About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI != 0000:0000 means the VxD answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es must already hold 0 (the real-mode IVT segment), as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; saving the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax unchanged; only a
    jz      SoftICE_detected        ; debugger still hooking int 41h returns 0f386h

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; copies al into cl only if our handler runs
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: our handler was never reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler (ds = its segment)
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

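Added example, not part of the original text: a decoder for the DR7 layout that Method 10 reads, showing why 0x400 and 0x700 differ (bit 10 always reads 1; 0x700 adds the LE/GE exact-breakpoint bits) and how a BPM shows up in the DR0-DR3 enable bits. All function names are mine; the DR7 values are constructed, since reading the real registers needs ring0, which this code does not attempt.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decoder for the x86 DR7 layout (Intel SDM vol. 3):
 *   bits 0..7   L0,G0 .. L3,G3  local/global enable of DR0..DR3
 *   bits 8, 9   LE, GE          local/global exact breakpoint enable
 *   bit 10      reserved, reads as 1 (hence the 0x400 baseline)
 *   bits 16+4n  R/Wn (2 bits)   0=exec 1=write 2=I/O 3=read/write
 *   bits 18+4n  LENn (2 bits)   0=1 byte 1=2 bytes 3=4 bytes            */

/* Is breakpoint slot n (0..3) armed, locally or globally? */
bool dr7_slot_armed(uint32_t dr7, int n)
{
    return ((dr7 >> (2 * n)) & 3u) != 0;
}

/* How many of DR0..DR3 are armed (each SoftICE BPM occupies one slot). */
int dr7_armed_count(uint32_t dr7)
{
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += dr7_slot_armed(dr7, n);
    return count;
}

int dr7_rw(uint32_t dr7, int n)  { return (int)((dr7 >> (16 + 4 * n)) & 3u); }
int dr7_len(uint32_t dr7, int n) { return (int)((dr7 >> (18 + 4 * n)) & 3u); }

/* The tell-tale the text describes: 0x700 = bit 10 plus LE|GE (bits 8, 9),
 * 0x400 = bit 10 alone. */
bool dr7_exact_bits_set(uint32_t dr7)
{
    return (dr7 & 0x300u) == 0x300u;
}

/* Arm slot n as a local data breakpoint with the given R/W and LEN codes
 * (constructed value only; no real register is touched). */
uint32_t dr7_arm(uint32_t dr7, int n, unsigned rw, unsigned len)
{
    dr7 |= 1u << (2 * n);                       /* Ln */
    dr7 &= ~(0xFu << (16 + 4 * n));             /* clear R/Wn and LENn */
    dr7 |= (rw & 3u) << (16 + 4 * n);
    dr7 |= (len & 3u) << (18 + 4 * n);
    return dr7;
}

static const char *rw_name(int rw)
{
    static const char *names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

int main(void)
{
    /* constructed samples: plain Win9x, SoftICE loader, loader + one 4-byte BPM on DR0 */
    uint32_t samples[] = { 0x400u, 0x700u, dr7_arm(0x700u, 0, 3, 3) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t v = samples[i];
        printf("dr7=%08x  LE/GE=%d  armed=%d", v, dr7_exact_bits_set(v), dr7_armed_count(v));
        for (int n = 0; n < 4; n++)
            if (dr7_slot_armed(v, n))
                printf("  dr%d:%s/len%d", n, rw_name(dr7_rw(v, n)), dr7_len(v, n));
        putchar('\n');
    }
    return 0;
}
```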
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 API, declared in windows.h */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened, so the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
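Worked example added here (not from the original text) for the breakpoint conditions of Method 11 and Method 13: it emulates SoftICE's `*(ptr+off)=='ABCD'` comparison in C against the device names and registry keys quoted above, so the offsets 4, 0x13 and 0x37 can be checked rather than taken on trust. The register-relative parts (esp->4, esp->8) are replaced by the argument strings themselves, and all function names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Emulates the SoftICE test  *(p+off)=='ABCD' : the dword at p+off is
 * compared, in memory order, with the four characters of the literal.
 * Fails safely when fewer than 4 bytes exist at that offset. */
bool dword_at_equals(const char *buf, size_t len, size_t off, const char *tag)
{
    if (buf == NULL || len < 4 || off > len - 4)
        return false;
    return memcmp(buf + off, tag, 4) == 0;
}

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ...
 * esp->4 is lpFileName; +4 skips the "\\.\" device prefix. */
bool meltice_path_condition(const char *path)
{
    size_t n = strlen(path);
    return dword_at_equals(path, n, 4, "SICE")
        || dword_at_equals(path, n, 4, "SIWV")
        || dword_at_equals(path, n, 4, "NTIC");
}

/* Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey: 0x13 lands on "tICE" of key #2, 0x37 on "tICE" of key #1.
 * Key #3 (App Paths\Loader32.Exe) contains no "tICE", so this BPX never fires on it. */
bool softice_subkey_condition(const char *subkey)
{
    size_t n = strlen(subkey);
    return dword_at_equals(subkey, n, 0x13, "tICE")
        || dword_at_equals(subkey, n, 0x37, "tICE");
}

/* Where a tag sits in a string (how such offsets are derived), -1 if absent. */
long tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (long)(p - s) : -1L;
}

int main(void)
{
    /* constructed inputs: the device names and registry keys quoted in the text */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\COM1" };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-12s -> %s\n", paths[i], meltice_path_condition(paths[i]) ? "break" : "pass");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("tICE at %ld -> %s  (%s)\n", tag_offset(keys[i], "tICE"),
               softice_subkey_condition(keys[i]) ? "break" : "pass", keys[i]);
    return 0;
}
```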

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>