About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler (es=0, the IVT)
    xchg    bx, es:[41h*4+2]        ; and keep the old vector in bx:dx
    mov     ax,4fh
    int     41h                     ; with no debugger, our handler runs and ax stays 4fh
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es=0, the IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable byte (PIT counter)
    xor     cx,cx
    int     41h                     ; if SoftICE answers int 41h instead, cl stays 0
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
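To triage a binary for these checks from the analyst's side, here is an added example that is not part of the original post: a small Python scanner that pattern-matches the instruction encodings of Methods 01, 02, 03/04, 05, 07, 11 and 12 over constructed sample bytes. The encodings, the regexes and the re-assembled Haspinst loop are my own assumptions, not code from the post or from any of the tools it names.

```python
import re

# Byte signatures for the checks described above (Methods 01, 02, 03/04, 05,
# 07, 11 and 12). Encodings are my own assumption of how the listed
# instructions assemble: 16-bit code for the DOS tricks (int 2Fh/41h/68h),
# 32-bit code for the Win32 ones. ".{0,8}" tolerates a few unrelated
# instructions between the pieces, as in the Haspinst listing. Real packers
# reorder registers or obfuscate, so treat hits as triage leads, not proof.
SIGNATURES = {
    "M01": ("int 3 with ebp='BCHK' (BoundsChecker signature)",
            rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC"),
    "M02": ("int 3 back door with si=4647h, di=4A4Dh",
            rb"(?:\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46).{0,8}\xCC"),
    "M03/04": ("int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
               rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F"),
    "M05": ("int 41h function 4Fh (expects 0F386h back in ax)",
            rb"\xB8\x4F\x00.{0,8}\xCD\x41"),
    "M07": ("int 68h function 43h (expects 0F386h back in ax)",
            rb"\xB4\x43.{0,8}\xCD\x68"),
    "M11": ("MeltICE: device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
            rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "M12": ("VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
            rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
}
COMPILED = {k: (d, re.compile(p, re.DOTALL)) for k, (d, p) in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for method, (desc, pat) in COMPILED.items():
        for m in pat.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob: bytes) -> list:
    """Distinct method labels present in the blob, sorted."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed samples (not bytes taken from any real file): the Haspinst.exe
# loop of Method 02 re-encoded from the listing above, one snippet per other
# method, and a harmless function prologue/epilogue as a negative control.
HASPINST_LOOP = bytes.fromhex(
    "B81109"   # 0095 mov ax,0911
    "8B17"     # 0098 mov dx,[bx]
    "BE4746"   # 009A mov si,4647
    "BF4D4A"   # 009D mov di,4A4D
    "CC"       # 00A0 int 3
    "83C302"   # 00A1 add bx,02
    "41"       # 00A4 inc cx
    "83F906"   # 00A5 cmp cx,06
    "72EB"     # 00A8 jb 0095
    "E955FF"   # 00AA jmp 0002
    "8BDC")    # 00AD mov bx,sp
INT2F_CHECK = bytes.fromhex("31FF8EC7B88416BB0202CD2F8CC003C785C07510")  # Method 03
INT41_CHECK = bytes.fromhex("B84F00CD413D86F37405")                      # Method 05
MELTICE_STR = b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"                     # Method 11 strings
BLEEM_CHECK = bytes.fromhex("6A4F682A002A00FF1500000000")                 # Method 12 (dummy call target)
CLEAN_CODE = bytes.fromhex("558BEC83EC1033C0C9C3")                       # push ebp .. leave; ret

if __name__ == "__main__":
    for off, method, desc in scan(HASPINST_LOOP + INT2F_CHECK + MELTICE_STR + CLEAN_CODE):
        print(f"offset {off:#06x}: {method:6} {desc}")
```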