About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
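A triage scanner for the byte patterns behind these tricks, added here as an example and not part of the original post: it encodes the listings of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 as byte signatures and runs them over a constructed buffer. The 16-bit register immediates are matched with an optional 66h operand-size prefix so the same instructions inside a 32-bit section are found as well.

```python
import re

# Byte-level signatures for the anti-SoftICE tricks described above.
# Immediates are little-endian; 16-bit moves/compares may carry a 66h
# operand-size prefix in 32-bit code, so the prefix is optional.
# (Added example: patterns derived from the listings, not from any tool.)
SIGNATURES = [
    ("M01-BCHK", "mov ebp,4243484Bh ('BCHK') before int 3",
     rb"\xbd\x4b\x48\x43\x42"),
    ("M02-backdoor", "mov si,4647h / mov di,4A4Dh back-door magic values",
     rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a"),
    ("M03/04-int2F", "mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh",
     rb"\x66?\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    ("M05-int41", "mov ax,4Fh / int 41h debugger installation check",
     rb"\x66?\xb8\x4f\x00\xcd\x41"),
    ("M07-int68", "mov ah,43h / int 68h (V86 WinICE handler)",
     rb"\xb4\x43\xcd\x68"),
    ("F386-magic", "cmp ax,0F386h system-debugger magic number",
     rb"\x66?\x3d\x86\xf3"),
    ("M11-MeltICE", r"\\.\SICE, \\.\SIWVID or \\.\NTICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M12-VxDCall", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("M13-registry", r"Software\NuMega\SoftICE registry key string",
     rb"NuMega\\SoftICE"),
]
COMPILED = [(name, desc, re.compile(pat)) for name, desc, pat in SIGNATURES]


def scan(data):
    """Return (offset, name, description) for every hit, ordered by offset."""
    hits = []
    for name, desc, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name, desc))
    return sorted(hits)


def detected_methods(data):
    """Sorted list of the distinct signature names found in data."""
    return sorted({name for _, name, _ in scan(data)})


# Constructed sample: code fragments of the tricks above glued together
# with NOPs (not a real binary).
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("BD4B484342")            # M01: mov ebp,4243484Bh
    + bytes.fromhex("66B80400CC3C04")        # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 4
    + bytes.fromhex("B81109BE4746BF4D4ACC")  # M02: ax=0911h, si, di, int 3
    + bytes.fromhex("B88416BB0202CD2F")      # M03: ax=1684h, bx=0202h, int 2Fh
    + bytes.fromhex("B84F00CD413D86F3")      # M05: ax=4Fh, int 41h, cmp 0F386h
    + b"\\\\.\\SICE\x00"                     # M11: MeltICE device name
    + b"Software\\NuMega\\SoftICE\x00"       # M13: registry key
    + bytes.fromhex("6A4F682A002A00")        # M12: push 4Fh / push 002A002Ah
)

if __name__ == "__main__":
    for off, name, desc in scan(SAMPLE):
        print(f"{off:#06x}  {name:13s}  {desc}")
```

Signature hits only say a trick is present; which registers or which SoftICE command it targets still has to be confirmed in the disassembly, as the Haspinst.exe listing above shows.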