About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE: SoftICE's int 3 handler
recognises the 'BCHK' marker in EBP and changes AL, so AL is still 4 only
when SoftICE is not loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - ds:dx points to the command)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2] ; saving the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
AL is loaded with a value read from timer port 40h and the temporary
handler copies AL into CL, so CL equals AL afterwards only if the
program's own handler was the one that ran:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; int 21h/25h: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>