找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>! c5 f7 I; t/ U- T# y" t
<TBODY>
) |1 N/ z- d& n<TR>% T/ ?. \6 a8 a6 ^6 u7 N
<TD><PRE>Method 01
9 O8 H9 U3 ^! I4 {- [=========& G# {3 w2 B% r
, [8 I& i3 U9 B5 |+ o9 ^
This method of detection of SoftICE (as well as the following one) is$ j) e/ T2 F, G0 d. L) [6 W( N) f/ N
used by the majority of packers/encryptors found on Internet.
* x" \4 U6 w& N$ J8 ?  H; l% RIt seeks the signature of BoundsChecker in SoftICE1 H* t" L, P& J: }% O4 b
# C1 S" e6 L( j7 H6 Z" n
    mov     ebp, 04243484Bh        ; 'BCHK'
$ i5 u/ q& d5 ~9 T; d4 f+ W1 V0 s    mov     ax, 04h, k( g& E6 E+ S& p* F# g/ R
    int     3       8 n, F9 L+ @) z, B+ j
    cmp     al,4
6 h8 a1 P6 G6 A% a( I$ {' W& R    jnz     SoftICE_Detected3 l! g3 S% p9 E7 l) `7 a

9 u, ]8 N1 n/ r/ G! C2 e, x! x4 @___________________________________________________________________________& e' H$ J4 M* k  O3 W  k& H' h& R
0 a" ]/ s2 p# `" T; e" H0 y- l
Method 02
) h* ~1 J. H8 u=========/ ~+ x0 A9 x' m7 ]! @" H& S
) ^  a( m2 r9 P7 R9 i+ n
Still a method very much used (perhaps the most frequent one).  It is used
; c9 ]. w' r; |0 r: y- C/ B$ Dto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
% l! b' l7 Z; `6 \" ~or execute SoftICE commands...1 U+ s$ \5 \  T+ l  B' J) b: Y
It is also used to crash SoftICE and to force it to execute any commands8 }: W% T( H) n1 V  u/ b
(HBOOT...) :-((  
; U* N% w1 O! S  H* y6 O* e
  @! X. ?& w& W6 r9 H3 R. hHere is a quick description:
2 ?( t- D0 ]( \% {-AX = 0910h   (Display string in SIce windows)
2 b9 Z2 t" S# e; [" Y$ F, A-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
4 L$ K# k3 ~& C! i( B3 f: y' l0 ^-AX = 0912h   (Get breakpoint infos)) m. a/ V4 p5 K, m
-AX = 0913h   (Set Sice breakpoints)/ P0 Y1 I, h# e% E& p' J; `. O
-AX = 0914h   (Remove SIce breakoints)& V0 c' C& L" y  x0 [5 {. h
) h  b0 x2 ?# K1 m$ F2 f
Each time you'll meet this trick, you'll see:* K  \1 c7 n: I9 M
-SI = 4647h+ P# Y+ h5 G  z* L4 ^
-DI = 4A4Dh
/ P# b. p) N% s% pWhich are the 'magic values' used by SoftIce.. a& ~! ~" r/ J* I
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
3 y# h+ C0 n9 W7 Z) a
$ C* F  l1 d, G& s8 SHere is one example from the file "Haspinst.exe" which is the dongle HASP. ^* A2 J3 }% ?0 ^" N
Envelope utility use to protect DOS applications:
1 n( Y  I/ W  e: |( A0 B- a. A2 N. ^* z& L9 [
- c& Q( U; s) f) }5 Z1 E* ^
4C19:0095   MOV    AX,0911  ; execute command.
! t6 d* q# |) ]# X; D& p' Y! A4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
. N" k- y( c- V! R9 n' k4C19:009A   MOV    SI,4647  ; 1st magic value.5 I! q" p. `" n9 c* h3 Y
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
3 ~% _; R: q$ d2 J$ O6 A8 [4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
. U1 T6 l; a  k$ F; Z4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
5 {- |. I0 \9 _9 e& _4C19:00A4   INC    CX3 _% G- I3 n3 h$ g0 w6 ~
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute0 |5 N5 p. U% i  w  I( U- _
4C19:00A8   JB     0095     ; 6 different commands.
. a* z* L: ]) _% q7 H  a3 c" a2 L4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
5 k- k$ ~2 N! m" W9 Q  @% T4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)4 U+ q+ c% \3 N7 I) L2 p

3 Y# r6 v+ N/ d& CThe program will execute 6 different SIce commands located at ds:dx, which5 a; d' A2 W& w: g. G
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
8 r  M$ @' U& v) x1 I9 b7 b! `# ]) o' M  w  Y" O9 W9 @
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.2 T. e; h( V$ Z1 U. ]( v
___________________________________________________________________________; J# U* K' k) _% F6 b

* @6 e9 g* g2 y4 x4 L
3 v+ ^/ H3 ?, c: p- ?Method 03( |8 A! ?0 l* Y% s
=========
5 D# J& k3 ]9 Z/ R) f/ n8 o# E) e/ Z  y( R- j2 }
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
1 T5 M8 U, x; P* b! Q; ?; J. Q% m) y(API Get entry point)" {% O; {0 d  Y! l4 t1 f) t0 S
        
  C+ R) B( i) h2 X$ A  L$ h
4 K3 \- M' A2 ~! B& S. _2 X/ D    xor     di,di
* Y7 Z4 o; u) o3 x( e. G) t" N0 a    mov     es,di7 u' ~# T! K0 S1 j5 m! k. H
    mov     ax, 1684h      
" C+ X) B( ?1 ?6 c/ V    mov     bx, 0202h       ; VxD ID of winice
6 ?1 w, e3 ?+ O& e2 z* s    int     2Fh; H' q: d7 M5 c& E" {
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
: |8 ]( e8 ]4 B- c3 X0 o    add     ax, di* T& b9 v# t$ _( o8 L
    test    ax,ax
% n) V7 e. h, C" R    jnz     SoftICE_Detected: v( L% o9 I) N( |" D
( u7 G4 n7 W! u: A' b- @5 y: c
___________________________________________________________________________
2 T9 H; h' S  j7 C& a, `2 y
  |1 s5 E  F2 M4 uMethod 04
  Z8 y  d# {+ n3 m+ w=========
1 Q% T. |0 h  \* Z3 p$ ?4 H/ D
0 I' i" @9 N+ B' \! k/ _  CMethod identical to the preceding one except that it seeks the ID of SoftICE
( y- d3 x3 v  p& J% p8 nGFX VxD.
! V/ G9 _2 _* x; T" a. L8 \" ^
0 X6 F2 Y' N; W4 c5 c& d2 n, [    xor     di,di
+ n( q/ ~* A  ]    mov     es,di
4 z9 }; P$ O; o+ b% L    mov     ax, 1684h       1 [& |4 ]! J; E; w: t( P  r2 n# \
    mov     bx, 7a5Fh       ; VxD ID of SIWVID1 L. A  b3 z  u0 k
    int     2fh" S, Y1 @6 F: v9 Q# O5 d0 }/ K
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
. p6 x6 o7 c/ u0 F5 l' R    add     ax, di) u6 Y$ _  N# q" }
    test    ax,ax
- G# h6 D/ z* l* S, W; \: P    jnz     SoftICE_Detected: ]* K$ F1 H, b# `" w

* H! {% I5 M1 t__________________________________________________________________________
6 e3 S/ Z( D: L" H6 d' \4 h& t4 n
2 d" z& G$ M- b" J3 I- X; `, e
/ C: `7 y/ s9 a% w+ i; c  ]; eMethod 05
& s' _: ]$ |8 }3 ~# g=========$ R* V# T7 l* b

  `  L; j3 Y3 ]5 T& N5 yMethod seeking the 'magic number' 0F386h returned (in ax) by all system
5 v6 I6 B0 O& }/ m& g/ x6 pdebugger. It calls the int 41h, function 4Fh.3 C7 b& M/ B0 _/ i
There are several alternatives.  ; z1 t6 [7 b. T- O/ i# h- P3 X

. G! ?# A) a' G0 h- N# w* LThe following one is the simplest:
# ^& e, P1 e* o2 C! V
9 N5 m* H' J. k7 |& ^5 ^    mov     ax,4fh5 F& g+ L& k+ q1 O+ k
    int     41h
3 v7 F1 \) s$ q  `+ A2 c    cmp     ax, 0F386! l9 x8 d4 ?8 y, _! r
    jz      SoftICE_detected- z" R* @/ c, y7 ?7 {6 T2 z6 s
1 {$ x. [1 {, ]" Q' w0 q$ C

* l4 P( ^0 M' X: A; b4 kNext method as well as the following one are 2 examples from Stone's . w7 @# d; ?: @; ^0 i
"stn-wid.zip" (www.cracking.net):
" ]$ C) Q# J% i. }! |& B. H; \1 y) s, j1 ^: A
    mov     bx, cs
) E4 |! F+ n' g; j; R* @4 F  k    lea     dx, int41handler25 E  t: E5 a3 }) Y; E; \$ Z. S
    xchg    dx, es:[41h*4]
5 l/ T$ d1 D! ?2 I2 g3 j    xchg    bx, es:[41h*4+2]6 P' j/ E: ?, ]% o: }
    mov     ax,4fh
) C0 ~5 U: M$ T    int     41h
, S% a. N: ]0 X2 R    xchg    dx, es:[41h*4]
9 p( K7 J" Q8 v  N  T    xchg    bx, es:[41h*4+2]
% h2 F9 o  q. i    cmp     ax, 0f386h
3 b# g1 o( e2 M( J( h    jz      SoftICE_detected8 r( P- K* {3 w8 u

0 M- s' ]- p6 v+ [int41handler2 PROC
" ~! o3 V) ]5 n: V    iret
' z) I' M' T& j" mint41handler2 ENDP- B$ u5 m' g, |$ l
- ?" ^+ {3 F% O' ^+ M
& _/ ?( H% r; o3 g8 V2 N
_________________________________________________________________________& u5 A* i) b1 _  J

* B; }! T5 b) H' W
* I7 n' i3 N5 A/ L4 [/ \, d( _Method 06
+ H# [- z# A* y2 B0 K  n=========
$ P, ?3 {; g, R. f1 r5 q" T( [) S& F% B* p1 Q3 ?

1 C5 l5 b2 Q# E# m2nd method similar to the preceding one but more difficult to detect:
( G3 ]# X+ i7 p; y1 S; U" I. p- {3 }

/ n9 k' o6 F3 G/ {5 }; j2 D  zint41handler PROC
1 @) e. ~0 r; L7 C& q$ [1 s    mov     cl,al
9 t. x8 z( m2 U: ~( U% ?& p    iret0 `7 X1 E4 M# d
int41handler ENDP
/ I) A: Z: Z5 |$ b5 W; J) m0 t# W
+ N9 w5 d, ~( b* U
3 I3 Z5 |8 r9 \5 D# n. e    xor     ax,ax
( T( Q9 V( A8 p3 s    mov     es,ax
) m8 R8 E% D; J  }" i( e) \1 [, Y# x    mov     bx, cs, m$ k2 G7 T' H' I# _6 V! `/ }0 E
    lea     dx, int41handler
* w+ L. f( Y: }6 i8 b% T    xchg    dx, es:[41h*4]$ `# E9 L6 V! {3 g. Y4 m
    xchg    bx, es:[41h*4+2]
* j7 X( S3 Q3 I5 I  U0 ]; C    in      al, 40h' J, ]; J7 x# O$ I
    xor     cx,cx' E- f5 q- l7 S4 h9 |
    int     41h
6 w, s* ?; _! N" ]0 x& X# W) c    xchg    dx, es:[41h*4]& f6 G+ \; c: `  |& y8 t' r
    xchg    bx, es:[41h*4+2], `" _) T1 _5 g
    cmp     cl,al
- r4 L, Z9 g+ a& W* _    jnz     SoftICE_detected. c2 j) Y) s5 z

: E& \/ X( D* z; v, k_________________________________________________________________________/ n* q0 ]: x+ Z2 s5 |" _
! U6 ^, X) f/ W
Method 07
7 V6 K" E% D- m  }& g=========
( z- h3 R# k1 W0 E6 o' p8 a3 G! A2 n4 t$ S
Method of detection of the WinICE handler in the int68h (V86)  z6 ?% X/ P) o

0 N5 P" N. k# S    mov     ah,43h: m" F. s) a& M; X/ c
    int     68h9 c' {  ]5 i0 ^) u8 @! _' A+ K9 {
    cmp     ax,0F386h8 h- J' F8 ~9 U" O' T$ k( O* D, g
    jz      SoftICE_Detected
$ A% W0 k( I1 ?
- N8 o+ O2 f( p5 z2 j6 G! Q: ?1 `4 n0 f& C9 r* j# ?0 P3 J
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit' W* v4 O+ X; w6 ~, H. F
   app like this:3 v" i1 p& @( L- @

5 R1 @+ v' b; e; r. }& K   BPX exec_int if ax==68
/ n* J8 `7 b4 Y( G* v, B   (function called is located at byte ptr [ebp+1Dh] and client eip is
! L# K2 R: G- C) H, V   located at [ebp+48h] for 32Bit apps)
+ V% \+ G, t$ t* p. g- V__________________________________________________________________________
+ |" ?! }, a% ?' {; G! @0 b
8 v& }) n, N  z
/ g% R5 z) j8 Y8 u  m" I: p7 Z$ ZMethod 08
5 t2 s5 O/ C/ \* R1 D3 u=========
/ F+ v5 O) f4 L9 k$ Y  V8 w/ f; k- U4 D$ F( E6 C' d
It is not a method of detection of SoftICE but a possibility to crash the# E4 h' P# N/ \8 V* h: I6 @
system by intercepting int 01h and int 03h and redirecting them to another6 F% n, k6 W2 O! X5 A
routine.0 S# m2 V6 A5 b4 g
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points9 H. p) x8 ~- D; d
to the new routine to execute (hangs computer...)) g$ w$ l+ J; t" F) K' L. s
' l9 A$ {: C7 |& {
    mov     ah, 25h
0 `$ B" [7 q  l8 d' Z    mov     al, Int_Number (01h or 03h)
  F: V* f  ?. I# G4 [/ M    mov     dx, offset New_Int_Routine" L+ A, Y9 j* H+ R( f8 ?8 F! U! L% B
    int     21h: U- i( `' u" h2 a$ i+ ^

7 C+ o1 E- O0 R' B6 X$ r, e% S6 ^__________________________________________________________________________
0 H$ }9 _: p/ q8 W% P8 e) p3 N0 M
Method 09
5 U, L! |$ V2 b& o) u9 X=========* B, m6 D/ S7 {1 r
9 Q2 C" h! k/ v( y, b. p0 J
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only/ C' k  X: T3 m: X7 H  o$ Y% W
performed in ring0 (VxD or a ring3 app using the VxdCall).
  B$ t' e* [$ m, YThe Get_DDB service is used to determine whether or not a VxD is installed
& b3 u% F, d+ J9 @$ @. Gfor the specified device and returns a Device Description Block (in ecx) for: `) X) v, _2 k7 E9 o5 M! D
that device if it is installed.
1 ^. {* r3 t& Z! ?7 Q( P
& ^( k+ C  Q3 ]5 h6 t7 E3 z   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
$ Z6 Z! M* d( _. _   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
7 b! v* t3 y6 }) i3 A( z   VMMCall Get_DDB
- L3 o# \' k5 [, F' {: C   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
4 v6 j- v/ f% \  {" a
; Q4 z0 b# ?; I! u7 C* e& ?, HNote as well that you can easily detect this method with SoftICE:7 @, ^' q# z9 r, g) s( A3 x' B
   bpx Get_DDB if ax==0202 || ax==7a5fh
, w4 Z4 p; S: a( Q5 A7 h, ?
/ X0 _$ v2 |5 \1 n% h7 K4 y: r5 \) O__________________________________________________________________________
( R9 x0 u% @5 ?) t" K: m) u* ~7 f; |$ b# K3 D; C
Method 10% g7 j. W5 d1 ~$ {4 A
=========+ ^  `% c2 ~' c7 D; Y" n' D: X

6 A- o* W) V' D/ C2 R=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
# \( E$ A! V; e" J  SoftICE while the option is enable!!
; c- {* c- r7 K
/ \3 |5 w; y6 Z2 ~% G8 ]5 {1 `( C9 yThis trick is very efficient:% [( Q; s, J7 x3 R% H) j
by checking the Debug Registers, you can detect if SoftICE is loaded
8 u& K, a; Z$ N, p0 Z(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if& P& [  K, d1 \! V  q8 U
there are some memory breakpoints set (dr0 to dr3) simply by reading their- ]& I$ ?3 x& q
value (in ring0 only). Values can be manipulated and or changed as well) }3 V5 @+ v5 B1 ?- Z4 }
(clearing BPMs for instance)8 K/ Q5 X6 T* f& v: o1 v8 {! e

4 G- A% W3 K( T: n__________________________________________________________________________
" p" ?+ d2 l7 @& F" }' Y- g% S4 G$ A9 E; U2 Z5 H
Method 11
% I7 d6 J' Q. o: ?/ B. @3 M2 D=========
' }) `. B$ d9 P3 s$ M$ F  C3 U4 H1 e
This method is most known as 'MeltICE' because it has been freely distributed
& c; C- i) R" S8 c: R  w8 nvia www.winfiles.com. However it was first used by NuMega people to allow3 Z0 I  ?$ E1 `- C# A4 j+ f. ]
Symbol Loader to check if SoftICE was active or not (the code is located# m9 k! a$ A' k8 ~  k$ @: A3 O
inside nmtrans.dll).; M5 ?" c: ^! b0 f0 t" T

( n; F: a7 m, m  t4 g4 JThe way it works is very simple:
6 L" a0 R! ~3 t+ t5 [It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for% W  S: W; i: M
WinNT) with the CreateFileA API.+ n5 q4 p" Z2 z: Y3 `5 h

/ }3 K5 a/ ?5 g4 E% }Here is a sample (checking for 'SICE'):
( H- ~' {! P3 s/ [* g! v3 X9 D. O% E0 Q
BOOL IsSoftIce95Loaded()* n3 ?2 ?2 I) b( L
{5 U8 B1 }0 _7 d7 x
   HANDLE hFile;  + R  f6 A! k( ?, F
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
  @6 c( P- N% Y' ]+ ]                      FILE_SHARE_READ | FILE_SHARE_WRITE,
! @& S7 s' X2 k6 h                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
" G, M$ s7 y5 L; j' C, B+ T! c, @# F   if( hFile != INVALID_HANDLE_VALUE )8 X% v, ~& R0 u- |% B3 s  c
   {; ~3 j& x) s" f4 j( I- Q
      CloseHandle(hFile);' x( Y8 c. K4 P  v& Y
      return TRUE;; m) r: S0 `  E
   }1 s- \( ^4 ~( u  \; |* N
   return FALSE;4 a: T% b9 W8 I( }7 V, B, o6 }! C6 R
}$ R9 C% M( I: Z( h4 Z# g4 y, }
: Z8 q6 }5 ]1 y* x
Although this trick calls the CreateFileA function, don't even expect to be, Z& y" W# `5 P2 Q( }6 @' e
able to intercept it by installing a IFS hook: it will not work, no way!7 }# G4 ?/ e$ N% i  F! T
In fact, after the call to CreateFileA it will get through VWIN32 0x001F6 g( `. q- y! m, S1 L
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
' {1 g, D" K7 t- g1 M+ V, jand then browse the DDB list until it find the VxD and its DDB_Control_Proc
5 n5 }3 l: y" m5 y0 u0 kfield.
9 q* X* t9 s0 u/ C  f' NIn fact, its purpose is not to load/unload VxDs but only to send a & ^* p0 x; [6 _  w, M+ @) ]
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)  `7 G# L, J; v3 l
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
" I* C# p: O/ u' ^to load/unload a non-dynamically loadable driver such as SoftICE ;-).( v! v/ E) D8 z, K6 u6 [. E
If the VxD is loaded, it will always clear eax and the Carry flag to allow* @7 \- I) J4 `& l( E+ b
its handle to be opened and then, will be detected.# `0 ~/ M- |9 p
You can check that simply by hooking Winice.exe control proc entry point2 E- r  f& J1 L' f3 R
while running MeltICE.# J' p6 o' S: T* v( Q

4 P* @8 b3 Q$ G' ]) N+ f  b: }& t$ @0 T3 ?0 D. [; V. l1 D
  00401067:  push      00402025    ; \\.\SICE  T1 Z1 T! f! E: i* H% E
  0040106C:  call      CreateFileA
$ p$ T" g  @; P7 F) {( R$ m9 x  00401071:  cmp       eax,-001
) ~4 q$ b' u, f* S+ I  00401074:  je        004010917 o& n$ f- X8 B2 i0 x. v8 S- `
1 K6 z/ |, O" |* {* y

7 k2 A0 Z9 q4 Y: YThere could be hundreds of BPX you could use to detect this trick.
! H% W& C! M4 C  W8 |% r-The most classical one is:- `# g( X4 [. Z
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||7 V5 G% [3 j2 m0 ^$ ~
    *(esp-&gt;4+4)=='NTIC'9 f% t- N& p  U! M* k
: y5 k( ]+ l7 _
-The most exotic ones (could be very slooooow :-(% d, l0 L4 y1 j3 ^& r# I" E
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
$ N/ l! D/ U$ W8 ^( W     ;will break 3 times :-($ i% z3 s" B9 d4 G* ~& M
* j* O. ]* j9 q* Z+ C4 c5 n
-or (a bit) faster:
5 A0 O! E1 @1 b4 B7 b. H5 Y# l   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
' n7 e3 m0 Y4 u( k9 k
, v4 e5 {% y. y9 `   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
+ X6 i- J6 W, C: Z1 d3 D9 D     ;will break 3 times :-(
/ y" g/ a1 ]) d; d) a7 z5 N: F5 {7 o1 j3 T* r
-Much faster:
" Y% `2 S. r0 |& Y# N   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'" l$ `/ R  a8 @9 [3 _; f* p7 g

9 L) b# o7 }3 ]3 t. FNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
2 {8 f- G3 }7 z" K8 l% W+ Bfunction to do the same job:
+ j" ~' W9 i& D8 e, `/ s$ E
: V) ]8 v# \3 s4 X" P) a   push    00                        ; OF_READ
$ @% K$ z4 b! P( _. }5 d   mov     eax,[00656634]            ; '\\.\SICE',0
0 w9 N. S) g8 A2 N8 R" G   push    eax, R! N8 o" }$ @& I4 S/ F" k
   call    KERNEL32!_lopen& i+ e6 `8 H* F) Y
   inc     eax
3 M* p" N: x* ?: x& P   jnz     00650589                  ; detected/ m; [+ \. Z2 O. _
   push    00                        ; OF_READ5 J. ]8 w+ l9 ~( x1 {
   mov     eax,[00656638]            ; '\\.\SICE'
: y( H# B2 z2 N3 O1 A   push    eax9 q1 g) W5 E6 b0 x- u
   call    KERNEL32!_lopen
! Q$ O2 k+ a' g: Z0 M  f   inc     eax7 u( Y1 \. @5 c$ l5 a
   jz      006505ae                  ; not detected! C( l3 h+ Z# B! v# `
- Z4 V4 B  `8 [& M/ b) V

+ A) @& |: ]9 j* C) n; R, M8 j__________________________________________________________________________
. P: H# b8 p$ l5 q) n1 t' }0 B' f( d- t4 |, ~+ `: J0 S3 N
Method 12
+ L& Z* ?- B0 \=========7 _% y3 J  Z" T) }2 [1 Y1 |
# c$ m: O, G& x# X
This trick is similar to int41h/4fh Debugger installation check (code 05
* U- I4 j5 j) l9 p7 @&amp; 06) but very limited because it's only available for Win95/98 (not NT)( T1 l- o( r, [6 m# p
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.1 T- c4 ^# E/ l/ X' K8 q
  G+ _3 L* s' }$ ?- _4 m9 i
   push  0000004fh         ; function 4fh2 \- ^8 ]' V9 A8 W4 H
   push  002a002ah         ; high word specifies which VxD (VWIN32)
1 Q* n5 ?; A+ Y: _                           ; low word specifies which service, U6 F& A" `, G7 K3 M' A
                             (VWIN32_Int41Dispatch)
% M" C& z3 Y8 y: S) p# t   call  Kernel32!ORD_001  ; VxdCall0 C( V$ h* r0 a9 w0 w! z
   cmp   ax, 0f386h        ; magic number returned by system debuggers
  j' ^) K0 `  ~) j' x# D% f   jz    SoftICE_detected
0 S5 ]1 j% M% @8 e' e+ G* w# S' g1 K  X2 `" ?# l0 T' p& H
Here again, several ways to detect it:! f5 n5 E% p( c0 w5 d5 [1 V8 p! z

( ?" `7 J" q0 `5 `: t8 T    BPINT 41 if ax==4f
+ M0 p3 a+ i3 V
) G2 g% M" r$ f' b    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
: u4 T' D: q$ y) W; O; X" u; ?8 v0 D) B: W0 |1 l9 V
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A& ^/ s- p6 L6 P, ~
/ P& G' e: V, y" k2 u* w
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
& e1 |3 I. }8 Z; O! m
9 G' ]- \' W# ~0 [! Y  @& @__________________________________________________________________________
: L& ?" U  p6 s% h1 U* y9 |6 H2 K7 x- c5 R  k
Method 13, c+ J, P0 `. ~
=========$ V2 N0 i/ N, L# s# ~# d8 J

0 i7 @: K6 \3 H( F3 w  {Not a real method of detection, but a good way to know if SoftICE is; ], f0 H3 g( x) C2 Z
installed on a computer and to locate its installation directory.% {, N* l: c% O. g( P# T* Z' n
It is used by few softs which access the following registry keys (usually #2) :" O% M- h! f6 T9 G$ z2 K
# V" [% J( L/ \$ W7 D, z" R4 f8 q
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion' @1 A9 f+ i% M& W5 d' k
\Uninstall\SoftICE0 h3 j1 J6 e( B  a' D2 H8 a3 T& N
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
! y8 B* [/ [; T/ c) U- a4 Y-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ @) c# n7 q/ Q5 _6 d\App Paths\Loader32.Exe
0 @  m4 Y' d6 t7 I; H$ J: m& K# J7 Y0 O

% y7 E6 ~* ], n2 e! `' E; DNote that some nasty apps could then erase all files from SoftICE directory
4 w) O3 U, L4 ~. E5 C: y! ^(I faced that once :-(
: f: Z2 [2 n' g% ?" p$ q5 S
( k: S: R1 ~1 \) z4 \+ MUseful breakpoint to detect it:! U% H3 y* m% s" @$ J

1 K2 {( S9 Q  @3 [     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE': G# G6 f: m, I  D8 ?/ V6 @

# k8 v1 Y& L* z- c1 f* |& ~__________________________________________________________________________4 u% t& X2 g& ?# n+ ?

0 N$ ]- U6 T; \+ C( C2 {1 |7 T' Q/ `5 C, G" g8 ~4 Z
Method 14 $ d+ x3 K0 z. B9 Y! h* S
=========
  d# R1 p3 f3 h3 V, y, R2 Z) a8 \/ m' Q0 K1 A/ U' Z
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
& p# f% C( l0 o' `) i; ais to determines whether a debugger is running on your system (ring0 only).
% M! W, H( r+ \1 J0 A: b5 I
, b/ k) t* F- C. n: R9 s$ o   VMMCall Test_Debug_Installed
5 z( H# b1 I- L7 s1 [3 D0 C5 J; }   je      not_installed7 l" D; z( _0 N2 C
! N' [: q  _+ |
This service just checks a flag.
0 L' P$ X5 c# L7 @</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-16 05:57

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表