About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility uses to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must point to the IVT (segment 0), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
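As an added example (this is not part of the original text nor the author's code), here is a small Python scanner that looks for the byte patterns of the checks above (Methods 01, 02, 03/04, 05 and 07) and the driver and registry strings used by Methods 11 and 13 in a raw binary image, the way you would triage a packed sample for anti-debugger code before stepping through it. It assumes the standard x86 encodings of the instructions shown (B8+r imm for mov reg,imm, CD ib for int, 66h operand-size prefix when 16-bit registers appear in 32-bit code); the sample buffer is constructed for the demonstration and is not taken from any real file.

```python
# Added example: static scanner for the anti-SoftICE signatures discussed above.
# Illustration code written for this page, not code from the original text.
# Assumptions: standard x86 encodings of the instructions shown in Methods 01-07
# (B8+r = mov reg,imm; CD ib = int ib; 66h = operand-size prefix in 32-bit code),
# and a constructed sample buffer rather than a real binary.
import re

# name -> (method number in the text, compiled byte-regex).
# Short lazy gaps (.{0,n}?) tolerate an instruction or two between the parts.
SIGNATURES = {
    "bchk_int3": ("01", re.compile(              # mov ebp,'BCHK' ... int 3
        rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.DOTALL)),
    "backdoor_int3": ("02", re.compile(          # mov si,4647h / mov di,4A4Dh ... int 3
        rb"(?:\x66)?\xbe\x47\x46.{0,8}?(?:\x66)?\xbf\x4d\x4a.{0,8}?\xcc", re.DOTALL)),
    "vxd_entry_sice": ("03", re.compile(         # mov ax,1684h / mov bx,0202h / int 2Fh
        rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb\x02\x02\xcd\x2f")),
    "vxd_entry_siwvid": ("04", re.compile(       # mov ax,1684h / mov bx,7A5Fh / int 2Fh
        rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb\x5f\x7a\xcd\x2f")),
    "int41_4f": ("05", re.compile(               # mov ax,4Fh / int 41h ... cmp ax,0F386h
        rb"(?:\x66)?\xb8\x4f\x00\xcd\x41.{0,16}?(?:\x66)?\x3d\x86\xf3", re.DOTALL)),
    "int68_43": ("07", re.compile(rb"\xb4\x43\xcd\x68")),   # mov ah,43h / int 68h
    "driver_name": ("11", re.compile(            # "\\.\SICE" etc. handed to CreateFileA/_lopen
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    "registry_key": ("13", re.compile(           # key #2 from Method 13
        rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
}


def scan(buf):
    """Return every hit as (offset, signature name), sorted by offset."""
    hits = []
    for name, (_method, pattern) in SIGNATURES.items():
        for m in pattern.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_present(buf):
    """Map the hits back to the method numbers used in the text above."""
    return sorted({SIGNATURES[name][0] for _off, name in scan(buf)})


# Constructed sample (not a real binary): hand-assembled fragments of the checks
# from Methods 01, 02, 04, 05 and 07 plus the strings from Methods 11 and 13,
# padded with NOPs so the offsets are easy to follow.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"                   # 04: mov ebp,4243484Bh
    + b"\x66\xb8\x04\x00"                       # 09: mov ax,4
    + b"\xcc"                                   # 13: int 3
    + b"\x3c\x04"                               # 14: cmp al,4
    + b"\x90" * 4
    + b"\xb8\x11\x09"                           # 20: mov ax,0911h
    + b"\x8b\x17"                               # 23: mov dx,[bx]
    + b"\xbe\x47\x46"                           # 25: mov si,4647h
    + b"\xbf\x4d\x4a"                           # 28: mov di,4A4Dh
    + b"\xcc"                                   # 31: int 3
    + b"\x90" * 4
    + b"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"       # 36: mov ax,1684h / mov bx,7A5Fh / int 2Fh
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"       # 48: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\xb4\x43\xcd\x68"                       # 56: mov ah,43h / int 68h
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                        # 64: "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"          # 73: registry key
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  Method {SIGNATURES[name][0]}  {name}")
    print("methods present:", ", ".join(methods_present(SAMPLE)))
```

Run it as a script to list the hits; in practice you would feed it the bytes of a code section and let the short lazy gaps absorb the odd instruction a packer puts between the parts. Encrypted or self-modifying packers will of course hide these patterns until the code has been unpacked in memory, so a clean static result only means the checks are not visible, not that they are absent.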