About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
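An added example, not part of the original text: decoding a DR7 value the way the two figures above imply, so that 0x400 (only the always-set reserved bit 10) and 0x700 (LE and GE also set) can be told apart from a DR7 that actually has hardware breakpoints armed. The bit layout is the one in the Intel manual; the value 0x000D0401 is a constructed sample, and the code only interprets a value that was read elsewhere (ring 0, or a crash dump), it does not touch the registers itself.

```python
# DR7 layout (Intel SDM vol. 3, Debug Control Register):
#   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3   local/global enable of slot k
#   bit 8 / 9  : LE / GE (exact breakpoint match, 386/486-era flags)
#   bit 10     : reserved, always reads as 1, so an idle DR7 is 0x400
#   bit 13     : GD, general detect: trap any access to a debug register
#   bits 16+4k : R/W k (2 bits),  bits 18+4k : LEN k (2 bits),  k = 0..3
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes in 64-bit mode only


def decode_dr7(dr7):
    """Return the armed breakpoint slots and the global flags encoded in DR7."""
    slots = []
    for k in range(4):
        local = (dr7 >> (2 * k)) & 1
        glob = (dr7 >> (2 * k + 1)) & 1
        if not (local or glob):
            continue                      # slot k is not enabled
        rw = (dr7 >> (16 + 4 * k)) & 3
        ln = (dr7 >> (18 + 4 * k)) & 3
        slots.append({"slot": k, "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"slots": slots,
            "le": bool(dr7 & (1 << 8)), "ge": bool(dr7 & (1 << 9)),
            "gd": bool(dr7 & (1 << 13)), "bit10": bool(dr7 & (1 << 10))}


def classify(dr7):
    """Apply the Method 10 heuristic to a DR7 value read elsewhere (ring 0 or a dump)."""
    d = decode_dr7(dr7)
    if d["slots"]:
        return "hardware breakpoints armed"
    if d["le"] or d["ge"]:
        return "LE/GE set, no breakpoints (the post's SoftICE-loader value)"
    return "idle"


if __name__ == "__main__":
    # 0x400 and 0x700 are the two values quoted in the post; 0x000D0401 is a
    # constructed value with slot 0 armed locally as a 4-byte write watchpoint.
    for v in (0x400, 0x700, 0x000D0401):
        print(f"dr7={v:#010x}: {classify(v)}  {decode_dr7(v)['slots']}")
```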

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
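As an added example (not code from the original post), here is a small Python signature scanner of the kind an analyst would run over a packed sample to triage it for the tricks listed in Methods 01 to 13: it looks for the plain x86 encodings of the listings above (mov r16,imm16 and int n) and for the MeltICE device names and registry paths. The sample blobs are constructed, and the signature selection and labels are this example's own, not a vendor rule set.

```python
import re

# Byte signatures for the tricks in this post. Opcodes are the standard x86
# encodings of the listings (mov r16,imm16 = B8+r imm16, int n = CD n); a 66h
# operand-size prefix in 32-bit code sits before the matched bytes, so one
# pattern covers 16- and 32-bit code. Labels/selection are this example's own.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' magic (mov ebp,4243484Bh)",
     rb"\xbd\x4b\x48\x43\x42"),
    ("M02 back-door magic si=4647h / di=4A4Dh",
     rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a"),
    ("M03/M04 int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16.{0,6}?\xbb(?:\x02\x02|\x5f\x7a)"),
    ("M05 int 41h/4Fh debugger installation check",
     rb"\xb8\x4f\x00\xcd\x41"),
    # Only 3 bytes (cmp ax,0F386h): weak alone, meaningful next to another hit.
    ("M05/M06/M07/M12 compare with system-debugger magic 0F386h",
     rb"\x3d\x86\xf3"),
    ("M07 int 68h/43h WinICE handler probe",
     rb"\xb4\x43\xcd\x68"),
    ("M11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 002A002Ah)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("M13 SoftICE registry path",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(blob):
    """Return (offset, label) pairs, sorted by offset, for every hit in blob."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def methods(blob):
    """Distinct method tags (the leading 'Mxx' token of each label) found in blob."""
    return sorted({label.split()[0] for _, label in scan(blob)})


# Constructed sample: a 16-bit stub doing Method 05 then Method 02, followed by
# the MeltICE device names and a registry path as a Win32 program would embed.
SAMPLE = (
    b"\xb8\x4f\x00\xcd\x41"            # mov ax,4Fh ; int 41h
    b"\x3d\x86\xf3\x74\x10"            # cmp ax,0F386h ; jz detected
    b"\xb8\x11\x09\x8b\x17"            # mov ax,0911h ; mov dx,[bx]
    b"\xbe\x47\x46\xbf\x4d\x4a\xcc"    # mov si,4647h ; mov di,4A4Dh ; int 3
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"  # CreateFileA device names
    b"Software\\NuMega\\SoftICE\x00"   # registry key of Method 13
)
# Constructed benign data: text and an int 21h call that only resembles a hit.
BENIGN = b"hello world\x00\xb8\x4f\x00\x90\xcd\x21" + bytes(range(64))

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
    print("methods:", methods(SAMPLE), "| benign:", methods(BENIGN))
```

The 3-byte 0F386h compare is deliberately kept as a separate, weak signature so that a single hit can be weighed against the stronger ones around it.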

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>