About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>   /* CreateFile, CloseHandle, HANDLE, BOOL */

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
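As an added example (not part of the original post), here is a small static scanner that flags the byte sequences of the tricks above inside a binary, the kind of check an analyst runs when triaging a sample for anti-SoftICE code. The instruction encodings are my assumption of the straightforward 16-bit/32-bit forms shown on the page (no prefixes, same registers, same instruction order); real code can differ, so a miss is inconclusive while a hit tells you which method to look at.

```python
import re

# Byte patterns for the anti-SoftICE sequences described in the post.
# Assumption: plain encodings as a DOS/Win9x assembler would emit them.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK'); mov ax,4; int 3   (32-bit code)
    "m01_boundschecker":   rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h; mov di,4A4Dh (16-bit code, either order)
    "m02_backdoor_magic":  rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46",
    # Methods 03/04: mov ax,1684h; mov bx,0202h|7A5Fh; int 2Fh  (16-bit code)
    "m03_04_int2f_vxd_id": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh; int 41h   (16-bit code)
    "m05_int41_4f":        rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h; int 68h
    "m07_int68_43":        rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh; push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    "m12_vxdcall_int41":   rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11 / MeltICE: NUL-terminated device names "\\.\SICE" etc.
    "m11_device_name":     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}

COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES.items()]


def scan(blob):
    """Return sorted (offset, signature_name) pairs for every match in blob."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample (not a real binary): filler NOPs around four of the
# sequences, so each hit lands at a known offset.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # Method 01 at 4
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02 magic at 22
    + b"\x90" * 2
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                        # Method 12 at 31
    + b"\\\\.\\SICE\x00"                                     # device name at 38
    + b"\x90" * 5
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```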