About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's BoundsChecker interface changes al
    cmp     al,4                   ; so al != 4 means SoftICE answered
    jnz     SoftICE_Detected

___________________________________________________________________________
, Z+ f; h# T" n) f6 N9 z- v5 b( ^: F! E( p! R
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
- V5 A, _! r& I8 Z: B! b& ?* u( l4 F/ I

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is not present
    jnz     SoftICE_Detected

___________________________________________________________________________
/ M8 o1 e4 f2 A; _; r4 I
Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is not present
    jnz     SoftICE_Detected

__________________________________________________________________________
/ y- a* G1 h! L2 M1 P+ m# V( s: ?( t, s- I0 z1 }* P3 {" q

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must be 0 (the IVT) here, as in Method 06
    xchg    bx, es:[41h*4+2]    ; install our own int 41h handler, keep the old vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; our handler leaves ax alone; a debugger answers 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
9 j& }7 \% G- l3 s4 _" [7 Y9 o

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; only runs if nothing intercepted int 41h before the IVT
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; al = PIT counter byte, hard to predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl == al only if our handler really ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
0 k9 C4 A4 O+ t! p7 Y5 c: ?/ y) `7 e
. |& Z1 _/ }5 `- k$ R1 Q
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
, K+ X* B9 j1 ^7 @( R) N
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
( A2 j7 X+ Z  _# _/ g* v. Q" {" x# X- _) @: T2 J
Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________
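To make the DR7 values above concrete, here is an added example (not from the original post) that decodes DR7 with the Intel SDM bit layout and rebuilds the value a single BPM on dr0 would leave behind; `bpm_dr7` and `clear_bpms` are illustrative helpers, and which enable bit SoftICE itself uses for a BPM is an assumption.

```python
# Added example (not from the original post): decode DR7 and show what the
# values quoted above (0x700 / 0x400) and a memory breakpoint look like.
# Layout per the Intel SDM: L0..G3 in bits 0-7, LE bit 8, GE bit 9, bit 10
# reserved (reads as 1), GD bit 13, R/Wn and LENn in bits 16-31.
# Using the global enable bit for a BPM is an assumption of this example.
RW_TYPES = {0: "execute", 1: "write", 2: "I/O", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}

def decode_dr7(dr7):
    """Return the global flags plus every DR0..DR3 slot that is enabled."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln: bits 0, 2, 4, 6
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn: bits 1, 3, 5, 7
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3    # R/Wn
            ln = (dr7 >> (18 + 4 * n)) & 3    # LENn
            bps.append({"reg": "dr%d" % n, "scope": "global" if glob else "local",
                        "type": RW_TYPES[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000), "reserved_bit10": bool(dr7 & 0x400),
            "breakpoints": bps}

def debugger_suspected(dr7):
    """The Method 10 heuristic: LE/GE set (the 0x700 case) or any slot enabled."""
    d = decode_dr7(dr7)
    return d["LE"] or d["GE"] or bool(d["breakpoints"])

def bpm_dr7(dr7, n, kind="read/write", length=4):
    """Return dr7 with a global breakpoint of the given type and length in slot n."""
    rw = {v: k for k, v in RW_TYPES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0xF << (16 + 4 * n))                      # clear old R/Wn and LENn
    return dr7 | (1 << (2 * n + 1)) | (rw << (16 + 4 * n)) | (ln << (18 + 4 * n))

def clear_bpms(dr7):
    """What 'clearing BPMs' amounts to: drop every enable bit and R/W-LEN field."""
    return dr7 & 0x0000FF00  # keeps LE, GE, GD and the reserved bit 10
```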
2 S* |( K$ |, ?- c: c2 Q) L& B
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the open only succeeds if the SICE VxD is loaded and answers DIOC_OPEN */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
1 N5 e( x6 a" y& n1 p7 r. B0 @2 `1 G
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
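The Win32 tricks above (Methods 01, 11 and 12) leave recognisable bytes and strings in a binary; as an added example (not from the original post), the following Python signatures find them in a constructed sample buffer. The Method 12 pattern is generalised here to any function number pushed ahead of the VWIN32 Int41Dispatch service, not just 4Fh.

```python
# Added example (not from the original post): byte signatures for the Win32
# checks above, for triaging a binary.  Encodings are the plain 32-bit ones:
# Method 01  mov ebp,4243484Bh = BD 4B 48 43 42, then int 3 = CC within a few bytes
# Method 11  the '\\.\SICE', '\\.\SIWVID', '\\.\NTICE' device names
# Method 12  push 4Fh = 6A 4F, push 002A002Ah = 68 2A 00 2A 00 (generalised
#            here to any function byte pushed before the VWIN32 service)
import re

SIGNATURES = [
    ("Method 01: BoundsChecker int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    ("Method 11: MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("Method 12: VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x6A(.)\x68\x2A\x00\x2A\x00", re.DOTALL)),
]

def find_tricks(data):
    """Return sorted (offset, description) pairs for every signature match."""
    hits = []
    for desc, pat in SIGNATURES:
        for m in pat.finditer(data):
            if m.lastindex:                      # Method 12: report the function number
                desc_out = "%s, function %02Xh" % (desc, m.group(1)[0])
            else:
                desc_out = desc
            hits.append((m.start(), desc_out))
    return sorted(hits)

# Constructed sample buffer: the three snippets hand-assembled, with padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01 + cmp al,4 / jnz
    + b"junk\x00"
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"                    # Method 11 strings
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"  # Method 12
)
```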
1 L! |" d, b' N, j- J- N
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
8 r  h0 A" A/ O/ J4 Q* b2 S& `# D) s

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>