找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
+ z0 A. n, K! t6 P<TBODY>1 P! L3 x' a& o7 V
<TR>; W/ s8 u. p, P! @$ \$ O, Y# Z
<TD><PRE>Method 01 " |1 n* Q4 @3 l+ K
=========& G3 C  G; A# t2 t0 D: U' M

- ]$ T+ i) X+ o: cThis method of detection of SoftICE (as well as the following one) is6 f) F" B/ W" x
used by the majority of packers/encryptors found on Internet.: k% S8 u9 I( _9 @
It seeks the signature of BoundsChecker in SoftICE  b: `' ]) C$ t( m( Y: F

  S* b; M% z) ?- U& ?    mov     ebp, 04243484Bh        ; 'BCHK'% R- l5 V+ T' x* F* v
    mov     ax, 04h
1 I0 f1 k; Y$ {$ E3 d+ T6 _' r    int     3      
+ \- Z  U, y+ k* s2 B    cmp     al,4
) S" Z4 T9 |5 l( |5 B7 n0 }    jnz     SoftICE_Detected; P" a0 Y( h- `2 z

. E+ p1 @  \/ I  o) c& I# g- a___________________________________________________________________________
, j3 Q% M7 P. X/ o9 ?8 S7 d
* G3 O( G  g$ M" D1 H  yMethod 022 }% S1 ~6 O& z  W1 }: N2 e) E
=========
0 |* T* \  B2 n& b& G# p
" ?9 ~7 J* n5 MStill a method very much used (perhaps the most frequent one).  It is used; z4 I6 a, ~# w: o6 C
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,' F# r9 F- q1 o. b" g. N; O" ]
or execute SoftICE commands...* a* S$ \: a: T# W5 |
It is also used to crash SoftICE and to force it to execute any commands9 {& E4 u( P: g: |  Z
(HBOOT...) :-((  
6 W3 ]+ N  {5 Z$ u. H' j* F( q) H, w& s. R( f% S$ u4 \
Here is a quick description:6 |' s! {8 v7 g% I7 |5 }
-AX = 0910h   (Display string in SIce windows)
! }" j1 D% Q, `$ Q. f# z: X2 B-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
9 J2 P. U& Q' O7 n) s( K-AX = 0912h   (Get breakpoint infos)
' |/ I/ _# ]6 J0 D, B* t% k-AX = 0913h   (Set Sice breakpoints)3 z$ ~. t3 A) g+ V; h3 W
-AX = 0914h   (Remove SIce breakoints)
/ r$ k3 ~0 ~$ f+ {
! u6 s- [# t1 |0 V0 g4 U" N9 C: k' rEach time you'll meet this trick, you'll see:5 _2 G! u* k; i/ u4 p* u5 }8 L
-SI = 4647h
: K# f% k6 R* l-DI = 4A4Dh5 B9 Y' R  n! k* y
Which are the 'magic values' used by SoftIce.
0 f. n, ^+ x. \' v6 pFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
6 Z$ H' [0 X4 ?1 Z: G" Y
2 S9 I6 c  H0 F% f$ s' c* B- g3 NHere is one example from the file "Haspinst.exe" which is the dongle HASP) B; {1 X. J' j" ?! I4 h
Envelope utility use to protect DOS applications:1 _7 A7 l6 o( w  @5 _4 d

: U, R& m9 c+ R0 }  d/ l; Y$ `
, A3 Q, }  X  U+ R# p# W4C19:0095   MOV    AX,0911  ; execute command.
$ k  N8 X5 f9 w( _" Q! C  \% @" U4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).+ n' u4 |( @1 p, p5 H% g+ u! v% o; j
4C19:009A   MOV    SI,4647  ; 1st magic value.
2 E# G* b. ]' \+ u; w7 b, |4C19:009D   MOV    DI,4A4D  ; 2nd magic value." g4 Z6 m% ]$ C: J
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
0 P; V4 R7 W9 Q5 }& L4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute6 T* G( z) u) F" ~! w
4C19:00A4   INC    CX
3 F' N- B8 C4 h7 B4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
. @9 [: ^1 R4 G2 W7 ?4C19:00A8   JB     0095     ; 6 different commands.
9 u& @0 c- s1 _& C0 d4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
& Z( w; u+ I5 m  q2 k6 a, s/ B* {( n4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)' D1 a2 N& `9 @- a  Y( M5 L
* h$ @  g' K% ^8 T7 b; l; b8 V' |
The program will execute 6 different SIce commands located at ds:dx, which4 X# S+ ^: o2 W6 O& M" {
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
1 Z  I( ?; o3 S, I5 I( f8 g% u' [! O  J
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.. X0 t7 P: E9 y% Y3 O6 P5 g
___________________________________________________________________________
* y  _7 `$ d; \7 h3 n/ r: F* n- T  o$ z/ t2 z* u# X

# N2 e* K' V  L9 zMethod 03
# E# J2 u  S8 ^; D, q) i7 ~+ j=========
5 ^5 z8 f5 D+ Y2 X7 [
/ L- p. @. C* y2 {7 x8 o/ M$ c+ {Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h/ e* H5 A3 x% u0 p
(API Get entry point), p" c0 \) s& Q. g# h3 ?
        
  ~0 ]0 z) S; p. O8 g
. O: p( V7 s  s) P3 j& e7 b    xor     di,di
6 r3 ^$ U& E3 f1 l% b+ C1 l- o    mov     es,di" R2 X# K2 y( U7 `' E+ c' T
    mov     ax, 1684h       6 Q) u: y" `$ B* X2 g1 W$ f6 w* o
    mov     bx, 0202h       ; VxD ID of winice
! N" p, b! g; D8 |9 x    int     2Fh
8 c% X9 e1 f4 S( G" {5 X    mov     ax, es          ; ES:DI -&gt; VxD API entry point% s8 ]  v( J7 E2 X
    add     ax, di+ c, s0 n2 U' h3 ~- n1 [
    test    ax,ax( t. _) O" e, o
    jnz     SoftICE_Detected5 |9 M) o  N; _  S* ^7 d
$ _% g: ~8 R* W- F$ d: Q
___________________________________________________________________________3 ^% \" O5 c' H/ C  Z

9 m, g9 ~  k3 Q8 W1 k* q+ {Method 04. i. }7 J% z0 L) I9 O
=========. R+ x, J$ u1 X: O& r$ }# f- F5 @

- \6 C0 ]/ Z: ]1 c7 C  m  ?Method identical to the preceding one except that it seeks the ID of SoftICE% T3 k, _/ R$ ?9 Y" I" @4 m
GFX VxD.
8 l7 `9 T, F; i( ?" y( g$ m5 g, [* W& `# }, A$ n6 V
    xor     di,di6 Z5 }9 T0 D8 z# O' g
    mov     es,di; L& z! i5 U' J0 B0 Y) i( K
    mov     ax, 1684h      
" K7 x& d/ J+ l; t, S: }    mov     bx, 7a5Fh       ; VxD ID of SIWVID
5 _% [( |8 h' D( B- Z& T( Q+ x    int     2fh: g: c/ n/ Y9 o! \) A- _4 u+ w
    mov     ax, es          ; ES:DI -&gt; VxD API entry point3 y  @; o% U% Q: S3 l1 \) `3 C
    add     ax, di
! B% A. u0 }) M* k/ i! l    test    ax,ax/ B7 n" ?3 F2 \- l9 e
    jnz     SoftICE_Detected5 B4 h) S0 X, a- c( M$ S( i
* F( j- |+ @" N% ?0 I# @! m
__________________________________________________________________________
* q0 `; d2 F" J3 {& j- m' L) [1 N
1 o+ A# N' Y' I* a2 j  g' g+ Y) u5 Y0 T$ w# N/ z4 ?; W
Method 05# R. Z( t4 w) z, q& k
=========! c+ K9 ?2 Q. V9 l0 p7 _

+ W0 g) r; t" ?- r8 u2 `Method seeking the 'magic number' 0F386h returned (in ax) by all system
1 \/ R- V3 _" S2 t( f# m  n' idebugger. It calls the int 41h, function 4Fh.$ q& l/ n1 c3 g6 T+ q
There are several alternatives.  - i1 n1 r- }# U2 q3 s2 e# X# _

* }- b& s' c) Z9 V2 ]2 S9 eThe following one is the simplest:. N! }+ d. \4 R, a
5 s3 a5 V0 }2 G8 U
    mov     ax,4fh
0 F! n) i8 U' {1 o    int     41h# c* c/ P! @& l
    cmp     ax, 0F386, n+ ~, @7 M: \! c4 W1 Y
    jz      SoftICE_detected
+ c: i% n1 U7 ]. ?! V% f/ x% u2 v; K1 Y& d* H
; z, i- x8 q, K1 T4 `1 W8 Q
Next method as well as the following one are 2 examples from Stone's 7 n, z3 I3 h, q6 k0 B8 t
"stn-wid.zip" (www.cracking.net):
! a1 \; f2 Y0 p( J# u
# n* i1 k0 K0 j1 U    mov     bx, cs
6 D5 `4 y, L, @& I0 r    lea     dx, int41handler2
. n3 E, o# `- c  u6 {' d0 V7 ]$ a    xchg    dx, es:[41h*4]9 L& [& u8 H  w( T. R$ D& G
    xchg    bx, es:[41h*4+2]  B) Q  o7 \! Y$ U- t
    mov     ax,4fh. m* H- k; w; g- G- ?( K) u, J
    int     41h
; z8 }$ L6 t* Q7 d/ `) l3 o    xchg    dx, es:[41h*4]' A7 U- a! x9 u
    xchg    bx, es:[41h*4+2]6 P% c/ ?$ n9 {
    cmp     ax, 0f386h
8 V* j. F+ X+ n, `! n4 d$ m    jz      SoftICE_detected% v, @$ B1 Y! q/ ]3 D* P

9 ]: @, W* \8 ]- J+ h9 Dint41handler2 PROC9 h' }% N% B) J7 R1 M
    iret4 ?7 s$ \8 N- E3 L6 m8 x6 K
int41handler2 ENDP/ Y' n8 c- y! l7 i, G
6 x8 _2 Z  C1 z" q- _
7 _% P; I9 T  b. r
_________________________________________________________________________
! l9 S) j, K! t7 a1 O9 L9 s! S: v8 Q: L

0 |5 K/ H/ E( Y+ ], `$ JMethod 06, [% F8 {) \6 L% M
=========
  d- t, T, O$ j7 R+ Q& q8 w/ D6 g% i
. k! h  b( ^* |- H/ H9 k$ P  P3 f
2nd method similar to the preceding one but more difficult to detect:' n5 g2 Q- l! W0 E
' w0 g8 q, D2 M: u

5 u, d' R" I# R3 W6 e  @1 mint41handler PROC# Z( a3 A) p( g1 d
    mov     cl,al) ]( N9 z$ J; f6 n
    iret
) X* r5 l$ n, `# v9 J( X* Iint41handler ENDP
2 G8 J/ T0 j* L9 N: x3 n/ O( Y" \7 W/ ^$ N2 Q4 _
* T. h3 t9 g0 [& K7 t$ v- E
    xor     ax,ax
$ r. w' m6 |, d' d' t4 Z    mov     es,ax
6 x% S  a7 K" ?/ F* ]    mov     bx, cs1 b: U- E9 O6 ?( M3 ]. Z& `
    lea     dx, int41handler' l- u. U$ O  O2 z( }5 T+ ^% j
    xchg    dx, es:[41h*4]
; M; ~/ Y2 l+ Q( n  T: v0 Q6 [    xchg    bx, es:[41h*4+2]
( l! u9 W3 r: U3 {" x: q) i9 B* k    in      al, 40h- P, v1 [" N3 @3 U3 B8 _2 x; B
    xor     cx,cx
# d' I8 ]; R, v# ]    int     41h
/ i) U; R/ \. P0 i* B    xchg    dx, es:[41h*4]$ v* N! p' n4 r6 N* T
    xchg    bx, es:[41h*4+2]
" v- B; q) }' C5 V$ s+ l& ?+ i5 X    cmp     cl,al
% J+ P0 g& o; X4 S! ^; h    jnz     SoftICE_detected
6 g; N  ~- G8 j& I  R, g/ n+ H
- B! |% ]5 z" S/ u* Q7 Y. t4 }% h2 I0 Z_________________________________________________________________________
, C  e( |2 t2 e7 J/ k/ b# G1 Y/ O% O! P3 D8 @  \
Method 07
# g7 l4 ^" p9 K* w% I  v$ x=========/ d( F+ j9 k. `# ~; i* m: d

: u" S: _' Y# A! k: Z2 l$ h6 H/ MMethod of detection of the WinICE handler in the int68h (V86)1 _$ ?5 e2 \2 v2 _: l0 m

/ k( y2 S& X0 K: N    mov     ah,43h6 C# L9 A$ o4 m
    int     68h
! ^1 k. H) ]/ ^0 q$ o2 i    cmp     ax,0F386h
. u# h: h0 s$ m8 {    jz      SoftICE_Detected
# F2 F5 L: i% F$ U
  a+ \! T* T# s0 B( _; v2 _6 Y
  `( V9 {- T2 t: m+ S1 t=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
' w) A# M- N( c5 A   app like this:
( l2 y9 m# T' {- `
0 o7 b7 u3 N: I. W8 t, U8 ~& @: d   BPX exec_int if ax==68. l4 R: k+ F/ Z/ N2 }; y2 j. K. T; k
   (function called is located at byte ptr [ebp+1Dh] and client eip is
/ R# c% _  X0 Q2 D" K% U   located at [ebp+48h] for 32Bit apps)
. `2 {2 m% i& ?+ W4 Z/ B5 i__________________________________________________________________________3 X3 N* t3 h) `% R) |9 [' Z$ H

3 F' ^; w, i3 }( }& ]- [
) e7 y- F' U7 g6 i1 o6 c( Q0 |Method 08! v5 }, ?) x- N" `
=========
, B* t! |/ K/ h  S% A. w2 c; _. y# o. B& n7 \
It is not a method of detection of SoftICE but a possibility to crash the
  X( p0 p$ F, asystem by intercepting int 01h and int 03h and redirecting them to another
& k  g; _) E9 f9 ^" nroutine.+ ?+ |( D1 Z5 l/ H' f
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
! S! p2 T, N; M3 A* t# W6 ]: Sto the new routine to execute (hangs computer...). x  d9 i% B( P: K( S$ Q" P
4 b3 g0 ?; G& U
    mov     ah, 25h5 W1 d3 s5 Q. j" v" b8 N& {
    mov     al, Int_Number (01h or 03h)# R7 N5 }. t! ]/ `9 m5 g5 W
    mov     dx, offset New_Int_Routine$ j. S3 D* N/ s/ p1 q
    int     21h7 ~. X2 ?7 F, }: _

$ l+ x; K9 `  y" {. X% g6 a, F__________________________________________________________________________
/ g4 }' @) Y' W$ i- T
# F. S" W2 ~" FMethod 090 d( Q% L' s% O1 k
=========2 c9 G' B8 E9 L. R1 i
' _/ S1 {* v, w6 R# i) p* K
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
1 l( M! k% O9 l0 Zperformed in ring0 (VxD or a ring3 app using the VxdCall).8 M6 A2 V  I5 t0 Y. X
The Get_DDB service is used to determine whether or not a VxD is installed
% L  @; `  z) s& ^3 x, M* ufor the specified device and returns a Device Description Block (in ecx) for
% G5 G7 p$ R5 n/ q3 [; u5 t; gthat device if it is installed.
4 e' V( K6 _+ n
! _$ t! u! W  Y0 s6 K* K5 ]. y   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
9 G1 S+ n6 C4 A- @' }   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-), [8 t3 W% p& F
   VMMCall Get_DDB& g0 |1 ~4 B, [8 @. q0 q
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed+ A1 w: l: Y/ z; N; a* X
; r7 m+ R' ^# j& F( T
Note as well that you can easily detect this method with SoftICE:+ l7 I$ p5 [4 V
   bpx Get_DDB if ax==0202 || ax==7a5fh
6 S0 r" Y0 }$ L( D3 O3 J$ k7 H
1 {5 ?* t; n% ]__________________________________________________________________________
5 L: V/ Y3 S2 U% U
+ E. W& u8 t) v& LMethod 10
) \* b3 `5 p" D1 H=========1 z* r8 O+ t- m3 z* S1 O7 r% t
2 E  e6 \- i* }* A, L
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with% Q4 F  C5 U3 \: {' A
  SoftICE while the option is enable!!
: T; A  R2 L! e) D( g) e3 }; m  ]' W' [, f* L# r" @) E2 v
This trick is very efficient:
2 I: D+ t1 d  z6 I8 h/ Oby checking the Debug Registers, you can detect if SoftICE is loaded
- t' |& _$ j# T/ Q' R, m4 |1 h(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
: F/ Q9 T& M8 @2 @9 t' W- jthere are some memory breakpoints set (dr0 to dr3) simply by reading their1 e5 B* Z" v2 ]2 R
value (in ring0 only). Values can be manipulated and or changed as well
3 a, Q1 b2 O* ](clearing BPMs for instance)1 U: `- M8 P. f5 ^' _

5 e9 Y& C* i, ]( H1 O* o' ^__________________________________________________________________________
7 y, l+ Z: `3 |6 q5 V, C, {( V$ v" V6 @) N, B
Method 115 l6 m4 u" k; W" Q) M: u' w
=========8 w! D4 ^% O; r! [
% |! p5 e+ V) a% v/ s9 ?& [3 _
This method is most known as 'MeltICE' because it has been freely distributed
, M8 |* u6 d( J# i3 \via www.winfiles.com. However it was first used by NuMega people to allow
) Z  R; ]2 ]  }, t0 wSymbol Loader to check if SoftICE was active or not (the code is located2 w- G" }  \- Z6 W3 P, f
inside nmtrans.dll).8 _& |- y/ w' L0 O: Y

( t# g$ ~- C5 i1 a7 A. aThe way it works is very simple:
; v$ l8 y6 p$ y/ `" X' y9 E& x9 pIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
# R' |) y  x, v0 }: n- h# F/ s6 d* ]WinNT) with the CreateFileA API.
( c: N, x# G# w9 ^% F9 }& v9 ?
1 m! g2 U, x/ g( y3 l- \Here is a sample (checking for 'SICE'):
1 i& L6 [* U5 N% X- b, n% m  h0 n8 N+ h. P
BOOL IsSoftIce95Loaded()
* v1 }% `- r! I9 L2 z{7 w# c% E- S+ [
   HANDLE hFile;  
. t! R" `  K+ N# M" |1 w$ W; p8 L   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,- p  }$ x# u& e0 J- d
                      FILE_SHARE_READ | FILE_SHARE_WRITE,- ~6 |$ M! e  K
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
* P1 p& Z" C- X5 C% a8 b+ E9 a   if( hFile != INVALID_HANDLE_VALUE )3 L$ J8 F6 s$ s
   {) F4 w9 X2 U) g% L8 G  k5 b2 x
      CloseHandle(hFile);
# P/ \3 n6 G/ n8 [% b# T      return TRUE;
  }' m5 N5 ~6 ?# E   }8 X" w, b" m3 Z$ [  o# D
   return FALSE;7 E7 N$ D# r$ t" O
}
* q  }8 x5 ?4 C4 n0 i
; r! _1 g# J7 @; u/ D! [& }Although this trick calls the CreateFileA function, don't even expect to be
7 y, Z, j0 F, S9 Y3 L* Uable to intercept it by installing a IFS hook: it will not work, no way!, O. i% u: z) N9 ^% x% Q8 _2 ?2 ?
In fact, after the call to CreateFileA it will get through VWIN32 0x001F( ?5 Y2 B2 a3 }& H. D+ W
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
: [) C+ {2 b, b7 H; Z& X2 D5 Xand then browse the DDB list until it find the VxD and its DDB_Control_Proc( u4 [, I- r6 a' A5 d' j7 u
field." A  L% J- S. H4 P
In fact, its purpose is not to load/unload VxDs but only to send a 7 U8 U: ]8 _% J
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)1 Q3 s" ~" J+ u3 T. T
to the VxD Control_Dispatch proc (how the hell a shareware soft could try8 K* i% M4 B' y  s" y8 x
to load/unload a non-dynamically loadable driver such as SoftICE ;-).% C$ `7 v5 z. d1 `1 N+ G: |* X
If the VxD is loaded, it will always clear eax and the Carry flag to allow6 N( V: _- a  j# C! K
its handle to be opened and then, will be detected.
/ U6 H: G; l& h& W3 C  h  ^2 YYou can check that simply by hooking Winice.exe control proc entry point
9 u7 ?1 J$ ]+ Jwhile running MeltICE./ W* f7 x; C# j- Y! N8 l

, B2 y# \# p' m' ]/ ^& f# r0 P; X  ]  y
  00401067:  push      00402025    ; \\.\SICE
! u- W. d1 ^+ y" ?6 ^; p  0040106C:  call      CreateFileA! l9 g7 ]2 I/ Y# j$ H6 x
  00401071:  cmp       eax,-001
4 o' w9 g: S) E8 E: d% w! x3 u  00401074:  je        004010918 P; f" H1 U" Y4 \
$ ?* j# s7 Q% }, v7 B4 f. b

( e& e! l: i3 KThere could be hundreds of BPX you could use to detect this trick.
6 F  e- _# J( t$ h-The most classical one is:
8 I  t; X. m6 w& A- B5 Q5 e  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
" q, @0 O1 F7 i6 S3 U    *(esp-&gt;4+4)=='NTIC'
; l+ N1 Z- |3 a
/ {; Y) e3 E* [& ^-The most exotic ones (could be very slooooow :-(
9 M9 ]- f+ h' p5 \+ Y   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  8 }3 J8 K' S" N4 n7 t
     ;will break 3 times :-(
& a$ w" l: p- `9 ~/ k: W$ B* L* O+ I# v' ^3 ?. @
-or (a bit) faster:
: A  V4 @3 X; k* `  S   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
# R6 A2 A( u) M
1 N# t" r) H' A1 \+ O9 ?   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  9 R+ Y3 ]+ z/ n0 v* l8 X
     ;will break 3 times :-(1 Y" E# Y$ h& E5 q2 N

" t  @7 i+ v0 m! T1 t; r) R-Much faster:  E0 b) }& E) c3 {4 ?3 {
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
, t# j6 d# x. X, j
  B7 k& J3 M. \2 b  s! qNote also that some programs (like AZPR3.00) use de old 16-bit _lopen  c2 D- h& @/ g7 h5 ?1 n5 s: X0 m3 y
function to do the same job:
5 W* h' A7 P, ]* V8 L) d
4 i! l4 l" t" s9 j  U   push    00                        ; OF_READ+ h& ]0 J/ x. z  Q0 [4 \
   mov     eax,[00656634]            ; '\\.\SICE',07 C6 w' h* J% Y& L3 A$ v7 S& H+ T- ?
   push    eax# X, S4 W) L: ]$ l
   call    KERNEL32!_lopen2 ~9 `0 ~1 y# ~" O# ?) I: G6 l
   inc     eax
6 Y" ^  g3 c" U) @, a   jnz     00650589                  ; detected% s/ L$ Z9 H+ \! q; A8 Z
   push    00                        ; OF_READ
% g: U" K, v3 v2 H' N1 ^2 i   mov     eax,[00656638]            ; '\\.\SICE'# G5 w0 E- ^1 V! @* p! Z) m" s
   push    eax
8 P# v# b& r. ~& i+ a   call    KERNEL32!_lopen2 ^1 l0 M9 N! `* b% e
   inc     eax0 T0 G1 a$ I0 N$ z; g7 ]8 V0 L
   jz      006505ae                  ; not detected
! F: q/ K4 J( R- R/ F; V2 r' Q- ?: k
  d# K3 a4 \9 }& g1 |9 A, M
__________________________________________________________________________4 ]! ~* u6 ?/ R0 `* f

8 ]  E; X" v- |7 Z( kMethod 12
& g- t0 \$ ~3 G5 G8 W=========
6 {2 D: [* a' ~- M) T3 ?, W/ a! u# r# d; X2 x" e
This trick is similar to int41h/4fh Debugger installation check (code 05  e0 m; |. t( p3 |8 n. F! i
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
: @8 {* c3 a& W1 F8 H  _2 L9 Eas it uses the VxDCall backdoor. This detection was found in Bleem Demo.5 k* e2 E5 N- ]2 l- b9 G. y% @' Z

. G( z* P& c$ U$ G6 [   push  0000004fh         ; function 4fh6 q/ U9 F" R0 h3 U' Z. W
   push  002a002ah         ; high word specifies which VxD (VWIN32)' O" ?8 k' C1 Z  D
                           ; low word specifies which service5 t3 W& B1 J2 O( N+ ~( Z
                             (VWIN32_Int41Dispatch): W6 P2 g+ C& q/ c, _5 m
   call  Kernel32!ORD_001  ; VxdCall
7 e; i' ?" a% v( {* R   cmp   ax, 0f386h        ; magic number returned by system debuggers
$ ^: J1 V1 }/ x  }  v4 q+ s   jz    SoftICE_detected" _+ S$ i# p6 ?  V* M! b

5 x/ a0 }& i* `7 S( W# lHere again, several ways to detect it:, ^- u2 g0 u/ Z/ k) l

: P3 U; p5 l7 o  g! b+ K* ]  N    BPINT 41 if ax==4f$ B! C- D7 z$ b3 a  l' l$ a8 E! v

3 m7 u4 v/ B# N$ s9 b% q2 A    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
6 i3 G- f' F% f0 u: q/ H  r+ r8 i& C- c5 j+ n" C2 E. {
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
) {, J; E: Y6 z& ~+ G; Y  v$ G8 M
1 |! C( \4 }1 a$ y    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!- K' g# j6 s' ~/ E% [; O

- u& q' Z6 f" N( O# e9 d# x& D__________________________________________________________________________4 S5 O5 d6 X9 `5 y
. U8 |2 v* f: f6 R
Method 13
, l7 R  Z. u% R& y+ ?, z=========9 A+ ?  z& _. K2 O- B. X# k

. \% R/ D7 l# K% ]& p! t" `9 PNot a real method of detection, but a good way to know if SoftICE is2 L- y8 y6 a+ g$ z% H- T
installed on a computer and to locate its installation directory.
1 J. w$ e& f2 M7 ~5 E4 b' |$ ]1 zIt is used by few softs which access the following registry keys (usually #2) :
" ~" y5 U: k3 w. b! |: f% o# i7 n) {9 e9 e1 Z- [9 W$ _) s5 J
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
+ X* V0 u) n1 {1 D\Uninstall\SoftICE  n, _* f% C1 n( v
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE* A: K9 V- G- t% x* i! `
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
. G( M  j! ^7 W- U\App Paths\Loader32.Exe
: A+ Y+ s* P# p! d; o) ?# J3 t! @
$ A7 {/ X  x7 B, [7 z# Z
" z) R7 W) y  z- B6 n0 BNote that some nasty apps could then erase all files from SoftICE directory0 {1 Q) [7 c, {$ u6 Y/ ^) {* N
(I faced that once :-(% e( E7 U" p5 d1 k
$ z' r! |  X- O* g/ D9 N. b# m
Useful breakpoint to detect it:
0 G/ C7 c! g" M9 a* C/ h, l, _) k1 W! s8 k9 z7 E$ Z
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'7 F- K8 I- z1 f$ [& H/ I

% s8 |0 n" w( u; n4 N__________________________________________________________________________
2 `0 k/ P8 V* o2 L  n0 O5 P+ j& [) e6 i) q6 `% Y' I( ?
. K- `8 H: b# A, A* l/ P+ L! U3 `
Method 14 4 s1 T- Q" Y! ?/ k
=========& Y$ p. z9 Q1 Q: x9 G: v; {- p# p
; P( b6 X4 P) S. F4 p  S8 G
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose* a, ?& }4 w' x9 N
is to determines whether a debugger is running on your system (ring0 only).' I' G0 O$ ?' S  w+ f- a

0 Z/ X( g1 [& {6 z1 A   VMMCall Test_Debug_Installed
( U8 ~# O  G) e0 `! {2 Y   je      not_installed. t$ [% [7 h. z) q; R: ^; N  y

: B8 C& T% B1 V+ K( YThis service just checks a flag.
" ^3 J: O! H2 L& R& Y</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-9 01:25

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表