About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker interface of SoftICE: an int 3 issued with the
'BCHK' magic in EBP is answered by SoftICE as a BoundsChecker request.

    mov     ebp, 04243484Bh        ; 'BCHK' BoundsChecker magic
    mov     ax, 04h                ; BoundsChecker function 04h
    int     3                      ; answered by SoftICE when it is loaded
    cmp     al,4                   ; AL is still 4 when nothing answered
    jnz     SoftICE_Detected


___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own int 3 handler, which is
  what receives the interrupt when no debugger is loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point)


    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; int 2Fh/1684h: get VxD API entry point
    mov     bx, 0202h               ; VxD ID of WINICE
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; (still 0:0 if the VxD is not loaded)
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; int 41h/4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h              ; magic answer of a system debugger
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The int 41h vector is temporarily replaced
by a dummy handler that leaves AX alone, so only a debugger that catches
int 41h before the vector is consulted (as SoftICE does) can turn AX into 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
                                    ; (set here as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler (offset)...
    xchg    bx, es:[41h*4+2]        ; ...and segment; old vector kept in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; AX comes back unchanged without SoftICE
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: there
is no 4Fh / 0F386h constant to look for.  Our handler copies AL into CL; a
byte read from the timer port is passed in AL and CX is zeroed, so CL == AL
afterwards only if our own handler ran.  If SoftICE swallowed the int 41h,
CL stays 0 and the program knows (a timer byte of 0 gives a false negative):

int41handler PROC
    mov     cl,al                   ; echo AL back in CL
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from timer channel 0
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h                  ; int 68h/43h: debugger installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    push    cs
    pop     ds                      ; DS:DX = new handler
    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, 01h                 ; (or 03h)
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
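Added example (mine, not part of the original text): the DR7 bit layout this
check relies on, decoded and manipulated in C so the 0x400 / 0x700 values above
and what a BPM looks like in DR7 can be inspected without a ring-0 driver. The
two constants are the text's; the bit positions follow the Intel DR7 layout; the
function names (decode_dr7, dr7_arm, dr7_disarm_all) are my own.

```c
/*
 * DR7 layout (Intel): L0..L3 = bits 0,2,4,6; G0..G3 = bits 1,3,5,7;
 * LE = bit 8; GE = bit 9; bit 10 is reserved and always reads as 1
 * (hence the 0x400 baseline); GD = bit 13;
 * R/Wn = bits 16+4n..17+4n; LENn = bits 18+4n..19+4n.
 * Reading or writing the real register (mov eax,dr7) needs ring 0; here the
 * values are plain integers so the logic runs anywhere.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define DR7_LE        (1u << 8)
#define DR7_GE        (1u << 9)
#define DR7_RESERVED  (1u << 10)   /* reads as 1 even with nothing armed */
#define DR7_GD        (1u << 13)

typedef struct {
    bool     local_enable;   /* Ln */
    bool     global_enable;  /* Gn */
    unsigned rw;             /* 0 = exec, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len;            /* 0 = 1 byte, 1 = 2 bytes, 2 = 8 bytes, 3 = 4 bytes */
} dr7_slot_t;

typedef struct {
    dr7_slot_t slot[4];
    bool       le, ge, gd;
    unsigned   enabled_count; /* slots with Ln or Gn set = armed BPM/BPX */
} dr7_info_t;

dr7_info_t decode_dr7(uint32_t dr7)
{
    dr7_info_t info = {0};
    for (unsigned n = 0; n < 4; n++) {
        dr7_slot_t *s = &info.slot[n];
        s->local_enable  = (dr7 >> (2 * n))     & 1u;
        s->global_enable = (dr7 >> (2 * n + 1)) & 1u;
        s->rw  = (dr7 >> (16 + 4 * n)) & 3u;
        s->len = (dr7 >> (18 + 4 * n)) & 3u;
        if (s->local_enable || s->global_enable)
            info.enabled_count++;
    }
    info.le = (dr7 & DR7_LE) != 0;
    info.ge = (dr7 & DR7_GE) != 0;
    info.gd = (dr7 & DR7_GD) != 0;
    return info;
}

/* Per the text above: 0x700 (LE|GE on top of the reserved bit) is what the
   SoftICE loader leaves behind, 0x400 is the untouched baseline. */
bool dr7_looks_like_sice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* What a BPM ends up as in DR7: arm slot n with the given R/W and LEN. */
uint32_t dr7_arm(uint32_t dr7, unsigned n, unsigned rw, unsigned len)
{
    dr7 |= 1u << (2 * n);                               /* Ln */
    dr7 &= ~(0xFu << (16 + 4 * n));                     /* clear R/Wn, LENn */
    dr7 |= (((len & 3u) << 2) | (rw & 3u)) << (16 + 4 * n);
    return dr7;
}

/* What a hostile program's "clear BPMs" amounts to: drop every enable bit and
   every R/W / LEN field, keep only the control bits and the reserved 1. */
uint32_t dr7_disarm_all(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE | DR7_GD)) | DR7_RESERVED;
}

int main(void)
{
    static const char    *rw_name[] = { "exec", "write", "io", "rw" };
    static const unsigned len_val[] = { 1, 2, 8, 4 };
    uint32_t dr7 = dr7_arm(0x700, 0, 3, 3);  /* BPM ... RW after the loader */
    dr7_info_t i = decode_dr7(dr7);
    printf("dr7=%08x loader=%d armed=%u\n", (unsigned)dr7,
           (int)dr7_looks_like_sice_loader(dr7), i.enabled_count);
    for (unsigned n = 0; n < 4; n++)
        if (i.slot[n].local_enable || i.slot[n].global_enable)
            printf("  dr%u: %s, %u byte(s)\n", n, rw_name[i.slot[n].rw],
                   len_val[i.slot[n].len]);
    printf("after clearing: %08x\n", (unsigned)dr7_disarm_all(dr7));
    return 0;
}
```

Reading DR7 for real is a `mov eax, dr7` from a VxD; in user mode the
instruction faults, which is why the text says ring0 only.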

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* the driver answers the open; INVALID_HANDLE_VALUE means no driver */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; "\\.\SICE"
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; not loaded


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the subkey string; 0x13 and 0x37 are the offsets of "tICE"
     in "Software\NuMega\SoftICE" and in the ...\Uninstall\SoftICE path)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
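As an added example (mine, not from the original text or from any of the
programs it names): a small scanner in C that looks for the literal byte
patterns of the tricks above in a file image, the way one would triage a
protected binary before loading it under the debugger. The opcode bytes are the
standard x86 encodings of the instructions shown in each method; the SAMPLE
buffer is constructed here for the demo and is not taken from any real program.
It catches only literal, unobfuscated encodings: a packer that builds the magic
constants at run time or uses other registers will not match.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    const char    *name;
    const uint8_t *pat;
    size_t         len;
} anti_sig_t;

/* Method 01: mov ebp,4243484Bh ('BCHK').  32-bit: BD 4B 48 43 42;
   16-bit code has a 66h prefix in front, so the 5-byte suffix catches both. */
static const uint8_t SIG_M01_BYTES[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02 (16-bit): mov si,4647h = BE 47 46 ; mov di,4A4Dh = BF 4D 4A */
static const uint8_t SIG_M02_SI_BYTES[] = { 0xBE, 0x47, 0x46 };
static const uint8_t SIG_M02_DI_BYTES[] = { 0xBF, 0x4D, 0x4A };
/* Methods 03/04 (16-bit): mov ax,1684h ; mov bx,VxD_ID ; int 2Fh */
static const uint8_t SIG_M03_BYTES[] = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const uint8_t SIG_M04_BYTES[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* Method 05 (16-bit): mov ax,4Fh ; int 41h */
static const uint8_t SIG_M05_BYTES[] = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* Method 07: mov ah,43h ; int 68h */
static const uint8_t SIG_M07_BYTES[] = { 0xB4, 0x43, 0xCD, 0x68 };
/* Method 12 (32-bit): push 002A002Ah = 68 2A 00 2A 00 */
static const uint8_t SIG_M12_BYTES[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };

enum { SIG_M01, SIG_M02_SI, SIG_M02_DI, SIG_M03, SIG_M04, SIG_M05, SIG_M07,
       SIG_M12, SIG_M11_SICE, SIG_M11_SIWVID, SIG_M11_NTICE, SIG_M13_REG,
       SIG_COUNT };

#define BIN(n, a) { n, a, sizeof(a) }
#define STR(n, s) { n, (const uint8_t *)s, sizeof(s) - 1 }

static const anti_sig_t SIGS[SIG_COUNT] = {
    BIN("M01 BoundsChecker 'BCHK' int 3",   SIG_M01_BYTES),
    BIN("M02 back door magic SI=4647h",     SIG_M02_SI_BYTES),
    BIN("M02 back door magic DI=4A4Dh",     SIG_M02_DI_BYTES),
    BIN("M03 int 2Fh/1684h VxD 0202h",      SIG_M03_BYTES),
    BIN("M04 int 2Fh/1684h VxD 7A5Fh",      SIG_M04_BYTES),
    BIN("M05 int 41h/4Fh",                  SIG_M05_BYTES),
    BIN("M07 int 68h/43h",                  SIG_M07_BYTES),
    BIN("M12 VxDCall VWIN32_Int41Dispatch", SIG_M12_BYTES),
    STR("M11 MeltICE \\\\.\\SICE",          "\\\\.\\SICE"),
    STR("M11 MeltICE \\\\.\\SIWVID",        "\\\\.\\SIWVID"),
    STR("M11 MeltICE \\\\.\\NTICE",         "\\\\.\\NTICE"),
    STR("M13 registry key",                 "Software\\NuMega\\SoftICE"),
};

/* Returns a bitmask: bit i is set when SIGS[i] occurs anywhere in buf. */
uint32_t scan_anti_softice(const uint8_t *buf, size_t len)
{
    uint32_t hits = 0;
    for (int i = 0; i < SIG_COUNT; i++) {
        const anti_sig_t *s = &SIGS[i];
        if (s->len == 0 || s->len > len)
            continue;
        for (size_t off = 0; off + s->len <= len; off++) {
            if (memcmp(buf + off, s->pat, s->len) == 0) {
                hits |= 1u << i;
                break;
            }
        }
    }
    return hits;
}

/* Constructed sample: a Method 01 check, a Method 12 VxDCall check and the
   MeltICE driver name, with a filler prologue in front. */
static const uint8_t SAMPLE[] = {
    0x55, 0x8B, 0xEC,                   /* push ebp ; mov ebp,esp (filler) */
    0xBD, 0x4B, 0x48, 0x43, 0x42,       /* mov ebp,4243484Bh   <- M01 */
    0x66, 0xB8, 0x04, 0x00,             /* mov ax,4 */
    0xCC,                               /* int 3 */
    0x3C, 0x04,                         /* cmp al,4 */
    0x75, 0x10,                         /* jnz SoftICE_Detected */
    0x6A, 0x4F,                         /* push 4Fh */
    0x68, 0x2A, 0x00, 0x2A, 0x00,       /* push 002A002Ah      <- M12 */
    0xE8, 0x00, 0x00, 0x00, 0x00,       /* call VxDCall (rel32 left as 0) */
    0x66, 0x3D, 0x86, 0xF3,             /* cmp ax,0F386h */
    0x74, 0x05,                         /* jz SoftICE_Detected */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,   /* "\\.\SICE" <- M11 */
};

uint32_t scan_sample(void)
{
    return scan_anti_softice(SAMPLE, sizeof SAMPLE);
}

int main(void)
{
    uint32_t hits = scan_sample();
    for (int i = 0; i < SIG_COUNT; i++)
        if (hits & (1u << i))
            printf("found: %s\n", SIGS[i].name);
    return 0;
}
```

To run it on a real file, read the image into a buffer and pass it to
scan_anti_softice; a hit only says the pattern is present, so confirm each one
with the matching BPX from the method's own section before acting on it.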