About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

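A decoder for the debug-register values this method reads, added here as an example and not part of the original text: it applies the architectural DR7 bit layout to show why a bare 0x400 is only the reserved always-one bit while 0x700 adds the LE/GE exact-match bits, and how an armed BPM shows up in dr0-dr3. The register values it decodes are constructed.

```python
# Decoder for the debug-register check of Method 10 (added example, not from
# the original text). DR7 layout: bits 0-7 are the L0/G0..L3/G3 enables,
# bits 8-9 are LE/GE (exact-match enables), bit 10 is reserved and always
# reads as 1, and bits 16-31 hold the RW/LEN pair for each of the 4 slots.
# So 0x400 is just the reserved bit and 0x700 is that bit plus LE and GE,
# which is the pattern the text attributes to the SoftICE loader.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> dict:
    """Summarise which hardware breakpoints DR7 has armed and on what."""
    armed = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        armed.append({"slot": slot, "addr": dr0_3[slot], "kind": RW_NAMES[rw],
                      "len": LEN_BYTES[ln], "scope": "global" if glob else "local"})
    return {"reserved_bit10": bool(dr7 & 0x400),
            "exact_match": (dr7 & 0x300) == 0x300,   # LE|GE: the 0x700 pattern
            "armed": armed}


def looks_like_softice_loader(dr7: int) -> bool:
    """The heuristic the text describes: 0x700 (LE+GE set) instead of bare 0x400."""
    return decode_dr7(dr7)["exact_match"]


# Constructed values: a clean machine, a SoftICE-loader-style DR7, and DR7 with
# a 4-byte read/write breakpoint armed in slot 0 (what a BPM on dr0 looks like).
CLEAN_DR7 = 0x400
LOADER_DR7 = 0x700
BPM_DR7 = 0x400 | 0x1 | (0x3 << 16) | (0x3 << 18)   # L0, RW0=11b, LEN0=11b

if __name__ == "__main__":
    for name, val in [("clean", CLEAN_DR7), ("loader", LOADER_DR7), ("bpm", BPM_DR7)]:
        print(name, hex(val), decode_dr7(val, (0x401000, 0, 0, 0)))
```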
__________________________________________________________________________' [# c; U9 K; A

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
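
A static triage helper for the tricks in Methods 01 through 12 above, added here as an example and not part of the original text: it searches raw code bytes for the instruction encodings and device names those methods rely on, so a sample can be flagged for closer inspection in a disassembler before it is run. The byte patterns are my own encodings of the page's listings (16-bit unless noted), and the sample buffer is constructed.

```python
# Static triage for the anti-SoftICE tricks on this page (added example, not
# from the original text). Encodings are 16-bit unless noted; 32-bit builds
# of the same instructions carry a 0x66 operand-size prefix.
import re

# (label, byte-level regex, description). These are my own encodings of the
# page's listings; confirm hits in a disassembler, since short byte sequences
# can also occur by chance inside data.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' via int 3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42",                 # mov ebp,04243484Bh
     "mov ebp,'BCHK'"),
    ("Method 02: SoftICE back door (SI=4647h, DI=4A4Dh, int 3)",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,16}?(?:\xCC|\xCD\x03)",
     "mov si,4647h ... mov di,4A4Dh ... int 3"),
    ("Method 03/04: int 2Fh/1684h entry point of SICE or SIWVID",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
     "mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh"),
    ("Method 05: int 41h function 4Fh",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41",                  # mov ax,4fh ... int 41h
     "mov ax,4fh ... int 41h"),
    ("Method 07: int 68h function 43h",
     rb"\xB4\x43.{0,4}?\xCD\x68",                       # mov ah,43h / int 68h
     "mov ah,43h / int 68h"),
    ("Magic 0F386h compare (methods 05, 06, 07, 12)",
     rb"(?:\x66)?\x3D\x86\xF3",                         # cmp ax,0F386h
     "cmp ax,0F386h"),
    ("Method 11: MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
     r"'\\.\SICE' / '\\.\SIWVID' / '\\.\NTICE'"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah, fn 4Fh)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
     "push 4fh / push 002a002ah"),
]
COMPILED = [(lbl, re.compile(pat, re.DOTALL), desc) for lbl, pat, desc in SIGNATURES]


def scan(blob: bytes) -> list:
    """Return (offset, label, description, matched bytes as hex) for every hit."""
    hits = []
    for label, rx, desc in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), label, desc, m.group(0).hex()))
    return sorted(hits)


def methods_found(blob: bytes) -> list:
    """Distinct labels present in the blob, in order of first occurrence."""
    seen = []
    for _, label, _, _ in scan(blob):
        if label not in seen:
            seen.append(label)
    return seen


# Constructed sample: the Haspinst.exe sequence from Method 02 (mov ax,0911h /
# mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3), NOP padding, the MeltICE
# device string, then a Method 05 probe followed by its 0F386h compare.
SAMPLE = (b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"
          + b"\x90" * 8
          + b"\\\\.\\SICE\x00"
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10")
CLEAN = b"\x55\x8B\xEC\x83\xEC\x10\x33\xC0\xC9\xC3"   # ordinary prologue/epilogue
```

Running `scan(SAMPLE)` reports the Method 02 sequence at offset 5, the device string at 21 and the int 41h probe at 30, while `scan(CLEAN)` is empty.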

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>