About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
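Added illustration (not part of the original text or of any tool it mentions): an analyst triaging a packed sample usually wants to know which of the tricks above it carries before stepping into it. The Python script below scans a binary blob for byte-level footprints of Methods 01, 02, 03/04, 05, 07, 11 and 12. The constants are those given in the text (the 'BCHK' value, the 4647h/4A4Dh magic values, int 2Fh/1684h with VxD IDs 0202h/7A5Fh, int 41h/4Fh against 0F386h, int 68h/43h, the \\.\SICE device names, and 002A002Ah); the opcode encodings, the signature names and the constructed sample blob are my own assumptions, and the sample deliberately mixes 16-bit and 32-bit fragments because it is a test vector, not a real program.

```python
import re
from typing import Dict, List, Tuple

# Byte signatures for the anti-SoftICE tricks described above. The encodings
# are my own (16-bit code unless noted); the constants come from the article.
# ".{0,N}?" tolerates a few interleaved bytes between the parts of a check.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3      (32-bit: BD imm32)
    "m01_boundschecker_bchk": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3    (back door magic values)
    "m02_backdoor_magic": rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A.{0,8}?\xCC",
    # Method 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "m03_m04_vxd_entry_point": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h
    "m05_int41_4f": rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "m07_int68_43": rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE / _lopen variant): driver device names as ASCII strings
    "m11_meltice_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch) as a 32-bit imm push
    "m12_vxdcall_int41dispatch": rb"\x68\x2A\x00\x2A\x00",
}

DESCRIPTIONS: Dict[str, str] = {
    "m01_boundschecker_bchk": "int 3 with 'BCHK' in ebp (BoundsChecker signature)",
    "m02_backdoor_magic": "int 3 back door with SI=4647h/DI=4A4Dh",
    "m03_m04_vxd_entry_point": "int 2Fh/1684h lookup of the SICE/SIWVID VxD",
    "m05_int41_4f": "int 41h/4Fh debugger installation check (0F386h)",
    "m07_int68_43": "int 68h/43h WinICE handler check",
    "m11_meltice_device_name": "\\\\.\\SICE, SIWVID or NTICE device name (MeltICE)",
    "m12_vxdcall_int41dispatch": "VxDCall VWIN32_Int41Dispatch (002A002Ah)",
}


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return every (offset, signature name) hit in the blob, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES.items():
        # DOTALL so the gap wildcard also matches 0x0A bytes
        for match in re.finditer(pattern, blob, re.DOTALL):
            hits.append((match.start(), name))
    return sorted(hits)


def report(blob: bytes) -> List[str]:
    """One human-readable triage line per hit: offset, signature, description."""
    return [f"{off:08x}  {name:<28} {DESCRIPTIONS[name]}" for off, name in scan(blob)]


# Constructed sample: hand-assembled fragments of several tricks glued together
# (not a real binary), mixing 16- and 32-bit encodings on purpose.
SAMPLE = (
    b"\x90\x90"                                    # nop nop (padding)
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"      # m01: mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x3C\x04\x75\x10"                          # cmp al,4 ; jnz (rel8 made up)
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # m02: mov ax,0911h; mov si; mov di; int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # m03: mov ax,1684h; mov bx,0202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"  # m05: mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"  # m12: push 4Fh; push 002A002Ah
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"       # m11: device name strings
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Byte signatures of this kind are cheap to evade (a register swap or an interleaved instruction defeats the fixed encodings), so treat a hit as a pointer to where to look in the disassembly rather than as proof, and a miss as no information; the runtime breakpoints the text gives for each method remain the reliable way to confirm a check is really executed.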