very limited because it's only available for Win95/98 (not NT)2 ?; A% h6 N, S  z/ F( x
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
7 J) r# R$ b' ]7 a5 {6 a0 e5 e4 u2 z& Z! x$ h* n( U. |( g
   push  0000004fh         ; function 4fh  w- B6 h, k9 t- y( M; x
   push  002a002ah         ; high word specifies which VxD (VWIN32)
3 u) {0 ], P9 `! f; h" r                           ; low word specifies which service
+ D( o5 V2 w& u) X; |. ]                             (VWIN32_Int41Dispatch)
8 b2 P6 E9 f8 e; T/ [" H1 I6 F   call  Kernel32!ORD_001  ; VxdCall
, C, v; f, D* |2 T: e1 J+ `9 i! B   cmp   ax, 0f386h        ; magic number returned by system debuggers
" q( u  g% f7 P   jz    SoftICE_detected: \- ^8 K5 `4 d+ Q( K7 o% F+ W

$ o' k+ n2 F/ K6 H; g1 ?8 YHere again, several ways to detect it:
' ^) R7 l3 K( |2 }7 l$ a3 ?& R0 ^- U2 D7 R7 y% l  n9 |
    BPINT 41 if ax==4f' I) \* s) u- P- X$ q
( A; ]! b; O8 z$ n# \, U8 p: I
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
: R4 N: F9 `! {- a! [4 s& V- [
- x6 x2 N; I- C: f    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A3 U- U, r# J6 z/ z; s4 N, O

. ^' i2 }  U& M7 `/ f. r5 J    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!6 ?# t3 h8 m4 P4 l4 X

" P5 [& q. R7 [2 R$ h/ N' V__________________________________________________________________________  l( P! y% a$ a9 ~0 f
5 x$ L1 f4 f; J0 G9 }
Method 13' k% K# X+ J* u9 F+ c' p9 j
=========+ T- l( i/ b0 H

6 F  N; h  w' QNot a real method of detection, but a good way to know if SoftICE is1 p0 M" |9 @+ `. F8 ~$ s
installed on a computer and to locate its installation directory.9 O% L0 p$ X7 p; E
It is used by few softs which access the following registry keys (usually #2) :
3 I  e# z( b+ J. ~" H
7 @- E* ?' J& u  a5 W-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- m" R' N" @: p  I: I  G; J4 I3 ~) N$ _\Uninstall\SoftICE, Y# ?0 E$ |" i% R# N" m
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) T' b# R9 n+ `+ e( q1 X% f-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
6 U' j$ j* M/ N$ y* _0 r+ Q\App Paths\Loader32.Exe5 I' E2 u# s! \' s8 }, a. ]4 \

8 U3 c% H8 }4 U. v* k: l( `$ }# A' h) x7 l8 K5 }
Note that some nasty apps could then erase all files from SoftICE directory
4 ~! M( v( _7 R7 h, a, H  t1 M, W(I faced that once :-(
: B6 U5 p/ W8 I
+ b3 \1 q+ S, QUseful breakpoint to detect it:- q: ~6 @9 W% g' e

0 r; c! Q0 k" R) a1 `# n  O     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'6 v; B9 E/ [9 ]1 H8 ]5 w9 X
! }5 v  d% R% D9 Z0 }
__________________________________________________________________________7 P6 g: ~* D3 }/ ^; v( J! T
( h/ o: j! n" I( P0 Y- k

; z6 x  j& a& Y4 P& G* u) ~, eMethod 14 # V) P  B1 Y6 l# N  ^9 }
=========9 y2 }8 D/ B# E( F4 @4 z

( K0 ?. V$ F: PA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose6 d! s  Q; s+ @! G
is to determines whether a debugger is running on your system (ring0 only).
: x% I1 g7 N+ W: j
; X- i, Z7 b2 J$ `0 ?   VMMCall Test_Debug_Installed  l0 ^- [$ n6 r# G5 w$ @/ K4 E
   je      not_installed6 L; k: j. ]: S2 ^$ \0 \- @

% L/ K) |6 L" z  ?+ SThis service just checks a flag.3 R0 }/ S7 n3 {: N
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-11 05:55

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表