找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
) q6 E9 i, v( W2 e" L<TBODY>
0 {! d4 P, h; f) O( E: }<TR>8 s6 w/ l9 U1 Q. K2 B
<TD><PRE>Method 01 / k& y6 C& o8 A+ |" V
=========4 O) W! B8 }0 l- P7 B4 c

- p/ g7 I% c! I0 @% p& I% |( |This method of detection of SoftICE (as well as the following one) is
" s! }2 d. E" Bused by the majority of packers/encryptors found on Internet.4 i/ p& c' ~8 B! k% N; n* R( l; Q
It seeks the signature of BoundsChecker in SoftICE
4 x  P9 n& @. i# [/ c
7 _0 a; h; M* J7 Q" Y; d3 R    mov     ebp, 04243484Bh        ; 'BCHK'6 B( l  S* @* G: K& F# e( H
    mov     ax, 04h& P  o4 p$ D: d4 y7 V6 r
    int     3      
' {& s/ B; Y6 w. f5 ~& A  n! K    cmp     al,4/ a6 ], C* I( m- G: @, r
    jnz     SoftICE_Detected
, H" r& R# E% P" H3 L$ m( F( B$ m* x& }" A4 Y: ~
___________________________________________________________________________8 Z% C6 n  ?0 _: E
3 J! O  o  C! A; z( V9 H
Method 02
1 C$ D4 y) Z' U=========/ ^$ e2 r9 X) a3 U: n1 |4 R- w

8 V) G$ b4 n5 vStill a method very much used (perhaps the most frequent one).  It is used1 Z; ~7 N- o7 ?) x* b3 f
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,8 i  G9 e# j- M& j3 u
or execute SoftICE commands...3 H+ W" S9 p% h) m2 @0 O
It is also used to crash SoftICE and to force it to execute any commands- K; X. g" a6 O) f1 A$ y7 `
(HBOOT...) :-((  " w, e8 T9 E- \' Y2 V3 h

: V% c" u, w6 a5 yHere is a quick description:7 }( [# ?! B& [4 j! P$ v
-AX = 0910h   (Display string in SIce windows)
, R/ b  U4 v/ f/ g5 ?# d-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
: e! |+ d  Y0 s& Y# u) M1 z-AX = 0912h   (Get breakpoint infos)
8 J7 ]$ @6 [& m  P6 R9 V# Q-AX = 0913h   (Set Sice breakpoints)
7 j- h; j7 b; j-AX = 0914h   (Remove SIce breakoints)1 Y. c. ]% m0 R& f
5 a- m) O+ T5 w5 ^& }9 \" P
Each time you'll meet this trick, you'll see:
6 K! z3 O. H) w+ c8 `-SI = 4647h# x, X5 V9 e/ v& D* Z% }5 I
-DI = 4A4Dh
2 a4 i, [$ F% i2 f+ o5 h5 {3 ^6 QWhich are the 'magic values' used by SoftIce.
8 {3 H' |- G) c* ^; ZFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.% v( _4 t6 a( Q, R6 N
; e* P- e) H+ n( t7 G6 [' E
Here is one example from the file "Haspinst.exe" which is the dongle HASP
& e, H; x4 y6 j3 YEnvelope utility use to protect DOS applications:
! k5 T$ {7 h: w4 e& A3 H
7 @! u/ |$ `, ~- U+ z' _
" V2 `5 I2 E% c' [9 F- G# @- \4C19:0095   MOV    AX,0911  ; execute command.
  ~4 @# k8 E0 D! s4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).$ H4 h+ k1 P" c  C( d2 @1 Z
4C19:009A   MOV    SI,4647  ; 1st magic value.
4 t' ^/ F' P/ y: }, l' K' h2 G1 C& {* `4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
) L1 L; S0 b5 O& o  R8 ?) a4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
1 r  T/ r" y2 k1 F2 z4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute! Q  D, w# c$ I& y5 T
4C19:00A4   INC    CX
2 X$ ~' W# g( [6 U1 v! b: o4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute, P( j1 ?" n/ b- _4 B9 O9 y% j
4C19:00A8   JB     0095     ; 6 different commands.
, B; P1 ?( w$ B- m4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
" H* q8 m" ]- e! R% f6 S& V4 @4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
& m3 x( n0 m* l+ o3 ?
2 D- P/ `( ?% |! Q% t, `The program will execute 6 different SIce commands located at ds:dx, which) H8 X$ u: B5 j( ~6 d
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.$ b5 N/ v* _" N# u) c$ G5 E
1 u" V4 C1 g+ H  ~$ M$ k6 V0 G
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
! H1 p& P+ L! f" ]) q___________________________________________________________________________0 J* j9 Y& G* I" T- T

; }4 K8 L5 v6 y5 V9 }& T6 a
; d# _+ t; ~# X3 V! G& v& U; X) xMethod 03+ B  A. g7 r8 z% M
=========0 v6 w% h2 h3 ]

# i0 F' G7 N- Q8 s3 {* |Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
6 N9 V) X) H  h8 X& _: l* V! T(API Get entry point)
$ r0 [8 F( q- t% C0 y% R( _        / M6 k  T3 l2 I

3 g% B. E2 b6 r0 P. X+ Q; u    xor     di,di6 D9 B7 u# g3 @! S! Y- a
    mov     es,di
8 _8 X- l9 ~  _8 Y& U( n2 h7 s    mov     ax, 1684h       3 }8 t; Z9 o$ q
    mov     bx, 0202h       ; VxD ID of winice* q3 j. H+ t8 A, e# j8 V
    int     2Fh
0 Z: [, a9 A1 m    mov     ax, es          ; ES:DI -&gt; VxD API entry point
" O! T. X1 N  Y, `" ?+ ]$ S% r    add     ax, di
2 ^2 w/ \! Y& `7 l  J. {  c    test    ax,ax% C" w* }9 c+ _. g6 J/ E
    jnz     SoftICE_Detected2 F+ _4 \* ~1 V

0 ^7 x3 Q: X  n7 t/ V___________________________________________________________________________" n% c% @2 w3 E: B0 L, o1 {
- X3 w2 r" W" f9 S9 K% v' z2 Q: B
Method 04
5 `3 s3 g: ^9 N0 ?$ P- S% `0 w=========/ H' a  L/ F! d( _' H! f& X1 ~
8 G- w3 W) w6 [/ A& D$ y
Method identical to the preceding one except that it seeks the ID of SoftICE2 m( B- C: ^* q
GFX VxD.
3 E+ A- H% x- u9 b2 A3 m8 g
' b9 D- r$ B; p$ z( F( s    xor     di,di
$ O* B, \! ], e1 A' y, w/ n& O    mov     es,di. ~. b4 _3 V4 K" @2 F3 O
    mov     ax, 1684h       & a" U/ z6 |- ]6 q5 N
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
! ^9 |! _& C6 c5 L* @    int     2fh/ t2 U3 O( T* u+ c; e3 E- R! C7 g
    mov     ax, es          ; ES:DI -&gt; VxD API entry point9 E' v$ P4 W6 Q3 u( P, T
    add     ax, di
! G" G/ j: o" Q; t3 m# c' k    test    ax,ax
3 d! b; f- U! C    jnz     SoftICE_Detected
& q' y' [! T* S" d2 R! `/ F1 v
3 |4 L1 s2 S* M# P" v__________________________________________________________________________) F: p0 h. v% Y& z. I  T1 u

, R2 |  w6 |( Z1 J9 G, S* l
+ N- r) s& ]8 JMethod 051 L( \1 R7 s- E, e  ]
=========
, [6 j+ \& ?+ o/ J/ y
+ k+ q0 X; F. SMethod seeking the 'magic number' 0F386h returned (in ax) by all system3 Q; ]+ a. T  ~1 h6 L  C
debugger. It calls the int 41h, function 4Fh.+ R5 v% o2 K% ~
There are several alternatives.  
/ p, D9 y/ ?1 @3 b; c
6 N  i8 ~0 e7 g  MThe following one is the simplest:
" b: {$ ?8 Y4 e  ~* o/ f; P5 F
8 k9 M- a8 A! K% Z7 d    mov     ax,4fh
7 e4 j; ~  ~3 e6 n: U% V    int     41h0 l7 d7 X7 \9 v4 h) m7 X& }
    cmp     ax, 0F3867 ^! Q' F" h0 U
    jz      SoftICE_detected
3 Z' O6 N4 w2 O: _3 i$ V4 w. Z/ ~$ H7 ^$ u' @
: U9 t# K7 n. {: T1 |/ y4 m
Next method as well as the following one are 2 examples from Stone's
6 c% F7 s8 I+ Y7 [/ y# V"stn-wid.zip" (www.cracking.net):) C( }1 e1 C# X2 b1 I
% o1 n9 V! L& V- B! v' Q" }" x
    mov     bx, cs
2 T, O4 M4 z. [. A3 T    lea     dx, int41handler23 w  J0 o% M5 J% E4 W
    xchg    dx, es:[41h*4]
& j+ t3 F! a. V: K, N9 _6 P: Z; r    xchg    bx, es:[41h*4+2]) R% C( {$ g* K2 |* z
    mov     ax,4fh
& k4 D' J, T; i7 S5 U+ C$ h    int     41h
3 }5 s! V+ ]. P! |+ {# K7 k' B    xchg    dx, es:[41h*4]. @; ~- n9 f5 H" V  N! @' a  G
    xchg    bx, es:[41h*4+2]' V" c7 Q0 X  ^  V' ~1 v/ N3 l# W
    cmp     ax, 0f386h0 {3 h7 a. e8 H; ~* Q8 H
    jz      SoftICE_detected) k+ m& p( h5 l5 N; Y$ A% r

7 H+ m: l1 C) `! N# G- r: x( Rint41handler2 PROC" w7 ]" U; e$ H
    iret
0 F1 t9 _! X1 c% ]7 Lint41handler2 ENDP3 j' }1 Y$ z3 E. d1 W( _5 D. I
6 w9 _7 R8 D+ r# B

8 o/ @$ K* ]) j) t# S_________________________________________________________________________" a" C0 l1 Z) x, V8 q; z
# x* z: ]$ B: ~. [4 Z6 Y

& }7 V: i: t, P- l# |Method 06* U' B, F+ Y" @4 n
=========- Y1 G0 L. J6 r2 r2 A+ b8 d
9 z0 k& M( Y5 X  s) J% }& v) b

# l+ v  y5 W# N# F( ^2 k2nd method similar to the preceding one but more difficult to detect:4 S! j( {- S" e* Q+ t& s

; N: O' e0 R; d- W+ m! r2 F
% y& |# M  H5 d; Y$ f4 E5 w+ ?int41handler PROC. S# Q: b) R3 D7 Y8 P" r7 C
    mov     cl,al
3 V1 l: |0 C! U+ q, a    iret/ C$ a/ j' o# p6 H- _
int41handler ENDP: @  Z* K- Z1 F* t2 ^" X5 T

, E* e, K3 ^, ^' {# T, @" C) p) k% \! o& [  c' `; k# K8 e
    xor     ax,ax
  j8 q  W; G3 Y" u' ?# t    mov     es,ax
; |2 k' a# W. a( H+ C6 W    mov     bx, cs0 e1 u2 l/ x9 [6 X) e2 M9 J
    lea     dx, int41handler
- q) B6 ~: K0 ^  l    xchg    dx, es:[41h*4]& C, }( X6 [2 I  I# k
    xchg    bx, es:[41h*4+2]
" s/ _& q" p. h    in      al, 40h% ^* ^1 O1 [; u2 ^6 r8 q
    xor     cx,cx
) D' O% X( `4 H' Z    int     41h9 @% @8 V, J9 O- Y# F
    xchg    dx, es:[41h*4]1 ^" ]1 `: C* U) d- v( T; S. A
    xchg    bx, es:[41h*4+2]
$ A6 t" E: `2 K3 Q2 ^) W    cmp     cl,al+ L8 x6 N" U6 D0 u- Y. k2 y
    jnz     SoftICE_detected
9 P- R6 e2 b  x# W
) Y( W; c; a) }3 X_________________________________________________________________________
0 \- y5 I$ T: T8 {0 s3 x) L: P* h- C0 J' q: D7 Y
Method 07
- W6 O7 w: C" I# k; [5 ?* o+ @' P* f=========+ o6 `$ {' T4 g
3 q6 }% i6 Y! E1 u) b! C
Method of detection of the WinICE handler in the int68h (V86)+ F+ \: e- f5 i8 Y
8 w4 ?3 {% O* Z- j
    mov     ah,43h
% p, q/ f* X! a* G/ Y    int     68h
6 ?. Y6 c  D" y! D) D% I# N    cmp     ax,0F386h
/ ]$ B$ \1 ]# H9 A# Y" m. J( M: y    jz      SoftICE_Detected$ b" J. j; {) J. }
9 t* e+ A) }/ e

5 I8 i9 l5 p3 V$ F8 C=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit5 ^' r4 N. y' v& r
   app like this:* ]. U: A4 ?% e

* [) M, x3 T& A- Z8 E% P: N   BPX exec_int if ax==68& O6 H3 y. x0 @) H! O
   (function called is located at byte ptr [ebp+1Dh] and client eip is9 ~1 w3 [' A% i- ^( b; ?
   located at [ebp+48h] for 32Bit apps): @1 m3 _5 u0 ]7 s- z: `
__________________________________________________________________________
: G  V; K8 o1 e- A) t9 {) t/ j7 D; A, S- n0 e( D+ y& Y9 ]3 |

( Z. K2 {- t* f, qMethod 08# ]/ X0 l9 W' Y. Y8 M
=========. w4 ^  r# x! p4 }
6 `# p2 I4 Q1 x5 S( u
It is not a method of detection of SoftICE but a possibility to crash the; k6 I& `; ]6 h6 o2 X) Y: E
system by intercepting int 01h and int 03h and redirecting them to another
" p; n2 J/ y, j' T3 k; `routine.5 W# t$ Q% J1 p. o. J/ K
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points1 i: M6 k0 X( l
to the new routine to execute (hangs computer...)( z' C9 i4 ~9 |6 Q; z
) R9 w/ z& X+ V- D( V' q) H2 Y, H
    mov     ah, 25h
3 n5 A: f, a* r' N    mov     al, Int_Number (01h or 03h)4 ~4 `8 b6 u0 E7 y6 ?- d' I
    mov     dx, offset New_Int_Routine4 E7 b: s) d. C5 n
    int     21h
/ ~$ ?6 r% k: V! `% i: g* K, I0 M1 h' k* ]2 K
__________________________________________________________________________# p& r; k: o1 H% P' i8 X

( s& t3 g# R& g* S) X2 K' YMethod 09
2 d8 h, ^" Q- {0 b# K4 `=========
( k9 A# I& J  U% S! T3 p# E
8 i+ @: S6 R  g- {  k0 z; W6 NThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only  i6 F7 V$ Q" [- J0 L
performed in ring0 (VxD or a ring3 app using the VxdCall).
" y  T4 G0 N8 |& C1 I* MThe Get_DDB service is used to determine whether or not a VxD is installed
& ^- M" Y4 s+ v  |for the specified device and returns a Device Description Block (in ecx) for
) i6 v, b3 l& ^' I6 _. ithat device if it is installed.; h* [  r& {. i' |. Y

; G, ~2 @8 M" t. G   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID% B. `7 [- |2 ]( H: \) G
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
7 _+ L0 L$ W) o+ t   VMMCall Get_DDB
  R8 y$ a' i5 }   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
+ [8 P! e+ V4 y$ j1 c
, x$ `" N1 Y3 U7 ]. vNote as well that you can easily detect this method with SoftICE:
5 W0 q+ q# F- D# `   bpx Get_DDB if ax==0202 || ax==7a5fh
- E2 W9 p8 n$ k: C3 `6 ?- i
/ T" T* [- M6 z  A6 T) d__________________________________________________________________________
' D0 s- ?" x: l# B3 b; @0 X6 u$ `( u" u* f* y
Method 10/ V) ]8 t3 L* C5 }; F/ K8 L6 W
=========
( g$ M- F: o& m3 W& G3 w1 U2 r" y' R
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with4 F+ n7 ?; r' j0 U0 ~- G$ s
  SoftICE while the option is enable!!
* s( r+ U, `5 W8 }. ^: }' h3 S
This trick is very efficient:. S+ x/ L- p; `* d! l; G9 U! K
by checking the Debug Registers, you can detect if SoftICE is loaded
: N% ]( a1 l/ B6 [0 S(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if5 I- B# ~" ^8 U
there are some memory breakpoints set (dr0 to dr3) simply by reading their
, D# R) n1 ]( R$ X( A. A2 Ovalue (in ring0 only). Values can be manipulated and or changed as well/ A# `% S7 w2 M! I/ S) A- @: d
(clearing BPMs for instance)
, X+ p  Y6 c% e! p( q) Q0 @
# D% A6 ^' }1 L$ u__________________________________________________________________________0 u0 G: {$ E( W) T  h' F

0 S* P) L  T& Z% B% Q* `) X: XMethod 115 Z6 i: Q* l* R, Z: H5 @: l
=========: c- d3 q$ `% [6 ^$ ?+ P
  s) h3 i- ^' G' Q7 N& w( F+ A
This method is most known as 'MeltICE' because it has been freely distributed
" J5 a. x- }' _2 Svia www.winfiles.com. However it was first used by NuMega people to allow
8 _( z8 J3 a  O, N, y! e: JSymbol Loader to check if SoftICE was active or not (the code is located
" Y( O. S, Q0 ^0 Rinside nmtrans.dll).
# z4 `9 T" G" H7 h6 I, E
' s- G3 n$ J. p4 r0 _  Q2 jThe way it works is very simple:
. G2 q% U, J# j; n! ~It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
+ u3 T; k: c+ g& Z* aWinNT) with the CreateFileA API.
% r/ l( x6 n( N9 K5 N/ z" `0 }' z5 c) O% K& Q
Here is a sample (checking for 'SICE'):' ^  y1 g; A* [& k

. w; H; F  i; o: K: z; u9 v- nBOOL IsSoftIce95Loaded()7 K  T  n8 p: g% T
{: g, m. ^% Z- y4 _1 `4 P/ M& u
   HANDLE hFile;  6 F: G& {1 s: o
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,: C- C) u+ }1 a' `  ?
                      FILE_SHARE_READ | FILE_SHARE_WRITE,8 J2 l# }# M& `, M" Z0 F$ X) k
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);, l# z9 W* L5 T
   if( hFile != INVALID_HANDLE_VALUE )
. Q6 T- @8 Q! x# A3 W# A  ^   {3 t; c  W6 K+ N) k' W
      CloseHandle(hFile);9 H) k: Z. q6 T- t: A
      return TRUE;
8 M) k# X# h1 r! S4 @3 P  O' e4 u9 a   }+ z- |) m2 a  a8 c" ~% u5 S9 j
   return FALSE;
' K6 Q6 M9 l3 H7 l}
* `9 I* w. {# z+ L6 L& X/ P  w$ i# j' |+ f+ q2 ?$ e+ m
Although this trick calls the CreateFileA function, don't even expect to be
5 I4 s2 [+ [3 P7 Nable to intercept it by installing a IFS hook: it will not work, no way!
6 Y, f2 _0 ~9 F% m  E7 h2 `5 BIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
, w" U2 O' j3 \3 I! T7 \service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
2 i# y3 d' W! \: K- L! gand then browse the DDB list until it find the VxD and its DDB_Control_Proc& \' ^1 o" D4 {  N) ]/ d3 Q% A9 j
field.9 j, \- j7 x3 C+ M# V& A; G% d: A6 f
In fact, its purpose is not to load/unload VxDs but only to send a : _' E: Q4 r; X
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
9 O6 }2 Q# R6 k' ^0 Cto the VxD Control_Dispatch proc (how the hell a shareware soft could try4 Y' q5 c7 b" O& N" Y0 `$ x
to load/unload a non-dynamically loadable driver such as SoftICE ;-).! ?# S% A8 H( I; }8 u
If the VxD is loaded, it will always clear eax and the Carry flag to allow
: \: M1 i. s& e1 Y1 h4 o7 R9 M. Rits handle to be opened and then, will be detected.9 j6 L; m! V0 w+ J4 t. u
You can check that simply by hooking Winice.exe control proc entry point1 D0 }2 N+ v0 C) I6 u6 J8 ~' h" @) r
while running MeltICE.. o; s  P2 f/ m
8 H% q. @& P4 a5 }# c/ Q6 H

. f& b7 S/ U- o0 D( C) R  00401067:  push      00402025    ; \\.\SICE
: Z7 _7 M# I' R% B6 Z* q( G  0040106C:  call      CreateFileA
. D4 q  w! p3 C0 k3 \8 `6 W) `4 E+ s  00401071:  cmp       eax,-001
% y# q+ T2 E6 L1 Q; |( ~, h  00401074:  je        00401091
# j0 t( M( V! D3 j' K: B& B
4 s* V" ]- c: i
1 Z$ Q  q, m/ I- e' P# ^' W) n- @There could be hundreds of BPX you could use to detect this trick.
3 ?5 O8 m' V5 O5 Y& k. U( l3 Y7 |-The most classical one is:) a- ]' D# r. U+ O
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
" C; Y1 {$ @) a& [3 @# z; y    *(esp-&gt;4+4)=='NTIC'! D- {# n+ s/ C1 D0 f3 h: ]- x
' d4 `& R7 D0 Z1 b* \; _( \( r
-The most exotic ones (could be very slooooow :-(
  U+ t8 F9 T0 Z. I9 @9 U; e" [   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
' B: a1 c# K7 F8 X7 R' z* w     ;will break 3 times :-(, P4 U/ w) ]1 b2 C
3 r9 X; C( H7 a9 M- s4 k2 R
-or (a bit) faster:   ~4 Z) k, s9 s$ G
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
' v9 H; a/ _' c2 R( f8 w$ w6 k* [# @1 _& v+ w7 }) L
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'    f$ x; C3 x: r
     ;will break 3 times :-(
. S; R$ {  X/ q8 }
6 H# ~) J( n8 Y/ Z; t8 B) k-Much faster:% A' A0 Z+ v# W' H0 J. I5 D" s: i
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV': r8 g. }2 q' I- b: i
4 U3 Q- g  V; w
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
$ Q6 z; k& ^/ k. B0 h( l9 Mfunction to do the same job:; n8 P- l3 t( N- @. {4 a

+ [2 @/ d3 P6 [1 I/ u( @$ e9 q   push    00                        ; OF_READ
; m  ?. i/ O+ s( @6 {  m9 k   mov     eax,[00656634]            ; '\\.\SICE',0
* @9 K0 B( X$ S- {   push    eax
: W2 [1 k* ^& D5 J4 H4 }   call    KERNEL32!_lopen/ g( g% B+ Y3 S) d
   inc     eax
! T: A7 m5 e8 x2 z' n: A# `   jnz     00650589                  ; detected4 l  C, V" S% O2 z# P  s
   push    00                        ; OF_READ
4 ~0 A& @5 e  N: o& X4 z( A( |   mov     eax,[00656638]            ; '\\.\SICE'
8 h( K- r% N* p, T" _/ n   push    eax
" T% S1 `- V1 i! T   call    KERNEL32!_lopen6 J' D' L/ [6 p# ?, o5 i
   inc     eax" T, E/ k: h" \4 K: ~
   jz      006505ae                  ; not detected
( {$ o& Y/ E4 Y9 g& U, g! K8 E8 e2 i/ S

/ u/ B. q" J* r3 ]) g9 i' Z__________________________________________________________________________. p3 z' Y3 P5 K+ [( p& \# h

* \0 ?5 h% o+ O$ E* x6 tMethod 12
# z$ ~6 S4 f: V9 A8 G+ w, @=========) _, q% Q) ?  ?9 r- z* M0 M; E
) D, u( m2 r( w" W4 j
This trick is similar to int41h/4fh Debugger installation check (code 05( t6 w: V+ N, e+ |
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
' M4 q1 S' l+ c$ ~8 C4 @as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
3 j* c9 ?( ]- i1 z3 I8 _6 O- {  z0 g
   push  0000004fh         ; function 4fh' N9 A! h+ u/ V7 j& Q; F
   push  002a002ah         ; high word specifies which VxD (VWIN32)
% T, i$ F) ?  [: ~7 V3 P                           ; low word specifies which service6 i0 ?  D& g, t* O2 d& e3 b
                             (VWIN32_Int41Dispatch)7 u& Q% R3 N' J8 u! W
   call  Kernel32!ORD_001  ; VxdCall- W$ m# x# E7 M3 U( L( |
   cmp   ax, 0f386h        ; magic number returned by system debuggers+ C0 T: Y/ j- ]6 K, a- x: `3 `/ i' q
   jz    SoftICE_detected: R6 S  q# V$ ?& {, ^( w

  F. M5 C9 V, l0 ^+ g8 o- DHere again, several ways to detect it:
& A9 j( x. P0 O
9 |/ a5 G! `# t/ c: Z- h    BPINT 41 if ax==4f
$ Y$ H5 A; O) e" s0 _9 G1 f" p) s
5 u1 g+ ]4 @! y    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
2 Q" b3 |8 N1 U+ a* {
0 N9 l, H  y& I7 B) |4 M    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A; v' q* t6 @9 l6 b9 h4 \
: m& |/ Q4 O( b6 G! k) D3 D) ^
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
! X9 W/ d! C& I% E) A* k
" A9 K# _% ^+ D1 z# h__________________________________________________________________________$ Q- W$ w! }8 L) F* t4 P

# u/ G4 [; N, Q2 K4 c2 i( CMethod 13% T- J( M. j5 {, @1 J# [
=========
( g) D3 o% Y! W+ o
( ]( B+ S% {5 j) k; d# ?& J9 SNot a real method of detection, but a good way to know if SoftICE is0 |9 P& h/ f/ {& ?7 p9 N' w
installed on a computer and to locate its installation directory.
# X5 m/ ^: Y( TIt is used by few softs which access the following registry keys (usually #2) :
4 K9 C! Y* \4 o% F$ N. e3 O$ W+ U/ h; T1 H
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion6 S! X9 T5 }6 \. O3 S( Q* {
\Uninstall\SoftICE
8 h& `2 z' v: O-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE- a9 I  e* t$ }% _1 ~2 @" s; }* v# Z
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
! Q5 ^% X, h- B& R5 N\App Paths\Loader32.Exe: i! j" ], u5 t1 L2 k
; M1 `+ ~- T+ H7 m

" _# i6 b" o7 i9 E" qNote that some nasty apps could then erase all files from SoftICE directory+ v# R! S- W# @. V. Q
(I faced that once :-(
6 y1 K! P/ }) `# |3 E) }$ _; q& k4 V2 p, H
Useful breakpoint to detect it:
5 O, ~) x3 r8 n. u- x# U: W! u9 U7 R- y  B) [2 T+ Y' g4 J
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
/ f( b7 k4 v# j3 P- G" ~# b. f; ^4 }& ]# q
__________________________________________________________________________
, C$ _* e" Q6 ~. j9 s
0 P- E- e. {! f3 v9 h' P! |0 n& H7 C- x) V
Method 14
! X. n; U; J4 N- g3 V6 c' ?=========3 P* X3 A, \9 N7 g6 `
9 w. h% r8 n$ d( ?3 T2 C9 e
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
$ g) f0 K, b0 Z, m# W) Q9 zis to determines whether a debugger is running on your system (ring0 only).
. d: ]: W& o3 t+ R
8 [# c3 s! M. M$ m   VMMCall Test_Debug_Installed
+ g! |! ~) ^/ G- Z3 L   je      not_installed
- V' F1 [1 ?% c/ g- {' u0 V9 }  M8 F4 F% d  M1 L
This service just checks a flag.- C- I* Z6 w, R- L0 J
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-6 23:02

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表