About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (interrupt vector table)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = timer value (hard to predict)
    xor     cx,cx
    int     41h                     ; SoftICE would swallow this call
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
+ w' b' w* N8 s! m</PRE></TD></TR></TBODY></TABLE>