找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>5 q( s  {& z$ d/ P
<TBODY>1 J  f: @, j" J& W# `% @8 i, c2 a
<TR>
  e; k+ h$ y2 X: O4 T4 o+ G<TD><PRE>Method 01 " k3 T, y3 H& X( F2 V# J- \) v0 o4 ~
=========' c& t4 \) F; g: Q0 D$ [6 x* c

8 c' ^( F' x0 z9 d4 jThis method of detection of SoftICE (as well as the following one) is
' g/ g  I( h! Q. R" yused by the majority of packers/encryptors found on Internet.' ~9 r+ y; }$ }2 F; i; x7 C
It seeks the signature of BoundsChecker in SoftICE
! r2 [. H" E, A  r' o0 q/ J7 w# x4 x0 B
    mov     ebp, 04243484Bh        ; 'BCHK'
4 _, K6 i! m% T$ p. u. i. r    mov     ax, 04h$ N& w6 o0 }* j3 m6 p% a
    int     3       ! I: J2 |* i% c: v, L& c/ i2 V8 ?! l
    cmp     al,4( C: J6 @9 E( o4 e
    jnz     SoftICE_Detected
+ _. d( B# Z6 g  W4 @/ R! j0 ^& H; l3 L, t# u  W
___________________________________________________________________________
+ H) A2 F, f( i  M9 f' ^3 G8 O! ]2 x3 B+ C0 P/ u
Method 02) S! T7 h) S3 F4 F. t) g
=========
' ~0 U( e  M  {$ M" x
2 X+ v, Q* Q: a  x8 Y! r! L0 y( OStill a method very much used (perhaps the most frequent one).  It is used
1 l( Z$ p! J; j, V' J7 Eto get SoftICE 'Back Door commands' which gives infos on Breakpoints,& w9 T3 Q+ F0 C& W- b7 p
or execute SoftICE commands...2 K/ M+ E3 H/ y8 B7 E
It is also used to crash SoftICE and to force it to execute any commands6 N9 }3 ~# [" H3 D; L
(HBOOT...) :-((  6 [+ K5 e+ q' Q- F  y

5 t/ ~- {! J, Y+ e* b  A5 D+ jHere is a quick description:
0 S( \0 |$ T1 j& ]-AX = 0910h   (Display string in SIce windows)6 a6 V- S! U6 o+ |% g6 \
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)8 Y# J1 A: l) q* o+ P
-AX = 0912h   (Get breakpoint infos)
5 {8 E1 p7 P  `5 n6 @4 x3 ~9 ?-AX = 0913h   (Set Sice breakpoints)
, \0 v- T! M3 n( T- A4 v9 @-AX = 0914h   (Remove SIce breakoints)1 \8 K7 x" D3 L1 {' a* t
  L$ J9 `( U- C( S# \" C6 e1 y1 D
Each time you'll meet this trick, you'll see:) I2 d. O5 k) H* s
-SI = 4647h
1 t! b- c2 p8 }% X: F) ^1 I- t-DI = 4A4Dh: q  v8 g6 D8 h4 [0 e5 w
Which are the 'magic values' used by SoftIce.
, W2 J6 O" F% Q4 U* r: q0 z% AFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
' U& H8 u9 z9 k2 I9 \0 y0 Y5 p3 R" F* ]
Here is one example from the file "Haspinst.exe" which is the dongle HASP
2 W- y6 V# k8 U. N1 y) g6 e! O# H- kEnvelope utility use to protect DOS applications:
: ?* h, l3 o: q
1 h" h( `. o' u4 H2 z# {
! }2 a& H5 s$ y4C19:0095   MOV    AX,0911  ; execute command.
0 ~* S+ x- v8 n+ v  G& `4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).4 j; ]- m; d: S% u/ H
4C19:009A   MOV    SI,4647  ; 1st magic value.
% z5 J6 w" u1 r( V4C19:009D   MOV    DI,4A4D  ; 2nd magic value.' b7 _0 d6 }; |3 {$ j! ]$ D5 ~
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
- W  ~  a8 `9 K% ]4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute# X! X; y- |  n: \- _! M
4C19:00A4   INC    CX; b, y4 h& u/ T* a, b. E3 v
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute2 {/ i  K5 F1 J$ V2 A; H
4C19:00A8   JB     0095     ; 6 different commands.! y% [; R+ e/ A4 k" t
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
9 S) X0 t" ]/ b0 T4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
* D2 M/ G$ t0 ?* A7 @/ G
8 A# g9 r; j* qThe program will execute 6 different SIce commands located at ds:dx, which0 V# @6 Q; e) z) y; h8 Q& I- p
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
! ^1 J; S  ^* `, M* @
+ G7 X# F; i- V* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.) K. Q$ p, ^0 C1 G; U* ^
___________________________________________________________________________
' a2 @2 H1 ^4 _) u' x1 f9 }8 R. D0 ]$ D

: O0 V# H# e5 Q8 VMethod 037 I, F1 \: t1 c- Y% ^) \3 d5 Z
=========* D, Z/ B1 Q6 ^
" B9 E& \3 n1 W. u
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h6 @# X% D' \6 y3 @; v/ p
(API Get entry point)" S+ H2 y# N! D" P: ~- e) @
        , j9 u& ^: l: r6 D
0 m0 V9 R0 O* f8 K  K  U
    xor     di,di. \9 b' E0 h( {: E8 q2 ?( {7 `- V! h9 L2 E
    mov     es,di: m8 i3 n7 c% l0 a; J% g
    mov     ax, 1684h       ) y8 j8 R( x( J
    mov     bx, 0202h       ; VxD ID of winice
1 r/ ^7 H- }$ \* b0 T    int     2Fh3 ~; w, [  |6 {5 T& h1 s2 t0 e. l' P; ^- \
    mov     ax, es          ; ES:DI -&gt; VxD API entry point& ~9 T4 l  Y1 A% i- ?
    add     ax, di- ?8 w6 k5 j" V' Y# M; M, R. _% w
    test    ax,ax9 S: t6 @4 |7 D) I% l% B
    jnz     SoftICE_Detected& z* V* |. o5 {6 z( Q

# D: g$ q  j* W2 q% \___________________________________________________________________________
7 B3 ]( s& @+ S- ?- i6 F  ^& M, `- P5 d% Y
Method 04. R, V. X: Q: U9 R# }; b
=========% u7 z, F8 A6 B# L4 W' Z, T! n! \7 R

" Y( C" h* W4 pMethod identical to the preceding one except that it seeks the ID of SoftICE7 y% C9 s" l6 d0 o, s! o
GFX VxD., k' {) E: A# {& S3 H# ]1 F0 u

! e3 b' L, ?+ t0 Q    xor     di,di
& x8 d; h8 [! \+ C    mov     es,di( n8 H' c7 @9 ^
    mov     ax, 1684h      
# \$ n7 |3 J& r9 j$ K' P    mov     bx, 7a5Fh       ; VxD ID of SIWVID& D! z+ E* E+ x: S
    int     2fh
7 X- ]9 F( E7 v5 |  s* E    mov     ax, es          ; ES:DI -&gt; VxD API entry point+ `% Z( c4 r8 Q
    add     ax, di1 V1 o3 Z7 O& F9 I' J
    test    ax,ax
* m2 [: h( w( i, b3 {: a- H. a5 [    jnz     SoftICE_Detected
, [( o. N7 j7 n+ _
* w) k# D! j. [. p: \6 N9 b__________________________________________________________________________
) A8 ?$ x' b- K6 k' Z5 \
, a3 R" |6 r" }6 u7 P" H+ Z/ ]8 O/ G/ H/ z% q' v0 H$ S& V
Method 05
" [9 D* M- g$ v; f=========
% `  y$ Z" ~8 Z
/ _. V6 o: g4 m$ RMethod seeking the 'magic number' 0F386h returned (in ax) by all system, @" E1 Q$ r/ ^4 i$ I) Z
debugger. It calls the int 41h, function 4Fh.
' D0 O0 J; a9 f$ `0 z; E+ YThere are several alternatives.  
; S  \, w, V3 n5 p2 }# @. f/ J; t/ [  P( }
The following one is the simplest:
# q, n* P6 ~' [. d* I" ~3 }( A* ]( @7 \; _# ?3 w- b4 M: J
    mov     ax,4fh
4 z5 t9 s* z9 ^/ l% l    int     41h
! L& U4 y" J) K& C3 N4 N    cmp     ax, 0F386
2 S, h5 ~2 V6 N    jz      SoftICE_detected
% i# n: R& d& f0 ^# J
& L0 v- W% _, _' k# \) ?
+ F/ M8 _7 f4 U* iNext method as well as the following one are 2 examples from Stone's + s7 K( m% r" b' s9 Z% ^( B
"stn-wid.zip" (www.cracking.net):2 ?$ h/ U+ Z* T* a, Q
4 [8 v. T+ |+ M" P
    mov     bx, cs
# P; f; b/ X" E5 i4 M    lea     dx, int41handler2
/ z5 v0 v" N! B1 g    xchg    dx, es:[41h*4]( w- U2 _+ b2 a. I
    xchg    bx, es:[41h*4+2]
. P  m) v+ R+ q  V    mov     ax,4fh0 E2 E2 I& ~8 k8 m9 V( F
    int     41h& d1 |) Z. g8 L# I
    xchg    dx, es:[41h*4]  k6 E! ~; ~+ v7 u
    xchg    bx, es:[41h*4+2]
! P+ ]: ~! r" I# n& B6 b    cmp     ax, 0f386h
- d$ ^6 q& X* \8 }. ?, M    jz      SoftICE_detected  K) v# e. j+ j/ r* R% `

( h1 Q1 B4 T! e7 x2 qint41handler2 PROC
% ]& ~& O- }% f; R) x- U    iret0 U9 m4 o" ]7 `6 l' D
int41handler2 ENDP1 G% Q) ~% O" n9 U/ Y9 c! A

2 M: t6 B  Q- z* e' x+ n9 o& t+ s0 p2 y8 q) u  ]" U5 j6 Q% h
_________________________________________________________________________( o" L0 M/ C; t

5 U5 u8 F/ v9 P0 t" z% V" M- w: N+ y) c; L- A
Method 06
& Q' A) j. w/ ?- t7 g=========
# @: T) l& @2 l; M. Y' u+ \- j& L( |, d
+ M2 n6 F4 G& K7 G& P
2nd method similar to the preceding one but more difficult to detect:2 I5 U! z8 x8 s1 U3 _' t' t* N$ y
' @! G: O2 G( A2 r1 K

/ [  B3 t& K( U) p) h) Q5 p! rint41handler PROC0 k, W7 L" }1 {
    mov     cl,al
5 J  X* j! I! Y+ [  g. ?( L    iret2 c9 I; U- V4 ~6 Z& m# H$ V* i
int41handler ENDP/ A% T# w3 X3 G! p

- U' }& N& C+ U" P* Z' Q
$ ~& V' _) H2 T) i+ E( g    xor     ax,ax
! C: i- J7 f0 a% A0 [    mov     es,ax( u5 G5 K( }7 L+ a3 f" A
    mov     bx, cs
( t# @( t. I: @$ W3 T    lea     dx, int41handler
* r3 ]; v( m! P2 M    xchg    dx, es:[41h*4]' a7 x# l, U- J( r$ C8 g
    xchg    bx, es:[41h*4+2]. p5 }* b5 P3 u. |3 O- L/ Q
    in      al, 40h
. u- J. c6 O  ]* ~# ^+ \    xor     cx,cx
# o: ^/ Y/ H4 |* `5 {    int     41h; \. i7 k& U: Q
    xchg    dx, es:[41h*4]! O0 a/ `! m, F' ?. T9 g
    xchg    bx, es:[41h*4+2]! ?7 o6 \! w% M6 m; v
    cmp     cl,al
/ l# S! ?, Y5 z$ R    jnz     SoftICE_detected
# o3 J7 k7 Z! x2 v. k( f: B; H1 q) t& t- U; \5 u
_________________________________________________________________________+ }/ _. u  o3 I2 ?
. g& p# m, z1 w1 ~( _1 u' D
Method 07
, t0 L0 p2 Q( ?! }* B=========
- k( f& a; U: K* C( F
& \+ d! _0 z; x' U+ C, e! IMethod of detection of the WinICE handler in the int68h (V86)
$ B7 o6 h0 z& u# \7 I
; H* Y: [1 c' P: a  `* W: l6 A    mov     ah,43h" d- j) L2 f  u. q, ]1 ?9 N
    int     68h
0 t2 y; L' n. u. Q3 N    cmp     ax,0F386h& C, L/ K- b: y- C$ z
    jz      SoftICE_Detected
7 C9 h0 L1 j4 r* I! c) P- }6 H) @! T7 r2 i7 D! k
, a# O* _5 P. S# I9 Z$ g$ T% Z
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit3 _% z3 {) f! }5 i/ e) g# R; P
   app like this:8 j5 Q. q! Q1 m! k: ~

  g' s7 S! S  X   BPX exec_int if ax==68
' [1 T/ \. G8 R7 y: M' N   (function called is located at byte ptr [ebp+1Dh] and client eip is
2 k' Y- ~2 ^* r0 Q$ P4 w# |; ^/ [   located at [ebp+48h] for 32Bit apps)" U2 |2 M1 r/ h2 s5 j; l! s
__________________________________________________________________________
" c" y) v8 V: G" A4 {5 H
0 B' q# {' `/ S* o( N  A4 `  T6 C
/ {3 r9 e5 h& W9 W4 h! i& v  aMethod 08: f3 B* ]% u3 p, q, A& r
=========
: o2 v, ^7 A: W" j8 ^
* x8 f9 `- k7 _9 f6 e) `) tIt is not a method of detection of SoftICE but a possibility to crash the
7 s5 s: K% u3 fsystem by intercepting int 01h and int 03h and redirecting them to another
4 G! c  N3 y4 W8 M0 O5 {routine." Y+ V8 {6 r+ M: Y5 }2 O  \
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
" _# j: p+ p- Ito the new routine to execute (hangs computer...)/ F4 \/ F) Y; T( P1 M. k* b8 ^9 {4 ?
( f. e' g0 Q% h9 z0 y5 Z& k
    mov     ah, 25h0 G* Y" h4 I1 l( a8 C
    mov     al, Int_Number (01h or 03h)+ D# b  D9 W! v. [) A. ^. M7 e/ U% \
    mov     dx, offset New_Int_Routine* n0 ]: Q0 r) Y" R; z
    int     21h
6 V$ U2 ?( d7 k) R2 u
- @" C; N' B0 {- y" b0 T. z! [__________________________________________________________________________
, Z* o, c6 C; _& o- K1 `) D( y1 g. I# Z& n4 d5 S7 u
Method 09
) }9 o* B8 m& a8 F=========& A/ j$ Q0 {8 ~4 f
& z6 w- F+ \4 n: q; w% l; N
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
7 ~& _- n9 z; l0 ?) \8 Z, _/ t6 O2 Cperformed in ring0 (VxD or a ring3 app using the VxdCall).+ Y8 s! ~. k" z8 F  _1 F$ k6 N1 l0 }: b
The Get_DDB service is used to determine whether or not a VxD is installed% O9 w; a3 t3 X8 I. n
for the specified device and returns a Device Description Block (in ecx) for( {5 s# `/ B0 U- k; \6 a# b
that device if it is installed.$ M3 h) @' M, K. Q# b4 n
( s+ O' J! l# Y6 U9 v, \
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID1 L- L! ?8 t$ X4 p
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-); j; Q5 j. X5 B8 D
   VMMCall Get_DDB) l2 Z/ M4 V) E
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
, a  C2 e2 j$ {; K- q1 i7 Y3 s3 A- U% v# B2 \- t7 V- l2 L+ n
Note as well that you can easily detect this method with SoftICE:2 {& H/ o" Q; y& I
   bpx Get_DDB if ax==0202 || ax==7a5fh8 d5 m! }9 u: D0 l  x

5 o8 B3 R" G- Q  i% k5 R__________________________________________________________________________
  H% X- O% t+ {, X! F1 `8 g: u/ E% y1 g0 E3 ]# c& v
Method 100 g# J0 F; x9 {7 q' `
=========$ h' B+ o$ `# k- @) F, Q
% Q% ^9 @7 `4 J  W: Q7 l
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with, a9 ^9 G, s4 u* A
  SoftICE while the option is enable!!8 ^# |4 F0 g, p+ h# ?
$ \2 a  o+ T6 N
This trick is very efficient:
" R% q5 E, o9 A4 S% Z2 G$ V6 H  H3 Oby checking the Debug Registers, you can detect if SoftICE is loaded2 Y& }* A& h- Y0 d
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if, b  K  g' x  J, q1 }+ v; G
there are some memory breakpoints set (dr0 to dr3) simply by reading their
0 i+ q2 \5 D* E' Y1 o0 _* lvalue (in ring0 only). Values can be manipulated and or changed as well
4 w. l3 A' p$ {: W) q(clearing BPMs for instance). q0 W/ l6 N- C' P/ U

8 G4 k5 V) ^/ E% E0 X; c, f1 F__________________________________________________________________________% Q) R% d) _' k! F+ x+ {" b' ]
8 }4 U: e! Z! }0 W4 `
Method 11# L9 X! N9 Y  t: Z9 r9 A
=========" J6 |% Q: M+ P; Y2 x% R5 Y
# a0 V. ?5 l0 N6 W
This method is most known as 'MeltICE' because it has been freely distributed
: ]" m+ p9 c% {  m; [$ {via www.winfiles.com. However it was first used by NuMega people to allow$ T- z7 O2 d2 p$ `1 |% I! N* ~+ c
Symbol Loader to check if SoftICE was active or not (the code is located3 _' S& \% {$ t) y
inside nmtrans.dll).
' g8 T1 |! W! s+ F+ z9 o* G9 l( b, A( ?, A# \
The way it works is very simple:- m  a! U  t. K1 B
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
% Y% u! s/ e; i. IWinNT) with the CreateFileA API.
$ [1 H/ e4 m+ x$ u. s4 [. ?1 C1 j; ~) Y3 q5 s0 ?# U# ]
Here is a sample (checking for 'SICE'):: b. f$ K. W, b2 ^0 @
( a2 d( ?& m8 Q* q/ ^. O1 R
BOOL IsSoftIce95Loaded()8 s5 _! M; o' ]$ P8 ~( U
{) k0 ^" e: s; Y/ a
   HANDLE hFile;  
! S" N8 n" d' g( e5 p# Z   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,6 I8 v& e3 H( k2 `) S, ?
                      FILE_SHARE_READ | FILE_SHARE_WRITE,/ F& O' j3 }0 g
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
4 n# H3 U, J$ g& i   if( hFile != INVALID_HANDLE_VALUE )
; Z; O7 d/ K: T$ X3 h   {4 ~: c, f6 R8 m& A" J  G
      CloseHandle(hFile);4 I: v* I6 g; r
      return TRUE;+ |8 H" E4 Y0 E- l4 y2 v; e
   }
9 a( N0 M2 K1 U0 p   return FALSE;
2 w; r9 \6 {  N0 m1 a}* Y( Q3 l2 M# t9 l# B
  E! V/ c6 l5 ]. F' M5 J3 L8 \/ ~
Although this trick calls the CreateFileA function, don't even expect to be
2 U  |& @+ i9 Q+ n7 k1 E$ J+ k/ U+ H$ zable to intercept it by installing a IFS hook: it will not work, no way!' G+ p# Z' L! R/ E* ]* ^
In fact, after the call to CreateFileA it will get through VWIN32 0x001F/ x! z# s/ b' q! P: t! a
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
) j1 n  H$ b7 P' J/ Sand then browse the DDB list until it find the VxD and its DDB_Control_Proc
: W7 G' t* Y. i5 |field.( b+ P9 e! d, {1 F6 k+ p; F) |
In fact, its purpose is not to load/unload VxDs but only to send a
% b4 m$ s' f- v. K- y3 KW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
: v' ^1 H; [' `# ~9 Z4 @9 L& E+ ^to the VxD Control_Dispatch proc (how the hell a shareware soft could try
3 E* K8 ^. w& Bto load/unload a non-dynamically loadable driver such as SoftICE ;-).
! `2 r4 C( }' h. IIf the VxD is loaded, it will always clear eax and the Carry flag to allow
+ d$ e- u8 S  d. g$ sits handle to be opened and then, will be detected.1 J/ ?; W! M% r/ v9 u% _9 t
You can check that simply by hooking Winice.exe control proc entry point2 D4 F0 g$ ?# g) ~# K  d
while running MeltICE.
8 [/ u3 z8 z2 X
+ |$ p8 O5 U  U+ ]3 R) }
% M1 p8 y1 I0 f* b3 S: v  00401067:  push      00402025    ; \\.\SICE, R7 |0 }6 h9 @1 s1 {8 o( }
  0040106C:  call      CreateFileA
% X% q- f  r4 R8 V# w8 @  00401071:  cmp       eax,-0011 E: J2 `5 O+ d# Z% s8 C. k
  00401074:  je        00401091! p9 }% |! y# ^7 o: V4 p, j

4 C: ]$ l6 O& o0 S0 H! I1 `, [9 r
0 |1 g+ g: [$ z+ r( [0 ]There could be hundreds of BPX you could use to detect this trick.
& {$ u. v; M9 r5 Q8 z-The most classical one is:0 X1 S, {0 }* v
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||: ]5 V9 s8 B1 c: p( Z
    *(esp-&gt;4+4)=='NTIC'$ ~( R% c8 W1 i# m$ r

7 s" q1 `; _% L* S- g-The most exotic ones (could be very slooooow :-(3 a" x8 u( |$ D% O8 h$ m6 [
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ; ~% Z  s% A% F/ M) q: ]. k
     ;will break 3 times :-(0 B  x$ y, w1 f9 z4 S( {  @8 Z4 _; ^
$ L) x- x$ N4 c9 U8 X+ w
-or (a bit) faster: 1 s2 |& q: w- u6 e6 U- Q: l! D
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')  G( n- I- k+ |& d
3 v, r$ i0 {' z; I4 p6 L
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
. r0 u& k$ ?/ t$ a2 f6 H- ^: u     ;will break 3 times :-(
$ R2 e( _$ ]: G( G) M
$ s' G8 g4 j+ n1 n# I: @-Much faster:8 Y% g' e% {3 c' o
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
5 ?, }2 p8 k# {; M" s* E* X
; H! R0 m2 g- I, n4 FNote also that some programs (like AZPR3.00) use de old 16-bit _lopen. k& F+ t* d- a) G' e4 \0 z2 w
function to do the same job:& @& V: s- P: F) L% B

' w# b1 m+ m  G; w# H: c2 R$ w2 H   push    00                        ; OF_READ
  K1 W8 m9 \- ]* r3 h$ i, p. a   mov     eax,[00656634]            ; '\\.\SICE',0
5 r. v7 k# t8 C6 q' v' D) W   push    eax
" t3 U- }; j. }1 I: {/ ?2 @   call    KERNEL32!_lopen
' s1 A  |7 a1 d3 C1 f/ i5 u8 M) Y   inc     eax9 S0 I+ f9 A6 v' q7 \. Q$ f/ h
   jnz     00650589                  ; detected' O0 F; X/ l( h' w  x( g
   push    00                        ; OF_READ
- Q% u7 S; o, Z' Y3 L- r9 a   mov     eax,[00656638]            ; '\\.\SICE'. {, M9 j, ~% I" R
   push    eax
+ }5 a& M, }4 f* a   call    KERNEL32!_lopen
3 t, {+ x9 o# L, `. b   inc     eax
/ k1 b' P! L$ G* m  \   jz      006505ae                  ; not detected( b/ `0 S  Y' D0 `( K/ I! A# [

/ w3 x* _" W5 |$ ^3 @" n* X; l) T+ C0 `1 ?5 \
__________________________________________________________________________
  [3 N1 G2 N: `4 d4 L; @2 g8 y# A+ O7 G& U% N; n9 \& q
Method 12; w( V5 m: R1 y, u. S
=========
2 r7 F3 T. X( V7 w
5 l2 G  Q% i6 v. A+ A6 y# mThis trick is similar to int41h/4fh Debugger installation check (code 058 u% \8 X+ _% `# y; [/ |( ^! d
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
% f+ {8 W" ^5 S" x) Sas it uses the VxDCall backdoor. This detection was found in Bleem Demo.) s. I! a0 G; ]
6 h! u; B! ]3 p- t1 ?7 F: S
   push  0000004fh         ; function 4fh3 Z- W4 o4 T4 I' b: |$ ?8 J
   push  002a002ah         ; high word specifies which VxD (VWIN32)  c  }* P/ H0 O& g- |/ `
                           ; low word specifies which service% I. a& x# q# I- B, f3 f6 w
                             (VWIN32_Int41Dispatch)
0 F; l$ L" u! N8 y3 _* a& K   call  Kernel32!ORD_001  ; VxdCall
) [  j/ V  y* R, H0 c; r   cmp   ax, 0f386h        ; magic number returned by system debuggers
( B% B4 [6 S( M. f5 w8 a   jz    SoftICE_detected
( |8 W( ~7 X' x0 D( P8 m) r8 D" |! e! b  H6 ]# Q
Here again, several ways to detect it:( R$ Z1 N$ U* k3 y4 k

! c; ^% D4 n) I6 C* J  \    BPINT 41 if ax==4f
9 T& N& ?! u' f
0 N, P6 ?% C# z' J% q    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one1 f  t2 a" u8 W& e

8 {2 p4 x6 h0 Q' J9 h: i+ U    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A# q& `& \$ N) h1 @6 u2 f, F0 N
- @( E. |1 a  q3 N3 |+ c9 O, q
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
* L/ ]) v$ f, D4 D+ H- U
0 U. y  D. |2 m! ^9 E8 ]__________________________________________________________________________9 j( n! c" W( z1 X

5 \6 a3 v" _: J& \Method 131 k, s4 l5 E; S! W
=========
* n: Z% e6 \$ U  m3 k- }
$ @- }1 p3 F' m! D$ {Not a real method of detection, but a good way to know if SoftICE is
) X. B. M5 N% Binstalled on a computer and to locate its installation directory.$ t& D: P$ a  m7 V
It is used by few softs which access the following registry keys (usually #2) :
. F( p6 B% K4 q# ^* R( `, }
0 d. ^9 V8 }( v# ^-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion6 ^2 X8 r" O! N; r' d
\Uninstall\SoftICE. a  [8 P! E$ ^$ k& r9 Q* e
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
- v7 I! Y7 Y9 v2 i1 F$ h$ |-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
" _1 z( y4 e, ]$ u7 V4 X\App Paths\Loader32.Exe, `" X( e- L- n8 p  p) Z5 R
& @) w+ i! J( l7 n  }
- Y* R* D$ A$ a2 Z
Note that some nasty apps could then erase all files from SoftICE directory
/ R& y6 i6 |( ?" c- j- R& Z(I faced that once :-(( H& b4 v. r- E  _# u
' v; N" c& }, O; M7 K
Useful breakpoint to detect it:" B4 z8 s" w. P% {
" Q+ P" Z6 w, |( s: j' k" R8 d
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'! k* A  Q6 W5 F1 \7 G

9 [# x9 u0 T  \  ~__________________________________________________________________________
4 Q9 I9 A$ v4 J% X8 \: c) R& B9 K" A/ X( ^1 W' E. h

6 W3 {7 \$ |0 g  wMethod 14 ! r( d  Z6 }  a) e1 g7 }2 z/ p9 t" I6 c
=========2 V/ j; W) g9 W
1 _- f3 u: F7 v4 O, _
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
% R" {3 K/ a" Y: M6 ^$ i" h: Pis to determines whether a debugger is running on your system (ring0 only).
. g, ?" `% y1 a4 x* B2 f. O" m3 u% E8 X
   VMMCall Test_Debug_Installed
6 }* \! X: _) }  i: ~/ K   je      not_installed
( }, L( O  x# C
) S5 I, ~8 m, \" v' EThis service just checks a flag.
/ |6 Y2 e! g" z</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-11 12:19

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表