About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

(ES must point to segment 0, the interrupt vector table, for the xchg lines to
swap the int 41h vector; Method 06 sets that up explicitly.)

_________________________________________________________________________


Method 06
=========

A 2nd method, similar to the preceding one but more difficult to detect: the
function number in AL comes from the timer port (in al,40h), so no constant
4Fh appears in the code, and the test is whether the program's own int 41h
handler actually ran (CL==AL) rather than which value came back:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
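The checks in Methods 01 to 07 all hinge on fixed immediates (the 'BCHK' dword, the 4647h/4A4Dh magic pair, 1684h/int 2Fh, 4Fh/int 41h, the 0F386h reply, 43h/int 68h), which is what an analyst looks for when triaging a packed sample before running it. The scanner below is an added example for this page, not code from the original article: it searches a byte buffer for the standard x86 encodings of those instructions (an assumption; a leading 0x66 operand-size prefix is tolerated because matching starts at the opcode byte, but register-swapped or obfuscated variants are not handled) and requires paired instructions to sit within a short window, since Method 06 puts other code between them. The sample buffers are constructed here from the page's own listings; the 0F386h pattern also covers the VxDCall variant of Method 12.

```c
/* Static scanner for the immediates the anti-SoftICE checks rely on.
 * Added example, not from the original article. Assumes plain 16-bit real
 * mode or 32-bit protected mode x86 code with the standard encodings. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    SIG_BCHK     = 1u << 0,  /* Method 01: mov ebp,4243484Bh ('BCHK')     */
    SIG_BACKDOOR = 1u << 1,  /* Method 02: mov si,4647h near mov di,4A4Dh */
    SIG_VXD_ID   = 1u << 2,  /* Methods 03/04: mov ax,1684h near int 2Fh  */
    SIG_INT41_4F = 1u << 3,  /* Methods 05/06: mov ax,4Fh near int 41h    */
    SIG_F386     = 1u << 4,  /* Methods 05/07/12: cmp ax,0F386h           */
    SIG_INT68_43 = 1u << 5   /* Method 07: mov ah,43h near int 68h        */
};

static const uint8_t P_BCHK[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,imm32 */
static const uint8_t P_SI4647[]  = { 0xBE, 0x47, 0x46 };             /* mov si,4647h  */
static const uint8_t P_DI4A4D[]  = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh  */
static const uint8_t P_AX1684[]  = { 0xB8, 0x84, 0x16 };             /* mov ax,1684h  */
static const uint8_t P_INT2F[]   = { 0xCD, 0x2F };                   /* int 2Fh       */
static const uint8_t P_AX4F[]    = { 0xB8, 0x4F, 0x00 };             /* mov ax,4Fh    */
static const uint8_t P_INT41[]   = { 0xCD, 0x41 };                   /* int 41h       */
static const uint8_t P_CMPF386[] = { 0x3D, 0x86, 0xF3 };             /* cmp ax,0F386h */
static const uint8_t P_AH43[]    = { 0xB4, 0x43 };                   /* mov ah,43h    */
static const uint8_t P_INT68[]   = { 0xCD, 0x68 };                   /* int 68h       */

/* Offset of the first occurrence of pat at or after `from`, or -1. */
static long find_pat(const uint8_t *buf, size_t n, const uint8_t *pat, size_t plen, size_t from)
{
    for (size_t i = from; i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

/* True if some occurrence of b starts within `window` bytes after the end of
 * some occurrence of a (the instructions need not be adjacent). */
static int near_pair(const uint8_t *buf, size_t n, const uint8_t *a, size_t alen,
                     const uint8_t *b, size_t blen, size_t window)
{
    for (long pa = find_pat(buf, n, a, alen, 0); pa >= 0;
         pa = find_pat(buf, n, a, alen, (size_t)pa + 1)) {
        long pb = find_pat(buf, n, b, blen, (size_t)pa + alen);
        if (pb >= 0 && (size_t)pb - ((size_t)pa + alen) <= window)
            return 1;
    }
    return 0;
}

#define PAT(p) p, sizeof p

/* Returns a bitmask of SIG_* hits for the buffer. */
unsigned scan_anti_softice(const uint8_t *buf, size_t n)
{
    unsigned hits = 0;
    if (find_pat(buf, n, PAT(P_BCHK), 0) >= 0)                 hits |= SIG_BCHK;
    if (near_pair(buf, n, PAT(P_SI4647), PAT(P_DI4A4D), 16) ||
        near_pair(buf, n, PAT(P_DI4A4D), PAT(P_SI4647), 16))   hits |= SIG_BACKDOOR;
    if (near_pair(buf, n, PAT(P_AX1684), PAT(P_INT2F), 16))    hits |= SIG_VXD_ID;
    if (near_pair(buf, n, PAT(P_AX4F), PAT(P_INT41), 32))      hits |= SIG_INT41_4F;
    if (find_pat(buf, n, PAT(P_CMPF386), 0) >= 0)              hits |= SIG_F386;
    if (near_pair(buf, n, PAT(P_AH43), PAT(P_INT68), 16))      hits |= SIG_INT68_43;
    return hits;
}

/* Constructed samples: Method 01 assembled as 16-bit code, the Haspinst.exe
 * fragment of Method 02, the simplest Method 05 check, and a harmless
 * prologue/epilogue with none of the patterns. */
const uint8_t SAMPLE_M01[]   = { 0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC,
                                 0x3C,0x04, 0x75,0x03 };
const uint8_t SAMPLE_HASP[]  = { 0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46,
                                 0xBF,0x4D,0x4A, 0xCC };
const uint8_t SAMPLE_M05[]   = { 0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05 };
const uint8_t SAMPLE_CLEAN[] = { 0x55, 0x8B,0xEC, 0x33,0xC0, 0x5D, 0xC3 };

int main(void)
{
    struct { const char *name; const uint8_t *buf; size_t n; } s[] = {
        { "method01", SAMPLE_M01,   sizeof SAMPLE_M01   },
        { "haspinst", SAMPLE_HASP,  sizeof SAMPLE_HASP  },
        { "method05", SAMPLE_M05,   sizeof SAMPLE_M05   },
        { "clean",    SAMPLE_CLEAN, sizeof SAMPLE_CLEAN },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-9s hits=0x%02x\n", s[i].name, scan_anti_softice(s[i].buf, s[i].n));
    return 0;
}
```

The paired-pattern windows (16 or 32 bytes) are a deliberate trade-off: wide enough for the Stone variant, narrow enough that an unrelated `int 41h` elsewhere in the file does not pair with a distant `mov ax,4Fh`.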

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________
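The two constants quoted above are easier to reason about once DR7 is split into its fields: 0x400 is only the reserved bit 10, which always reads as 1, while 0x700 adds the LE and GE "exact breakpoint" bits 8 and 9; any BPM shows up instead in the L0..L3/G0..G3 enable bits and the R/W and LEN fields at bits 16..31. The decoder below is an added example for this page, not code from the original article; it applies the documented IA-32 DR7 layout to a 32-bit value as the trick reads it, and the `classify_dr7` verdicts and the sample values are constructed here.

```c
/* DR7 decoder for the values the Debug Register trick compares against.
 * Added example, not from the original article. Bit layout is the documented
 * IA-32 one: bits 0-7 L0,G0..L3,G3; bit 8 LE; bit 9 GE; bit 10 reserved (1);
 * bit 13 GD; bits 16+4i..17+4i R/Wi and 18+4i..19+4i LENi for DRi. */
#include <stdint.h>
#include <stdio.h>

struct dr7_bp { int local, global, rw, len_bytes; };

struct dr7_fields {
    struct dr7_bp bp[4];   /* control fields for DR0..DR3 */
    int le, ge;            /* local/global exact breakpoint enable */
    int gd;                /* general detect: trap on any DRx access */
    int any_bp_enabled;    /* some Li or Gi bit is set */
};

struct dr7_fields decode_dr7(uint32_t dr7)
{
    /* LEN encoding: 00=1 byte, 01=2 bytes, 11=4 bytes, 10=8 bytes (64-bit only) */
    static const int len_tab[4] = { 1, 2, 8, 4 };
    struct dr7_fields f = { { { 0, 0, 0, 0 } }, 0, 0, 0, 0 };
    for (int i = 0; i < 4; i++) {
        f.bp[i].local     = (dr7 >> (2 * i))      & 1;
        f.bp[i].global    = (dr7 >> (2 * i + 1))  & 1;
        f.bp[i].rw        = (dr7 >> (16 + 4 * i)) & 3;  /* 0=exec 1=write 2=I/O 3=read/write */
        f.bp[i].len_bytes = len_tab[(dr7 >> (18 + 4 * i)) & 3];
        if (f.bp[i].local || f.bp[i].global)
            f.any_bp_enabled = 1;
    }
    f.le = (dr7 >> 8) & 1;
    f.ge = (dr7 >> 9) & 1;
    f.gd = (dr7 >> 13) & 1;
    return f;
}

/* Constructed verdicts: what a reader of DR7 can conclude. */
enum dr7_verdict { DR7_IDLE = 0, DR7_EXACT_FLAGS = 1, DR7_BPM_SET = 2, DR7_GD_SET = 3 };

enum dr7_verdict classify_dr7(uint32_t dr7)
{
    struct dr7_fields f = decode_dr7(dr7);
    if (f.gd)             return DR7_GD_SET;      /* someone guards the DRx themselves */
    if (f.any_bp_enabled) return DR7_BPM_SET;     /* a hardware breakpoint is armed */
    if (f.le || f.ge)     return DR7_EXACT_FLAGS; /* the 0x700 pattern */
    return DR7_IDLE;                              /* the 0x400 baseline */
}

/* Arm a local breakpoint on DRn with the given R/W and LEN codes (for the demo). */
uint32_t dr7_enable_local(uint32_t dr7, int n, int rw, int len_code)
{
    dr7 |= 1u << (2 * n);
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= ((uint32_t)(rw & 3) << (16 + 4 * n)) | ((uint32_t)(len_code & 3) << (18 + 4 * n));
    return dr7;
}

int main(void)
{
    uint32_t samples[] = { 0x400, 0x700, dr7_enable_local(0x700, 0, 3, 3) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_fields f = decode_dr7(samples[i]);
        printf("dr7=0x%08x verdict=%d le=%d ge=%d dr0: L=%d rw=%d len=%d\n",
               samples[i], classify_dr7(samples[i]), f.le, f.ge,
               f.bp[0].local, f.bp[0].rw, f.bp[0].len_bytes);
    }
    return 0;
}
```

Reading DR7 this way also explains why the article warns against tracing while the option is enabled: a BPM set by the debugger is visible in exactly these bits, and a program that clears them silently disarms it.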

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the SoftICE VxD is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
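The CreateFileA breakpoint of Method 11 and the _regopenkey breakpoint above are the same idea: compare four bytes at a fixed offset of the string argument. Offset 4 of "\\.\SICE" is the device name after the "\\.\" prefix, and offsets 0x13 and 0x37 are where "SoftICE" ends in keys #2 and #1 respectively, so 'tICE' lands there. The code below is an added example for this page, not code from the original article: `bpx_tag_at` does literally what the BPX conditions do, and beside it are the robust checks an API monitor would use for the two arguments (the `\\?\` prefix and case-insensitive matching are assumptions about how such a monitor should generalise; the device and key names are the ones the article lists, and the sample arguments are constructed).

```c
/* Hook-side classifiers for the CreateFileA and RegOpenKey arguments the
 * MeltICE (Method 11) and registry (Method 13) tricks use.
 * Added example, not from the original article. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive string equality (Win32 device and key names are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Exactly what the BPX conditions test: the 4 bytes at offset `off` equal `tag`.
 * Fixed offset and exact case, so it misses "\\.\siwvid" or a reordered key. */
int bpx_tag_at(const char *s, size_t off, const char *tag)
{
    return s && strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* Robust check for CreateFileA / _lopen arguments: returns the SoftICE device
 * name the path opens, or NULL if it is not one of them. */
const char *softice_device_from_path(const char *path)
{
    static const char *const names[] = { "SICE", "SIWVID", "NTICE" };
    if (!path) return NULL;
    if (strncmp(path, "\\\\.\\", 4) != 0 && strncmp(path, "\\\\?\\", 4) != 0)
        return NULL;                           /* not a device namespace path */
    path += 4;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (ieq(path, names[i]))
            return names[i];
    return NULL;
}

/* Robust check for RegOpenKey subkeys: 1, 2 or 3 for the keys of Method 13, else 0. */
int softice_registry_key(const char *subkey)
{
    static const struct { int id; const char *key; } keys[] = {
        { 1, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE" },
        { 2, "Software\\NuMega\\SoftICE" },
        { 3, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" },
    };
    if (!subkey) return 0;
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (ieq(subkey, keys[i].key))
            return keys[i].id;
    return 0;
}

int main(void)
{
    /* Constructed arguments, as an API monitor would see them on the stack. */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\siwvid", "\\\\?\\NTICE", "\\\\.\\C:", "C:\\SICE" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                            "Software\\NuMega\\Other" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        const char *d = softice_device_from_path(paths[i]);
        printf("%-14s bpx=%d device=%s\n", paths[i],
               bpx_tag_at(paths[i], 4, "SICE"), d ? d : "-");
    }
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("key #%d bpx=%d  %s\n", softice_registry_key(keys[i]),
               bpx_tag_at(keys[i], 0x13, "tICE") || bpx_tag_at(keys[i], 0x37, "tICE"),
               keys[i]);
    return 0;
}
```

The printed rows make the gap visible: the fixed-offset test fires on "\\.\SICE" but not on a lower-case "\\.\siwvid", whereas the robust check classifies both, which is the difference between a quick SoftICE breakpoint and a rule you would keep in a monitor.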


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>