About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The installed handler copies al (a pseudo-random byte read from timer port 40h)
into cl; if SoftICE intercepts int 41h and the handler never runs, cl stays 0
and differs from al.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
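Added here as an example (not part of the original text): a decoder for the DR7 values Method 10 quotes, which makes the 0x700 vs 0x400 difference (LE and GE set or not) explicit and lists the BPMs that dr0 to dr3 hold. It assumes the standard DR7 bit layout; the register values are constructed, since reading DR7 itself needs ring 0.

```python
# Standard DR7 layout (Intel SDM): L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
# bit 10 reserved and always read as 1, GD bit 13, R/W and LEN fields for each
# slot in bits 16-31.  Reading DR7 needs ring 0, as the text says; the values
# used below are constructed for the demo.
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 (8 bytes) only exists in 64-bit mode


def decode_dr7(dr7):
    """Split DR7 into its global flags and the four breakpoint slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "enabled": bool(local or glob),
                      "local": bool(local), "global": bool(glob),
                      "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 1 << 8), "GE": bool(dr7 & 1 << 9),
            "GD": bool(dr7 & 1 << 13), "slots": slots}


def loader_flags_set(dr7):
    """True when LE and GE are both set: 0x700 decodes this way, 0x400 does not
    (0x400 is only the reserved bit 10, which always reads as 1)."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def active_breakpoints(dr7, dr0_to_dr3):
    """List (slot, address, kind, length) for every enabled slot: the BPM list."""
    return [(s["slot"], addr, s["kind"], s["length"])
            for s, addr in zip(decode_dr7(dr7)["slots"], dr0_to_dr3)
            if s["enabled"]]


if __name__ == "__main__":
    for value in (0x700, 0x400):
        print(f"dr7={value:#x}: LE/GE set -> {loader_flags_set(value)}")
    # Constructed state: a 1-byte write BPM in slot 0 (local) and a 4-byte
    # read/write BPM in slot 2 (global) on top of the 0x700 flags.
    dr7 = 0x700 | 0x1 | (1 << 16) | (1 << 5) | (3 << 24) | (3 << 26)
    print(active_breakpoints(dr7, [0x401000, 0, 0x7FF12345, 0]))
```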

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
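As an added example (not code from the original post or from any tool named in it), here is a small Python scanner that looks for the byte patterns of Methods 01, 02, 03/04, 05 and 11 in a raw binary, the way an analyst would triage a packed sample for these tricks. The opcode encodings are standard x86; the signature names and the sample buffer are my own constructions.

```python
import re

# Every pattern tolerates a few unrelated bytes between the tell-tale
# instructions, so simple register shuffling does not hide the trick.
GAP = rb".{0,8}?"

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3   (32-bit encoding)
    "bchk_int3": re.compile(rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC", re.S),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3 (16-bit)
    "backdoor_magic": re.compile(
        rb"(?:\xBE\x47\x46.{0,4}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,4}?\xBE\x47\x46)"
        + GAP + rb"\xCC", re.S),
    # Method 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh ... int 2Fh (16-bit)
    "int2f_vxd_id": re.compile(
        rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F", re.S),
    # Method 05: mov ax,4Fh ... int 41h (a 66h prefix in 32-bit code may precede)
    "int41_4f": re.compile(rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41", re.S),
    # Method 11 (MeltICE): device names handed to CreateFileA / _lopen
    "meltice_device": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
}


def scan(data):
    """Return a sorted list of (offset, signature name) hits found in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample (not a real file): a Method 01 check, the HASP-style
# back-door loop from Method 02, a Method 03 int 2Fh probe and a MeltICE
# device name, separated by NOP filler.
SAMPLE = (
    b"\x90" * 4                                   # filler             (offset 0)
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"  # mov ebp,'BCHK' .. int 3 (4)
    + b"\xB8\x11\x09"                             # mov ax,0911h       (offset 14)
    + b"\x8B\x17"                                 # mov dx,[bx]        (offset 17)
    + b"\xBE\x47\x46"                             # mov si,4647h       (offset 19)
    + b"\xBF\x4D\x4A"                             # mov di,4A4Dh       (offset 22)
    + b"\xCC"                                     # int 3              (offset 25)
    + b"\x83\xC3\x02"                             # add bx,2           (offset 26)
    + b"\x90" * 4                                 # filler             (offset 29)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"         # ax,1684h/bx,0202h/int 2Fh (33)
    + b"\x90" * 4                                 # filler             (offset 41)
    + b"\\\\.\\SICE\x00"                          # '\\.\SICE',0       (offset 45)
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Running it on a whole file is a matter of passing `open(path, "rb").read()` to `scan`; a hit only says the pattern is present, so confirm it in a disassembler before concluding anything.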

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.