About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE: if SoftICE is
loaded it answers the BoundsChecker request and AL comes back changed,
otherwise AL is still 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point): if the VxD is installed, ES:DI is set to its API
entry point, otherwise ES:DI stays 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). They swap in a dummy int 41h handler
around the call so that, without a debugger, the interrupt is harmless:

    ; assumes ES = 0 (interrupt vector table segment)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: our
own handler copies AL into CL, so if int 41h is serviced by a debugger
instead of our handler, CL does not match AL.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
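As an added example that is not part of the original post, here is a small Python scanner that flags the code sequences and driver names from Methods 01, 02, 03/04, 05, 07, 11 and 12 in a raw binary, the kind of triage an analyst runs to learn which of these tricks a sample carries before debugging it. The opcode encodings and the sample blob are my own assumptions, constructed for the demonstration.

```python
import re

# Byte-level signatures for the anti-SoftICE tricks listed above. The opcode
# encodings are assumptions: 16-bit code for the int 2Fh/41h/68h tricks and
# the SI/DI magic values, 32-bit code for the 'BCHK' and VxDCall tricks.
# '.{0,8}' allows a few unrelated bytes between the instructions of a trick.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("BoundsChecker BCHK via int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC"),
    # Method 02: mov si,4647h and mov di,4A4Dh (SoftICE back-door magic values)
    ("SoftICE back door magic SI/DI",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h
    ("int 41h/4Fh debugger installation check",
     rb"\xB8\x4F\x00.{0,8}\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("int 68h/43h WinICE handler check",
     rb"\xB4\x43.{0,8}\xCD\x68"),
    # Method 12: push 4Fh / push 002A002Ah right before the VxDCall
    ("VxDCall VWIN32_Int41Dispatch",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 11: driver names opened with CreateFileA or _lopen
    ("MeltICE driver name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
]


def scan(blob):
    """Return sorted (offset, trick name) pairs for every signature hit in blob."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample (not a real binary): a Method 01 check, a Haspinst-style
# back-door call, a MeltICE device name and an int 41h/4Fh check.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"          # mov ax,4
    + b"\xCC"                      # int 3
    + b"\x3C\x04\x75\x10"          # cmp al,4 / jnz SoftICE_Detected
    + b"\xB8\x11\x09"              # mov ax,0911h (execute SIce command)
    + b"\xBE\x47\x46"              # mov si,4647h
    + b"\xBF\x4D\x4A"              # mov di,4A4Dh
    + b"\xCC"                      # int 3
    + b"\\\\.\\SICE\x00"           # '\\.\SICE',0
    + b"\xB8\x4F\x00\xCD\x41"      # mov ax,4Fh / int 41h
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Packers that build the magic values at run time or split the instructions further apart will slip past these fixed patterns, so treat a clean scan as "nothing obvious", not as proof of absence.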