About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must already be 0 (IVT segment), as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
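Every check listed above leaves a fixed byte or string pattern in the protected binary (the 'BCHK' constant of Method 01, the 4647h/4A4Dh magic of Method 02, the int 2Fh/1684h VxD IDs of Methods 03 and 04, the int 41h/4Fh sequence of Method 05, the device names of Method 11, the VxDCall arguments of Method 12, the registry key of Method 13), which is exactly what an analyst triaging such a packer greps for before stepping through it. The scanner below is an added example and is not code from the original post or from any tool it mentions; the opcode encodings are my own (16-bit DOS encodings unless the comment says 32-bit), derived from the listings above, and the SAMPLE buffer is constructed test input, not a real executable.

```python
import re
from typing import Dict, List, Tuple

# Byte signatures for the anti-SoftICE checks described in the post.
# These encodings were derived by hand from the assembly listings above; they
# are a starting point for a triage rule set, not a definitive signature base.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') in 32-bit code. The imm32 is
    # stored little-endian, so the bytes after opcode BD read "KHCB".
    "M01 BoundsChecker magic (mov ebp,'BCHK')":
        rb"\xbd\x4b\x48\x43\x42",
    # Method 02: mov si,4647h ; mov di,4A4Dh ; (a few bytes) ; int 3
    "M02 SoftICE back door (SI=4647h, DI=4A4Dh, int 3)":
        rb"\xbe\x47\x46\xbf\x4d\x4a.{0,8}?\xcc",
    # Method 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)":
        rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "M05 int 41h/4Fh magic F386h":
        rb"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3",
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h V86 handler check":
        rb"\xb4\x43\xcd\x68",
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    "M11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall VWIN32_Int41Dispatch(4Fh)":
        rb"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00",
    # Method 13: registry key used to locate the SoftICE install directory
    "M13 NuMega\\SoftICE registry key":
        rb"Software\\NuMega\\SoftICE",
}

# DOTALL so the wildcard gap in the Method 02 rule may span any byte value.
_COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, rx in _COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def detected_methods(blob: bytes) -> List[str]:
    """Distinct signature names found, in order of first appearance."""
    seen: List[str] = []
    for _, name in scan(blob):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample: hand-encoded bytes for several listings from the post,
# glued together with NOPs. Synthetic test input, not taken from a real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"  # Method 01 (32-bit)
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"  # Method 02 (Haspinst)
    + b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"  # Method 03
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                  # Method 05
    + b"\\\\.\\SICE\x00"                                    # Method 11 string
    + b"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"          # Method 12
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

The rules are deliberately tight (exact register choice and operand order), so a protector that reorders the moves or routes a constant through a different register slips past them; when triaging a real sample, widen the gaps or drop to matching only the immediates once a first hit tells you which family you are looking at.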