About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES = 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; changing value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                  ; DOS set interrupt vector
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

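To see what the debug-register check of Method 10 actually reads, here is an added Python decoder (not code from the original post or from SoftICE): it splits a DR7 value into its enable bits and four breakpoint slots and lists which DR0-DR3 addresses a ring0 reader would see as active memory breakpoints. The bit layout is the documented x86 DR7 layout; the values 0x700 and 0x400 come from the text above, and the register state at the bottom is constructed for the demonstration.

```python
# DR7 field layout (x86 debug registers): L0/G0..L3/G3 in bits 0-7, LE bit 8,
# GE bit 9, bit 10 reserved and always set, GD bit 13, R/Wn and LENn in bits 16-31.
RW_KIND = {0: "execute", 1: "write", 2: "io read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Break a DR7 value into its enable bits and the four breakpoint slots."""
    slots = []
    for n in range(4):
        slots.append({
            "local": bool((dr7 >> (2 * n)) & 1),              # Ln
            "global": bool((dr7 >> (2 * n + 1)) & 1),         # Gn
            "kind": RW_KIND[(dr7 >> (16 + 4 * n)) & 3],       # R/Wn
            "length": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],   # LENn
        })
    return {
        "LE": bool(dr7 & 0x100),    # local exact breakpoint enable
        "GE": bool(dr7 & 0x200),    # global exact breakpoint enable
        # GD: when set, any mov to/from DR0-DR7 raises #DB, so a debugger
        # that sets it is told the moment code like Method 10 reads DR7.
        "GD": bool(dr7 & 0x2000),
        "slots": slots,
    }


def active_breakpoints(dr7, dr0, dr1, dr2, dr3):
    """(slot, address, kind, length) for every enabled hardware breakpoint."""
    info = decode_dr7(dr7)
    found = []
    for n, addr in enumerate((dr0, dr1, dr2, dr3)):
        slot = info["slots"][n]
        if slot["local"] or slot["global"]:
            found.append((n, addr, slot["kind"], slot["length"]))
    return found


def looks_like_softice_loader(dr7):
    """The observation above: 0x700 (LE and GE set) versus the bare 0x400."""
    info = decode_dr7(dr7)
    return info["LE"] and info["GE"]


# Constructed register state: loaded through the SoftICE loader (0x700) with
# one BPM on DR0 (local enable, read/write, 4 bytes). Not taken from a real run.
SAMPLE_DR7 = 0x700 | 0x1 | (0x3 << 16) | (0x3 << 18)
SAMPLE_DR0 = 0x00401000

if __name__ == "__main__":
    print("SoftICE loader pattern:", looks_like_softice_loader(SAMPLE_DR7))
    for slot, addr, kind, length in active_breakpoints(SAMPLE_DR7, SAMPLE_DR0, 0, 0, 0):
        print(f"DR{slot}: {kind} breakpoint, {length} byte(s) at {addr:08X}")
```

Running it with 0x400 in DR7 reports no loader pattern and no breakpoints, which is exactly the state the text tells you to leave the registers in before tracing such code.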
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

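Most of the tricks in this list leave fixed bytes in the protected file, so an analyst can triage a sample before ever running it. As an added example (not code from the original post or from any tool it names), the Python scanner below looks for the 'BCHK' constant of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h lookup of Methods 03 and 04, the int 41h/4Fh and int 68h/43h checks of Methods 05 and 07, the \\.\SICE-style device names of Method 11, the VxDCall pair of Method 12 and the registry key names of Method 13. Instruction encodings are taken from the x86 opcode tables, assuming 16-bit code for the DOS snippets and 32-bit code for the Win32 ones; the sample image at the bottom is constructed from those encodings and is not taken from any real protector.

```python
import re

# (method number from the list above, what the bytes stand for, regex over raw bytes)
SIGNATURES = [
    (1, "mov ebp,04243484Bh ('BCHK' BoundsChecker signature)",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    (2, "mov si,4647h / mov di,4A4Dh (SoftICE back door magic values)",
     re.compile(rb"\xBE\x47\x46.{0,16}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}\xBE\x47\x46",
                re.DOTALL)),
    (3, "mov ax,1684h / mov bx,0202h or 7a5Fh / int 2Fh (Methods 03 and 04)",
     re.compile(rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
                re.DOTALL)),
    (5, "mov ax,4fh / int 41h / cmp ax,0F386h (system debugger magic number)",
     re.compile(rb"\xB8\x4F\x00.{0,8}\xCD\x41.{0,16}\x3D\x86\xF3", re.DOTALL)),
    (7, "mov ah,43h / int 68h (WinICE V86 handler)",
     re.compile(rb"\xB4\x43.{0,8}\xCD\x68", re.DOTALL)),
    (11, "SoftICE device name passed to CreateFileA or _lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    (12, "push 4fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}\x68\x2A\x00\x2A\x00",
                re.DOTALL)),
    (13, "SoftICE registry key name",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(data):
    """Return (method, description, offset) for every hit, in file order."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((method, desc, match.start()))
    hits.sort(key=lambda hit: (hit[2], hit[0]))
    return hits


def methods_found(data):
    """Distinct method numbers hit, in order of first appearance."""
    seen = []
    for method, _, _ in scan(data):
        if method not in seen:
            seen.append(method)
    return seen


# Constructed sample image: a few of the encodings above between NOP padding.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # Method 01, 32-bit code
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"                   # Method 02, 16-bit code
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # Method 05, 16-bit code
    + b"\\\\.\\SICE\x00"                                    # Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"                      # Method 13 key name
    + b"\x90" * 8
)

if __name__ == "__main__":
    # Typical use: scan(open(path, "rb").read()) on the file under analysis.
    for method, desc, offset in scan(SAMPLE):
        print(f"offset 0x{offset:04X}: Method {method:02d} - {desc}")
```

The byte-distance limits in the patterns (`.{0,8}`, `.{0,16}`) allow a few unrelated instructions between the parts of a check, which keeps the scan tolerant of reordering without matching the lone constants that occur by chance in ordinary code; a hit is a reason to set the corresponding breakpoint from the text before tracing, not proof by itself.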
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>