About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature ('BCHK') supported by SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next example, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector (ES = 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = timer value (hard to predict)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; if SIce took the int, cl is still 0
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only).  Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE driver answers an open request,
   i.e. SoftICE for Win9x is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor.  This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
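As an added example (not part of the original post or of any tool it mentions), here is a small Python scanner that looks for the instruction bytes and device-name strings of the tricks above in a raw file image, the kind of check an analyst runs on a packed sample before loading it in a debugger. The regexes, method labels and the sample buffer are my own construction; the opcode encodings are standard x86.

```python
import re

# Added example, not part of the original post: byte signatures for the
# SoftICE checks of Methods 01-05, 07, 11 and 12, so an analyst can flag a
# packed or protected binary that carries them.  Encodings are plain x86
# (B8+r = mov r16/32,imm with a 66h prefix in 32-bit code, B4 ib = mov ah,imm8,
# CD ib = int, CC = int 3, 6A/68 = push imm); ".{0,N}?" gaps allow a few
# interleaved instructions between the key ones.
INT3 = rb"(?:\xCC|\xCD\x03)"
DEVICE_NAME = re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"

SIGNATURES = [
    ("Method 01 (BCHK / int 3)",                 # mov ebp,'BCHK' ... int 3
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?" + INT3, re.DOTALL)),
    ("Method 02 (SI=4647h DI=4A4Dh / int 3)",    # back-door magic values
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,16}?" + INT3,
                re.DOTALL)),
    ("Method 03/04 (int 2Fh/1684h VxD ID)",      # mov ax,1684h ; mov bx,ID
     re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A)"
                rb".{0,8}?\xCD\x2F", re.DOTALL)),
    ("Method 05 (int 41h/4Fh)",                  # mov ax,4Fh ; int 41h
     re.compile(rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    ("Method 07 (int 68h/43h)",                  # mov ah,43h ; int 68h
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    ("Method 11 (MeltICE device name)",          # "\\.\SICE" etc. as ASCIIZ
     re.compile(DEVICE_NAME)),
    ("Method 12 (VxDCall 2A002Ah/4Fh)",          # push 4Fh ; push 2A002Ah
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(buf: bytes) -> list:
    """Return (offset, method) pairs for every signature found, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample buffer: NOP padding around three of the tricks above.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"   # mov  ebp, 4243484Bh ('BCHK')   -> Method 01 @ 8
    + b"\x66\xB8\x04\x00"       # mov  ax, 4
    + b"\xCC"                   # int  3
    + b"\x3C\x04\x75\x20"       # cmp  al, 4 / jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"   # mov  ax, 0911h / mov dx, [bx]  (16-bit code)
    + b"\xBE\x47\x46"           # mov  si, 4647h                 -> Method 02 @ 31
    + b"\xBF\x4D\x4A\xCC"       # mov  di, 4A4Dh / int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"        # "\\.\SICE",0 for CreateFileA   -> Method 11 @ 42
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it on a real file with `scan(open(path, "rb").read())`; a hit only says the bytes are present, so confirm in the disassembly that the code is reachable before drawing conclusions.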