About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler recognises 'BCHK' in EBP
    cmp     al,4                   ; and returns with AL changed; without SoftICE AL stays 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
____________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one (Method 06), are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the IVT lives at 0000:0000
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in DX:BX
    mov     ax,4fh
    int     41h                     ; a debugger answers before the IVT is reached
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves AX = 4Fh
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only reached if no debugger intercepts int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

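To make the two DR7 values quoted above concrete, here is an added decoder/encoder for the x86 DR7 register (example code written for this page, not part of the original post); the bit layout follows the Intel SDM, and the breakpoint encoding is what a hardware-breakpoint debugger (a BPM) writes.

```python
# DR7 (x86 debug-control register) decoder/encoder, added here to show what the
# two values quoted in the text (dr7 = 0x700 vs 0x400) actually contain; this is
# example code, not part of the original post.  Bit layout per the Intel SDM:
# bits 0-7 = L0,G0..L3,G3 enables, bit 8 = LE, bit 9 = GE, bit 10 reserved (1),
# bit 13 = GD, bits 16-31 = four (R/Wn, LENn) 2-bit pairs.
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}        # code 2 = 8 bytes only on 64-bit CPUs
KIND_CODE = {v: k for k, v in RW_KIND.items()}
LEN_CODE = {v: k for k, v in LEN_BYTES.items()}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its named flags plus a list of the armed breakpoints."""
    out = {
        "LE": bool(dr7 & (1 << 8)),          # local exact-breakpoint enable
        "GE": bool(dr7 & (1 << 9)),          # global exact-breakpoint enable
        "GD": bool(dr7 & (1 << 13)),         # general detect: fault on MOV DRn
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                         # DRn is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        out["breakpoints"].append({"reg": f"dr{n}",
                                   "scope": "global" if glob else "local",
                                   "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return out


def encode_bpm(dr7: int, n: int, kind: str, length: int) -> int:
    """Arm DRn as a local breakpoint of the given kind/length (a BPM on 4 bytes, say)."""
    dr7 &= ~(0xF << (16 + 4 * n))           # clear old R/Wn and LENn
    dr7 |= KIND_CODE[kind] << (16 + 4 * n)
    dr7 |= LEN_CODE[length] << (18 + 4 * n)
    return dr7 | (1 << (2 * n))             # set Ln


def clear_bpm(dr7: int, n: int) -> int:
    """Disarm DRn: the 'clearing BPMs' manipulation the text mentions."""
    return dr7 & ~(0x3 << (2 * n)) & ~(0xF << (16 + 4 * n))


if __name__ == "__main__":
    # 0x700 and 0x400 are the values quoted in the text; 0xF0701 is constructed.
    for value in (0x700, 0x400, encode_bpm(0x700, 0, "read/write", 4)):
        print(f"dr7={value:#x}: {decode_dr7(value)}")
```

Decoding shows that 0x700 and 0x400 differ only in the LE/GE flags and that neither arms any of dr0-dr3; a memory breakpoint is visible as an Ln/Gn bit plus its R/W and LEN fields.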
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE; the open only succeeds
      when the SoftICE VxD answers the DIOC_OPEN control message. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

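The tricks above leave recognisable constants in a protected executable (the 'BCHK' immediate and int 3 of method 01, the 4647h/4A4Dh magic values of method 02, int 2Fh/1684h with the SICE/SIWVID IDs of methods 03 and 04, int 41h/4Fh of methods 05 and 06, int 68h/43h of method 07, the \\.\SICE device names of method 11 and the 4Fh/2A002Ah pushes of method 12). The static scanner below is an added example for triaging such samples; it is not from the original post, the byte encodings assume plain 16/32-bit x86 code, and the sample buffer is hand-constructed.

```python
import re

# Byte signatures for the anti-SoftICE tricks described in this text, written
# here as a static scanner for packed/protected samples; this is added example
# code, not from the original post.  Encodings assume plain 16-bit or 32-bit
# x86 code (a 0x66 operand-size prefix is tolerated where the text's snippets
# need it); immediates are little-endian, so 'BCHK' appears as the bytes 'KHCB'.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ... int 3
    ("method01_bchk_int3", rb"KHCB.{0,8}\xcc"),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) close together
    ("method02_backdoor_magic",
     rb"(?:\xbe\x47\x46.{0,16}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,16}\xbe\x47\x46)"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("method03_04_int2f_1684",
     rb"\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Methods 05/06: mov ax,4Fh / int 41h
    ("method05_int41_4f", rb"\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h / int 68h
    ("method07_int68_43", rb"\xb4\x43\xcd\x68"),
    # Method 11 (MeltICE): device names opened with CreateFileA / _lopen
    ("method11_device_name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 2A002Ah before VxDCall (Kernel32!ORD_0001)
    ("method12_vxdcall_int41", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan_bytes(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature_name) for every trick found, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str) -> list[tuple[int, str]]:
    """Scan a file on disk (e.g. a packed executable) with the same signatures."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed sample: hand-assembled fragments of methods 01, 02, 05, 11 and 12
# separated by filler, standing in for a section of a protected executable.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # method 01
    + b"\x00" * 3
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"                   # method 02
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x02"                   # method 05
    + b"\\\\.\\SICE\x00"                                             # method 11
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                                # method 12
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, name in scan_bytes(SAMPLE):
        print(f"{off:#06x}  {name}")
```

A hit only says the constant sequence is present; confirm it by disassembling at the reported offset, since short patterns such as int 41h/4Fh can occur in legitimate debugger-aware code.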
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>