找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>3 \7 ~/ Q/ ]5 m- a) e& O) [  L& c- |7 N
<TBODY>
3 Y. n. o% X2 J) V<TR>
5 N- _& j. j; p& a/ F<TD><PRE>Method 01
8 H: k7 d% k; {& E" O5 r% r# t( }7 n9 ]=========
. `5 Y: y$ ^; T, q* }. c- X! n$ L  o" k6 j7 p; C7 U
This method of detection of SoftICE (as well as the following one) is* s: H: {/ F) S9 J
used by the majority of packers/encryptors found on Internet.! h0 h: t: a% g6 O- O% I5 @
It seeks the signature of BoundsChecker in SoftICE( t0 z1 Y8 A' ]/ C1 z

7 W7 @  O' M8 ~9 J6 C    mov     ebp, 04243484Bh        ; 'BCHK'" T, L  @' F4 W5 A
    mov     ax, 04h
: W1 U$ W' ]  K% D. {' @    int     3       * r* t* q" m4 e* L: t( }
    cmp     al,41 y. ]8 I' s5 p: K; U8 O; f
    jnz     SoftICE_Detected
& j& V4 \# p% m/ Z
2 v$ j- d/ I2 R6 |* `1 X___________________________________________________________________________* a' |' g+ Y' |- r& N7 T. c1 r: r

$ H3 Y- W/ I1 u# h8 y/ {- ^Method 02
& S, j) @2 M& m/ [8 }& W$ a5 o/ _=========
5 E% B, A  B4 u7 |1 x% c: Y, z4 ~# R2 J% J6 U7 D
Still a method very much used (perhaps the most frequent one).  It is used
+ I) G' E, b3 uto get SoftICE 'Back Door commands' which gives infos on Breakpoints," ]6 A- M! ]( D+ n3 E6 k4 K2 p4 k, h
or execute SoftICE commands...
( D3 V( b% m1 |It is also used to crash SoftICE and to force it to execute any commands# F( L4 c1 U  R) |8 z7 S3 y
(HBOOT...) :-((  
3 @5 p, k" {! f( o% _9 ~! E3 r, {! t3 Y
Here is a quick description:
+ K/ v6 Z) u: T9 N" K  O-AX = 0910h   (Display string in SIce windows)
/ c" h( g- ~& L' O, J-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)9 s% X8 q* A: I8 |
-AX = 0912h   (Get breakpoint infos)9 b+ _/ r  h( ]% Z
-AX = 0913h   (Set Sice breakpoints)
( x( [5 g9 C/ H/ F. R-AX = 0914h   (Remove SIce breakoints)! g6 B3 V; ~# A- z+ C' i. L4 O% w& U9 j
* c) ~9 r& t! t% }; z2 ]' w4 J7 ~! h' X' h
Each time you'll meet this trick, you'll see:# K( X$ \8 X. R; H
-SI = 4647h
7 [, w  C; X/ P-DI = 4A4Dh0 p6 p( t* g5 J
Which are the 'magic values' used by SoftIce.& G2 C% I6 L" |) h
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.3 w3 N: H( i0 I8 }
) }7 K7 I2 y1 x0 |5 G. w
Here is one example from the file "Haspinst.exe" which is the dongle HASP
5 X' `- A5 k3 d4 k- M6 x/ xEnvelope utility use to protect DOS applications:
# ]4 z1 [. C; I& l% m/ r3 @
6 b7 B4 X5 C, h* {$ O) n& ^2 K/ {$ y3 ~
4C19:0095   MOV    AX,0911  ; execute command.
0 a/ ^0 \9 J6 N7 Q4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).$ y( u" o/ L; M# n" o: ]3 P
4C19:009A   MOV    SI,4647  ; 1st magic value.: D3 o0 u3 k( R0 A! Z
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.2 B' f- K" r; ]/ `
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)% g* p/ o) g: l' f- t
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
. g2 L7 \$ `) X4 _5 G4C19:00A4   INC    CX
! v: d) P  ?2 v9 M) [/ F, `2 A4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute! ?' O- y. \! {& H; C9 j; U3 M. x
4C19:00A8   JB     0095     ; 6 different commands.
' s! D# n' U  h5 Z7 F/ N4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
. q' Q6 K8 G; T& X: L4 e4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :), J& N, O, P6 t( ]
9 I  u# [! W9 g
The program will execute 6 different SIce commands located at ds:dx, which9 _# e. i  `" o; ?5 a, e
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.% d% p" G. b' I* D$ n
1 I* B! f1 a6 ]0 w
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
2 _. s8 S. Q. v/ a: O8 m; F7 Z___________________________________________________________________________
: Z. E" d: |0 K& v  P# t9 r" U+ p6 I
% h& G' _0 F5 X8 V- w4 Z
, ^( L( b, _1 q' ]7 I9 w- aMethod 03
4 J6 E0 H0 |( f- w* B=========- z; Q3 I2 `; {& I6 Y' E$ N1 G
. H# \# @2 e3 F
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
  M' R8 X/ [1 @- b( y# x(API Get entry point)
( H' P1 i9 u3 O2 N! ?$ ^/ y) l6 X        9 x& t9 K: h  y; q& y* v& ^% i
6 A" p; A' Y- T) F/ }) V
    xor     di,di
* e. v: g3 @; m7 f    mov     es,di- Q" |# ~7 ^' ]* X/ D9 J
    mov     ax, 1684h      
4 |7 w2 u( o1 H    mov     bx, 0202h       ; VxD ID of winice
2 v1 J3 Z, s, N7 ], K    int     2Fh4 y* Q- J$ j, B& _! V# Z
    mov     ax, es          ; ES:DI -&gt; VxD API entry point; o* B& w. Y1 |/ ~6 s
    add     ax, di$ n: ^. E& M+ l* q. A$ X0 ]
    test    ax,ax
* Y$ ^$ Z. _8 L$ K' ^, d1 w    jnz     SoftICE_Detected- ^3 H' W  D. V5 W9 @

5 W; g6 j5 w- E  C# v2 K___________________________________________________________________________
" _- x* |& R* i+ F, I  L/ W" d! ], U  w
Method 04$ N& u9 z7 h: q, }; D  V9 L
=========
% }5 u7 g, P7 q: z1 z
/ z+ s# n8 u4 K2 g) L4 I/ H! hMethod identical to the preceding one except that it seeks the ID of SoftICE
& P5 S+ I& {3 }$ lGFX VxD.
) x0 |3 [' |7 R* Y# I) M7 `
( b* L3 u4 I! C% ]7 O) R$ X3 O# j    xor     di,di+ A3 i4 D4 x* G$ N# d8 m2 U& j
    mov     es,di5 a6 F7 h8 f9 n$ Y3 F
    mov     ax, 1684h      
! L5 [4 g3 Z  T+ r# F& N8 m+ a    mov     bx, 7a5Fh       ; VxD ID of SIWVID
& }2 E( a+ _' R: R, P    int     2fh6 X' F& B; I5 Z' [9 X
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
. T/ q" p; R2 ]0 S, C+ L1 p    add     ax, di
- q; q. l  M  d* h( j    test    ax,ax
$ }9 D) M6 o% N6 g7 D! {" N. j    jnz     SoftICE_Detected2 D0 [& ?2 L7 b) _
0 j- x% [, \' D# j4 h
__________________________________________________________________________7 |2 T$ j( v6 ?7 K# a
0 @( D# v% t/ C% ^
3 ~/ v2 n5 r0 a
Method 05
# \$ C# [8 C  P( f" u- A; q" f=========* N0 V, @/ R! {2 h

- p% U2 c4 U4 O3 G2 cMethod seeking the 'magic number' 0F386h returned (in ax) by all system3 p6 j3 r& j. I- q3 E, a0 l
debugger. It calls the int 41h, function 4Fh.
0 d$ t' X/ v, C4 T2 C# uThere are several alternatives.  ) z  F. }, @4 v& E' Q0 M7 O) E5 c
3 I" D0 ^& a& A
The following one is the simplest:9 y% e7 A/ N. d: t# g

8 n* D7 U4 w% F; _+ ]% h    mov     ax,4fh
) ]7 M5 S: l: W# Y; a" D    int     41h
/ L% j: G0 P- [5 t9 H) T7 w    cmp     ax, 0F386+ `1 @4 L+ l& K. U* Y
    jz      SoftICE_detected; Q. G) t2 P7 G* B0 L

- S- F4 D: b* a, E; x- O. x; \6 Z$ h% j. K  ~5 b
Next method as well as the following one are 2 examples from Stone's , s2 v) f  x- ]( f1 M
"stn-wid.zip" (www.cracking.net):
! w& B4 A6 h/ W- O0 U$ M7 E! s6 A5 }( F) s0 e
    mov     bx, cs8 U, ]0 b( w$ J9 Z& @6 O" _5 s
    lea     dx, int41handler24 Z, ~9 N7 Q' y! }, I) p0 e
    xchg    dx, es:[41h*4]
: f: F" `2 k+ ^; s( J4 U6 g# y* F    xchg    bx, es:[41h*4+2]
2 f5 `- ~+ |$ R# k. m, Y9 {    mov     ax,4fh2 e$ ~# G; |* `1 ]/ e. ~/ R( C$ i
    int     41h1 t, ]+ P' n# R7 W! q+ |5 k
    xchg    dx, es:[41h*4]
5 E8 V& q8 l+ \8 ~$ @* _. I' p    xchg    bx, es:[41h*4+2]
, _6 E2 T; u5 ?4 X0 `7 W: w    cmp     ax, 0f386h
7 J& \) d9 m; g7 k' e5 K1 r    jz      SoftICE_detected% t. l/ }: B2 t5 |+ @
3 I: S3 `- Q& r  x1 b
int41handler2 PROC
+ U( M2 ~/ L8 `# e3 e    iret' w% g5 s% J  Z- e0 H, L% M6 M
int41handler2 ENDP* @, P1 t7 r9 n6 w3 t+ ]/ |
2 y  Q+ c# V$ h) F6 J# O. w2 ^

7 d# u: ^3 f- B/ j+ O/ ?# z# [_________________________________________________________________________# V# ?4 `: i. q; h# z

2 _( P# J. r& x9 e1 I- y6 ~+ E* @
$ b' D' i. a: Z# V% H! vMethod 06
) f9 }" w' j' \, q7 E=========+ V& `- a& {7 r( m% F" }
# [) u' h8 A4 l, d9 T& j) K2 L

- s# \! \" p4 @4 k, u( U2nd method similar to the preceding one but more difficult to detect:
, o9 @: v1 C% k1 y$ c
5 b& v( ^2 n4 e( \; k7 d2 y3 u% W8 t- |/ V" ]( Z' Y) z
int41handler PROC3 S* j4 L/ X5 V' p! A" g/ L
    mov     cl,al
  Z" T, c+ x1 Q% K    iret
5 }" k; G  H( s# _3 Uint41handler ENDP9 \- W' U8 \, u$ s& i# X

; B: C- E5 M9 ?" Q2 O' o7 d4 P( {. t/ p
    xor     ax,ax/ r' E( V/ c6 y6 F0 d/ G% @
    mov     es,ax% H) M3 J' B) W/ D5 r! X- d) g. i, l" l
    mov     bx, cs! }6 z3 P4 g3 F% z* V& Q% D& g& [
    lea     dx, int41handler: J1 U. s* L1 h+ R& P
    xchg    dx, es:[41h*4]" V0 Y- v9 s& g+ t2 w! B: x+ z3 [
    xchg    bx, es:[41h*4+2]
7 h  M, B2 R, M% v, ^& ]* ?3 g% H    in      al, 40h7 u# K1 e8 o" I, M! a* R
    xor     cx,cx4 _- j% |* W4 [
    int     41h
0 C- J) d6 g# ^    xchg    dx, es:[41h*4]/ A1 A# W" q) f
    xchg    bx, es:[41h*4+2]# y1 e- x" {) N) t+ j& q3 P4 q
    cmp     cl,al
. p( _/ S' R/ u& U    jnz     SoftICE_detected3 ^' y! W) T( t' |! l  g" V

/ b6 z% E0 |8 b8 y3 S_________________________________________________________________________
. k1 Q" k+ b" D" j4 U. {% i1 {0 d7 D7 U' w1 P8 \8 G7 A- y5 d8 X3 h
Method 077 S# G* u2 {$ v$ u  U, ?, S
=========8 {0 g  T9 c7 o+ x3 X" {

" \8 o3 \8 Q' d( H. {  eMethod of detection of the WinICE handler in the int68h (V86)
. S5 e% e0 H6 a. }' q# o& O5 }: a% H: H3 s- k% Y. d- h
    mov     ah,43h  r" ]- {  W# Z) c* O$ c
    int     68h
% Y0 d/ o2 c5 B4 h    cmp     ax,0F386h4 L& M0 q  X8 O% S( }: Y% {
    jz      SoftICE_Detected# e5 k1 G; t4 o. p9 W+ L
3 [* Y7 A' y. ?5 O$ w4 P  n8 V8 L* t
  Y; P, ]) S3 p2 A. J+ D
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
8 b# Q6 G! O5 ~5 Y2 K   app like this:' i& N; P5 ~) W0 g$ u- L8 A1 d+ O
' ?6 b$ e) O: t4 w
   BPX exec_int if ax==686 v  Y/ f( M7 A: l- K
   (function called is located at byte ptr [ebp+1Dh] and client eip is
9 ]6 e  o: J1 X: x: @0 G& H   located at [ebp+48h] for 32Bit apps)5 S) h/ r) v- d# u* R: b) Z$ h
__________________________________________________________________________' ?# w6 E$ z7 ~) T1 n! o

' [- H0 V0 K$ _8 D0 |: t2 q  j( E2 h
4 V# r' J8 n/ r+ x: Z1 \Method 08) }& F8 [0 a' j  i% A% I- Y5 C
=========6 L0 O) I  u6 x0 n
3 w: g, \4 r5 |( A4 O3 Z4 B
It is not a method of detection of SoftICE but a possibility to crash the& w3 A# L* H  @- v
system by intercepting int 01h and int 03h and redirecting them to another
  H' a' `7 N6 Lroutine.
) N8 \) ]9 X' eIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points2 w5 _8 n2 k9 U$ e
to the new routine to execute (hangs computer...)
& q" |8 [" z+ ?/ _. j, u9 d$ N1 y7 d+ O8 G$ y- N, q6 @! o, |' m
    mov     ah, 25h
6 k' n/ H7 u: ^  E2 b1 M6 G    mov     al, Int_Number (01h or 03h)
( [+ o" o. j. L    mov     dx, offset New_Int_Routine0 @# z4 ~4 M. w: _1 s" R& P9 z
    int     21h6 A4 k" h, ?9 T6 o% |3 j2 p
& M* Q0 |1 V4 O  ?3 M& z8 N, `
__________________________________________________________________________2 e9 r! \$ ?9 W

3 |5 b0 S0 F% Q  f: A. UMethod 09- t, }- T1 j" e) t6 h. a! Z
=========
! w) ^' W# t. q$ a( v: q
& t. I. d5 V& b& R1 ?7 @" lThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
# w, H7 o, O$ W& Gperformed in ring0 (VxD or a ring3 app using the VxdCall).+ d6 }- b5 p4 a* m
The Get_DDB service is used to determine whether or not a VxD is installed. u, b+ H3 P3 W$ b- C
for the specified device and returns a Device Description Block (in ecx) for
  `0 a: w7 S# n: V% jthat device if it is installed.
6 m- u) w  b4 G; V( H$ |! @
; }2 K$ H% \+ E1 H   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
6 U$ J2 C0 U. S" t$ s- A+ y   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
. }8 c+ Y9 M, C) s/ d   VMMCall Get_DDB
7 }3 K4 [+ L" e' o   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed% W/ n6 u  ]/ v" f
8 q& R0 @0 {/ O8 d
Note as well that you can easily detect this method with SoftICE:
0 b  ~) T% a8 f   bpx Get_DDB if ax==0202 || ax==7a5fh
; O' v" R/ ~/ F1 p: r" m5 x! P( V: D
__________________________________________________________________________
/ n( N7 T( N& B% A  l; {) q; M* J0 j8 o
Method 10
- J! P  b! O- n# _=========
1 Q, r6 ~+ m7 D* j: y2 Y5 \) R. R* o. D& V' P, h) G& J
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
: p; w% j/ L3 F* N- l+ l  ~, d& t  SoftICE while the option is enable!!, G$ d0 d4 Y& g! G

' ~) w2 j1 R9 L) TThis trick is very efficient:
; W8 o7 [+ f0 W" s. Vby checking the Debug Registers, you can detect if SoftICE is loaded7 l3 r1 c; q: q/ o. p
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
* b- o  w- {# othere are some memory breakpoints set (dr0 to dr3) simply by reading their
3 g8 j/ r: L$ M! z- ^value (in ring0 only). Values can be manipulated and or changed as well
. B) i( N5 P% `( x+ Q(clearing BPMs for instance), j8 u7 s  s$ Q$ G' C2 R; J
  F9 Q: K1 Y4 f2 d) A  ?
__________________________________________________________________________4 g9 h7 L& g8 W0 N8 W

  S7 N) x$ f2 u# {6 cMethod 11, R0 ]& r6 O( W$ I0 `0 S4 V- d
=========; `: K: F$ X4 C; l3 l4 K0 Y9 T  ?

. ~5 T% e+ P1 ^7 ^This method is most known as 'MeltICE' because it has been freely distributed/ M8 E4 |3 v6 u7 h" c  G
via www.winfiles.com. However it was first used by NuMega people to allow, l" w/ o% M* ^5 k( w! u. T* [
Symbol Loader to check if SoftICE was active or not (the code is located
9 o$ r# V5 [- tinside nmtrans.dll).9 u; g2 O" |, N8 n6 V  g! {0 @
$ `$ Q3 F: f! g$ _5 M
The way it works is very simple:
8 [3 E) ^& O5 [8 T2 y; PIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
. T: Q9 C- M  |# C# XWinNT) with the CreateFileA API.
, F0 @" U' ]/ g2 |) j
5 W( J( f+ ~9 c5 ?; YHere is a sample (checking for 'SICE'):
. J1 s# J  x8 A. c5 _3 B" `: P5 `
% R9 y6 _# C$ [! S4 ?: C* z1 T7 {BOOL IsSoftIce95Loaded()
% R) M! t! J/ J# t8 e{( D! a6 z  g+ s
   HANDLE hFile;  4 T4 c  Y, ]8 [
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,! ^! P* _" q! S" F; |+ }% C
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
' w! ~) _  w* H) t$ u5 L$ X& t& ~                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
$ ~! L# d+ |* [! Q   if( hFile != INVALID_HANDLE_VALUE )
' B  u# W- I& b' J' R7 Z   {& F9 i/ G+ G) D+ j4 y( `
      CloseHandle(hFile);4 M" k, U2 b* l# q+ C# m+ a
      return TRUE;# D$ z( B7 d: r5 ?
   }! J% V9 I; e4 q8 b& r1 R3 I
   return FALSE;
6 _# y9 V5 }- {5 R% a2 P# X. ]}# w" H# H% m2 A3 ?  u9 b% ?

4 r4 Z. H0 H7 N) ?/ k) b! SAlthough this trick calls the CreateFileA function, don't even expect to be8 L0 g$ i: q" X0 g3 }  `
able to intercept it by installing a IFS hook: it will not work, no way!- Q3 `* k6 `7 V) c, I
In fact, after the call to CreateFileA it will get through VWIN32 0x001F0 {: h, s3 i+ A' w, x' X: \
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)) L- V$ Z0 I$ f6 S- D
and then browse the DDB list until it find the VxD and its DDB_Control_Proc, w7 s' w2 r- E7 ~- e
field.
) Y5 D6 j; H6 T5 VIn fact, its purpose is not to load/unload VxDs but only to send a   W  `; M" t/ r- f( `% U
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
- @+ x, l6 U& `to the VxD Control_Dispatch proc (how the hell a shareware soft could try. |9 H8 T( q0 @
to load/unload a non-dynamically loadable driver such as SoftICE ;-).. h* y; N& x5 t1 u
If the VxD is loaded, it will always clear eax and the Carry flag to allow( L$ [3 B6 w3 ^7 P& i
its handle to be opened and then, will be detected.3 K9 J7 Z1 i+ c, U  T3 A/ z9 k, f
You can check that simply by hooking Winice.exe control proc entry point+ m7 s  K+ m5 J, _5 O
while running MeltICE.# u6 k7 c$ {+ j# C

/ n  O7 o8 y( n6 H% z
, D3 M. B1 q$ e  00401067:  push      00402025    ; \\.\SICE
+ G9 l+ X4 t# K  V& T- k6 I  0040106C:  call      CreateFileA+ Q) L! J7 X0 d& Y
  00401071:  cmp       eax,-0012 z2 V/ P& T/ g) i/ R  n6 O
  00401074:  je        00401091- S& X& H6 a9 x8 D* s5 s
4 e+ |/ N4 p4 Q, y
" ?0 y' X4 c! K, p) i) f9 E
There could be hundreds of BPX you could use to detect this trick.
6 w. h4 i. _  K8 b5 W& r-The most classical one is:
- h1 f% C; w) R- m  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||' ?+ C. w2 W7 u! @) Y: H9 ~
    *(esp-&gt;4+4)=='NTIC'1 m% N' Y) i8 P& W7 i" j
9 M1 D) x: R( T! Z
-The most exotic ones (could be very slooooow :-(( I9 n( I( T* y' ]& l* a3 ^# B
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
5 x( l; J- q6 l$ Z7 G. q! [     ;will break 3 times :-(
; N, [  z- e4 D$ s1 I: u; W8 K) R
-or (a bit) faster: 9 \( p4 ?5 {( R9 C" O# A2 `, ~
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
9 {3 n8 v% P7 J* e/ M/ Q2 K5 ~/ o! M- K- o2 U
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  8 I* K" \. q9 Z, ~2 R4 N% B* r& B- ]
     ;will break 3 times :-(* @# w1 v2 X& C
: a2 e1 {2 c# W; i3 V2 ]
-Much faster:& f. ]! w) r1 L; O) p5 g) _
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'6 h; G4 l3 n+ W2 J/ r7 d8 n1 d) ~/ o

# w6 w5 }4 C4 y  Y2 UNote also that some programs (like AZPR3.00) use de old 16-bit _lopen$ V' k( W- b# s: {' N
function to do the same job:9 M  v4 J  b7 m/ B
6 s0 f; E; B8 g. P
   push    00                        ; OF_READ' s4 ?- X8 K- o+ V) u5 j6 t. k
   mov     eax,[00656634]            ; '\\.\SICE',0' M+ T" {( s0 E& x
   push    eax- k( R0 _3 c1 d" ]. k2 P6 n
   call    KERNEL32!_lopen, b5 L, k2 [9 v
   inc     eax
$ f+ }$ t. `. _0 E1 t& Q5 q   jnz     00650589                  ; detected
! |7 g# t; b" v* E! b# e$ m   push    00                        ; OF_READ
* }" b* Z0 J- i   mov     eax,[00656638]            ; '\\.\SICE'+ u0 ]% \' \9 v  t9 W
   push    eax
3 ~: H" \8 a$ T( H, f( x5 m   call    KERNEL32!_lopen
5 n" G. R0 {' G8 T9 h4 E   inc     eax
4 Q! K2 j; w' F1 F) j   jz      006505ae                  ; not detected
1 C  B# {, w; U2 g4 C# @3 D, L" ~
/ f$ }* _. G  X0 s! D
__________________________________________________________________________' e/ r- J0 q1 r& ?! A6 `% V8 `

" k! K( {- \/ c; AMethod 12
9 |3 F. @' f- n  V4 Z( W0 a/ L1 S( c=========
3 i3 q% ^. D+ ?6 o' x1 m5 d  S# l: u7 [, J+ M& d" e1 |
This trick is similar to int41h/4fh Debugger installation check (code 05
2 P' R/ r+ x! j&amp; 06) but very limited because it's only available for Win95/98 (not NT)
; q. y5 p6 s) Z' S/ `& B8 r6 t1 las it uses the VxDCall backdoor. This detection was found in Bleem Demo.
( J. h& \' U4 Q: a% E5 ~/ p5 L' Y) [  n6 s
   push  0000004fh         ; function 4fh
( b& k: s* e1 u   push  002a002ah         ; high word specifies which VxD (VWIN32): C2 y9 J$ D4 D
                           ; low word specifies which service
$ e1 p0 X. ]2 J  W                             (VWIN32_Int41Dispatch)
4 C1 J4 `- P* k3 Z   call  Kernel32!ORD_001  ; VxdCall
  n' A9 d9 W' c( r: _   cmp   ax, 0f386h        ; magic number returned by system debuggers( I4 @9 L# @( H9 V
   jz    SoftICE_detected
& _6 t  K0 R6 k2 j% B1 ~7 P, u8 ^% B8 M7 K8 v# m& k& o* S
Here again, several ways to detect it:- f5 }$ d4 r6 f) K5 Y- p

7 A. d8 b+ A5 q3 y3 _4 q4 e( O    BPINT 41 if ax==4f0 l  O2 m6 g3 o# }  [
( w; G; Q; R& c2 C2 ]& |% L
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one7 o6 m) b" R! ^1 ~5 j/ P, c9 \) H  h
) L6 n7 ?# ~& d  u4 N3 F2 `
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
8 Y5 w7 X; X8 T: V' {# y! q1 T- @" U) g& B& L/ U
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!/ ?+ s" _8 u& S( A
' {% E; p5 p  ^$ M4 Y9 q
__________________________________________________________________________4 I! L8 F7 Y7 F9 a

7 H0 i! s4 l( C0 `5 eMethod 13
, U" P; M( B: [& v- g: q+ S=========
" }: I& y1 O5 N3 @! B* T3 J1 v3 a& s6 w4 M- _
Not a real method of detection, but a good way to know if SoftICE is" Y5 p; ?2 z0 z+ \# p
installed on a computer and to locate its installation directory.2 ^! C, |' @( ?
It is used by few softs which access the following registry keys (usually #2) :
. d; k, a4 E$ [8 C4 m
8 d0 x5 L2 q2 Z-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
8 o! f+ b( g5 V. ^! H' k' Z\Uninstall\SoftICE: Z0 T  J2 k0 ~- u) W
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
0 e+ z/ H$ `$ F0 G* ?-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion  O! e/ z; ^6 v
\App Paths\Loader32.Exe
4 }4 [) s: e/ ^6 @0 m; `2 ?2 Z( u  n5 S2 I

0 {/ [: o0 U  B9 S" tNote that some nasty apps could then erase all files from SoftICE directory
6 c5 C8 d( o" t% L- X' v(I faced that once :-(
) |' h3 [' @* s9 C: w) I
. C9 X/ E+ B1 [& R9 tUseful breakpoint to detect it:) G: N! f7 J# {
5 A% E5 q( z1 ^& ^4 o
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
% B2 M6 O5 {8 g1 r$ |
' `' x2 x6 g. ~& @__________________________________________________________________________) B* V- m" E- j" G0 Y2 [# ]
, {- {$ p5 u$ D9 B4 R

" t' \: S! `( s! VMethod 14 # \- [7 M( e, l+ t9 Z
=========
, Q; y% }4 v0 L3 I" J  Q) F+ e- R9 \2 T9 f- E, E* F
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose; _& [( R) k) w2 \
is to determines whether a debugger is running on your system (ring0 only).
+ ]) P, a* K  s4 _- n2 t$ N1 ~0 R* g9 d* O+ o# [$ f1 h/ {& G
   VMMCall Test_Debug_Installed
2 K% v2 x% |+ y  Q* z/ G. H   je      not_installed
& V, }) h% }) ?0 q& N* \" ~: _
, k' c. L9 ]9 ~( hThis service just checks a flag.
6 q) ?6 \* q- v3 |</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-8 17:56

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表