About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE's int 3 handler
recognizes the BoundsChecker request ('BCHK' in EBP, AX=4) and changes AL
in reply, so if AL is still 4 after the int 3 returns nobody answered.
Under Win32 an int 3 that no debugger answers raises a breakpoint exception,
so this code sits under an exception handler (see the note in Method 02).

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives its
API entry point; otherwise ES:DI is left at 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). They first point the real-mode int 41h
vector (ES must be 0, as in Method 06) at a dummy handler: if ax still comes
back as 0F386h, the call was answered below the interrupt vector table, i.e.
by SoftICE, which handles int 41h before the real-mode vector is consulted.

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in the dummy handler (ES = 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the dummy handler copies AL into CL. If the dummy handler really ran, CL
equals AL afterwards; if SoftICE swallowed the int 41h instead, CL is still 0.
(The byte read from port 40h only serves as an unpredictable value; if it
happens to be 0 the check gives a false negative.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter byte, used as a nonce
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, 01h                     ; Int_Number: 01h (or 03h)
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only: mov eax,dr7 faults in ring3). Values can be manipulated
and/or changed as well (clearing BPMs for instance).
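An added example (not from the original text) that decodes a DR7 value the way this check looks at it: 0x400 is the reserved bit 10 that always reads as 1, 0x700 adds the LE/GE "exact breakpoint" bits the text attributes to the SoftICE loader, and any L/G bit means a hardware breakpoint slot is armed. Reading the real register needs ring 0, so the values here are constructed inputs; the bit layout is the documented Intel one, the verdict function and the dr7_arm helper are mine.

```c
/* dr7_decode.c: decode an x86 DR7 value as the Method 10 check would.
 * Added example, not part of the original text. Reading DR7 itself needs
 * ring 0 (mov eax, dr7); the values used here are constructed inputs. */
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 * bit 0/1 L0/G0, 2/3 L1/G1, 4/5 L2/G2, 6/7 L3/G3,
 * bit 8 LE, bit 9 GE, bit 10 reserved (reads as 1), bit 13 GD,
 * bits 16+4i..17+4i R/Wi, bits 18+4i..19+4i LENi for slot i. */
enum { DR7_LE = 1u << 8, DR7_GE = 1u << 9, DR7_RESERVED1 = 1u << 10, DR7_GD = 1u << 13 };

typedef struct {
    int enabled;   /* L or G bit set */
    int global;    /* G bit set */
    int rw;        /* 0 exec, 1 write, 2 I/O (needs CR4.DE), 3 read/write */
    int len;       /* 1, 2, 4 (8 only valid in 64-bit mode) */
} dr7_slot_t;

typedef struct {
    dr7_slot_t slot[4];
    int exact;     /* LE or GE set: the "0x700" signature in the text */
    int gd;        /* GD: any mov to/from a debug register traps (#DB) */
    int n_enabled;
} dr7_info_t;

static int len_bits_to_bytes(unsigned bits)
{
    static const int table[4] = { 1, 2, 8, 4 };   /* 00=1, 01=2, 10=8, 11=4 */
    return table[bits & 3];
}

dr7_info_t dr7_decode(uint32_t dr7)
{
    dr7_info_t info = {0};
    for (int i = 0; i < 4; i++) {
        unsigned l = (dr7 >> (2 * i)) & 1, g = (dr7 >> (2 * i + 1)) & 1;
        info.slot[i].enabled = (int)(l | g);
        info.slot[i].global  = (int)g;
        info.slot[i].rw      = (int)((dr7 >> (16 + 4 * i)) & 3);
        info.slot[i].len     = len_bits_to_bytes((dr7 >> (18 + 4 * i)) & 3);
        info.n_enabled      += info.slot[i].enabled;
    }
    info.exact = (dr7 & (DR7_LE | DR7_GE)) != 0;
    info.gd    = (dr7 & DR7_GD) != 0;
    return info;
}

/* The Method 10 verdict (mine): anything beyond the always-set reserved bit
 * is suspicious. 0x700 is the loader signature quoted in the text, and any
 * armed slot means a BPM-style hardware breakpoint is in place. */
int dr7_is_suspicious(uint32_t dr7)
{
    dr7_info_t info = dr7_decode(dr7);
    return info.exact || info.n_enabled > 0 || info.gd;
}

/* Arm slot i as a breakpoint of the given kind; the inverse of the decoder,
 * used here only to build sample inputs. */
uint32_t dr7_arm(uint32_t dr7, int i, int global, int rw, int len_bytes)
{
    uint32_t len_bits = len_bytes == 1 ? 0 : len_bytes == 2 ? 1 : len_bytes == 8 ? 2 : 3;
    dr7 |= 1u << (2 * i + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * i));              /* clear R/Wi and LENi */
    dr7 |= (uint32_t)(rw & 3) << (16 + 4 * i);
    dr7 |= len_bits << (18 + 4 * i);
    return dr7;
}

int main(void)
{
    /* constructed samples: clean, loader signature, one 4-byte R/W BPM in slot 0 */
    uint32_t samples[] = { 0x400, 0x700, dr7_arm(0x400, 0, 1, 3, 4) };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        dr7_info_t info = dr7_decode(samples[k]);
        printf("dr7=%#010x exact=%d armed=%d suspicious=%d\n",
               (unsigned)samples[k], info.exact, info.n_enabled,
               dr7_is_suspicious(samples[k]));
    }
    return 0;
}
```

The same decoder applies to a DR7 value read by a kernel-mode component of your own; the point of the text is that a protector running in ring 0 sees the breakpoint slots directly, so disabling BPMs and not tracing while the option is active avoids being detected.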

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the SoftICE VxD under Win9x;
      the open only succeeds if the VxD is loaded. */
   hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it gets through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in the
subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>