About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
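As an added example (not part of the original text), here is a small Python scanner that looks for the byte patterns behind the methods above in a raw binary, so an analyst can flag anti-SoftICE checks statically before single-stepping into them. The opcode encodings are standard x86, and the sample blob is constructed here by hand from the listings on this page.

```python
import re

# Byte-level signatures for the tricks described on this page. The opcode
# encodings are standard x86 (B8 = mov ax,imm16; BB = mov bx,imm16;
# BD = mov ebp,imm32; BE/BF = mov si/di,imm16; 3D = cmp ax,imm16; CD xx = int xx).
# A few bytes of slack are allowed between instructions so small reorderings hit.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  (CC or CD 03)
    ("Method 01: BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)", re.DOTALL)),
    # Method 02: mov si,4647h ... mov di,4A4Dh (SoftICE back door magic values)
    ("Method 02: back door magic SI=4647h/DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("Method 03/04: int 2Fh/1684h VxD ID (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Methods 05/07/12: cmp ax,0F386h (magic number of system debuggers)
    ("Method 05/07/12: cmp ax,0F386h",
     re.compile(rb"\x3D\x86\xF3")),
    # Method 11 (MeltICE): device names opened with CreateFileA / _lopen
    ("Method 11: MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: NuMega registry key
    ("Method 13: SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes):
    """Return sorted (offset, signature name) pairs for every hit in blob."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not a real binary): the instruction bytes of Methods 01,
# 03 and 05 plus a MeltICE string, hand-encoded from the listings above and
# separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"    # mov ebp, 04243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"        # mov ax, 04h
    + b"\xCC"                    # int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16"            # mov ax, 1684h
    + b"\xBB\x02\x02"            # mov bx, 0202h  (VxD ID of winice)
    + b"\xCD\x2F"                # int 2Fh
    + b"\x90" * 4
    + b"\x3D\x86\xF3"            # cmp ax, 0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

To run it over a real file, pass `open(path, "rb").read()` to `scan()`; hits give the file offset to set a breakpoint on or to inspect in a disassembler.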