About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
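Methods 01 to 07 each leave a short, fixed instruction sequence in the program, which is what a packer identifier or a malware triage script looks for when it flags anti-debugging code in a sample. The scanner below is an added example and not part of the original text: the byte signatures are my own encodings of the sequences quoted above (16-bit forms, with an optional 66h operand-size prefix so the same moves are also caught inside 32-bit code), the allowed gap between the set-up moves and the interrupt is an arbitrary choice, and the sample blobs are hand-assembled constructions.

```python
from __future__ import annotations
import re
import sys

# Added example: byte signatures for the int 3 / int 2Fh / int 41h / int 68h
# checks of Methods 01-07.  Each regex encodes the quoted instruction
# sequence and allows a short gap (.{0,N}?) for unrelated instructions
# between the set-up moves and the interrupt.  Encodings are assumptions
# made here; the optional \x66 prefix covers the 16-bit moves in 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC)
    "int3_boundschecker":
        re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S),
    # Method 02: mov si,4647h (BE 47 46) ; mov di,4A4Dh (BF 4D 4A) ... int 3
    "int3_backdoor_magic":
        re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?\xCC", re.S),
    # Methods 03/04: mov ax,1684h (B8 84 16) ; mov bx,0202h|7A5Fh ; int 2Fh (CD 2F)
    "int2f_vxd_entry":
        re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S),
    # Method 05: mov ax,4Fh (B8 4F 00) ... int 41h (CD 41)
    "int41_debugger_check":
        re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.S),
    # Method 07: mov ah,43h (B4 43) ... int 68h (CD 68)
    "int68_winice_handler":
        re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S),
    # Methods 05/07/12: cmp ax,0F386h (3D 86 F3), the system-debugger magic
    "cmp_ax_f386":
        re.compile(rb"\x3D\x86\xF3"),
}


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_file(path: str) -> list[tuple[str, int]]:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed samples: the sequences quoted in the text, hand-assembled.
SAMPLE_METHOD01 = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7502")
SAMPLE_METHOD02 = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC")
SAMPLE_METHOD02_32 = bytes.fromhex("66B81109" "66BE4746" "66BF4D4A" "CC")
SAMPLE_METHOD03 = bytes.fromhex("31FF" "8EC7" "B88416" "BB0202" "CD2F")
SAMPLE_METHOD05 = bytes.fromhex("B84F00" "CD41" "3D86F3" "7402")
SAMPLE_METHOD07 = bytes.fromhex("B443" "CD68" "3D86F3" "7402")
CLEAN = bytes.fromhex("5589E5" "31C0" "C9C3")  # ordinary prologue/epilogue bytes
IMAGE = (CLEAN + SAMPLE_METHOD01 + SAMPLE_METHOD02 + SAMPLE_METHOD03
         + SAMPLE_METHOD05 + SAMPLE_METHOD07)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for name, off in (scan_file(target) if target else scan(IMAGE)):
        print(f"{off:#08x}  {name}")
```

Run it with a file path to scan that file, or without arguments to scan the constructed image. A hit only says the bytes are present; a sequence that sits in data or is reached only on a rare path still needs a look in a disassembler before it is reported as an anti-debug check.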
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number  ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
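To make the DR7 readings quoted above (0x700 versus 0x400) interpretable, here is an added example that is not part of the original text: it decodes DR7 into its documented fields and encodes a memory breakpoint the way a debugger would, so the difference between "loader flags set", "idle" and "a BPM is armed" can be read off the register value. The bit layout is the one in the x86 architecture manuals; the classify() labels, arm_slot() helper and sample values are my own.

```python
from __future__ import annotations

# Added example: DR7 layout per the x86 architecture manuals.
#   bits 0-7   L0/G0 .. L3/G3   local/global enable for DR0..DR3
#   bit 8 / 9  LE / GE          local/global exact breakpoint enable
#   bit 10     reserved, always reads as 1 (this is the 0x400 of an idle DR7)
#   bit 13     GD               general detect (trap on debug-register access)
#   bits 16-31 R/W0,LEN0 .. R/W3,LEN3   condition and length per slot
RW_MEANING = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_MEANING = {0: 1, 1: 2, 3: 4, 2: 8}      # LEN=10b (8 bytes) is 64-bit only
RW_CODE = {v: k for k, v in RW_MEANING.items()}
LEN_CODE = {v: k for k, v in LEN_MEANING.items()}


def decode_dr7(dr7: int) -> dict:
    """Break a DR7 value into named fields."""
    fields = {
        "LE": bool(dr7 >> 8 & 1),
        "GE": bool(dr7 >> 9 & 1),
        "reserved_bit10": bool(dr7 >> 10 & 1),
        "GD": bool(dr7 >> 13 & 1),
    }
    for i in range(4):
        fields[f"L{i}"] = bool(dr7 >> (2 * i) & 1)
        fields[f"G{i}"] = bool(dr7 >> (2 * i + 1) & 1)
        fields[f"RW{i}"] = RW_MEANING[(dr7 >> (16 + 4 * i)) & 3]
        fields[f"LEN{i}"] = LEN_MEANING[(dr7 >> (18 + 4 * i)) & 3]
    return fields


def active_breakpoints(dr7: int) -> list[tuple[int, str, str, int]]:
    """(slot, scope, condition, length) for every enabled DR0..DR3 slot."""
    f = decode_dr7(dr7)
    out = []
    for i in range(4):
        if f[f"L{i}"] or f[f"G{i}"]:
            scope = "global" if f[f"G{i}"] else "local"
            out.append((i, scope, f[f"RW{i}"], f[f"LEN{i}"]))
    return out


def arm_slot(dr7: int, slot: int, condition: str, length: int,
             global_: bool = False) -> int:
    """Return DR7 with one slot (0-3) enabled, as a debugger setting a BPM would."""
    clear = (0b11 << (2 * slot)) | (0b1111 << (16 + 4 * slot))
    dr7 &= ~clear & 0xFFFFFFFF
    dr7 |= 1 << (2 * slot + (1 if global_ else 0))
    dr7 |= RW_CODE[condition] << (16 + 4 * slot)
    dr7 |= LEN_CODE[length] << (18 + 4 * slot)
    return dr7


def classify(dr7: int) -> str:
    """Map a reading to the three cases the text distinguishes (labels are mine)."""
    f = decode_dr7(dr7)
    if active_breakpoints(dr7):
        return "armed"            # at least one DR0..DR3 breakpoint enabled
    if f["LE"] and f["GE"]:
        return "loader_flags"     # text: 0x700 when loaded via the SoftICE loader
    return "idle"                 # text: 0x400, only the always-set bit 10


if __name__ == "__main__":
    # Constructed values: the two readings from the text plus an armed BPM.
    for value in (0x400, 0x700, arm_slot(0x400, 0, "write", 4)):
        print(f"dr7={value:#x}: {classify(value)} {active_breakpoints(value)}")
```

arm_slot(0x400, 0, "write", 4) yields 0xD0401: bit 0 (L0), R/W0 = 01b (write) and LEN0 = 11b (4 bytes) on top of the reserved bit. Reading DR7 back through active_breakpoints() recovers exactly that slot, which is what the "reading their value" check in the text relies on.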

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
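Both the device names of Method 11 and the registry paths of Method 13 have to be present as string constants in the program, in ASCII or in UTF-16LE depending on which API variant is called, so a static string scan finds them without running anything and complements the breakpoints above. The scanner below is an added example, not part of the original text; the name lists are taken from the two methods, everything else (function names, the UTF-16 handling, the sample blob) is my own construction.

```python
from __future__ import annotations
import re
import sys

# Added example: names from Method 11 (device handles) and Method 13
# (registry keys).  The registry entries are the distinctive tails of the
# keys listed in the text, so a hit does not depend on the hive prefix.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = [
    r"Software\NuMega\SoftICE",
    r"CurrentVersion\Uninstall\SoftICE",
    r"App Paths\Loader32.Exe",
]


def _patterns(kind: str, names: list[str]):
    """Yield (kind, encoding, regex) for the ASCII and UTF-16LE form of each name."""
    for name in names:
        yield kind, "ascii", re.compile(re.escape(name.encode("ascii")), re.I)
        yield kind, "utf-16le", re.compile(re.escape(name.encode("utf-16-le")), re.I)


PATTERNS = (list(_patterns("device", DEVICE_NAMES))
            + list(_patterns("registry", REGISTRY_KEYS)))


def find_softice_artifacts(blob: bytes) -> list[tuple[int, str, str, str]]:
    """Return (offset, kind, text as found, encoding), sorted by offset."""
    hits = []
    for kind, enc, pat in PATTERNS:
        for m in pat.finditer(blob):
            codec = "utf-16-le" if enc == "utf-16le" else "ascii"
            hits.append((m.start(), kind, m.group().decode(codec), enc))
    return sorted(hits)


def scan_file(path: str) -> list[tuple[int, str, str, str]]:
    with open(path, "rb") as f:
        return find_softice_artifacts(f.read())


# Constructed sample: filler, an ASCII device name, a UTF-16LE registry key
# and a lower-case device name (case-insensitive match) with NUL terminators.
SAMPLE = (
    b"\x90" * 8
    + r"\\.\SICE".encode("ascii") + b"\x00"
    + b"\x00" * 4
    + r"Software\NuMega\SoftICE".encode("utf-16-le") + b"\x00\x00"
    + r"\\.\ntice".encode("ascii") + b"\x00"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for off, kind, text, enc in (scan_file(target) if target else find_softice_artifacts(SAMPLE)):
        print(f"{off:#08x}  {kind:8s} {enc:8s} {text}")
```

The match is case-insensitive because the `_lopen` variant quoted in Method 11 and the registry key names are not case-sensitive on Windows. As with any string-based indicator, a program that builds the name at run time (one character at a time, or decoded from a table) will not show up here; the breakpoints given in the text catch that case.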

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.